Laws surrounding data privacy are in a state of rapid global transformation. During the past six months alone, the European Union has implemented the General Data Protection Regulation (GDPR), the United Kingdom has enacted and implemented the Data Protection Act 2018 (DPA 2018) and California has enacted the California Consumer Privacy Act of 2018 (CCPA 2018). These measures impose significant new restrictions on the ability of companies to collect, retain and transfer consumer data (or, more specifically, in the case of GDPR personal data generally) while expanding the rights of consumers to exercise control over how their data is used. This dramatic shift in the balance of power reflects a fundamental change in consumer digital privacy expectations and an increasing need for transparency by companies that deal in personal data.

The legal and normative changes in data privacy have coincided with the emergence of over-the-top (OTT) video service providers, which have become dominant players in the entertainment and media industry. Companies and services like Netflix, Hulu and Amazon Prime Video have been built upon a foundation of consumer data, using algorithms to analyze consumer viewing habits and preferences in order to help the service provider make targeted decisions about content creation and licensing. Indeed, access to daily real-time data about the ways in which subscribers consume content gives OTT providers a distinct advantage over traditional television networks. As more and more entertainment and media companies enter the OTT arena, it is crucial for all of the players to understand the extent to which they can exploit consumer data without violating the new data privacy laws.

Scope and Applicability

GDPR. The GDPR has broad territorial reach covering data controllers (e.g., OTT providers) and data processors (e.g., OTT data partners) that are: (1) established in the EU and process personal data, regardless of whether the data processing takes place within the EU; or (2) not established in the EU but process personal data of EU data subjects in connection with offering goods or services or monitoring their behavior, to the extent they process the personal data of those persons. Therefore, an OTT provider that processes the personal data of any EU citizen would be subject to the GDPR regardless of where it may be based in the world. However, mere accessibility of a non-EU based OTT provider’s website is not itself sufficient to trigger GDPR application. Rather, there must be a degree of intent by the OTT provider to attract EU data subjects as customers, which might be evidenced by advertising to data subjects in the Union or providing the website in a local language.

DPA 2018. While the DPA 2018 implemented aspects of the GDPR that were left to the discretion of member states, it is the European Union (Withdrawal) Act 2018 which serves to ensure that the GDPR, along with any other laws made under the European Communities Act 1972, will remain applicable post-Brexit. OTT providers that process the personal data of UK citizens will be subject to both the GDPR and the DPA 2018, regardless of where they may be based.

CCPA 2018. The CCPA 2018 does not take effect until January 1, 2020. At that time the CCPA 2018 will apply to any business that collects and processes personal information from a California resident and that meets one or more of the following criteria: (1) it has more than $25 million in annual gross revenue; (2) it buys, receives, sells or shares the personal information of 50,000 or more consumers for “commercial purposes”; or (3) it derives 50 percent or more of its annual revenue from selling the personal data of California residents (the definition of a “sale” is not clear and regulatory guidance will be required from the California Attorney General). Once an entity in a company group qualifies under the CCPA 2018, parent and subsidiary entities may automatically qualify even if they do not meet the threshold requirements or act as data controllers. While the CCPA 2018 is narrower in scope than the GDPR or the DPA 2018, it sets a low bar for applicability that most multinational OTT providers will meet. Therefore, OTT providers that target California residents most likely will be subject to CCPA 2018.

What Qualifies as Personal Data or Information

Broad Definition. The GDPR, DPA 2018 and CCPA 2018 all include broad definitions of personal data or information. Under the GDPR and DPA 2018, personal data includes “any information relating to a data subject” which can be used to identify that data subject, whether directly or indirectly when combined with other pieces of information. This broad definition may include an individual’s personal details, geolocation, lifestyle details, contractual details, online identifiers such as IP addresses, cookie identifiers and any traces left by an individual when operating online that could be picked up by their devices, applications, tools and protocols. Under the CCPA 2018, personal information includes “any information that relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device” such as geolocation, internet browsing activity (including interaction with a website, application or advertisement), commercial information (including purchasing or consuming histories or tendencies), IP address information and inferences that organizations draw from other personal information to create consumer profiles.

Includes Important Data That OTT Providers Seek to Collect. The expansive definitions of “personal data or information” encompass much of the data that OTT providers seek to collect on a daily basis. For example, the following data may be considered “personal data or information”, particularly when combined with one another or when linked to an account profile:

  • When consumers pause, rewind, or fast forward content
  • What days consumers watch various kinds of content
  • Where consumers watch content (i.e., zip code)
  • What device consumers use to watch content (e.g., Roku, Chromecast, Apple TV) and the unique device IDs associated therewith
  • When consumers pause and leave specific content, and if they come back
  • The content ratings given by consumers
  • The searches performed by consumers
  • The browsing and scrolling behavior of consumers

Requirements When Personal Data or Information is Implicated

GDPR/DPA 2018. The GDPR and the DPA 2018 are very strict and do not allow a data controller to “process” (i.e., collect, record, store, use, disclose or disseminate) personal data unless it has a legal basis for doing so. There are various legal bases on which OTT providers may choose to rely when processing the personal data of their users. For example, an OTT provider may be able to justify its processing of certain types of user personal data on the basis that the processing is necessary to perform the contract between itself and the user, i.e., the subscription agreement. In the absence of any other justification, an OTT provider is likely to rely upon the consent of the data subject, which must be “freely given, specific, informed and unambiguous.” In order to meet this threshold, any such consent must satisfy the following criteria:

