It’s a Post-GDPR World: (Device) IDs Will Be Checked at the Digital Door

The deadline to achieve compliance with the European Union’s General Data Protection Regulation (GDPR) has passed, and the global sense of panic that so many organizations felt as they rushed to meet that deadline has died down. But GDPR’s broad definition of what constitutes a consumer’s personal data, and its strict requirements governing how companies process and use that data, remain pervasive topics of an ongoing global discourse around privacy regulation. Like any other internet consumer service, OTT video providers with subscribers in the EU must comply with GDPR because they typically handle data that fall under its purview. One example that OTT providers need to pay close attention to is device IDs.

Smart TVs and streaming digital media players such as Roku and Chromecast have their own unique device IDs that fulfill several functions for OTT services in addition to identifying a specific device. They can also be used to tie licenses for consuming content to a device or user, track user behavior to create personalized content recommendations, perform audience measurement and target interest-based advertising.

Collecting and using this information incurs several obligations on the part of OTT providers, ideally beginning with conducting a “data protection by design” review of their applications and services. This is a systematic technology and process review to ensure good privacy protections are built in, identify and mitigate potential privacy risks and document all the steps in accordance with the GDPR’s accountability requirement.  

Users should be informed about the collection of identifiers and the purposes they are used for prior to collection. Automated collection in the background without the user’s knowledge is problematic.

An OTT provider needs to decide on a legal basis for processing device IDs, which would typically be "consent" or "legitimate interest" of the provider. Where "consent" is the legal basis it should be "unbundled" to give users meaningful choices - and not simply a take-it-or-leave-it menu. For example, device identification may be strictly necessary for service delivery, and the utilization of identifiers for DRM purposes is arguably in the legitimate interest of the provider. However, the use for recommendation services or targeted advertising may require independent consent. 

If device identifiers are shared with third parties, put proper contractual safeguards in place. This includes provisions on how the identifiers can be used by any third party. Also, decide on data retention policies for identifiers and the usage data associated with them.

With regard to privacy by design and default, OTT service providers should apply good privacy engineering principles to the generation, collection and processing of device IDs. “Data minimization” is one such principle. Collecting only what’s needed will make it much easier to manage and secure personal data responsibly.

Another privacy engineering principle to embrace focuses on giving users more control over their data. For example, a user should be able to reset device IDs, where doing so is reasonably possible. If a class of device IDs is not resettable for justifiable reasons, then consider generating multiple device IDs for additional purposes.
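One way to combine per-purpose device IDs, user reset and the unbundled consent discussed earlier is sketched below as an added example; it is not code from the article or from Intertrust. The class name, the purpose names, the HMAC-SHA256 derivation and the choice to reset an ID when consent is withdrawn are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed mapping, following the article's examples: DRM runs under legitimate
# interest; recommendations and advertising each need their own consent.
CONSENT_PURPOSES = {"recommendations", "advertising"}
ALL_PURPOSES = {"drm"} | CONSENT_PURPOSES


class PurposeScopedIds:
    """Derives one pseudonymous ID per purpose from a non-resettable hardware ID."""

    def __init__(self, hardware_id: bytes):
        self._hardware_id = hardware_id
        self._consent = set()
        # One random secret per purpose, kept on the device. Replacing a secret
        # resets that purpose's ID; the secrets also make IDs unlinkable across purposes.
        self._secrets = {p: secrets.token_bytes(32) for p in ALL_PURPOSES}

    def grant(self, purpose: str) -> None:
        if purpose not in CONSENT_PURPOSES:
            raise ValueError(f"{purpose!r} is not a consent-based purpose")
        self._consent.add(purpose)

    def withdraw(self, purpose: str) -> None:
        self._consent.discard(purpose)
        self.reset(purpose)  # a later re-consent starts with a fresh ID

    def reset(self, purpose: str) -> None:
        if purpose not in CONSENT_PURPOSES:
            raise PermissionError("licence-bound ID is not user-resettable")
        self._secrets[purpose] = secrets.token_bytes(32)

    def id_for(self, purpose: str) -> Optional[str]:
        if purpose not in ALL_PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        if purpose in CONSENT_PURPOSES and purpose not in self._consent:
            return None  # data minimization: without consent no ID is released
        mac = hmac.new(self._secrets[purpose],
                       self._hardware_id + b"|" + purpose.encode(),
                       hashlib.sha256)
        return mac.hexdigest()[:32]
```

Because each purpose has its own secret, resetting the advertising ID leaves the recommendation and DRM IDs unchanged, and a third party that receives one ID cannot derive the others or the hardware ID from it.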

Even OTT video providers that do not need to comply with GDPR should conduct thorough audits of their policies and practices for managing personal data. GDPR and the scandal created by Cambridge Analytica’s misuse of Facebook data are just two events driving rising consumer demand for more control over the privacy of one’s data. In the U.S. that’s causing a ripple effect across state legislatures and in several departments and offices throughout the federal government. 

Consider that California and Vermont this year passed legislation that aggressively addresses data privacy and that, like GDPR, has broad-reaching ramifications for how companies collect and use personal data. At the federal level, the Trump administration is reportedly crafting a set of data privacy protections to guide state and federal lawmakers as they consider similar legislation.

There is still some uncertainty about when it’s OK to use "legitimate interest" rather than opt-in consent as the legal basis for processing: it seems prudent to wait to see how these discussions shape up before making drastic decisions that could dramatically impact a product. What degree of unbundling of consents is expected will also become clearer as lawmakers decide complaints against big tech companies such as Google and Facebook on similar issues.

In closing, it’s imperative that OTT video service providers strive to ensure compliance with all applicable laws and regulations that are “on the books” today and may be signed into law tomorrow.

This can start with a straightforward two-step process: 

  1. Conduct a detailed "data protection by design" review of OTT applications and services; 
  2. Develop and implement a mitigation plan for any privacy risks and shortcomings. 

Dr. Tomas Sander is the data protection officer (DPO) and a senior research scientist at Intertrust Technologies. Tomas leads Intertrust’s Privacy and Data Protection program. He also conducts research on privacy enhancing technologies and their use in practice. Prior to joining Intertrust, Tomas worked for 14 years at Hewlett Packard Labs in Princeton, New Jersey where he was a member of the Security and Manageability Lab, which conducts research in security, privacy and cloud technologies.