The Real Takeaway from VIZIO's Privacy FTC Settlement
It has been widely reported that VIZIO, Inc., a large television manufacturer, settled a Complaint brought by the FTC and the Attorney General of New Jersey for $2.2 million for alleged unfair and deceptive acts and practices related to VIZIO's deployment of automated content recognition (ACR) technology in its smart televisions. However, the most significant aspects of the settlement may not be the widely-reported allegations of electronic "spying" or the terms of the Consent Order, but the preview into how a Republican-led FTC will use its Section 5 authority to enforce consumer privacy issues.
For a quick recap of the facts, the Complaint alleged that VIZIO TVs with the tracking software collected viewing information and device level information (such as MAC addresses) about the television and nearby wireless devices, and that VIZIO sold viewing profiles to enable audience measurement, analyze advertising effectiveness, and target advertisements based on those profiles. Not only was the tracking software included and turned on by default on new TVs, but VIZIO remotely installed tracking software on previously-sold televisions that did not have tracking software on them at the time of sale. The Complaint concluded that this was far beyond what consumers would reasonably expect from a TV manufacturer and the notice and choice mechanisms VIZIO offered to consumers were vague, misleading, and ephemeral.
The Consent Order found VIZIO's actions both unfair and deceptive, assessed a $2.2 million fine, treated the viewing data as "sensitive," required VIZIO to destroy collected data and seek opt-in consent going forward, and imposed a 20-year third-party monitor to ensure compliance. While both the Complaint and the Consent Order were voted for by all three FTC commissioners at the time, including former Chairwoman Edith Ramirez and current Acting Chairwoman Maureen Ohlhausen, it is Ohlhausen's limited concurrence that highlights three important issues that may give companies an insight to future enforcement activities over the next several years, namely: the scope of sensitive information that requires "opt-in" consent; the important role consumer "harm" will play in future allegations of "unfair" acts and practices; and the importance of examining consumer expectations in context.
Sensitive Information
Treating the type of viewing activity information VIZIO collected from consumers as "sensitive" data in and of itself goes beyond the FTC guidelines established in its 2012 report in which the Commission limited sensitive information to financial and health information, Social Security numbers, information about children, and precise geolocation data. Previously, the FTC described how consumer behavioral information is capable of giving rise to sensitive inferences, but the data has not been treated as sensitive per se.
The FTC did file comments in the Federal Communications Commission's privacy proceeding last year, advocating that the FCC should treat the "content" of communications as sensitive, requiring a consumer's opt-in consent prior to using such information for certain purposes under the telecommunications privacy statute. Additionally, Chairwoman Ohlhausen acknowledged in her concurrence that indeed, there may be good policy reasons for treating consumers' viewing activity as sensitive, as reflected in the special treatment Congress has afforded it in other statutes. However, she expressed concern over the blanket expansion of sensitive information to include viewing activity in the FTC enforcement context.
In order to bring an enforcement action for an unfair act or practice under Section 5 of the FTC Act, the act or practice must cause "substantial injury" that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers. Chairwoman Ohlhausen questioned whether television viewing activity is "sensitive" information whose disclosure is likely to cause substantial consumer injury.
In her separate statement in the FCC privacy proceeding, Chairwoman Ohlhausen reminded her agency that consumers have a consistent understanding of what "sensitive information" is that comports with the data categories enumerated in the FTC's 2012 report, and was skeptical of expanding sensitive information beyond the 2012 categories because "people have widely varying privacy preferences," such that what one consumer deems sensitive another consumer might freely share. Because it is the FTC's mission to tailor its enforcement for the benefit of all consumers, it is not likely that the categories of sensitive information will be expanded to include viewing activity in all contexts, precisely because of such widely varying consumer preferences regarding such sharing, as can be seen on many social media sites.
Cognizable Harm
Additionally, Chairwoman Ohlhausen has noted that expanding the categories of sensitive information can impose a substantial burden on businesses that presumably must be balanced against potential harm. The VIZIO Complaint states that "collection and sharing of sensitive data without consumers' consent has caused or is likely to cause substantial injury to consumers," without offering any analysis of how consumers were, or could be, injured by VIZIO's collection and disclosure of viewing activity information.
