Gracenote Services Privacy Statement
Last Revised: April 2020
Gracenote, Inc., a Nielsen Company (“Gracenote,” “we,” or “us”) is committed to protecting the privacy of consumers and handling their data in an open and transparent manner. This Gracenote Services Privacy Statement (this “Privacy Statement”) explains how we use, share, and protect the data that we collect or otherwise obtain about consumers in connection with our delivery of certain commercial products and service offerings as further described in the “Collection of Data” section below (the “Services”). This Privacy Statement also describes consumers’ choices and legal rights in relation to such data.
Because we provide the Services to a multitude of companies around the world, including consumer electronics companies, car manufacturers, and media companies (“Client” or “Clients”) and our contracts with certain Clients may restrict our use of data that we collect or otherwise obtain in connection with the provision of the Services to them, this Privacy Statement reflects Gracenote’s general data processing and privacy practices. When our contract with a Client only permits us to process data in the context of our relationship with that Client, we typically do so as a “data processor” or “service provider” to that Client. On the other hand, when our contract with a Client permits us to process data that we collect or obtain for purposes other than delivering any of the Services to that Client, we may do so as a “data controller” or “business.”
In all cases, we are not responsible for the data processing and privacy practices of our Clients. We encourage consumers to review the privacy statements of all websites, applications, and other devices and services (e.g., mobile devices, Smart TVs, etc.) that they use in order to learn about the processing and privacy practices of the parties whose services they access and use. Where applicable, we require our Clients to ensure that: (i) consumers are informed of the Clients’ use of the Services (although they may not always identify Gracenote by name); (ii) appropriate permissions from consumers for the collection, use, and/or disclosure of their data in connection with the Services have been obtained; and (iii) appropriate choices with respect to the collection, use, and disclosure of their data have been made available to consumers.
Please note that this Privacy Statement applies only to Gracenote’s processing of data in connection with its delivery of the Services. To learn more about Gracenote’s processing of personal data collected or obtained via this website (www.gracenote.com), please review our website privacy statement, which is available here. To learn more about the privacy practices associated with Nielsen’s commercial products and service offerings, please click here. To learn more about Nielsen’s group of companies, please click here.
Collection of Data
Depending on the Service, we may collect or otherwise obtain data relating to consumers in a variety of ways. In some cases, our Clients include Gracenote’s proprietary software (the “Software”) on or in websites, mobile apps, mobile devices, computers/laptops, smart TVs, or cars (collectively “Devices”) and the Software gathers data that helps us determine or understand what audio, video, and/or other media (collectively “Content”) a consumer is accessing, viewing, listening to, engaging with, or otherwise is exposed to on or in their Device. In other cases, our Clients may provide us with data directly through connections to their servers and various secure data transfer methods.
When our Clients embed the Software in Devices, the specific types of data that we collect or otherwise obtain depends on how our Clients use the Software. We generally cannot reasonably (and make no attempt to) identify any consumer from the data that we collect or otherwise obtain via the Software. However, if a consumer is a member of a Nielsen panel, we may be able to associate data that is collected or obtained via the Software with the consumer and we may use such data in a manner consistent with the relevant Nielsen panel privacy statement and membership agreement.
Additional details about the types of data that we may collect or obtain in connection with the Services and our use of such data can be found below.
Automatic Content Recognition (ACR)
Our ACR Software is designed to recognize details about the Content that a consumer has been exposed to on their Smart TV. To accomplish this, our ACR Software uses audio and video “fingerprints” (unique digital identifiers generated by Gracenote for pieces of Content) in order to identify the Content on the TV screen (e.g., a movie, TV program, advertisement, game, etc.).
When one of our Smart TV manufacturer Clients includes our ACR Software in their Smart TVs, with the consumer’s permission, the embedded Software collects data about the consumer’s TV, including online and device identifiers (e.g., the TV’s unique device ID created by the TV manufacturer, internet protocol (IP) address, brand and model, firmware version, OS version, usage information (e.g., audio levels), and input source (e.g., HDMI, Tuner, etc.)). We may then make this data as well as details about the specific pieces of Content that the consumer has been exposed to on the TV available to the Smart TV manufacturer and/or other Clients.
Our MusicID/MusicID Radio Software is designed to recognize and deliver to the consumer details about the Content that the consumer has been exposed to, such as a song’s title, artist, genre, and/or any associated images. To accomplish this, our MusicID/MusicID Radio Software uses audio “fingerprints” (unique digital identifiers generated by Gracenote for pieces of Content) in order to identify the Content that is playing and deliver details about the Content to the consumer.
When one of our Device manufacturer Clients includes our MusicID/MusicID Radio Software in their Devices, the embedded Software collects the Device’s internet protocol (IP) address, which is used to determine the country location of the Device and in which language the Content’s details should be presented to the consumer. Our Software then delivers the available details to the consumer on their Device’s screen.
Radio Station ID
Our Radio Station ID Software is designed to recognize and deliver to the consumer details about radio stations that allow them to browse radio stations and music while in their cars.
