What Qualifies as Personal Data or Information

Broad Definition. The GDPR, DPA 2018 and CCPA 2018 all include broad definitions of personal data or information. Under the GDPR and DPA 2018, personal data includes “any information relating to a data subject” which can be used to identify that data subject, whether directly or indirectly when combined with other pieces of information. This broad definition may include an individual’s personal details, geolocation, lifestyle details, contractual details, online identifiers such as IP addresses, cookie identifiers and any traces left by an individual when operating online that could be picked up by their devices, applications, tools and protocols. Under the CCPA 2018, personal information includes “any information that relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device” such as geolocation, internet browsing activity (including interaction with a website, application or advertisement), commercial information (including purchasing or consuming histories or tendencies), IP address information and inferences that organizations draw from other personal information to create consumer profiles.

Includes Important Data That OTT Providers Seek to Collect. The expansive definitions of “personal data or information” encompasses much of the data that OTT providers seek to collect on a daily basis. For example, the following data may be considered “personal data or information”, particularly when combined with one another or where linked to an account profile:

• When consumers pause, rewind, or fast forward content
• What days consumers watch various kinds of content
• Where consumers watch content (i.e., zip code)
• What device consumers use to watch content (e.g., Roku, Chromecast, Apple TV) and the unique device IDs associated therewith
• When consumers pause and leave specific content, and if they come back
• The content ratings given by consumers
• The searches performed by consumers
• The browsing and scrolling behavior of consumers

Requirements When Personal Data or Information is Implicated

GDPR/DPA 2018. The GDPR and the DPA 2018 are very strict and do not allow a data controller to “process” (i.e., collect, record, store, use, disclose or disseminate) personal data unless they have a legal basis for doing so. There are various legal bases on which OTT providers may choose to rely when processing the personal data of their users. For example, it may be that an OTT provider can justify their processing of certain types of user personal data on the basis that it is necessary to do so to perform the contract between itself and the user, i.e. the subscription agreement. In the absence of any other justification, an OTT provider is likely to rely upon the consent of the data subject, which must be “freely given, specific, informed and unambiguous.” In order to meet this threshold, any such consent must meet the following criteria:

• Must involve an affirmative action such as ticking a box or choosing technical settings. Silence, pre-ticked boxes or inactivity do not constitute consent.
• Must be “unbundled”, meaning that the consent may not be bundled with other non-privacy related terms and conditions. Additionally, each request for consent must be “unbundled” such that separate consent is obtained for each processing purpose “unless this would be unduly disruptive or confusing” and for each processing activity “unless those activities are clearly interdependent.”
• Must have the right to withdraw consent at any time after it is given.
• Must have genuine choice and control, such that consent can be refused without detriment.
• There must not be a clear imbalance between the data subject and the controller, such as an employer-employee relationship. Thus, OTT providers likely cannot insert data collection clauses into their employment contracts.

If consent is properly obtained and an OTT provider processes personal data, the OTT provider must be prepared to provide each data subject with access to the collected data. If a “right of access” request is made by a data subject, within 30 days thereafter, the OTT provider must disclose to the data subject detailed information about the data collected and the purposes for such collection. Further, the OTT provider must be prepared to erase a data subject’s personal data upon request, without undue delay.

CCPA 2018: The CCPA 2018 is more lenient than the GDPR and the DPA 2018. The GDPR/DPA 2018 default position prohibits personal data processing without legal justification. The CCPA 2018, however, generally permits data processing and sale unless the consumer exercises an opt-out right. The requirements for an OTT provider to comply with the CCPA 2018 are fairly straightforward, notably including: (1) a privacy policy that describes consumers’ rights and methods to submit requests, lists the personal information categories of collection for the past 12 months, lists the personal information categories sold or disclosed in the past 12 months; (2) a clear and conspicuous “Do Not Sell My Personal Information” page linked from the website homepage; and (3) response to right of access requests within 45 days. Finally, like the GDPR/DPA 2018, an OTT provider must be prepared to erase a data subject’s personal data upon request.  However, the exceptions to the right to erase under the CCPA 2018 are very different from the grounds that justify erasure under the GDPR and the DPA 2018 and will require separate analysis as developments occur.

Enforcement

Similar to the GDPR, the CCPA 2018 assigns responsibility for enforcement to the California Attorney General, a governmental authority. Civil penalties they may reach up to $7,500 per violation while under the GDPR penalties may be quite severe: (1) under Article 83 up to 10,000,000 EUR or, in certain cases, up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of certain obligations; (2) up to 20,000,000 EUR or, in certain cases, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of certain specified obligations; and (3) under Article 84, each member state can adopt other penalties applicable to infringements not subject to Article 83 and can take all measures necessary to ensure that they are implemented..

Unlike the GDPR, the CCPA 2018 does not create a private right of action except for data breaches. The CCPA 2018 allows any consumer whose “nonencrypted or nonredacted personal information” is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information” to sue to recover statutory damages between $100 and $750 per consumer per incident or actual damages, whichever is greater, and obtain other forms of relief.  Note that “service providers” are not subject to a private cause of action, which only applies to “businesses” (as defined in the CCPA 2018).  Thus, it can be expected that companies suffering a data breach will see litigation under the CCPA 2018 and potential significant exposure to money damage awards.

Implications

Infrastructure Development. Perhaps the most significant change imposed by the new data privacy laws is the set of associated rights given to consumers whose personal data or information is collected. These consumers have the right to: (1) access their data and information and learn how it has been used; (2) restrict processing of their data; (3) have their data deleted; and (4) withdraw consent at any time. OTT providers must ensure that they have the infrastructure in place to handle the exercise by consumers of these rights. Thus, OTT providers will have to update their terms of use and privacy policies, create an effective consent/”opt-in” process, maintain staff and best practices to handle personal data requests and maintaining accurate and secure records of all data that is collected.

Selective Data Collection. More data is not necessarily better. This is the view taken by European legislators, and is most clearly reflected in the principle of ‘data minimization’ which underpins the GDPR. Each new piece of data that an OTT provider collects increases the risk that such data will be misused, whether internally or by external hackers. Each new piece of data also represents an incremental cost incurred by OTT providers to accurately store and maintain such data and respond to consumer disclosure and deletion requests. A failure in any of these processes could expose an OTT provider to hefty fines and expensive civil lawsuits. For these reasons, OTT providers would be wise to be selective in the data they choose to collect.

Diversify Data Practices Across Jurisdictions. While OTT providers should generally maintain a conservative data privacy approach, they should also tailor their practices to the different restrictions required  by each jurisdiction. It cannot be assumed that jurisdictional compliance in one region will satisfy compliance requirements elsewhere. For example, the CCPA 2018 does not have the burdensome consent requirements imposed by the GDPR/DPA 2018 and allows 45 days to respond to a consumer right of access request as compared to the 30-day period provided by the GDPR/DPA 2018. Differences in these regimes may allow for a diversified compliance strategy to maximize data repurposing opportunities and minimize compliance costs. Further, as data privacy law continues to develop through legislative, administrative and judicial processes, significant differences may emerge between jurisdictions with respect to what constitutes, and permissible uses of, personal data and information. 

Client Alert 2018-251