While Chairwoman Ohlhausen agreed with the Complaint that "[e]vidence shows that consumers do not expect televisions to collect and share information about what they watch," she expressed a desire to explore "more rigorously" whether the use or disclosure of viewing information could constitute a substantial injury, and thus give rise to an unfairness claim. Accordingly even if VIZIO's stipulation was considered an acceptable settlement in this specific context, it may not reflect the ongoing enforcement approach of the current FTC.
Chairwoman Ohlhausen's desire to closely analyze the economic consequences to consumers of use or disclosure of their information should come as no surprise. For example, in a speech on the Federal Communications Commission's privacy rules, she said that "[t]here is a serious need for rigorous economic thinking about privacy issues." And her dissent in the Nomi Technologies case is perhaps the most vivid example of this regulatory philosophy. In that case, Nomi, which provides retail companies the ability to analyze aggregate data about physical consumer traffic in retailers' stores, was fined by the FTC for failing to provide an opt-out to consumers at retail locations, even though it provided a functioning, global opt-out on its website. Her dissent criticized the FTC for adopting a consent decree that imposed "a penalty far out of proportion to the non-existent consumer harm."
Consumer Expectations and Context
Despite Chairwoman Ohlhausen's objections to a key element of the Complaint, she did vote in favor of both the Complaint and the Consent Order, indicating the Commission's bi-partisan approach to privacy and requiring businesses to "say what they do and do what they say." A core tenet of the FTC's longstanding privacy recommendations and history of enforcement actions is that consumers should be informed about the types of information that companies are collecting about them and how that information will be used, disclosed and protected. When a company is going to use or disclose data in a way that consumers do not, or would not, expect, the FTC advocates that consumers should be given a choice prior to such use or disclosure. Here, all of the FTC Commissioners found VIZIO's consumer notice and choice mechanisms insufficient.
Several facts about VIZIO's behavior—which are reminiscent of the Sears tracking software case—appeared to be dispositive in the FTC's opinion.
- Where consumer notice was available, it was vague and fleeting.
- The consumer notice did not adequately explain that data collection was occurring.
- The televisions were set to collect such information by default.
- The ACR tracking software was installed on devices that did not previously have that feature, and the notice to consumers of that installation was inadequate.
- VIZIO represented to consumers that the Smart Interactivity feature, which made use of the ACR software, would provide program offers and suggestions, but never did.
- Consumers had to navigate through several menus to reach opt-out alternatives.
In sum, the FTC disapproved of the fact that VIZIO did not provide clear notice to consumers about its data collection practices, particularly because the FTC did not believe that consumers would expect such collection. As such, VIZIO highlights important lessons for companies that collect, use, and disclose consumer data:
- Context matters. Companies that collect consumer data must take into account consumers' perspectives and expectations when designing systems that will collect consumers' personal information. If a company employs novel methods of collection, it should consider making notice to consumers (of both the collection of data and any choices available to opt–in or –out) more prominent. Companies that develop Internet of Things technologies, particularly those that will be embedded in devices in the home, should be particularly careful because consumer expectations about these devices' data collection capabilities are unsettled.
- Privacy notices and consumer choice should be clear and persistent. When drafting a privacy policy or implementing opt-ins and opt-outs, companies should think carefully about what consumers would expect in terms of data collection: What type of information is at issue? What does the consumer user interface look like? How long do consumers have to make their choices? How might they change their choices later? Are the consequences of making that choice clearly articulated?
Although Chairwoman Ohlhausen's concurrence signals a shift in terms of how the FTC will analyze "unfair" privacy acts and practices going forward, there is no indication the FTC intends to abandon its practice of bringing privacy enforcement actions under Section 5. Instead, it seems likely that any future enforcement will contain a robust analysis of the costs and benefits to consumers and the economy alike, and any remedies will be tailored to identifiable, concrete harms. Accordingly, companies should continue to carefully assess how their existing and proposed privacy practices match not only consumer expectations, but the FTC's, as well.