LG and privacy (again)

Just to explain, as some people did not get it, sorry.

This issue here is that LG can do stuff - they can log what programmes and channels I (or anyone else here) watch, and log when I use the voice activated thing.

1. The voice thing being "cloud processed" I can understand, necessary part of the service. I'd like to know it is encrypted to them. I'd like to know it is not retained and sold later. But the basic "process the voice to understand the command, and then forget it all" I would be reasonably happy with if encrypted to them.

2. The tracking what I watch, and worse - selling that to other people? Well no thanks... Why track what I watch?

At the end of the day, they either need consent in order to process this personal data (and they have a postcode anyway and an IP address, so very possible to make "personal" data here), or they do not need consent...

If they need consent they are screwed as people can come and go, enter the room, watch TV, without ever having engaged with LG nor given any consent to any processing of such personal data. They have to stop processing such data now. Needing consent and not having it is a problem!

If they do not need consent then why the hell do we have to jump through hoops in the set up to agree terms and consent to shit in the first place. I can understand the simple processing of encrypted voice to make a command, and not recording/logging/selling that information may be something that is "necessary" and not need consent - not worried if that is the case.

But which is it?

I hope that makes some sense - as to what I choose to publish on my blog, well that is up to me...


  1. Consent isn’t the only lawful basis for processing, legitimate interests could apply here, or they could be sufficiently anonymising your data that it is no longer personal data. Anyway - ask them for their gdpr compliant privacy notice, it’ll tell you their lawful basis for processing, what they are doing with your data etc


    1. It could be that their basis for processing the data is that it's necessary to do so in order to fulfil a contract/provide the service (customised content, responses to voice commands, etc) that they have been contracted to provide (with the contract being established once the terms of service are accepted) - and hence no consent required (other lawful basis already established). Presumably the wording of the terms therefore must also place the onus on the person accepting the terms to ensure that the TV's personalisation/voice recognition services will only be made available to other users if they have been made aware of and are willing to accept the conditions of service too.

      Out of interest, are we sure that they really do hold the data in a way that makes it personally-identifiable... of course, they might have the ability to do that (e.g. by linking your IP address to Netflix username to postcode and so on) but is it possible that they don't actually hold the data in a way that would make it traceable to one named individual (genuine question, I really don't know the answer... might they process it anonymously somehow)?

      As Mr Anonymous above says, it would be good to see what their GDPR compliant privacy notice says about it all..

      Maybe it's a bit like cookies... out of interest, are tracking cookies considered to be personal data under GDPR (assuming all they hold is which sites a particular IP address has visited)?

  2. I'd guess they'd have some language along the lines of "you may only allow other people to use our services on the device if they have also consented blah blah etc."? Rather like my ISP's terms which say "The service is provided to you as the customer, but you can provide Internet access service to third parties if you wish. You remain responsible for all charges for usage of the service, whoever uses it."

    1. GDPR Article 7 "the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data."

      LG needs to be able to evidence that consent was given.

    2. Good point...but only if consent is required as the lawful basis for processing the data (assuming that it is indeed personally-identifiable data to start with).

  3. Well out of interest how does A&A treat it? I have configured my account as an individual not a provider. If I let a friend on my network they have not agreed to A&A's terms but you are processing their data. Or if I have a friend around and they interact with Netflix on my television they are generating data which you are processing but they have not agreed to A&A's terms. Is A&A able to stop processing data for third-parties who generate data on my endpoints until they have agreed to your terms?

    1. We are obviously working on the GDPR stuff, but we don’t process data based on “consent”, it is necessary for the service. My issue with LG is they are specifically asking for “consent”, which either they don’t need or they are not asking everyone they need to ask.

    2. Apologies for taking this thread off-topic but I am a slightly neurotic individual (pedantic, too!) and was wondering if the correct term for the world’s favourite ISP (which protects our freedoms and upholds the true founding principles of the net) is A&A or is it AAISP. Thank you

    3. I am tempted to answer “yes” in the true style of pedantry. To clarify, the company is Andrews & Arnold Ltd, often abbreviated to A&A, but we called our internet service AAISP.

    4. Thank you, that’s a really clear and exact answer and has settled my pedantic tendencies considerably! It is so refreshing to be in the company of logical, precise people!

  4. Don’t Sky Q track what you do as well?

  5. (Meant to post this a few days ago, sorry.)

    Came across the following Consumer Reports article, on a very related topic. Their analysis of T&Cs etc. is quite interesting (scroll down to "What We Found: Privacy")


  6. Processing is one of six lawful bases for processing personal data under the GDPR. Here they all are as outlined in Article 6:

    (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

    (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

    (c) processing is necessary for compliance with a legal obligation to which the controller is subject;

    (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

    (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

    (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.


There are lots of ways to debug stuff, but at the end of the day it is all a bit of a detective story. Looking for clues, testing an hypothe...