Ad RevenueApr 14, 2026 | FlexyConsent

Consent for Connected TV & OTT: What Streaming Publishers Need to Know

Connected TV (CTV) and over-the-top (OTT) streaming now account for a larger share of premium video ad spend than linear television in many markets. The audience is engaged, the CPMs are strong, and the inventory is programmatic — but the consent story is complicated. Most privacy frameworks were written with websites and mobile apps in mind; the living-room screen was an afterthought.

If you operate a CTV app, sell OTT inventory, or build the CMP infrastructure that runs underneath it, you need a deliberate strategy for consent on the TV. This guide explains what is different, what is the same, and what regulators and standards bodies are already enforcing.

Why CTV Consent Is Different

Web and mobile consent experiences share a common assumption: the user can easily read small text, tap precise controls, and scroll. A 10-foot user interface, operated by a D-pad remote, breaks every one of those assumptions. That has direct consequences for consent design:

Typing is expensive. Users cannot comfortably input long-form information, which limits how much customization you can expect.
Multi-user devices are the norm. A single TV may be shared by adults and children, with no reliable way to know who is currently watching.
Limited persistent identifiers. Identifiers vary by platform: Roku uses RIDA, Amazon Fire TV uses a Fire Advertising ID, Android TV exposes an Advertising ID, tvOS restricts identification heavily. All of them can be reset, and several can be disabled entirely.
App-container restrictions. Most CTV platforms run apps inside a sandbox that limits what a CMP can inject, what storage it can use, and what UI chrome is available.

Which Privacy Laws Actually Apply

There is no CTV-specific privacy law, which means CTV apps and SSPs are governed by the general-purpose frameworks that already cover digital services:

GDPR and ePrivacy in the EU and UK — they apply whenever a CTV app places storage on the device or reads information from it, including the advertising ID.
CCPA / CPRA in California, which treats device identifiers and viewing history as personal information and grants opt-out rights for "sale" and "sharing" of that data.
LGPD in Brazil, PIPL in China, and DPDP Act in India, all of which apply to CTV viewers the same way they apply to web users.
COPPA in the United States, which is particularly relevant for family-oriented CTV apps and any inventory where a reasonable belief that children are watching exists.

None of these laws exempt CTV, and none of them accept "it's a TV" as a reason to skip consent. The question is not whether to collect consent — it is how to collect it in a way that users can actually complete on a remote control.

The IAB Tech Lab Framework for CTV Consent

The IAB Tech Lab has published specifications that make programmatic CTV monetization compatible with consent. The pieces that matter most are:

Global Privacy Platform (GPP) — the successor to the TCF and USP strings, designed from day one to represent multiple jurisdictions in a single consent signal and to travel cleanly through server-side bid requests.
OpenRTB 2.6 and later — includes fields for passing GPP strings, sensitive category flags, and the user's loggedInState so buyers can respect consent at auction time.
App-ads.txt and sellers.json — essential for inventory authentication in a channel where fraud and misrepresentation are common, and indirectly relevant because buyers increasingly refuse to bid on CTV inventory without a verifiable consent signal attached.

If your CTV monetization stack does not speak GPP or pass a consent string in the bid request, many DSPs will simply drop the impression rather than risk buying without a legal basis.

Designing a CTV Consent Experience That Actually Works

Good CTV consent is a UX problem first and a legal problem second. A few principles that consistently work in practice:

Show the notice once, up front. Present the privacy notice on first launch before any ad call is made, not buried in settings.
Use large, remote-friendly targets. Two or three buttons, each at least a quarter of the screen width, with high-contrast focus states that survive D-pad navigation.
Offer a genuine "reject" option at the same level as "accept." Hiding reject behind a sub-menu is a textbook dark pattern and has drawn enforcement action in web contexts — regulators will not give CTV a free pass.
Support voice confirmation when the platform offers it. On Alexa, Google Assistant, and Siri-enabled devices, spoken confirmation is often the most accessible way to give consent.
Provide a persistent preferences screen that is reachable from the main menu in two clicks or fewer.
Never gate content on consent. Ad-supported tiers may be conditioned on accepting advertising, but the choice between a paid and free tier must be genuinely meaningful — not a disguised cookie wall.

Server-Side Ad Insertion and the Consent Chain

Most high-quality CTV inventory is delivered through server-side ad insertion (SSAI), where the ad is stitched into the video on the publisher's servers and the end user's device never directly calls an ad server. SSAI creates a consent chain that must be handled carefully:

The app collects consent on the device and produces a GPP string.
The GPP string is passed to the SSAI vendor as part of the session initialization.
The SSAI vendor forwards the string to the ad server or SSP in every upstream request.
The SSP includes the string in OpenRTB bid requests to buyers.

Any break in that chain — a missing field, a stale cached string, an SSAI vendor that does not forward GPP — and the downstream buyer is effectively buying blind. In GDPR jurisdictions, that is a legal exposure for every party in the chain.

Children and CTV

The CTV channel is heavily used by families, and regulators take a dim view of tracking on screens where children are likely viewers. Practical safeguards include supporting platform-level kids modes, offering a contextual-only ad experience for kids content, and making sure any COPPA-covered app runs an entirely separate consent and ad-selection pipeline from the general audience. The FTC has shown repeatedly that it will treat "we didn't know it was a kid" as a weak defense when the content clearly targets children.

What CTV Publishers Should Do Now

Audit your current consent signal. Confirm that your CTV app actually produces a consent string and that it reaches the SSP in every bid request. Many publishers discover, on inspection, that they rely on a default "1YNN" or empty string.
Adopt GPP. TCF-only or USP-only strings are no longer enough for multi-jurisdiction inventory. Move to GPP so one signal covers EU, UK, US state laws, and emerging frameworks.
Redesign the first-launch experience around a remote-friendly consent UI before shipping your next app update.
Document your consent chain end-to-end, from the app through SSAI to the buyer. Regulators are starting to ask for this diagram by name.
Train your ad ops team to recognize which inventory is consented and which is not, so they can offer contextual-only fallbacks when the consent signal is missing.

Conclusion

CTV is not a privacy-free zone, and the assumption that "no one regulates TV" is already wrong in every major market. The good news is that the building blocks — GPP, OpenRTB 2.6, SSAI-aware consent forwarding, and remote-friendly UX patterns — all exist. Publishers who adopt them early will be the ones who can keep selling premium CTV inventory when buyers begin refusing everything else. The living-room screen is the next frontier for consent management, and the operators who treat it that way will own the ad dollars when the rest of the market catches up.