When one of our car manufacturer Clients includes our Radio Station ID Software in their cars, the car’s approximate GPS location data (latitude/longitude) is transmitted to our Software. Based on the vehicle’s approximate location, our Software then delivers available radio stations as well as station metadata to enable the consumer to search and find the right station.
Use of Data
We use consumers’ data for the purpose(s) for which it was collected, obtained, or provided to us (as described above in the “Collection of Data” section or at the point of collection).
In addition to using the data to deliver the Services, we may use the data that we collect or otherwise obtain in order to:
- operate and manage our IT and security systems, including to monitor such systems and identify and respond to security events;
- detect, investigate, and prevent fraud;
- carry out internal business activities, such as audits and data analyses;
- conduct research for quality assurance and product, service, and business development purposes;
- facilitate day-to-day operations and financial management as well as any corporate audits and corporate transactions (e.g., a reorganization, merger, sale, joint venture, assignment, transfer, etc.);
- protect the rights, property, operations, health, or safety of one or more Nielsen entities, consumers, and/or others;
- enforce our agreements; comply with applicable laws and regulations; and establish, exercise, and/or defend our legal rights; and
- respond to subpoenas, court orders, or other legal process/requests and communications from law enforcement authorities or other government entities.
Basis for Processing Personal Data
Applicable law in certain countries requires us to set out in this Privacy Statement the legal basis upon which we rely in order to process personal data that we hold as a “data controller.”
Where we process personal data relating to consumers in the European Union (“EU”)/European Economic Area (“EEA”) as a “data controller,” we rely on one of the legal bases below in order to process such data.
Compliance with legal obligations: We may process a consumer’s personal data if necessary for us to comply with a legal obligation arising under an applicable law to which we are subject.
Consent: We may ask for a consumer’s consent to process his or her personal data for certain specific purposes or rely on the consent that our Client has obtained from the consumer. We will only rely on this legal basis in relation to processing that is entirely voluntary (i.e., not necessary or obligatory).
Legitimate interests: We may rely on our legitimate interests to process a consumer’s personal data, provided that such interests are not overridden by the consumer’s interests, fundamental rights, or freedoms. In particular, among other things, we may process a consumer’s personal data in reliance on a legitimate interest in: (i) effectively and lawfully operating our business and effectively delivering and improving the Services; (ii) conducting research and producing analyses; (iii) managing, maintaining, and operating our IT and security systems; (iv) adequately protecting, defending, and safeguarding our networks; (v) evaluating and/or facilitating business and other corporate transactions; (vi) managing and enhancing protection against fraud, spam, harassment, intellectual property infringement, and risks to which we are exposed (e.g., crime and security risks); and (vii) meeting our obligations and enforcing our legal rights.
Please note that where we process personal data on behalf of our Client as a “data processor,” our processing of such data is based on the legal basis established by our Client.
Consumers that have questions or concerns about the legal basis upon which we process their personal data can contact us at firstname.lastname@example.org.
Disclosures and Transfers of Data
In connection with one or more of the purposes outlined above, we may disclose consumers’ data to different entities within Nielsen’s group of companies as well as:
- our third-party service providers, including providers of the following services (among others): data analysis or processing; data security and storage; and product development (subject to binding contractual obligations of confidentiality and security);
- relevant third parties as part of a corporate transaction, such as a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceeding);
- competent governmental and public authorities, in each case to comply with legal or regulatory obligations or requests or for the purposes of reporting any actual or suspected breach of applicable law; and
- other third parties as we believe to be necessary (e.g., in order to protect the rights, property, operations, health, or safety of consumers, us, or others) or appropriate for legal purposes (e.g., in connection with claims, disputes, or litigation or in order to enforce our legal rights).
Additionally, when one of our Smart TV manufacturer Clients embeds our ACR Software in their Smart TVs, with the consumer’s permission, we may also disclose their data to the Smart TV manufacturer Client as well as certain other Clients (e.g., advertisers, data companies, and marketing firms) and other entities within the Nielsen group of companies, and these parties will use the data for their own business purposes (and in accordance with their own data handling and privacy practices), including to perform data measurement and analysis, develop richer consumer profiles, and create and deliver personalized consumer experiences with advertisements and promotions (which may be delivered on TVs and/or other Devices).
The disclosures described above may result in the transfer of consumers’ personal data to countries or regions with data protection or privacy laws and regulations that differ from those in their country of residence. By providing us with their personal data or otherwise making available such data to us, consumers acknowledge that their personal data may be transferred to countries or regions outside of their country of residence. In cases where consumers’ personal data is transferred outside of their country of residence, we ensure that there are adequate safeguards in place to protect their personal data.
Additional information for EU/EEA residents
Where the personal data of consumers based in the EU/EEA is transferred to a country that has not been recognized by the European Commission as providing an adequate level of data protection, the safeguards put in place by us might include a data transfer agreement with the recipient based on standard contractual clauses approved by the European Commission for transfers of personal data to countries not providing an adequate level of data protection. Alternatively, in certain circumstances, consumers’ personal data may be transferred on the basis of an applicable derogation or exemption. For further details relating to the transfers described above and the adequate safeguards used with respect to such transfers, consumers can email us at email@example.com.
