A US smart TV maker tracked the program-watching habits of millions of viewers and collected their personal data to onsell to third parties without consent, in one of the largest deliberate privacy breaches recorded.
Vizio, which was acquired by Chinese electronics maker LeEco last year, has agreed to pay the US Federal Trade Commission (FTC) and the New Jersey Division of Consumer Affairs a total of US$2.5 million (A$3.27 million) for the privacy violation, US$300,000 of which was suspended.
The company was also ordered to delete most of the data, which it collected from over 11 million internet-connected TV sets since 2014 and sold to advertisers and other third parties, unbeknownst to viewers.
To identify what people were watching, Vizio collected a selection of pixels on the TV screen and matched them to a database of television, movie, and commercial content.
This included data from a range of content sources such as streaming devices, free to air broadcasts, cable TV, DVD players, and more.
A wholly-owned subsidiary, Vizio Inscape Services, formerly known as Cognitive Media Services, developed automated content recognition (ACR) software for the TV vendor to collect viewing histories.
Although Vizio did not allow re-identification of user data with consumer names, it appended a large amount of personal details to the viewing histories it collected. Third parties that bought viewing histories received them matched to information such as a consumer's sex, age, marital status, income, household size, education, and home ownership.
Information on devices in viewer homes, such as their network IP and unique media access control (MAC) identifiers, was also collected by Vizio's ACR software, along with wi-fi signal strength and nearby access points, the FTC said.
The TV maker went as far as to retrofit older devices with the ACR software to glean further information, and permitted third parties to track viewers across devices.
Vizio was able to capture as much as 100 billion data points each day from millions of TVs, the FTC said.
The regulator said Vizio provided no onscreen notice to viewers that the data collection would take place. The ACR viewer tracking and data collection was enabled by default, and Vizio hid the functionality under a setting that it said would provide program offers and suggestions, which did not take place.
Vizio has published information on how to turn off the "Smart Interactivity" ACR feature on its TVs.