What Roku and Sling TV Settlements Reveal About Privacy Enforcement
Streaming service providers are finding themselves in the spotlight of regulators. Sling TV has entered the group chat, settling a $530,000 enforcement action with California's Attorney General for “failing to provide an easy to use method for consumers to stop the sale of their personal information and by failing to provide sufficient privacy protections for children”. Meanwhile, both the Michigan and Florida Attorneys General have filed suits against Roku, America’s #1 streaming platform, under the Michigan Consumer Protection Act and Florida’s Digital Bill of Rights respectively.
Florida's suit is the first enforcement action under its Digital Bill of Rights; it alleges that Roku collected children's viewing habits and voice recordings without parental consent. These actions are part of a larger pattern: test cases revealing exactly where state regulators are looking.
Enforcement patterns becoming clear
Enforcement agencies now have a defined playbook for their actions, and the Sling TV settlement makes this crystal clear. California's DOJ didn't just review the privacy policy. They tested the actual user experience, evaluated the use of targeted advertising on children's profiles, and measured whether opt-out mechanisms worked (or were present at all) across different platforms.
Specific violations:
Sling TV (California CCPA):
Convoluted and hard-to-find methods to opt out of the sale and sharing of personal information; cookie preferences were combined with the CCPA opt-out even though turning off cookies alone was insufficient
Logged-in (known) users were required to re-enter their information (name, email, address and phone number) to submit a request, even though Sling TV already held that information
Didn't provide opt-out methods within apps on living-room devices
Failed to obtain affirmative opt-in authorization when minors under 16 were likely watching
Roku (Florida Digital Bill of Rights):
Collected, sold, and enabled reidentification of children's viewing habits and voice recordings without parental authorization
Misrepresented the effectiveness of privacy controls and opt-out tools
Failed to implement industry-standard user profiles to identify child users despite offering Kids & Family content, kids' screensavers, and theme packs
Failed to contractually obligate the recipients of the shared data to comply with the provisions of the Digital Bill of Rights.
What’s interesting in the Sling TV findings is the specific call-out that the opt-out process for logged-in users should not require the consumer to re-enter their details to submit a request. In practice, clients subject to the CCPA that have a logged-in customer experience should integrate with their identity provider to auto-populate the user’s details when the consumer initiates a new rights request. We can tell you now that this is rarely followed in practice.
Florida's action against Roku follows the same playbook. The complaint doesn't allege Roku had no privacy controls. It alleges those controls didn't work effectively. Roku offered kids' screensavers and theme packs but didn't use those obvious indicators to segment child users. They partnered with data brokers while claiming to protect privacy, but sold "deidentified" data that could still be reidentified. Loose policy governance rears its ugly head here too, as we’ve seen in other recent enforcement actions.
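As an added illustration (not Sling TV's code, nor anything from the settlement), here is the shape of a rights-request flow that does what the finding asks for: a logged-in user's request is pre-filled from the identity provider's claims rather than typed in again, and the resulting opt-out is recorded on the account, separate from any cookie preference. The claim names (`sub`, `name`, `email`), the request types and the profile dictionary are assumptions made for the example.

```python
"""Pre-filled rights request for an authenticated user.

Added example, not Sling TV's or any regulator's code. It assumes the app
already has an authenticated session whose identity-provider (IdP) claims
carry the subject id, name and email; the claim names and the in-memory
profile store are hypothetical.
"""
from dataclasses import dataclass, field

REQUEST_TYPES = {"opt_out_sale_sharing", "access", "delete"}

# Fields a naive form would make the consumer type in a second time.
CONTACT_FIELDS = ("name", "email", "address", "phone")


@dataclass
class RightsRequest:
    request_type: str
    source_platform: str          # "web", "ios", "android", "tv_app", ...
    fields: dict = field(default_factory=dict)
    prefilled_from_idp: bool = False
    # What the consumer still has to supply; empty means one-click submit.
    missing_fields: tuple = ()


def prefill_from_claims(request_type, source_platform, claims):
    """Build a request from IdP claims so a logged-in user never re-types
    data the service already holds. For an opt-out the known subject id is
    enough; access and deletion still need an email to deliver the reply."""
    if request_type not in REQUEST_TYPES:
        raise ValueError(f"unknown request type {request_type!r}")
    if not claims.get("sub"):
        raise ValueError("prefill requires an authenticated subject")

    fields = {"subject_id": claims["sub"]}
    for name in CONTACT_FIELDS:
        if claims.get(name):
            fields[name] = claims[name]

    if request_type == "opt_out_sale_sharing":
        missing = ()
    else:
        missing = () if "email" in fields else ("email",)

    return RightsRequest(request_type, source_platform, fields, True, missing)


def apply_opt_out(profile, req):
    """Record the opt-out on the account, independent of cookie settings.
    A cookie banner is a browser-local signal; the do-not-sell flag has to
    follow the account to every platform and every downstream data flow."""
    if req.request_type != "opt_out_sale_sharing" or req.missing_fields:
        raise ValueError("request is not a complete opt-out")
    profile["do_not_sell_or_share"] = True
    profile.setdefault("opt_out_sources", []).append(req.source_platform)
    return profile


if __name__ == "__main__":
    # Constructed sample claims, as an IdP would return them after login.
    claims = {"sub": "u-1001", "name": "A. Viewer", "email": "a@example.test"}
    req = prefill_from_claims("opt_out_sale_sharing", "tv_app", claims)
    profile = apply_opt_out({"cookies_accepted": True}, req)
    print(req.missing_fields, profile["do_not_sell_or_share"])
```

The point of `apply_opt_out` is that the flag lives on the account record, not in the cookie jar: the profile in the example keeps `cookies_accepted` untouched while `do_not_sell_or_share` is set, which is exactly the separation the Sling TV finding says was missing.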
Quick audit: can a logged-in user opt out of the sale/sharing of their personal data in two or three clicks or less on every platform where you interact with them? If you're counting steps or checking documentation, you already have your answer.
What Regulators Are Actually Testing
The Multi-Platform Gap
Sling TV's settlement highlights a critical oversight: they didn't provide opt-out methods within their apps on living-room devices. Your web-based privacy center means nothing if consumers primarily interact with you through mobile apps, smart TV interfaces, or connected devices.
Furthermore, Delaware's Deputy Attorney General John Eakins was recently on a panel at the IAPP’s annual Privacy, Security and Risk event in San Diego and shared that “his office emphasized looking into the use of personal data in connected devices from cars to televisions”.
Net: managing, measuring and governing consumer rights across all platforms is quickly becoming a muscle teams need to develop.
Test this yourself: Try to exercise a privacy right on every platform where your service is available. Mobile app, smart TV, web browser, voice interface. If the process differs significantly or doesn't exist on certain platforms, you're creating the exact friction pattern that triggers enforcement.
The "Willful Disregard" Standard
Florida's complaint introduces a concerning precedent: platforms cannot claim ignorance about child users when they actively market children's content and maintain child-directed features. The state argued that Roku's Kids & Family channel, cartoon screensavers, and age-based content categories made it impossible to claim they didn't know children were using the platform.
It's no longer sufficient to plead ignorance and to say "we don't knowingly collect children's data." If your business model includes child-directed content, regulators expect proactive age verification and parental control systems.
The Third-Party Accountability Problem
Both enforcement actions scrutinize vendor relationships. Florida's complaint specifically faults Roku for partnering with Kochava, a data broker currently defending an FTC action for improper geolocation disclosure. The message: your vendor's compliance problems become your compliance problems.
We're seeing clients realize their vendor assessment process focused on contract terms, not operational reality. The question isn't "does the vendor say they're compliant?" It's "can you demonstrate what data they're actually collecting through their SDK?"
Consider adding safeguards into your vendor/supplier onboarding practice where contract and/or privacy teams are at the table to ensure state level provisions are included.
What Actually Works
Proactive User Segmentation
If you offer child-directed content, implement user profiles with age verification. California's settlement requires Sling TV to provide parents with clear disclosures and tools to minimize collection and use of their children's data. This isn't just about kids' profiles anymore. It's about demonstrating you've architected your system to recognize different user types and apply appropriate protections.
The implementation challenge: retrofitting age verification into platforms that were never designed for it. Plan your engineering resources accordingly; these efforts can take several weeks to months.
Friction Audits for Privacy Rights
Count the clicks. Test your logged-in user experience. Test it across all platforms. If exercising a privacy right takes longer than making a purchase, you've built friction into the system. Organizations that conduct quarterly UX testing on privacy controls spot problems before regulators do.
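The click-counting audit above, the "quick audit" and the "test this yourself" exercise earlier all reduce to one measurement per platform: the shortest click path from the home screen to the opt-out control, compared with the path to a purchase. The following added example (not from the article or any vendor) models each platform's UI as a directed graph of screens and runs that measurement; the screen names, platform list and navigation graphs are constructed for illustration, and a living-room app whose only opt-out lives on the website shows up as "missing".

```python
"""Friction audit: count the clicks to a privacy opt-out on each platform.

Added example, not from the article or any vendor. Each platform's UI is
modelled as a directed graph of screens (hypothetical, constructed data);
an edge is one tap or click. The audit reports the shortest click path to
the opt-out control and compares it with the path to a purchase.
"""
from collections import deque

OPT_OUT = "do_not_sell_or_share"
PURCHASE = "confirm_purchase"


def shortest_clicks(nav, start, target):
    """Breadth-first search over the screen graph; returns the number of
    clicks from start to target, or None when the target is unreachable."""
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        screen, clicks = queue.popleft()
        if screen == target:
            return clicks
        for nxt in nav.get(screen, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, clicks + 1))
    return None


def audit(platforms, max_clicks=3):
    """Return {platform: finding}. Each finding carries both click counts
    and a status of 'ok', 'too_deep', 'missing' or 'slower_than_purchase'."""
    results = {}
    for name, nav in platforms.items():
        to_opt_out = shortest_clicks(nav, "home", OPT_OUT)
        to_purchase = shortest_clicks(nav, "home", PURCHASE)
        if to_opt_out is None:
            status = "missing"
        elif to_purchase is not None and to_opt_out > to_purchase:
            status = "slower_than_purchase"
        elif to_opt_out > max_clicks:
            status = "too_deep"
        else:
            status = "ok"
        results[name] = {"opt_out_clicks": to_opt_out,
                         "purchase_clicks": to_purchase,
                         "status": status}
    return results


# Constructed navigation graphs: screen -> screens reachable in one click.
PLATFORMS = {
    "web": {
        "home": ["privacy", "store"],
        "privacy": [OPT_OUT],
        "store": [PURCHASE],
    },
    "mobile": {
        "home": ["settings", "store"],
        "settings": ["more"],
        "more": ["legal"],
        "legal": ["privacy"],
        "privacy": [OPT_OUT],
        "store": [PURCHASE],
    },
    # Living-room app: the store is one click away, but the opt-out only
    # exists on the website, so it is unreachable from inside the app.
    "tv_app": {
        "home": ["settings", "store"],
        "settings": ["help"],
        "help": [],
        "store": [PURCHASE],
    },
}

if __name__ == "__main__":
    for platform, finding in audit(PLATFORMS).items():
        print(f"{platform:8} {finding}")
```

In a real audit the graphs come from walking each client build (or from the product's navigation spec) rather than being typed in, but the comparison stays the same: any platform where the opt-out is missing, or deeper than the checkout, is the friction pattern the settlements call out.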
Vendor Transparency Programs
Document what data each third-party partner actually collects, not what the contract says they're allowed to collect. This requires technical auditing of SDKs, APIs, and data flows. The gap between contractual promises and technical reality is where enforcement risk lives.
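One concrete form of the technical audit described above, added here as an example (not the article's, Roku's or any vendor's code): capture what a third-party SDK actually sends from a test build, flatten each request body, and diff the observed fields against the fields the contract permits, flagging identifiers that are high-risk on sight and any payload that originates from a child profile. The vendor name, the contract allowlist, the `profile.type` convention and the captured JSON bodies are all constructed for the example.

```python
"""Vendor transparency check: what an SDK actually sends vs. the contract.

Added example, not from the article, Roku, or any vendor. It assumes the
team has captured the SDK's outbound requests (for instance through a
proxy on a test build) as JSON bodies. The vendor name, the contract
allowlist, the 'profile.type' convention and the payloads are constructed.
"""
import json

# Contract terms per vendor: the fields the data-processing agreement lets
# the vendor receive, and whether any data from child profiles may flow.
CONTRACTS = {
    "analytics-vendor": {
        "allowed_fields": {"app_version", "device_model", "session_id"},
        "children_permitted": False,
    },
}

# Identifiers and sensitive fields that are flagged on sight, even if a
# contract happened to list them, because they defeat deidentification.
HIGH_RISK_FIELDS = {"advertising_id", "ip", "voice_transcript",
                    "precise_location"}


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted paths so identifiers buried in a
    sub-object (e.g. device.advertising_id) are not hidden from the diff."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}{i}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def audit_capture(vendor, captured_bodies, contracts=CONTRACTS):
    """Return a list of (body_index, field_path, finding) tuples comparing
    every observed field with the vendor's contractual allowlist."""
    contract = contracts[vendor]
    findings = []
    for n, body in enumerate(captured_bodies):
        fields = flatten(json.loads(body))
        for path in fields:
            leaf = path.rsplit(".", 1)[-1]
            if leaf not in contract["allowed_fields"]:
                findings.append((n, path, "not_in_contract"))
            if leaf in HIGH_RISK_FIELDS:
                findings.append((n, path, "high_risk"))
        # A child-profile marker in the payload means child data left the
        # device regardless of which individual fields were sent.
        if fields.get("profile.type") == "child" \
                and not contract["children_permitted"]:
            findings.append((n, "*", "child_profile_data_shared"))
    return findings


# Constructed captures: the first matches the contract, the second is the
# kind of payload an SDK sends when nobody has checked what it collects.
CAPTURED = [
    json.dumps({"app_version": "5.2.0", "device_model": "TV-X",
                "session_id": "s-1"}),
    json.dumps({"app_version": "5.2.0", "session_id": "s-2",
                "device": {"advertising_id": "ad-123", "ip": "203.0.113.9"},
                "profile": {"type": "child"},
                "events": [{"voice_transcript": "play cartoons"}]}),
]

if __name__ == "__main__":
    for finding in audit_capture("analytics-vendor", CAPTURED):
        print(finding)
```

The output of this check is the document the paragraph asks for: a per-vendor record of observed fields against contractual ones. Repeating it on every SDK update catches the drift between what the contract promises and what the binary does.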
The Business Case Beyond Compliance
The headlines focus on penalties, but miss the bigger story: organizations that execute on these requirements properly are creating sustainable competitive advantages.
When you implement real platform parity for privacy controls, you're also building the infrastructure for personalization that actually works. User segmentation for child safety doubles as segmentation for relevant content recommendations. Transparent data practices reduce customer support tickets and increase conversion rates on legitimate data collection requests.
We're seeing this play out in retention metrics while also supporting accelerated growth in monthly active users, likely a strategic metric your organization is paying close attention to. Organizations with mature privacy programs maintain higher customer lifetime value because trust compounds over time. When a data breach happens in your industry, your customers don't assume you're affected if you've been transparent about data practices all along.
The Bottom Line
California's DOJ announced its investigative sweep in January 2024, focusing on streaming services and connected TVs. These settlements represent the first results from that systematic review. Florida's enforcement action is the first under the Digital Bill of Rights. The pattern is clear: states are conducting targeted sweeps of specific industries, testing actual implementations, and settling cases that establish operational standards.
Need to assess the state of your organization’s privacy tech?
Reach out to our team for an initial discussion.