Netflix, Facebook, And 11 Others Flunked Their GDPR Privacy Assessments.

Dec. 11, 2018 7:15 PM ET | META, NFLX

Jeffrey Carr is the founder and managing director of Reel Holdings, LLC, a data analytics and film finance company registered in the State of Wyoming in 2018. He is also the organizer of the Suits and Spooks anti-conference, a boutique forum for the discussion of hard challenges in the national security space.


  • An AI-powered assessment was done on the privacy policies of Google, Facebook, Netflix, Amazon, Apple, Microsoft, and six other tech companies one month after GDPR went live. No one passed.
  • Even though Netflix (NASDAQ: NFLX) was notified about the problems in its Privacy Policy five months ago, it has not made any of the recommended changes as of this writing.
  • Netflix was recently implicated in a new Facebook (NASDAQ: FB) privacy scandal coming out of the British Parliament last week.

The General Data Protection Regulation (GDPR), in effect since May 25, 2018, gives individuals residing in the E.U. a set of eight rights over their personal data:

  1. Right to be informed
  2. Right of access
  3. Right to rectification
  4. Right to erasure (aka the right to be forgotten)
  5. Right to restrict processing
  6. Right to data portability
  7. Right to object
  8. Rights relating to automated decision-making and profiling

Any company found to be in non-compliance faces steep penalties of up to €20 million or 4 percent of annual global turnover (i.e., gross revenue, not net profit), whichever is higher. Facebook, for example, is facing a fine of up to €1.63B over a data breach affecting E.U. citizens.

Although companies had been preparing for this law to go into effect for many months, there is ample evidence to suggest that few companies were ready for it. One of the more interesting analyses was done by the Law Department of the European University Institute in Italy, which used an artificial intelligence program named Claudette to scan the privacy policies (over 80,000 words in total) of Google, Facebook, Instagram, Amazon, Apple, Microsoft, WhatsApp, Twitter, Uber, Airbnb, Skyscanner and Netflix.

All of them failed, including Netflix, for a variety of reasons, some more seriously than others. One of several issues in Netflix's case was its use of a phrase that the company has relied upon as a standard response to customers who object to something in its policies. It should have been a teaching moment for the company's privacy department that this phrase was flagged by the EUI's GDPR project, but it remains in the company's current policy as of this writing.

Take It Or Leave It

It's called the "Take It Or Leave It Approach" and generally takes two forms. The first appears in the Netflix Privacy Policy itself, which states: "If you do not wish to acknowledge or accept any updates to this Privacy Statement, you may cancel your use of the Netflix service." The second appears in the response a Netflix customer receives after contacting the company at the "" email address, in which the customer is politely told something akin to: "If ....... does not meet your needs, though we would regret losing you as a member, you may cancel your membership without penalty. Sincerely, Netflix"

How does the Take It or Leave It Approach violate the GDPR?

From the EUI's assessment:

According to the GDPR, “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” (art 7(4)). The Article 29 Working Party Guidelines on consent also state that “the situation of “bundling” consent with acceptance of terms or conditions, or “tying” the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service, is considered highly undesirable.” (section 3.1.2, page 8). To state once again: this normative threshold is used to explain why the “take it or leave it” approach should be assessed negatively according to the GDPR. This does not change the fact that, based on art 4(11) and 7(2), any consent “hidden” in the privacy policy will be per se invalid.

Netflix, like every other company mentioned in that report, was notified by BEUC (the European Consumer Organisation, which co-sponsored the study) about its GDPR non-compliance issues. Unlike some of the other companies, which responded positively, Netflix ignored the notice and did nothing to change its language; the company's Privacy Policy still shows a last-updated date of May 11, 2018. This is surprising, since the company lists privacy concerns over customer data as a risk factor in its 2017 Annual Report. The relevant passage from that filing reads:

Privacy concerns could limit our ability to collect and leverage our membership data and disclosure of membership data could adversely impact our business and reputation. In the ordinary course of business and in particular in connection with content acquisition and merchandising our service to our members, we collect and utilize data supplied by our members. We currently face certain legal obligations regarding the manner in which we treat such information. Other businesses have been criticized by privacy groups and governmental bodies for attempts to link personal identities and other information to data collected on the internet regarding users' browsing and other habits. Increased regulation of data utilization practices, including self-regulation or findings under existing laws that limit our ability to collect, transfer and use data, could have an adverse effect on our business. In addition, if we were to disclose data about our members in a manner that was objectionable to them, our business reputation could be adversely affected, and we could face potential legal claims that could impact our operating results. Internationally, we may become subject to additional and/or more stringent legal obligations concerning our treatment of customer and other personal information, such as laws regarding data localization and/or restrictions on data export. Failure to comply with these obligations could subject us to liability, and to the extent that we need to alter our business model or practices to adapt to these obligations, we could incur additional expenses.

Speaking directly to this concern, the New York Times reported last week that between 2012 and 2015 Facebook had sold access to its API and Messenger API in order to favor certain companies (such as Netflix, Airbnb, and Lyft) and punish others. This raised serious questions among U.S. lawmakers:

“Americans’ data belongs to them, not Facebook,” said Senator Edward J. Markey, a Democrat of Massachusetts. “Any evidence of a pay-for-data model would fly in the face of the statements Facebook has made to Congress and the public.”

Just one year before that, in 2011, Netflix and Facebook were lobbying Congress, and Netflix was simultaneously lobbying its own subscribers via its blog (later deleted), to repeal or revise the Video Privacy Protection Act so that customers could use the Netflix app to share what they were watching on Facebook without having to give consent each time. Netflix set up a Political Action Committee, spent about one million dollars, and was successful: the House passed the amendment in December 2011, and it was signed into law in January 2013.

Netflix received a copy of the EUI's report, like all of the companies mentioned, but in the five months since that report came out, it hasn't changed a single word in its Privacy Policy.

Publicly traded companies like Facebook, Netflix, Google, Apple, Disney, Warner, and Microsoft, which depend on subscriptions and personal data for business growth, must anticipate an increasingly activist subscriber base that will demand transparency about how their data is used, monetized, and accessed, and about whom to hold accountable.

This is the beginning of a very long war over not just personal data, but the information that's derived from that data and its ownership as well.

Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.
