Streaming's Data Compliance Headache: "Entertainment Companies Are Going to Be Targets"

Adobe Stock

From Disney+ to Harry Potter websites, Hollywood is readying a slew of digital platforms, and California legislation is taking aim at those collecting user info.

You can tell a lot about a person from their Netflix queue, and whether the streamer recommends romantic comedies with quirky female leads or historical dramas or British comedies is determined by a viewer's data — a lot of it.

While the streamers and the rest of Hollywood have been writing nine-figure checks to top talent to attract viewers, a California privacy law going into effect Jan. 1 is shifting their focus to how much information they've collected from their users — and who they're sharing it with. Everything from Warner Bros.' online Harry Potter shop to ABC's Freeform app will need to be in compliance.

The law, dubbed the California Consumer Privacy Act, passed in response to concerns that most people have no clue how much of their private data businesses like Facebook and Google possess and how they use it. But the law applies to entertainment distributors too. "A lot of companies are scrambling," says Mark McCreary, chief privacy officer and co-chair of Fox Rothschild's data security practice. Only 2 percent of affected companies are now in compliance, according to a survey conducted by the International Association of Privacy Professionals this summer. "There's never been a law like this in the United States before," McCreary adds.

The CCPA gives California consumers the right to know what personal information a business is collecting from them; the right to know who it shares it with or sells it to; the right to request that a business delete that information; and the right to stop the sale of their info. A business must comply with the CCPA if it has annual gross revenue of more than $25 million; buys, sells or shares personal information of more than 50,000 consumers a year; or makes more than half its revenue from selling consumers' personal information.

Almost 300 businesses in arts, entertainment and recreation will meet the revenue threshold, and another 12,000 to 18,000 could be affected under the other two standards, according to an August study by Berkeley Economic Advising and Research that was commissioned by California Attorney General Xavier Becerra.

While none of the streamers would comment on the incoming law, a source close to Netflix tells THR that since its service is ad-free and its business model doesn't rely on selling personal data, the company supports the intent behind the legislation.

Conglomerates that operate globally might have a bit of a head start because of the European Union's similar General Data Protection Regulation, which became effective in May 2018. But the CCPA is more stringent. While the law becomes official Jan. 1, experts say it's likely the new rules won't be enforced until July 1 because Becerra is still finalizing the regulations. McCreary notes that becoming compliant is a "significant undertaking" and estimates most large companies should plan on six to 12 months of work.

Executives and lawmakers might also have different definitions of personal information, says attorney Rachel Marmor, who counsels corporations on how they collect and use data. "Business teams often consider data 'anonymous' if it isn't attached to a name or address, but CCPA obligations apply to things like device identifiers, IP addresses and cookie data as well," she says, adding that the volume of data collected by companies providing content will create challenges in drafting privacy disclosures and responding to access requests. "Many of these services use AI to provide content suggestions to the user — which in turn requires both extensive tracking of what that person has viewed to analyze their preferences and tracking of what others have viewed to analyze what people with particular preferences are interested in," notes Marmor.

That doesn't necessarily mean a streamer has to forfeit valuable data about viewing habits, though. In response to a verified request to delete personal data, a business can erase the information, de-identify it or aggregate it. "You can still use that information for research, reporting and deciding which projects to greenlight," says privacy attorney Jessica Lee. "You don't need to know Jessica Lee liked that movie. You need to know 40 million people liked it." McCreary agrees, though he notes it's easier said than done. "If they just want to see how many people watched Wonder Woman last month, they can give you a number that has nothing to do with you," he says. "That information keeps coming in, but there's no way to tie it back to you."

Companies also must notify users what info will be collected from them and how it will be used at or before the time of collection, and they must put a "Do Not Sell My Info" link on their websites and/or mobile apps.

The CCPA includes a right to sue for security breaches, which allows courts to award damages of $100 to $750 per consumer per incident. McCreary says it will "create a whole new industry for class-action lawyers."

Meanwhile, Becerra doesn't have to wait for a hack to crack down on rule breakers, and experts agree he's likely to go after companies that make an error affecting many people, like a mistake in a privacy policy. "They're going to go for the slam-dunk cases," says McCreary. "The entertainment companies are going to be targets. They have an extraordinary amount of information on their users, and that's partly how they make their money." Adds Lee, “The California attorney general has said very clearly that he does intend to enforce the law and levy fines. A lot of eyes are on California to see how this works, and a number of other states are considering their own laws.”

Meanwhile, Marmor isn’t convinced CCPA is the best way to protect consumer information. “In the age of big data, it would take hundreds of hours for a consumer to review the privacy policy of each website they visit, and it would take even more time to submit an access request, review the information, and request deletion even if desired,” she says. “And only the consumers who take the time to do this are protected.”

Becerra is still taking comments from members of the public who have concerns about the law’s implementation. Four public hearings are scheduled across the state next week, with one set in downtown L.A. on Dec. 3. Comments must be submitted by 5:00 p.m. PT on Dec. 5.

A version of this story first appeared in the Nov. 25 issue of The Hollywood Reporter magazine. To receive the magazine, click here to subscribe.