Broadcasters such as Viacom have introduced ‘staffers’ to collect information on e.g. set-top box viewing habits, mobile-location information and consumer purchase patterns which they sell on to advertisers. This paper will investigate SDO decision making in fora such as IETF-W3C working groups relating to data collection and privacy. The paper demonstrates how privacy and data protection standard adoption is agreed under the exogenous mechanisms of state influence and civil society activism. Differences in the governance of data transfer, namely between US self-regulated codes of conduct (“opt-out” of data tracking rather than “opt-in”) and EU statutory protection under the 2016 General Data Protection Regulation show stark contrast between the US and the EU. Civil society has been able to influence SDOs through actions in the spaces that construct privacy and data protection legislation and norms. The Paper therefore seeks to investigate the key roles that states and civil society actors play through their external activity.