Producers who use the Vimeo OTT platform to stream videos to their customers must comply with a variety of laws, including those that regulate the collection and usage of “personal information” of individuals. Two of the most prominent laws are the EU’s General Data Protection Law (GDPR) and the California Consumer Protection Act (CCPA). In this FAQ, we answer common questions about each law and how Vimeo OTT helps you comply with them.
⚠️Note: This FAQ provides general information and Vimeo OTT’s position on certain legal concepts, but does not provide legal advice, nor does it modify our Terms of Service or any other agreement we have with you. If you have questions of a legal nature, you should consult a qualified attorney.
In this article
Part I: General Principles
What is “personal information”?
Personal information is generally considered any information that relates to an individual. It includes information that can personally identify someone, such as name and mailing address. It generally also includes “sensitive information” like financial information, health information, and social security number. It may also, depending on the context, include information such as IP address or geo-location information. What is considered “personal information” under a particular law will depend on that law’s definition.
Who owns the personal information of my subscribers?
- As between you and Vimeo OTT, you own the personal information of your subscribers.
What personal information does Vimeo OTT collect about my subscribers?
- We collect various information including email addresses and IP addresses. You may read Vimeo OTT’s Privacy Policy for more information.
What does Vimeo OTT do with my subscribers’ personal information?
- We use it to provide the Vimeo OTT platform service to you. This includes processing subscription transactions on your behalf and allowing subscribers to view your programming.
Does Vimeo OTT use my subscribers’ information to market other products and services to them?
- No.
Part II: GDPR
The General Data Protection Act (GDPR) is a 2018 EU law that regulates the collection and processing of personal information from residents of the European Economic Area (EEA), which includes all EU member states (listed here), plus Iceland, Liechtenstein, and Norway.
In general, the GDPR imposes requirements on two sets of entities involved in the collection of personal information: “controllers” (entities that make decisions about personal information) and “processors” (entities that process information at the request of a controller). Controllers and processors each have different responsibilities. For example, a data controller is responsible for making sure their vendors comply with their instructions and a data processor is responsible for complying with those instructions.
Do I need to comply with the GDPR?
- You must comply with the GDPR if you (1) have a physical presence in the EEA; or (2) target consumers in the EEA with goods or services (e.g., by advertising in the EEA or making subscriptions available to purchase by EEA consumers). If you don’t wish to be subject to the GDPR, you should, at a minimum, disable distribution in the EEA and not target EEA customers for subscriptions.
What are my responsibilities under the GDPR?
- Under the GDPR, you are considered the “controller” of your subscribers’ personal information because you make decisions about how it is processed and with whom you share it. Your responsibilities as a data controller are outlined in Article 24 of the GDPR. Those obligations include ensuring the fulfillment of individual rights requests and safeguarding your subscribers’ personal information.
What is Vimeo OTT’s role under the GDPR?
- Vimeo OTT considers itself to be a “data processor” under the GDPR. This means we are acting as a vendor to you and that we will process subscriber information on your behalf and at your direction. We have memorialized our commitments as a processor to you in our Data Processing Agreement (DPA).
Will Vimeo OTT help me process individual rights requests under the GDPR?
- Yes. Under the terms of the DPA, Vimeo OTT will process individual rights requests received directly by our support team for you. If you receive a request directly, you can write to us at OTTprivacy@vhx.tv with the details of the request, and we will process it on your behalf.
Part III: CCPA
The California Consumer Privacy Act (CCPA) is a 2019 California law that regulates the collection and processing of personal information of California residents. Passed in 2019, the CCPA became effective on January 1, 2020, and enforcement by the California Attorney General will begin on July 1, 2020. The CCPA gives California residents numerous rights about how their information may be used. For example, California residents have a right to opt-out of “sales” of their data and have a right to get information about how their data is being used.
Do I need to comply with the CCPA?
- The CCPA applies to businesses that (1) have annual gross revenue of USD $25 million, or (b) annually process for commercial purposes the personal information of 50,000 California residents.
What are my responsibilities under the CCPA?
- Businesses subject to the CCPA are required to provide privacy notices meeting the statutory requirements of the CCPA, process individual rights requests, and give consumers the right to opt out of the sale of their information.
What is Vimeo OTT’s role under the CCPA?
- Vimeo OTT considers itself to be a “service provider” under the CCPA. This means that Vimeo OTT processes the data of end-users only to the extent reasonably necessary to provide the Vimeo OTT platform service to you. Vimeo’s commitments as a service provider as set forth in our DPA.
Am I ‘selling’ my customers’ personal information to Vimeo OTT?
- We do not believe that you sell your customers’ personal information to Vimeo OTT when you use the Vimeo OTT platform. Instead, we take the position that we are providing a service to you as a service provider. This position is memorialized in our DPA.
Will Vimeo OTT help me process individual rights requests under the CCPA?
- Yes. Under the terms of the DPA, Vimeo OTT will process individual rights requests received directly by our support team for you. If you receive a request directly, you can write to us at OTTprivacy@vhx.tv with the details of the request, and we will process it on your behalf.