Gracenote Services Privacy Statement
Last Revised: March 2020
Gracenote, Inc., a Nielsen Company (“Gracenote,” “we,” or “us”) is committed to protecting the privacy of consumers and handling their data in an open and transparent manner. This Gracenote Services Privacy Statement (this “Privacy Statement”) explains how we use, share, and protect the data that we collect or otherwise obtain about consumers in connection with our delivery of certain commercial products and service offerings as further described in the “Collection of Your Data” section below (the “Services”). This Privacy Statement also describes consumers’ choices and legal rights in relation to such data.
Because we provide the Services to a multitude of companies around the world, including consumer electronics companies, automakers, and media companies (“Client” or “Clients”), and our contracts with certain Clients may restrict our use of data that we collect or otherwise obtain in connection with the provision of the Services to them, this Privacy Statement reflects Gracenote’s general data processing and privacy practices. When our contract with a Client only permits us to process data in the context of our relationship with that Client, we typically do so as a “data processor” or “service provider” to that Client. On the other hand, when our contract with a Client permits us to process data that we collect or obtain for purposes other than delivering any of the Services to the Client, we may do so as a “data controller” or “business.”
In all cases, we are not responsible for the data processing and privacy practices of our Clients. We encourage consumers to review the privacy statements of all websites, applications, and other devices and services (e.g., mobile devices, Smart TVs, etc.) that they use in order to learn about the processing and privacy practices of the parties whose services they access and use. Where applicable, we require our Clients to ensure that: (i) consumers are informed of the Clients’ use of the Services (although they may not always identify Gracenote by name); (ii) they have obtained appropriate permissions from consumers for the collection, use, and/or disclosure of data in connection with the Services; and (iii) consumers are given appropriate choices with respect to the collection, use, and disclosure of their data.
Please note that this Privacy Statement applies only to Gracenote’s processing of data in connection with the Services. To learn more about Gracenote’s processing of personal data collected via this website (www.gracenote.com), please review our website privacy statement, which is available here. To learn more about the privacy practices associated with Nielsen’s commercial products and service offerings, please click here.
Collection of Data
Depending on the Service, we may collect or otherwise obtain data relating to consumers in a variety of ways. In some cases, our Clients include Gracenote’s proprietary software (the “Software”) on or in websites, mobile apps, mobile devices, computers/laptops, smart TVs, or connected cars (collectively “Devices”) and the Software gathers data that helps us determine or understand what audio, video, and/or other media (collectively “Content”) a consumer has accessed, viewed, listened to, engaged with, or otherwise been exposed to on or in his or her Device. In other cases, our Clients may provide us with data directly through connections to their servers and various secure data transfer methods.
Where our Clients include the Software in Devices, the specific types of data that we collect or otherwise obtain depends on how our Clients use the Software. We generally cannot reasonably (and make no attempt to) identify any consumer who has accessed, viewed, engaged with, or been exposed to the Content. However, if you are a member of a Nielsen panel, we may be able to associate data that is collected or obtained via the Software with you and we may use such data in a manner consistent with the panel membership agreement that Nielsen has in place with you and your household.
Additional details about the types of data that we may collect or obtain in connection with the Services and our use of such data can be found below.
Automatic Content Recognition (ACR)
Our ACR Software is designed to recognize and deliver to our Clients details about the Content that a consumer has been exposed to on his or her Smart TV. To accomplish this, our ACR Software uses audio and video “fingerprints” (unique digital identifiers generated by Gracenote for pieces of Content) in order to identify the Content on the TV screen (e.g., a movie, TV program, advertisement, game, etc.).
When one of our Smart TV manufacturer Clients includes our ACR Software in their Smart TVs, with the consumer’s permission, the embedded Software collects information about the consumer’s TV, including online and device identifiers (e.g., the TV’s unique device ID created by our TV manufacturer Client, internet protocol (IP) address, brand and model, firmware version, OS version, usage information (e.g., audio levels), and input source (e.g., HDMI, Tuner, etc.)). We may then make this information as well as information about the specific pieces of Content that the consumer has been exposed to on the TV available to the Smart TV manufacturer and/or other Clients as part of the Services.
Use of Data
We use your data for the purpose(s) for which it was collected, obtained, or provided to us (as described above in the “Collection of Data” section or at the point of collection).