We understand the importance of protecting the privacy of children, especially in the online environment. The Services are not designed for or directed at children, and we do not knowingly solicit, collect, or maintain personal data from or relating to children. If we become aware that we have collected personal data from or relating to a child, we will take reasonable steps to delete it.
We have in place reasonable organizational, technical, and administrative measures that are designed to protect consumers’ data from loss, misuse, and unauthorized access, disclosure, alteration, destruction, and other forms of unlawful processing while it is under our control. However, consumers should be aware that the storage and transfer of data cannot always be one-hundred percent secure.
We retain consumers’ data in a form that permits identification only for as long as necessary for the fulfillment of the various purposes outlined in this Privacy Statement, unless a longer retention period is required by applicable law or is necessary in order to resolve disputes, protect our legal rights, or otherwise comply with our legal or professional obligations.
We are committed to providing consumers with choices with respect to how we process their personal data. This section describes how consumers can exercise these choices.
Automatic Content Recognition (ACR)
When our ACR Software is embedded in the Smart TVs manufactured by one of our Clients, we require them to ensure that appropriate disclosures regarding data collection and use and related choices are made available to consumers. Consumers wishing to opt out of the collection and use of their data from their Smart TVs can do so by adjusting their TV settings.
Consumers’ Legal Rights
We are also committed to ensuring that consumers have reasonable access to their personal data and the ability to review and limit the use of such data in accordance with applicable law.
Depending on their country (or U.S. state) of residence, under applicable law consumers may have the right to:
- request confirmation as to whether or not we are processing their personal data (and details about the processing of such data);
- request access to or a copy of their personal data;
- request that we update or correct their personal data (e.g., if it is inaccurate or incomplete);
- object to our processing of their personal data;
- propose other restrictions on our processing of their personal data (e.g., if there is no legal right to keep using it) or limit our use of their personal data (e.g., if their personal data is inaccurate or unlawfully held);
- withdraw the consent that they have provided for the processing of their personal data (where applicable);
- request that their personal data be transferred to another organization in a structured, commonly used, and machine-readable format (to the extent applicable);
- request the deletion of their personal data; and
- lodge a complaint with the data protection or privacy authority regarding our processing of their personal data.
We will not discriminate against any consumer who chooses to exercise any of the above-listed rights available to them under applicable law.
Because we want to avoid taking action regarding a consumer’s personal data at the direction of someone other than the consumer, only the consumer (or, where applicable, a natural person or business entity that the consumer has authorized to act on their behalf by providing written permission (an “Authorized Agent”)) may submit a request. Please note that we may deny a request from an Authorized Agent if they do not submit proof that they have been authorized by the consumer to act on their behalf.
A consumer’s request must:
- provide sufficient information that allows us to reasonably verify that they are the person about whom we have collected/obtained personal data (and, where applicable, the requester has been properly authorized to submit a request on the consumer’s behalf); and
- describe the consumer’s request with sufficient detail that allows us to understand, evaluate, and respond to it.
We will not be able to respond to a request or disclose any personal data if we are not able to verify the consumer’s identity (and, where applicable, an agent’s authority to make the request on the consumer’s behalf) and confirm that the personal data that we hold relates to the consumer. To verify a consumer’s identity, we will match data that the consumer (or an Authorized Agent) provides to any personal data that we already have in our possession.
Please note that where we act as a “service provider” or “data processor” to our Clients, we depend on our Clients to facilitate the exercise of the above-listed rights and cooperate with them in responding to valid requests insofar as it is possible.
Additional information for consumers in the EU/EEA
Consumers that have questions or concerns about our collection and processing of their personal data can contact our EU Data Protection Officer at firstname.lastname@example.org.
Consumers that are dissatisfied with the way that we have processed their personal data or any privacy-related query or request that they have raised to us have the right to complain to the Data Protection Authority (“DPA”) in their country of residence or the location where the issue that is the subject of the complaint occurred. To find the contact details of the appropriate DPA, please visit https://edpb.europa.eu/about-edpb/board/members_en.
Updates to this Privacy Statement
We will update this Privacy Statement from time to time in light of, for example, changing business or data processing practices, technology, or legal requirements. When we make updates to this Privacy Statement, we will amend the “Last Revised” date at the top of this page.
The most current version of this Privacy Statement will always be available here, and we encourage consumers to review it periodically in order to remain informed about our data processing and privacy practices.
Consumers that have any questions, comments, or feedback about this Privacy Statement or our data handling and privacy practices should email us at email@example.com or write us at one the addresses below.
Consumers that reside in the EU/EEA can write us at:
Oxford Business Park South
John Smith Drive
Oxford OX4 2WB
Attn.: Legal Dept.
Consumers that reside in any country outside of the EU/EEA can write us at:
85 Broad Street
New York, NY 10004
Attn.: Legal Dept.