OTT and the Value of Data Privacy

Negotiating How to Deal With Subscriber Info in Over-the-Top and Authenticated Distribution Pacts

Internet-based over-the-top and authenticated video distribution arrangements enable data collection. This data is a critical business asset because it allows programmers and distributors to improve their services and deliver more relevant ads by better understanding who is watching their programming, when and how they watch it, and – when combined with other data, including third-party data sources – viewers’ other interests and characteristics. 

This data, however, also raises potential business and legal risks. These distribution deals may provide distributors access to data about the traffic and users on the programmer’s digital properties because, in addition to directly distributing a programmer’s content, distributors may authenticate users on the programmer’s own sites and mobile apps. 

Moreover, the collection, use and disclosure of this data potentially can implicate various privacy and data security laws. For example, the California Online Privacy Protection Act requires websites and mobile applications to have publicly posted privacy policies; the Video Privacy Protection Act restricts the disclosure of an identified person’s video viewing information; and the Cable Communications Policy Act protects the privacy of cable service subscribers. 

Given the business opportunities and risks associated with the data collected in connection with over-the-top and authenticated video distribution, it is surprising that data sometimes receives slight attention during the negotiation of such deals. 

To address this gap, following are some key questions to ask before signing such agreements.

What user data will be collected?

To authenticate users the distributor may need to collect personal information, such as an email address associated with the subscriber’s account. The distributor also may be able to collect a variety of other types of information from users as they browse and view content on the distributor’s or programmer’s sites and services, such as the content viewed and the time and length of the viewing.  Having a clear understanding of the data collection practices and the data flows allows programmers and distributors to evaluate whether any legal requirements apply and to include provisions in the agreement to protect the privacy and security of the data.

What technologies will be used to collect data?

User data may be collected through a variety of technologies and techniques. For example, the distributor might drop or read a cookie when a user tries to authenticate on the programmer’s website. The distributor also might use web pixels, local shared objects, mobile advertising identifiers and similar technologies on its own or the programmer’s sites and services to collect and store user data.

Some technologies and practices that may be used to collect information online, such as local storage objects and cross-device tracking, have been the subject of litigation or scrutiny by privacy regulators.  For example, plaintiffs have sued companies that used local shared objects and HTML5 storage, alleging that the companies failed to provide adequate notice and choice over the data collection. And the Federal Trade Commission is holding a workshop on November 16 to learn more about the practice of collecting data across a consumer’s different devices using cross-device linking techniques.  

To help manage expectations, the distribution agreement might specify the types of tracking technologies and techniques that may be used (particularly on the programmer’s own sites and services), require prior written consent before any new data collection technologies or techniques may be used, and require that cookies and similar technologies are used consistent with applicable privacy laws.

Who will own or license the data? 

Data ownership and the scope of data licenses can be an important issue in over-the-top and authenticated distribution deals. For example, a programmer might want to be able to use and disclose data to a third party to later re-target viewers in an online or social-media advertising campaign. 

But the programmer’s ability to effectuate this data use and sharing could be frustrated if it hasn’t secured the necessary rights to the data in the distribution agreement. Although distributors will likely seek to own personal or proprietary data about their subscribers, the parties might consider, for example, addressing the use of data collected through the  programmer’s own sites and apps or obtaining a license to use certain user data for analytics, measurement and reporting, optimization, targeted advertising and other purposes. 

Does the data need to be identifiable or can it be de-identified?   

In some circumstances, a programmer or distributor may need user-level, personal data. But depending on who will own or license the data and how it will be used, the parties might be able to protect viewers’ privacy by instead using the data in aggregated or de-identified form. 

For example, a distributor might use aggregated and anonymous data to provide analytics reports to other programmers, investors, advertisers or other third parties, and programmers might want to ensure that these reports do not directly or indirectly leak their own confidential business data. 

De-identifying the data before it is shared also can avoid triggering certain privacy laws that govern the disclosure of personal information, such as the Video Privacy Protection Act. Any limitations on the form in which user data may be used should be clearly specified in the agreement.

Do any privacy policies, ad guidelines or similar policies apply?

Each party should carefully consider any provision that would require compliance with the other party’s privacy policy, ad guidelines  or similar policies. For example, restrictions on data usage and collection might not be included in the agreement , but instead  be embedded in a privacy policy, thereby limiting the ability of one party to understand its consumers’ viewing habits. 

Further, unlike the agreement, these policies and guidelines typically can be changed unilaterally at any time. Consequently, parties might consider whether these provisions could be limited to require compliance with policies and guidelines that have been provided in advance and that receive prior written approval. 

In addition, where a programmer relies on a distributor to authenticate users on the programmer’s own sites and services, the programmer should ensure that the arrangement is consistent with the programmer’s own privacy policies. 

Are service providers specified?

Over-the-top agreements sometimes specify which data analytics, data management platforms, ad networks or other ad service providers will be used to process user data. The parties should confirm that they are comfortable with these service providers and are familiar with their data privacy and security practices. Particularly if third-party cloud storage or processing services will be used, consider whether any data will be stored outside of the United States, which could trigger additional legal requirements. 

Are users receiving appropriate notice and choice about how data is collected, used and disclosed?

Before entering into an authenticated or over-the-top arrangement, each party should consider whether any privacy notices should be provided and whether consumers should have an opportunity to exercise any choice over how data is collected, used and disclosed.

The answers to these questions will depend on the data being collected, how it will be used and whether it will be further disclosed. But where notice and choice are required, the agreement should specify which party is responsible for providing the notice or securing consent. While it might be possible in some cases to rely on a general representation that the parties comply with all applicable laws and self-regulatory principles, this provides little protection if the laws are ambiguous or the roles of each party are not otherwise clearly defined. 

Requiring indemnification for third-party claims or costs associated with an inquiry by the Federal Trade Commission, state attorneys general, or other governmental or self-regulatory bodies also should be considered. 

Data is critical for programmers and distributors to better understand their viewers, improve their services and facilitate the delivery of more relevant advertising. At the same time, privacy regulators and advocates are scrutinizing online practices to ensure the privacy and security of consumer data is appropriately protected. Addressing issues of data ownership, privacy and security in over-the-top distribution agreements is an important step to securing a valuable business asset, while also ensuring legal compliance and mitigating reputational risk.

Lindsey Tonsager and Robyn Polashuk are partners with international law firm Covington & Burling. 

Related