Skip to content

Newspaper Column

PCPD in Media

"To Watch and to be Watched: Behavioural Tracking and Content Personalisation by Streamers"-- Privacy Commissioner's article contribution to Hong Kong Lawyer (July 2020)

Watching films and TV shows on streaming platforms is increasingly popular. Are you aware that you may be watched at the same time?

While the COVID-19 is causing a tough blow to many businesses and the global economy, the lockdown conditions and the embrace of “staying at home” boost the demand for at-home entertainment, in particular video streaming services. Disney Plus has almost doubled its global subscriber number to 50 million since last February as the virus spread across continents. In view of the increase in the number of viewers of streaming websites, cybercriminals have been registering domain names featuring the brands of streamers to deceive viewers to install infected files or reveal personal information. As we watch video entertainment at our fingertips on streaming websites, we should beware of our viewing behaviours being watched too.

Online Behavioural Tracking

As opposed to brick and mortar video rental services, streamers can watch and record the content a viewer has searched for and viewed, time of the viewing activities, the devices used for viewing, the sequence of viewing as well as the completion rate of a particular content (i.e. whether he/she finished watching a film till its end or all the episodes of a TV series).

A streamer posted a message on Twitter in 2017 saying, “To the 53 people who've watched A Christmas Prince every day for the past 18 days: Who hurt you?” Another streamer also shared its users’ behaviour by posting “Dear person who played ‘Sorry’ 42 times on Valentine’s Day, What did you do?” in an advertising billboard in 2016. Although these publicity messages did not reveal the identities of the users concerned, they demonstrated that the streamers can tell precisely what their users have been watching or listening to over a period of time.

In addition, online advertisers often use sophisticated algorithms to analyse internet users’ behavioural data, build detailed profiles of the users and categorise them accordingly. The user categories can be used for the presentation of marketing materials or advertisements considered to be relevant to them. According to a study conducted by researchers of the Princeton University and the University of Chicago (https://tv-watches-you.princeton.edu/
tv-tracking-acm-ccs19.pdf
), tracking was pervasive on two popular video streaming platforms in the United States. It was found that tracking was extensively conducted in many different channels by third-party domains associated with advertising and analytics functions.

Content Personalisation

Big data analytics is now widely used for behavioural study, forecasting trends, targeting the right audience or customers, etc. With users’ viewing data and data analytics tools, streamers can understand comprehensively and predict the interests, preferences and viewing habits of their subscribers. They algorithmically recommend new content that may be of interest to their subscribers, thereby encouraging further viewing and continued subscription of the streaming services.

As stated by Netflix in its blog (https://netflixtechblog.com/artwork-personalization-c589f074ad76), the main goal of its personalised recommendation system has been to “get the right titles in front of each of its subscribers at the right time”. It goes even further to personalise the imagery used to portray the titles on its streaming platform to highlight the aspects of a title that are specifically relevant to a particular subscriber, thereby creating “personalised recommendations and personalised visuals” for each subscriber.

From the users’ perspectives, content personalisation may improve the viewing experience and inspire them of new and interesting titles. However, the award-winning film director, Martin Scorsese, indicated his concern about algorithms and that streamers would be over-feeding the audience with content similar to what they watched before. This, as he warned, might drive us away from the creative viewing experience.

Privacy Implications

As individual users benefit from the convenience and inspiration brought by entertainment streamers, they should be aware of the digital footprints passively left behind. From a privacy perspective, an individual’s viewing history and ratings of content watched may reveal his/her personal and even sensitive information, causing surprises, embarrassments, psychological and reputational harm to the individual.

In a classic privacy incident in the US, a retailer had analysed a teenager’s purchase records and revealed her pregnancy status well before her father knew about it. In another classic privacy incident, a streamer released anonymised rating data of their subscribers to contenders in a competition to help improve their movie-recommendation algorithms; little did they know that it was possible to combine the anonymised ratings with other publicly available data, re-identify the subscribers and reveal their political views and religious beliefs.

Before subscription, consumers should read the personal information collection statements (commonly known as PICS) and privacy policies of streamers carefully in order to understand (1) what kinds of personal data will be collected during usage of the services, (2) for what purposes the personal data will be used, and (3) to whom the personal data will be transferred. Consumers may object to the use and/or transfer of their personal data for direct marketing under the Personal Data (Privacy) Ordinance (Ordinance).

Streamers as data users should comply with the Ordinance in the collection and use of personal data. In particular, it is a criminal offence under the Ordinance to use or transfer personal data for direct marketing purpose without the data subjects’ consent or upon the data subjects’ opt-out requests. An offender is liable, upon conviction, to a fine of HK$1,000,000 and imprisonment for five years.

Personal data belongs to individuals. Organisations, streamers included, should, in addition to complying with the legal requirements, respect individuals’ personal data privacy right by being transparent and explainable in their privacy policies and practices, and by returning to individuals the legal right to control the collection, use and disclosure of their personal data.