Smart TV manufacturer Vizio tracked data on 11 million of its customers TVs without their knowledge or consent, the Federal Trade Commission announced this week.
The Irvine, Calif.-based company agreed on Monday to pay $2.2 million to settle charges that it collected scores of its customers’ data. While the company tracked what programs users watched it also tracked information corresponding to customers’ sex, age, income, marital status, household size, education level, home ownership and household value.
According to a complaint filed by the agency in the U.S. District Court for the District of New Jersey on Monday, Vizio tracked users through proprietary automated content recognition (ACR) software made by a subsidiary, Inscape Services. While that software has been turned on by default since 2014 on most of Vizio’s televisions, the FTC alleges that in some instances the company remotely installed it on any previously sold televisions that didn’t have the software.
The software feeds Vizio a “second-by-second” transmission on what its consumers watch, regardless of whether its on cable, on demand, a streaming device like Google’s Chromecast or Amazon’s Fire Stick, or even a DVD. According to the complaint, the software has quite the reach and is able to capture “up to 100 billion data points each day from more than 10 million VIZIO televisions.”
In addition to household demographics, the software also siphoned up technical details such as the home’s IP address, wired and wireless MAC addresses, how strong the home’s WiFi was, and even any nearby WiFi networks, the complaint (.PDF) reads.
The complaint alleges the company sold this information to third party companies who first used it to analyze the effectiveness of advertising, and then used it in targeted advertising.
“Defendants provide these third parties with IP addresses, so that the third parties can analyze a household’s behavior across devices, in order to determine, for example, (a) whether a consumer has visited a particular website following a television advertisement related to that website, or (b) whether a consumer has viewed a particular television program following exposure to an online advertisement for that program. The data is used in the aggregate to evaluate the effectiveness of advertising campaigns,” the complaint reads.
The company failed to provide users with any notice their viewing habits were being tracked. It wasn’t until March 2016 – in the midst of investigations against the company – that Vizio sent users a quick pop-up notification on their television notifying them their viewing data was being collected.
“This notification timed out after 30 seconds without input from the household member who happened to be viewing the screen at the time, and did not provide easy access to the settings menu,” the complaint reads.
Going forward the company is being asked to disclose and obtain consent for any information it collects in the future, maintain transparency when it comes to what its doing with its customers’ information, and to develop a data privacy program subject to assessment every two years.
As part of the settlement Vizio is also being asked to erase any data it may have collected before March 1, 2016. Of the $2.2 million paid to settle the matter, $1.5 million will go to the FTC, another $1 million to the New Jersey Division of Consumer Affairs, with $300,000 of that amount suspended.
Vizio, for its part, issued a press release shortly after the settlement was announced on Monday saying it was “pleased to reach this resolution” and that it set a “new standard for best industry practices,” At the same time the also company took a moment to clarify exactly what kind of customer information its ACR program gathered.
According to Jerry Huang, Vizio’s General Counsel, the program didn’t pair viewing data with personally identifiable information; instead, as the complaint specifies, it was used “in the ‘aggregate’ to create summary reports.”
“VIZIO is pleased to reach this resolution with the FTC and the New Jersey Division of Consumer Affairs. Going forward, this resolution sets a new standard for best industry privacy practices for the collection and analysis of data collected from today’s internet-connected televisions and other home devices,” stated Jerry Huang, VIZIO General Counsel. “The ACR program never paired viewing data with personally identifiable information such as name or contact information, and the Commission did not allege or contend otherwise. Instead, as the Complaint notes, the practices challenged by the government related only to the use of viewing data in the ‘aggregate’ to create summary reports measuring viewing audiences or behaviors.”
“Today, the FTC has made clear that all smart TV makers should get people’s consent before collecting and sharing television viewing information and VIZIO now is leading the way,” concluded Huang.
In the FTC’s eyes, Vizio’s statement runs counter to a securities filing previously filed by the company. In the filing, Vizio claims its data analytics program “provides highly specific viewing behavior data on a massive scale with great accuracy, which can be used to generate intelligent insights for advertisers and media content providers.”
The FTC’s Acting Chairman Maureen K. Ohlhausen said Monday that Vizio’s practices, specifically how it failed to disclose the fact it was tracking users, were unfair and deceptive.
“Evidence shows that consumers do not expect televisions to collect and share information about what they watch. Consumers who are aware of such practices may choose a different television or change the television’s settings to reflect their preferences,” Ohlhausen wrote. (.PDF) ”
The FTC filed a complaint against another major technology company, D-Link, earlier this year. In that complaint, the agency alleged the router manufacturer failed to adequately secure its wireless routers and IP cameras, something that could have potentially put its customers’ data at risk of compromise.