Connected TV adoption and viewership has been growing for years and has accelerated substantially due to the COVID-19 crisis. A recent study shows that the pandemic appears to be accelerating the cord-cutting shift, with 64% of respondents saying they cut the cord, are planning to, or never subscribed to cable in the first place. Moreover, 35% said they would rather watch a streaming service with ads to lower their monthly costs. Another study shows that over a third of consumers plan to remain frugal or cut spending post-crisis, which should only serve to bolster cord-cutting.
All this is to say that premium ad-supported video, watched in a lean-back CTV environment, is here to stay. With that in mind, it makes sense to discuss a topic that hasn’t been addressed much in this nascent field: consumer privacy.
Why should you care about consumer privacy in CTV?
Like most other internet-connected devices these days, information collected from CTV devices may be used to select, deliver, and measure the advertising that supports the content you consume. There is no holistic identity solution in CTV, and each manufacturer, distributor, and media owner is taking its own path to consumer privacy and targeted advertising. In light of recent privacy laws, namely GDPR and CCPA, those participating in CTV data collection and processing want to do so in a privacy-centric way that protects consumers and follows the law, while allowing advertising to continue at scale. However, “following the law” is not cut and dried for a number of reasons.
Household vs. individual consent confusion
GDPR and CCPA both allow for data collection on the basis of consent. There are significant differences in the requirements—primarily that GDPR is default opt-out and CCPA is default opt-in—but both allow for some sort of consent to collect and process data.
One issue is: Is it even legal to collect consent on a CTV device?
The challenge here is that for most families, a CTV is a household device, not an individual one. It sits in the living room and multiple members of the family use it, unlike most cell phones or computers. So if Dad reads the consent notice and says “yes” to data collection for behavioral targeting, but then Mom sees a targeted ad and feels like her rights were encroached upon, who is correct? Can Dad really legally consent for the entire family? Is it up to the entity collecting consent to insert itself in the middle of this domestic dispute? Some vendors are pointing to this as a reason not to allow for consent in CTV at all, which doesn’t feel quite right.
Let’s assume for a moment that collecting consent from an individual in the household is legal for the entire household. Is it required to have a legal basis to target a CTV household?
Under CCPA, the answer is yes. CCPA defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household [emphasis ours].”
Under GDPR, the answer is maybe. GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Here, it only refers to a person, or individual, not a household. The trouble for those looking at this as a loophole is, what if the CTV device owner lives alone? In that case, the household is the individual and vice versa. For this reason, the distinction might not matter.
Although it’s unclear exactly what the legal wording should be to solve these problems, we believe in making a good faith effort to inform the user of the processing and obtain a legal basis to process their data.
Who is responsible for collecting consent from the user? More confusion abounds.
Today, there is finger pointing when it comes to who should be collecting consent from the user. Device manufacturers want content creators and pay TV operators to collect their own, yet these content creators and pay operators point to device manufacturers as being in the best position to get it on their behalf. Let’s break down the pros and cons of each method.
Device manufacturers and CTV platforms
Device manufacturers have the most ubiquitous relationship with the user and the most consistent user experience. Users must interact with the device to access content and expect some sort of Ts & Cs when they first turn it on. It’s a logical place to collect consent, at least for the manufacturer itself.
Manufacturers and CTV platforms may have thousands of channels or content partners. It’s not fair or realistic to expect them to collect consent for all, and given the user must provide informed consent for the consent to be valid, it might not be legal either. How can a consumer expect to understand what thousands of partners will do with their data?
Having each channel, app, or content creator collect its own consent provides the most visibility to the user and gives the user the most control. It’s tidy because everyone is responsible for their own legal basis and has full control over what they communicate to the consumer.
The user experience would be a nightmare. Not only would the user have to go through a consent screen for each new app or channel, but each one is likely to be different. Additionally, it’s cumbersome to use a TV remote to scroll through legal disclosures and make selections, especially if it adheres to GDPR requirements which necessitate multiple UI layers and vendor-level toggling.
Pay TV platforms (such as Comcast, Sky, DISH)
Each of these providers has a billing relationship with the user. They require significant legal documentation to sign up and can add consent collection to this process. They typically require login authentication, which means they can connect a user’s selections for his or her profile and use it across platforms. It also gets around the “household” issue because the user is typically associated with an individual login.
This solution only works for pay TV platforms or others that have non-CTV user experiences (desktop, mobile, offline) and omnichannel authentication experiences. The largest growing CTV services today are free or low-cost ad-supported options, many of which don’t require a login at all. The low barrier to entry is part of the reason they are growing so quickly, and requiring a login is cumbersome to the user experience and hurts their growth potential.
Privacy as a competitive differentiator
Privacy in CTV is so disjointed that there seems to be room to make it a competitive differentiator. Could a manufacturer make an easy-to-use SDK for app creators that makes it easier to collect consent within their platform? This could serve to attract both users and content creators to that platform, offering a consistent privacy user experience that would reduce some of the pain users will feel if they have to make selections in each app.
The other potential solution is requiring all users to authenticate. Users make their privacy selections online where it’s easier, and then simply log in to the CTV app or channel. As noted above, if the user is logged in and his or her preferences are saved, it results in a more reliable experience and gives the user full control. However, this means we need to increase consumer trust in this behavior, since more personal data is required to make a login to exert preferences in the first place, such as name and email.
Solutions in the market; a way forward
Right now, the CTV privacy solutions in the market are fragmented or nonexistent. Manufacturers and content creators are arguing over who is responsible at the expense of the consumer’s experience, rights, or both. There are a few third-party solutions in-market or announced, such as those from OneTrust, LiveRamp, and SourcePoint that are moving in the right direction. However, each one requires work to implement and effort from the user. It’s also unclear whether the solutions provide the level of detail downstream vendors need to ensure the consent collected is valid, particularly in GDPR regions. We are hopeful that data privacy authorities will provide additional guidance for CTV, that the technology community will come up with a tenable solution, and that consumer rights in CTV can remain protected so CTV can continue to grow and serve consumers.
This article was written by Eric Shiffman, director of product marketing at SpotX