VIZIO to Pay 2.2 Million to Settle Consumer Tracking Charges; FTC Treats Television Viewing History as “Sensitive Information” Requiring Notice and Opt-In Consent Outside the Privacy Policy

VIZIO to Pay 2.2 Million to Settle Consumer Tracking Charges; FTC Treats Television Viewing History as “Sensitive Information” Requiring Notice and Opt-In Consent Outside the Privacy Policy

Blog WilmerHale Privacy and Cybersecurity Law

On February 6, 2017, the FTC and New Jersey Attorney General and Department of Consumer Affairs filed a Complaint and Stipulated Order for Permanent Injunction and Monetary Judgment against television manufacturer VIZIO, Inc., and VIZIO Inscape Services, LLC, (according to the Complaint, “a wholly-owned subsidiary of VIZIO, Inc., and the successor entity to Cognitive Media Services, Inc., which developed proprietary automated content recognition (ACR) software to detect the content on internet-connected televisions and monitors”). The FTC and New Jersey agencies alleged that, beginning in February 2014, VIZIO used ACR software in its Internet-enabled televisions to track, in fine detail, programs that consumers watched on VIZIO’s connected TVs. According to the complaint, VIZIO provided this information to third parties, sometimes in combination with other information about the relevant consumers, including IP address, MAC addresses, and WiFi access points. The agencies alleged that this information enabled third parties to conduct analysis of consumers’ viewing habits to determine audience measurement and the effectiveness of advertising campaigns, and to deliver advertisements based on television viewing behavior and demographic data obtained from third parties to other devices owned by the relevant consumers. The complaint also alleges that VIZIO initially failed to disclose the ACR software and its capabilities to consumers in privacy policies or in descriptions of the televisions’ “Smart Interactivity” function. However, the Complaint does indicate that VIZIO eventually provided a pop-up notice to consumers of its tracking activities in March 2016, after the investigation began.

The complaint alleges that, under Section 5 of the FTC Act and section 56:8-2 of the New Jersey Consumer Fraud Act, VIZIO’s tracking activities were unfair and that the failure to describe them in privacy policies and in other notices amounted to a deceptive omission. The complaint also charges that VIZIO further deceived consumers by failing to offer promised “program offers and suggestions” via the “Smart Interactivity” feature. VIZIO did not admit or deny the allegations in the complaint.

To settle the allegations, VIZIO will pay $1.5 million to the FTC—presumably under the equitable theory of disgorgement of ill-gotten gains—and $1 million (payment of $300,000 of this amount will be suspended) to the New Jersey agencies in civil penalties (pursuant to N.J. Stat. Ann. § 56:8-13) and reimburse the New Jersey agencies for attorney fees and investigative costs (pursuant to N.J. Stat. Ann. § 56:8-11, -19). Notably, the use of the FTC’s equitable powers under Section 5 to seek monetary relief in privacy cases is uncommon—Ashley Madison was required to pay over $800,000 in 2016 (with an additional almost $8 million dollars suspended). Most FTC privacy settlements have included injunctive relief only. In addition, VIZIO will be required to delete any viewing data it collected from consumers before March 1, 2016 (a date selected presumably because of the pop-up notice VIZIO provided to consumers after the investigation began), unless the consumer has provided affirmative consent or the data’s preservation is otherwise required by law. (Vizio is a defendant in multidistrict litigation in the Central District of California based on its collection and sharing of consumers’ television viewing behavior).

Notably, the FTC and the New Jersey Attorney General and Department of Consumer Affairs treated TV viewing data as sensitive personal information, adding it to the existing list of sensitive personal information the FTC outlined in its 2012 Privacy Report (health data, financial data, Social Security Numbers, precise geolocation data, and data regarding children) for the first time. Accordingly, going forward, VIZIO must obtain consumers’ consent—via a “prominent” notice (“prominently” is defined in the Order to mean that “a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers”; thus, outside of its standard privacy policy or other terms and conditions)—to the collection, use, and sharing of any consumer viewing data. VIZIO will also be required implement an effective opt-out mechanism for consumers who do not wish to have their viewing data collected.

In addition to these requirements, VIZIO must also implement a comprehensive privacy program, submit to third-party privacy assessments for 20 years, and engage in standard compliance reporting and record-keeping. To implement a comprehensive privacy program, VIZIO must designate an employee responsible for privacy matters, conduct a comprehensive risk assessment to identify potentially inappropriate uses of consumer information, create a plan to remediate these risks, and then regularly evaluate the plan’s effectiveness and update it according to the findings of those assessments. The Order also requires that the privacy program include a vendor-management plan to ensure that any of VIZIO’s service providers safeguard information appropriately. The comprehensive privacy program will be the subject of third-party assessments (also required by the Order) which will be conducted by an FTC-approved assessor. The assessments will begin six months after the Order’s effective date, and be conducted every two years for the next two decades. Similar requirements have been features of other FTC settlements in previous privacy cases, including the FTC’s settlements with Eli Lilly, Ashley Madison, and InMobi.

A 3-0 vote of the FTC’s commissioners approved the complaint and proposed Order. However, Acting Chairman Maureen Ohlhausen filed a concurring statement to call attention to the complaint’s characterization of “television viewing activity” as “sensitive information” that, when shared without consent, “causes or is likely to cause a ‘substantial injury’ under Section 5(n) of the FTC Act.” Acting Chairman Ohlhausen noted that this is the first time the FTC has “alleged in a complaint that individualized television viewing activity falls within the definition of sensitive information”—a category previously reserved for “financial information, health information, Social Security Numbers, information about children, and precise geolocation information.” Although voting to approve the complaint and proposed Order, Acting Chairman Ohlhausen noted that “[t]his case demonstrates the need for the FTC to examine more rigorously what constitutes ‘substantial injury’ in the context of information about consumers” and indicated that she “will launch an effort to examine this important issue further.” 

More from this series

Notice

Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link.(The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.