Have you ever had the niggling suspicion your television was watching you?  Apparently, if it was made by smart technology manufacturer VIZIO, it very well may have been.  In a $2.2 million settlement with the Federal Trade Commission (FTC) and the New Jersey Attorney General, VIZIO acknowledged that it collected and sold data from 11 million televisions without viewers’ knowledge.

According to the FTC complaint, beginning in February 2014, VIZIO smart televisions covertly recorded continuous data of what viewers watched without their knowledge or consent. The television’s Smart Interactivity feature was advertised simply as way to get program recommendations.  But when the feature was activated, rather than make viewing suggestions, it collected data from cable, on-air broadcasts, dvds, broadband, and streaming devices and sent it back to VIZIO via the company’s embedded, proprietary ACR software.  The data, including a persistent identifier for each television, program and commercial viewed, when it was viewed, how long it was viewed, and what channel it was on, was then sold to third parties for audience measurement, analyzing advertising effectiveness, and behavioral advertising purposes. The complaint asserts that these actions violated Section 5 of the FTC Act and New Jersey consumer protection laws.

Under a stipulated federal court order, VIZIO is required to obtain express consent for its data collection and sharing practices, and must institute a comprehensive data privacy program.  The company is also barred from mispresenting the privacy, security, and confidentiality of consumer information it collects.

FTC Acting Chairman Maureen K. Ohlhausen issued a concurring statement in which she noted that “[e]vidence shows that consumers do not expect televisions to collect and share information about what they watch.”  She went on, however, to caution:

We must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers. This case demonstrates the need for the FTC to examine more rigorously what constitutes “substantial injury” in the context of information about consumers. In the coming weeks I will launch an effort to examine this important issue further.

Ohlhausen’s statement is consistent with earlier dissenting and concurring statements in other cases suggesting that FTC privacy and data security enforcement actions should focus on instances where business actions resulted in actual harm to consumers. The type of review Ohlhausen describes may result in affirming the importance of all three factors under the Commission’s 1980 Unfairness Policy Statement.  With the Internet of Things exploding, manufacturers of smart products should stay tuned.