Laws surrounding data privacy are in a state of rapid global transformation. During the past six months alone, the European Union has implemented the General Data Protection Regulation (GDPR), the United Kingdom has enacted and implemented the Data Protection Act 2018 (DPA 2018) and California has enacted the California Consumer Privacy Act of 2018 (CCPA 2018). These measures impose significant new restrictions on the ability of companies to collect, retain and transfer consumer data (or, more specifically, in the case of GDPR personal data generally) while expanding the rights of consumers to exercise control over how their data is used. This dramatic shift in the balance of power reflects a fundamental change in consumer digital privacy expectations and an increasing need for transparency by companies that deal in personal data.
The legal and normative changes in data privacy have coincided with the emergence of over-the-top (OTT) video service providers which have become dominant players in the entertainment and media industry. Companies and services like Netflix, Hulu and Amazon Prime Video have been built upon a foundation of consumer data, using algorithms to analyze consumer viewing habits and preferences in order to help the service provider make the targeted decisions about content creation and licensing. Indeed, access to daily real time data about the ways in which subscribers consume content gives OTT providers a distinct advantage over traditional television networks. As more and more entertainment and media companies enter the OTT arena, it is crucial for all of the players to understand the extent to which they can exploit consumer data without violating the new data privacy laws.
Scope and Applicability
GDPR. The GDPR has broad territorial reach covering data controllers (e.g., OTT providers) and data processors (e.g., OTT data partners) that are: (1) established in the EU and process personal data, regardless of whether the data processing takes place within the EU; or (2) not established in the EU but process personal data of EU data subjects in connection with offering goods or services or monitoring their behavior to the extent they process the personal data of those persons. Therefore, an OTT provider that processes the personal data of any EU citizen would be subject to the GDPR regardless of where they may be based in the world. However, mere accessibility to a non-EU based OTT provider’s website is not itself sufficient for to trigger GDPR application. Rather, there must be a degree of intent by the OTT provider to attract EU data subjects as customers, which might be evidenced by advertising to data subjects in the union or providing the website in a local language.
DPA 2018. While the DPA 2018 implemented aspects of the GDPR that were left to the discretion of member states, it is the European Union (Withdrawal Act) 2018 which serves to ensure that the GDPR, along with any other laws made under the European Communities Act 1972, will remain applicable post-Brexit. OTT providers that process the personal data of UK citizens will be subject to both the GDPR and the DPA 2018, regardless of where they may be based.
CCPA 2018. The CCPA 2018 does not take effect until January 1, 2020. At that time the CCPA 2018 will apply to any business that collects and processes personal information from a California resident and that meets one or more of the following criteria: (1) it has more than $25 million in annual gross revenue; (2) it buys, receives, sells or shares the personal information of 50,000 or more consumers for “commercial purposes”; or (3) it derives 50 percent or more of its annual revenue from selling the personal data of California residents (the definition of a “sale” is not clear and regulatory guidance will be required from the California Attorney General). Once an entity in a company group qualifies under the CCPA 2018, parent and subsidiary entities may automatically qualify even if they do not meet the threshold requirements or act as data controllers. While the CCPA 2018 is narrower in scope than the GDPR or the DPA 2018, it sets a low bar for applicability that most multinational OTT providers will meet. Therefore, OTT providers that target California residents most likely will be subject to CCPA 2018.