In addition to using the data to deliver the Services, we may use the data that we collect or otherwise obtain in order to:
- operate and manage our IT and security systems, including to monitor such systems and identify and respond to security events;
- detect, investigate, and prevent fraud;
- carry out internal business activities, such as audits and data analyses;
- conduct research for quality assurance and product, service, and business development purposes;
- facilitate day-to-day operations and financial management as well as any corporate audits and corporate transactions (e.g., a reorganization, merger, sale, joint venture, assignment, transfer, etc.);
- protect the rights, property, operations, health, or safety of one or more Nielsen entities, consumers, and/or others;
- enforce our agreements; comply with applicable laws and regulations; and establish, exercise, and/or defend our legal rights; and
- respond to subpoenas, court orders, or other legal process/requests and communications from law enforcement authorities or other government entities.
Basis for Processing Personal Data
Applicable law in certain countries requires us to set out in this Privacy Statement the legal basis upon which we rely in order to process personal data that we hold as a data controller.
Where we process personal data relating to consumers in the European Union (“EU”)/European Economic Area (“EEA”) as a data controller, we rely on one of the legal bases below in order to process such data.
Consent: We may ask for a consumer’s consent to process his or her personal data for certain specific purposes or rely on the consent that our Client has obtained from the consumer. We will only rely on this legal basis in relation to processing that is entirely voluntary (i.e., not necessary or obligatory).
Legitimate interests: We may rely on our legitimate interests to process a consumer’s personal data, provided that such interests are not overridden by the consumer’s interests, fundamental rights, or freedoms. In particular, among other things, we may process a consumer’s personal data in reliance on a legitimate interest in: (i) effectively and lawfully operating our business and effectively delivering and improving the Services; (ii) conducting research and producing analyses; (iii) managing, maintaining, and operating our IT and security systems; (iv) adequately protecting, defending, and safeguarding our networks; (v) evaluating business and other corporate transactions; (vi) managing and enhancing protection against fraud, spam, harassment, intellectual property infringement, and risks to which we are exposed (e.g., crime and security risks); and (vii) meeting our obligations and enforcing our legal rights.
Compliance with legal obligations: We may process a consumer’s personal data if necessary for us to comply with a legal obligation arising under an applicable law to which we are subject.
Please note that where we process personal data on behalf of our Client as a data processor, our processing of such data is based on the legal basis established by our Client.
Users that have questions or concerns about the legal basis upon which we collect and use their personal data can contact us at email@example.com.
Disclosures and Transfers of Data
In connection with one or more of the purposes outlined above, your data may be disclosed to different entities within the Nielsen group of companies as well as:
- our third-party service providers, including providers of the following services (among others): data analysis or processing; data security and storage; and product development (subject to binding contractual obligations of confidentiality and security);
- relevant third parties as part of a corporate transaction, such as a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceeding);
- competent governmental and public authorities, in each case to comply with legal or regulatory obligations or requests or for the purposes of reporting any actual or suspected breach of applicable law; and
- other third parties as we believe to be necessary (e.g., in order to protect the rights, property, operations, health, or safety of you, us, or others) or appropriate for legal purposes (e.g., in connection with claims, disputes, or litigation or in order to enforce our legal rights).
The disclosures described above may result in the transfer of your personal data to countries or regions with data protection or privacy laws and regulations that differ from those in your country of residence. By providing us with your personal data or otherwise making available such data to us, you are acknowledging that your personal data may be transferred to countries or regions outside of your country of residence. In cases where your personal data is transferred outside of your country of residence, we will ensure that there are adequate safeguards in place to protect your personal data.
Additional information for EU/EEA residents
If you are based in the EU/EEA and your personal data will be transferred to a country that has not been recognized by the European Commission as providing an adequate level of data protection, the safeguards put in place by us might include a data transfer agreement with the recipient based on standard contractual clauses approved by the European Commission for transfers of personal data to countries not providing an adequate level of data protection. Alternatively, in certain circumstances, your personal data may be transferred on the basis of an applicable derogation or exemption. For further details relating to the transfers described above and the adequate safeguards used with respect to such transfers, please email us at firstname.lastname@example.org.
We understand the importance of protecting the privacy of children, especially in the online environment. The Services are not designed for or directed at children, and we do not knowingly solicit, collect, or maintain personal data from children. If we become aware that we have collected personal data from a child, we will take reasonable steps to delete it.
We have in place reasonable organizational, technical, and administrative measures that are designed to protect your data from loss, misuse, and unauthorized access, disclosure, alteration, destruction, and other forms of unlawful processing while it is under our control. However, please be aware that the storage and transfer of data cannot always be one-hundred percent secure.
