
GDPR and CCPA Consent for Streaming Apps: A Practical Compliance Playbook

April 19, 2026 | 8 min read | OTT Engine Team

Consent and privacy compliance is no longer just a web problem - every OTT app collects device IDs, IP addresses, viewing behavior, and (if ad-supported) advertising identifiers. Doing this without a proper consent mechanism risks fines, ad-revenue blocking, and platform-level rejection. Here is how to build it right.

The three regimes you must respect

  • GDPR (EU/UK) - explicit opt-in for any non-essential data collection, including ad targeting. Default state is no consent.
  • CCPA / CPRA (California, increasingly all US) - opt-out model for sale or sharing of personal information. Must offer a clear 'Do Not Sell or Share My Personal Information' option.
  • IAB TCF v2.2 - Industry-standard signal that conveys user consent to ad-tech partners. Required by most CTV SSPs for personalized ad targeting in the EU.

Geo-detect first, then respect

Before showing any consent UI, geolocate the user via IP. EU/UK users see GDPR opt-in. California users see CCPA opt-out. Other US users typically see a notice without an interactive choice. Other regions follow local rules (LGPD in Brazil, PIPEDA in Canada, etc.).

Geolocate at session start, store the result for the session, and re-check on app upgrade or every 90 days.

Designing the consent UX for TV

TV remote interaction limits make complex consent UIs miserable. Best practices:

  • Show consent only when you actually need a non-essential signal - not on first app launch if the user is just browsing.
  • Offer three clear choices: Accept all, Reject all, Manage preferences.
  • Make Reject all as easy as Accept all (GDPR requires this; the EDPB has clarified that dark patterns are non-compliant).
  • Persist the choice across sessions - re-prompting is a deceptive pattern.

IAB TCF v2.2 implementation

TCF v2.2 conveys consent through a TC String passed to every ad-tech partner. The string encodes which purposes (storage, targeting, measurement) and which vendors the user has consented to.

Use a TCF-certified CMP (consent management platform) - OneTrust, Sourcepoint, Didomi, Quantcast. Integrate the CMP SDK in your app and pass the TC String in every VAST request as the gdpr_consent parameter.

CCPA / CPRA implementation

Honor the Global Privacy Control (GPC) signal - when it is present on the request, treat the user as having opted out of sale or sharing without showing a prompt.

Provide an in-app 'Do Not Sell or Share My Personal Information' settings option that toggles your downstream signal (US Privacy String - uspString in VAST requests).

Children's content and COPPA

If your app or any sub-section targets children under 13, do not pass any persistent identifier or behavioural ad signal. Use COPPA-safe ad inventory only (contextual, no tracking). Misclassifying child-directed inventory is one of the FTC's enforcement priorities in 2026.
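The routing described in the geo-detection, TCF, CCPA/CPRA and COPPA sections above, as an added example (not OTT Engine code): it picks the regime from the geolocated country, forwards the CMP's TC String unchanged as gdpr_consent, folds the in-app toggle and GPC into the IAB US Privacy String (sent as the us_privacy parameter, which this article calls the uspString), and passes nothing but a child-directed flag for COPPA inventory. The EU/UK country list, the ConsentState fields and the coppa parameter name are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# EU/EEA member states plus the UK (constructed list for this example)
EU_UK = {"AT","BE","BG","HR","CY","CZ","DK","EE","FI","FR","DE","GR","HU","IE","IT","LV","LT",
         "LU","MT","NL","PL","PT","RO","SK","SI","ES","SE","IS","LI","NO","GB"}


@dataclass
class ConsentState:
    country: str                     # ISO 3166-1 alpha-2 from IP geolocation
    tc_string: Optional[str] = None  # TC String from the CMP SDK; None = no consent given
    ccpa_opt_out: bool = False       # in-app "Do Not Sell or Share" toggle
    gpc: bool = False                # Global Privacy Control signal present on the request
    child_directed: bool = False     # app or section targets children under 13


def us_privacy_string(state: ConsentState) -> str:
    """IAB US Privacy String v1: version, explicit notice, opt-out of sale/share, LSPA."""
    if state.country != "US":
        return "1---"  # CCPA/CPRA not applicable
    opted_out = state.ccpa_opt_out or state.gpc  # GPC is an opt-out without a prompt
    return "1Y" + ("Y" if opted_out else "N") + "N"


def ad_request_params(state: ConsentState) -> dict:
    """Privacy parameters to append to every VAST request."""
    if state.child_directed:
        # COPPA: no identifier or consent signal is passed at all; the inventory
        # must be contextual. Parameter name is an assumption (OpenRTB: regs.coppa).
        return {"coppa": "1"}
    params = {}
    if state.country in EU_UK:
        params["gdpr"] = "1"
        # Default is no consent: forward only the string the CMP produced
        params["gdpr_consent"] = state.tc_string or ""
    else:
        params["gdpr"] = "0"
    params["us_privacy"] = us_privacy_string(state)
    return params


def personalized_ads_allowed(state: ConsentState) -> bool:
    """Gate for behavioural targeting. Whether the TC String grants the targeting
    purpose is the CMP SDK's call; a non-empty string stands in for that here."""
    if state.child_directed:
        return False
    if state.country in EU_UK:
        return bool(state.tc_string)
    if state.country == "US":
        return not (state.ccpa_opt_out or state.gpc)
    return False  # other regions: follow local rules; deny until implemented
```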

What it costs not to do this

GDPR fines can reach 4% of global annual revenue. California CCPA fines run $2,500–$7,500 per violation, per user. More immediately, premium ad demand will reject your inventory if you do not pass valid TCF and US Privacy signals - typically a 30–50% CPM hit.

The bottom line

Privacy compliance is operationally manageable when planned from the start. OTT Engine integrates with leading TCF-certified CMPs and ships geo-aware consent UI templates for Roku, Fire TV, and Apple TV. Book a demo to walk through your compliance posture.

Frequently Asked Questions

Does GDPR apply to my Roku channel?

If any EU or UK user can install your channel, yes. GDPR applies based on the user's location, not your company's.

Do I need a Consent Management Platform (CMP)?

If you serve programmatic ads to EU/UK users, effectively yes. TCF v2.2 requires a certified CMP to generate valid consent strings for ad-tech partners.

What is the US Privacy String?

A short string passed in ad requests that conveys CCPA/CPRA opt-out status to ad-tech partners. Required by most US-facing CTV demand.

Can I show ads to kids if my app is COPPA-compliant?

Only contextual ads with no behavioural targeting and no persistent identifiers. Most premium DSPs offer COPPA-safe inventory pools for this.

What is Global Privacy Control (GPC)?

A browser/app signal that automatically expresses opt-out preferences. Recognized as a valid opt-out by California, Colorado, and several other US state regulators in 2026.

OTT Engine Team
Streaming technology experts helping publishers launch on Roku, Fire TV, and Apple TV.
