Sling TV Settlement Dives Deep Into Consumers' Opt-Out Experiences
California's Oct. 30 settlement with Sling TV reinforced that regulators are focused on opt-out processes and children’s data, while revealing that they are looking more closely at how privacy choices influence the consumer experience, privacy lawyers said afterward.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
In the $530,000 settlement, the California attorney general's office found that the Dish subsidiary's complicated and confusing opt-out mechanisms violated the California Consumer Privacy Act (CCPA) (see 2510300040). Additionally, Sling TV made it difficult to provide extra privacy protections for kids, such as limited targeted advertising, as required by the law (see 2510300052).
The settlement reinforced that sales opt-outs and minors’ data are "big targets," and it seems that will continue, Shook Hardy's Josh Hansen said in an interview with Privacy Daily. But it also showed regulators are digging “a little bit deeper into these opt-out processes.”
“It's no longer just, ‘Oh, it was very clear you weren't honoring the opt-out,’” he said. Instead, the attorney general faulted Sling TV for its "confusing" opt-out process, which is “one of the first instances of a state privacy settlement addressing possible dark patterns.”
Benjamin Mishkin, a Cozen O’Connor privacy attorney emphasized Sling’s "conflating user cookie preferences with the CCPA’s right to opt-out of selling/sharing data.” Though “tracking cookies are often related to activities that constitute selling/sharing under the CCPA,” the settlement shows companies can't "rely solely on a standard ‘cookie banner’ as effectuating not only cookie preferences but also satisfying their obligation to allow consumers to exercise their opt-out rights under the CCPA," he said in an email.
Hansen agreed. “For a lot of companies,” having opt-out preferences redirect [users] to cookie preferences likely works "because cookies are the only sale and sharing of data that they do,” he said. But that “wasn’t all that Sling did.”
This is also “one of the first times” there has been an “enforcement action against a company that doesn't really have its primary interactions through a website,” said Hansen.
As such, companies should think about how they interact with consumers, Hansen said. So, companies that operate more than a website -- a mobile app or have physical interactions with consumers, for instance -- should think about offering opt-out methods beyond a hyperlink.
Holland & Knight's Kevin Angle highlighted the AG's argument that Sling’s “characterizing cookie settings as ‘Do Not Sell/Share My Info’ within the preference center was deceptive, since data was sold by Sling in other ways.” In a LinkedIn post, Angle noted that he has “seen that version of the preference center many times!”
Mishkin added “that Sling was penalized for forcing logged-in customers to enter personal information into Sling’s CCPA request webform that Sling already had access to,” probably “things like their name and email address," even though “Sling already knew that information.”
This shows if users can "submit CCPA requests while logged in to their accounts, you may need to create a technical mechanism to automatically associate the logged-in user’s data with their request in order to avoid unduly burdening the requestor by asking for information you already have,” he said.
Hansen said another big takeaway from the settlement is that companies must address the low-hanging fruit. “If you're directing people to a page where they can exercise only a portion of their rights, it should be clear what [privacy rights] you're offering." If a company isn't "offering the full family of rights” and consumers must go “somewhere else” to access additional options, “there's a question whether that's even allowed.” If it's allowed, companies “need to be transparent about how the process works.”
Companies should “walk through the consumer’s experience" as people "try to exercise their rights," and think about how easy or difficult it is, he added.
Childrens' Data and Disgorgement
The settlement also shows that children’s data continues to be “a focal point,” which isn't a "surprise,” Hansen said. “It's going to continue to be an area that regulators hone in on.”
Angle said, “The AG argued that Sling should have allowed parents to create specific ‘kid's profiles’ that turned off the collection, sale and cross-context advertising.”
Privacy attorney Dalton Cline of Dentons said in a LinkedIn post that the “data disgorgement as part of the injunctive relief” stood out. Under the settlement, “Sling must delete the data of consumers it has ‘actual knowledge’ are children collected prior to the enforcement date.” Cline called this “a shock to the system.”
“To my knowledge, this is the first time data disgorgement has been part of the injunctive relief imposed by a state regulator,” Cline added. “The AG's remedy here suggests that regulators are seeking to ensure an organization won't make the business decision to pay a fine as the price of conducting business in a way [that] violates consumer's privacy rights.”
Hansen said, “What's been a common thread in a lot of these settlements is [regulators] will find something, and then they will dive deeper into it.” But “what seems to be the starting point for many of these investigations is the readily apparent issues,” mostly concerning sale of data.
“The laws aren't necessarily clear, so [companies] need to document why and how” they make decisions, Hansen added. Regulators are “not looking to penalize" companies trying "in good faith to comply.”
Given that the AG announced a sweep of streaming platforms in 2024 -- which this settlement stemmed from -- it's important for companies to “continue to monitor” what regulators are saying, Hansen said.