OTT and the Value of Data Privacy

Internet-based over-the-top and authenticated video distribution arrangements enable data collection. This data is a critical business asset, because it allows programmers and distributors to improve their services and deliver more relevant ads by better understanding who is watching their programming, when and how they watch it, and — when combined with other data, including third-party data sources — viewers’ other interests and characteristics.

This data, however, also raises potential business and legal risks. These deals may provide distributors access to data about the traffic and users on the programmer’s digital properties because, in addition to directly distributing a programmer’s content, distributors may authenticate users on the programmer’s own sites and mobile apps.

Moreover, the collection, use and disclosure of personal data potentially can implicate various privacy and data security laws. For example, the California Online Privacy Protection Act requires websites and mobile applications to have publicly posted privacy policies; the Video Privacy Protection Act restricts the disclosure of an identified person’s video viewing information; and the Cable Communications Policy Act protects the privacy of cable service subscribers.

However, data sometimes receives slight attention during the negotiation of such deals. To address this gap, following are some key questions to ask before signing such agreements.

What user data will be collected? To authenticate users the distributor may need to collect personal information, such as an email address associated with the subscriber’s account. The distributor also may be able to collect a variety of other types of information from users as they browse and view content, such as the content viewed and the time and length of the viewing.

Having a clear understanding of the data collection practices allows the parties to evaluate whether any legal requirements apply and to include privacy and security provisions in the agreement.

What technologies will be used to collect data? User data may be collected through a variety of technologies and techniques. For example, the distributor might drop or read a cookie when a user tries to authenticate on the programmer’s website. The distributor also might use web pixels, local shared objects, mobile advertising identifiers and similar technologies on its own or the programmer’s sites and services to collect and store user data. Some of these technologies have been the subject of litigation or scrutiny by privacy regulators.

The distribution agreement might specify the types of technologies and techniques that may be used, require prior written consent before any new data collection methods may be used, and require that the technologies are used consistent with applicable privacy laws.

Who will own or license the data? Data ownership and the scope of data licenses can be an important issue. For example, a party might want to be able to use and disclose data to a third party to later re-target viewers in an online or social-media advertising campaign.

Although distributors will likely seek to own personal or proprietary data about their subscribers, the parties might consider addressing the use of data collected through the programmer’s own sites and apps or obtaining a license to use certain user data for analytics, measurement and reporting, and other purposes.

Does the data need to be identifiable or can it be de-identified? In some circumstances, a programmer or distributor may need personal data. But depending on who will own or license the data and how it will be used, the parties might be able to instead use the data in aggregated or de-identified form.

De-identifying the data before it is shared also can avoid triggering certain privacy laws that govern the disclosure of personal information, such as the Video Privacy Protection Act.

Do any privacy policies, ad guidelines or similar policies apply?Each party should carefully consider any provision that would require compliance with the other party’s privacy policy, ad guidelines or similar policies. For example, restrictions on data usage and collection might not be included in the agreement, but instead be embedded in a privacy policy.

Are service providers specified? OTT agreements sometimes specify which data analytics, data management platforms, ad networks or other ad service providers will be used to process user data. The parties should confirm that they are comfortable with these service providers and are familiar with their data privacy and security practices. Consider whether any data will be stored outside of the United States, which could trigger additional legal considerations.

Are users receiving appropriate notice and choice about how data is collected, used and disclosed? Each party should consider whether any privacy notices should be provided and whether consumers should have an opportunity to exercise any choice over how data is collected, used and disclosed.

Where notice and choice are required, the agreement should specify which party is responsible for providing the notice or securing consent.

Addressing issues of data ownership, privacy and security in over-the-top distribution agreements is an important step to securing a valuable business asset, while also ensuring legal compliance and mitigating reputational risk.

Robyn Polashuk and Lindsay Tonsager are partners with international law firm Covington & Burling.