  • Consent must involve an affirmative action such as ticking a box or choosing technical settings. Silence, pre-ticked boxes or inactivity do not constitute consent.
  • Consent must be “unbundled”, meaning that it may not be bundled with other non-privacy related terms and conditions. Additionally, each request for consent must be “unbundled” such that separate consent is obtained for each processing purpose “unless this would be unduly disruptive or confusing” and for each processing activity “unless those activities are clearly interdependent.”
  • The data subject must have the right to withdraw consent at any time after it is given.
  • The data subject must have genuine choice and control, such that consent can be refused without detriment.
  • There must not be a clear imbalance between the data subject and the controller, such as an employer-employee relationship. Thus, OTT providers likely cannot insert data collection clauses into their employment contracts.

If consent is properly obtained and an OTT provider processes personal data, the OTT provider must be prepared to provide each data subject with access to the collected data. If a “right of access” request is made by a data subject, within 30 days thereafter, the OTT provider must disclose to the data subject detailed information about the data collected and the purposes for such collection. Further, the OTT provider must be prepared to erase a data subject’s personal data upon request, without undue delay.

CCPA 2018. The CCPA 2018 is more lenient than the GDPR and the DPA 2018. The GDPR/DPA 2018 default position prohibits personal data processing without legal justification. The CCPA 2018, however, generally permits data processing and sale unless the consumer exercises an opt-out right. The requirements for an OTT provider to comply with the CCPA 2018 are fairly straightforward, notably including: (1) a privacy policy that describes consumers’ rights and methods to submit requests, lists the categories of personal information collected in the past 12 months, and lists the categories of personal information sold or disclosed in the past 12 months; (2) a clear and conspicuous “Do Not Sell My Personal Information” page linked from the website homepage; and (3) response to right of access requests within 45 days. Finally, like the GDPR/DPA 2018, an OTT provider must be prepared to erase a data subject’s personal data upon request. However, the exceptions to the right to erase under the CCPA 2018 are very different from the grounds that justify erasure under the GDPR and the DPA 2018 and will require separate analysis as developments occur.

Similar to the GDPR, the CCPA 2018 assigns responsibility for enforcement to a governmental authority, the California Attorney General. Civil penalties under the CCPA 2018 may reach up to $7,500 per violation, while under the GDPR penalties may be quite severe: (1) under Article 83, up to 10,000,000 EUR or, in certain cases, up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of certain obligations; (2) up to 20,000,000 EUR or, in certain cases, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of certain specified obligations; and (3) under Article 84, each member state can adopt other penalties applicable to infringements not subject to Article 83 and can take all measures necessary to ensure that they are implemented.

Unlike the GDPR, the CCPA 2018 does not create a private right of action except for data breaches. The CCPA 2018 allows any consumer whose “nonencrypted or nonredacted personal information” is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information” to sue to recover statutory damages between $100 and $750 per consumer per incident or actual damages, whichever is greater, and to obtain other forms of relief. Note that “service providers” are not subject to a private cause of action, which only applies to “businesses” (as defined in the CCPA 2018). Thus, it can be expected that companies suffering a data breach will see litigation under the CCPA 2018 and potentially significant exposure to money damage awards.

Infrastructure Development. Perhaps the most significant change imposed by the new data privacy laws is the set of associated rights given to consumers whose personal data or information is collected. These consumers have the right to: (1) access their data and information and learn how it has been used; (2) restrict processing of their data; (3) have their data deleted; and (4) withdraw consent at any time. OTT providers must ensure that they have the infrastructure in place to handle the exercise of these rights by consumers. Thus, OTT providers will have to update their terms of use and privacy policies, create an effective consent/“opt-in” process, maintain staff and best practices to handle personal data requests, and maintain accurate and secure records of all data that is collected.

Selective Data Collection. More data is not necessarily better. This is the view taken by European legislators, and it is most clearly reflected in the principle of “data minimization” which underpins the GDPR. Each new piece of data that an OTT provider collects increases the risk that such data will be misused, whether internally or by external hackers. Each new piece of data also represents an incremental cost incurred by OTT providers to accurately store and maintain such data and respond to consumer disclosure and deletion requests. A failure in any of these processes could expose an OTT provider to hefty fines and expensive civil lawsuits. For these reasons, OTT providers would be wise to be selective in the data they choose to collect.

Diversify Data Practices Across Jurisdictions. While OTT providers should generally maintain a conservative data privacy approach, they should also tailor their practices to the different restrictions required by each jurisdiction. It cannot be assumed that compliance in one region will satisfy compliance requirements elsewhere. For example, the CCPA 2018 does not have the burdensome consent requirements imposed by the GDPR/DPA 2018 and allows 45 days to respond to a consumer right of access request, as compared to the 30-day period provided by the GDPR/DPA 2018. Differences in these regimes may allow for a diversified compliance strategy that maximizes data repurposing opportunities and minimizes compliance costs. Further, as data privacy law continues to develop through legislative, administrative and judicial processes, significant differences may emerge between jurisdictions with respect to what constitutes personal data and information, and what uses of it are permissible.