GDPR Spotlight on media platforms

Personal Data has been Hollywood’s rising star over the last few years. But will the introduction of Europe’s new General Data Protection Regulations steal the spotlight?

I had a bit of a migraine this weekend, so I spent the better part of the last two days on the couch watching Narcos and a few period costume dramas on Netflix. As I scrolled through the recommendations deciding what to watch, I smiled to myself thinking of how confusing my behaviours must appear to the algorithms used by Netflix. My tastes vary from watching FBI agents in 1970s Columbia, to Miss Elinor Dashwood in rural Georgian England.

Me Before You is apparently a 95% match to my preferences, despite being a film I have no desire to see. On the other hand, Blackfish, the whale documentary I’ve seen three times, is only a 54% match. Of course, Netflix only knows what my online behaviour reflects. And while it may not be perfect, when my behaviour is combined with my personal data, Netflix recommendations are fairly accurate most of the time. The advancement in behavioural analytics is big business in the world of media consumption – and it’s only getting bigger.

Unlike traditional ways of consuming audiovisual content through radio, cable television, or going to the movies, on-demand and streaming services provide a mechanism by which viewers can deliver feedback to the content creators.

Whether it’s by clicking one TV show instead of another, subscribing to a platform using an email address, following actors on instagram, or simply using a film’s hashtag on twitter, our preferences have become much easier to track and analyse online. For content creators, collecting and analysing personal data has become second nature. “You do not make a $100 million investment these days without an awful lot of analytics,” said Netflix’s director of product analytics, Dave Hastings (Source).

Behavioral analytics use the massive volumes of raw user data captured during sessions in which consumers use applications and websites, including navigation paths, clicks, social media interactions, purchasing decisions and marketing responsiveness. This focus on understanding how consumers act online – and why – enables more accurate predictions about how we are likely to act in the future.

63% of adults in the UK use iPlayer, making it the most popular on-demand/streaming service. (Source: Ofcom 2017 report)

From May 2018 however, the environment in which companies control and process personal data will become a lot more complicated thanks to the General Data Protection Regulation, or “GDPR.” For media platforms in particular, I consider that the key areas of concern are likely to be consent, the right to be forgotten, design, and the extended reach of the law to non-European companies.

• Consent. The GDPR grants people more control and choice regarding what companies can do with their personal data. “Personal data” is any information relating to a natural person, including names, ID numbers, IP addresses, and usernames. Currently, businesses can rely on implied consent from users: continued use of a website or having pre-ticked “I agree” boxes are such examples. The GDPR requires that users give clear, affirmative consent that constitutes a “specific, informed and unambiguous agreement” to their personal data being processed. From May, viewers should expect to see new pop-up boxes or notices online regarding the collection and processing of their data.

BBC iPlayer allows viewers to watch a wide variety of programming. Signing in allows the service to recommend particular shows to users (“My Programmes,” top right).

• Right to be Forgotten. Businesses will need to be transparent as to why they engage in profiling activities such as online tracking, direct marketing, and behavioural advertising. Importantly, the GDPR allows people to withdraw consent, or even have all of their data “forgotten.” This means that if asked to do so, organisations must delete a user’s account and all associated personal data. As mentioned above, the  insights gained from behavioural analytics have been incredibly valuable for content creators. As such, to maintain the benefits of direct marketing, platforms will need to convince consumers that profiling helps make their online experience more interesting and relevant.
• Privacy by Default and Design. Under the GDPR, the strictest privacy settings automatically apply “by default” when a customer acquires a new product or service. Additionally, organisations must consider data protection from first stages of design for any new technology, product or service involving use of personal data. This is contrary to the more widespread approach of “privacy as an afterthought,” where data protection is simply added on top of the existing platform. Unfortunately, there is little understanding of and research on the complexity of this engineering task, not least because certain privacy vulnerabilities may be hidden until a product is brought to market and tested in the real world.

Whether you’re in the United States, Columbia, or anywhere in between, if you process European data, you’re subject to the GDPR (photo: Narcos on Netflix)

• Implications for Hollywood. Another key change under the GDPR is that these rules will apply to non-European companies if they deal with European citizens’ data: this would include Netflix, Amazon, Snap, Inc. and countless others. This may prove to be a difficult task, as America recently rolled back data regulation introduced by the Federal Communication Commission which limited the collecting and selling of personal data. Will companies in the US now operate on two different privacy settings, one for each side of the Atlantic?
• Tougher Fines. Organisations cannot afford to neglect the GDPR, as penalties for data breaches are severe. Under the current laws, each individual member state of the EU can set its own fine levels: in the UK, the maximum fine is £500,000. However, the GDPR will set a common European fine system, ranging from €10 million to 4% of annual worldwide turnover of the preceding financial year.

These are only a few ways in which the GDPR will likely impact how media platforms deal with collecting and processing personal data, and how European citizens control how their data is used. For audiovisual platforms especially, these changes may inspire innovations which build customer trust and minimise security risks. With data protection fines and penalties named as the “top risk” for over 40% of media companies (Report), this can only be a good thing – for both businesses and consumers alike.