We will retain your personal data in a form that permits identification only for as long as necessary for the fulfillment of the various purposes outlined in this Privacy Statement, unless a longer retention period is required by applicable law or is necessary in order to resolve disputes, protect our legal rights, or otherwise comply with our legal or professional obligations.
We are committed to providing consumers with choices with respect to how we process their personal data. This section describes how consumers can exercise these choices.
Automatic Content Recognition (ACR): When our ACR Software is embedded in the Smart TVs manufactured by one of our Clients, we require them to ensure that appropriate disclosures regarding data collection and use and related choices are provided to consumers. Consumers wishing to opt out of the collection and use of their data from their Smart TVs can do so by adjusting the settings on their TVs.
Consumers’ Legal Rights
We are also committed to ensuring that consumers have reasonable access to their personal data and the ability to review and limit the use of such data in accordance with applicable law.
Depending on a consumer’s country (or U.S. state) of residence, under applicable law he or she may have the right to:
- request confirmation as to whether or not their personal data is being processed and details about the personal data that is being processed;
- request access to or a copy of their personal data;
- request that we update or correct their personal data (e.g., if it is inaccurate or incomplete);
- object to the processing of their personal data;
- propose other restrictions on the processing of their personal data (e.g., if there is no legal right to keep using it) or limit the use of their personal data (e.g., if their personal data is inaccurate or unlawfully held);
- withdraw the consent that they have provided for the processing of their personal data (where the data is processed on the basis of the consumer’s consent);
- request that their personal data be transferred to another organization in a structured, commonly used, and machine-readable format (to the extent applicable);
- request the deletion of their personal data; and
- lodge a complaint with the data protection or privacy authority regarding the processing of their personal data.
We will not discriminate against any consumer who chooses to exercise any of the above-listed rights available to them under applicable law.
Because we want to avoid taking action regarding a consumer’s personal data at the direction of someone other than the consumer, only the consumer (or, where applicable, a natural person or business entity that the consumer has authorized to act on his or her behalf by providing written permission (an “Authorized Agent”)) may submit a request. Please note that we may deny a request from an Authorized Agent if they do not submit proof that they have been authorized by a consumer to act on his or her behalf.
A consumer’s request must:
- provide sufficient information that allows us to reasonably verify that the he or she is the person about whom we have collected/obtained personal data (or, where applicable, the requester has been properly authorized to submit a request on the consumer’s behalf); and
- describe the consumer’s request with sufficient detail that allows us to understand, evaluate, and respond to it.
We will not be able to respond to a request or disclose any personal data if we are not able to verify the consumer’s identity (or, where applicable, an agent’s authority to make the request on the consumer’s behalf) and confirm that the personal data relates to the consumer. To verify a consumer’s identity, we will match data that he or she (or an Authorized Agent) provides to any personal data that we already have in our possession.
Please note that where we act as a “service provider” or “data processor” to our Clients, we depend on our Clients to facilitate the exercise of these rights and cooperate with them in responding to valid requests insofar as it is possible.
Additional information for users in the EU/EEA
Consumers who have questions or concerns about our collection and processing of their personal data can contact our EU Data Protection Officer at email@example.com.
Consumers who are dissatisfied with the way that we have processed their personal data or any privacy-related query or request that they have raised to us have the right to complain to the Data Protection Authority (“DPA”) in their country of residence or the location where the issue that is the subject of the complaint occurred. To find the contact details of the appropriate DPA, please visit https://edpb.europa.eu/about-edpb/board/members_en.
Updates to this Privacy Statement
We will update this Privacy Statement from time to time in light of, for example, changing business or data processing practices, technology, or legal requirements. When we make updates to this Privacy Statement, we will amend the “Last Revised” date at the top of this page. The most current version of this Privacy Statement will always be available here, and we encourage consumers to review it periodically in order to remain informed about our data processing and privacy practices.
Consumers who have any questions, comments, or feedback about this Privacy Statement should email us at firstname.lastname@example.org or write us at one the addresses below.
Consumers who reside in the EU/EEA can write us at:
Oxford Business Park South
John Smith Drive
Oxford OX4 2WB
Attn.: Legal Dept.
Consumers who reside in any country outside of the EU/EEA can write us at:
85 Broad Street
New York, NY 10004
Attn.: Legal Dept.