Why this matters

If you are a founder, product lead, or first-time streaming CTO, geo-blocking is the feature a studio's lawyer will test before they sign, and the feature your support queue will hate if you build it carelessly. Get it too loose and you stream a title into a country you were never licensed for — a breach a rights holder can detect from their own logs and act on. Get it too strict and you turn away paying customers who are sitting exactly where they are allowed to be, which shows up as refunds, angry tickets, and churn. This article explains, in plain language, why territory rights exist, how a platform actually figures out where a viewer is, where that goes wrong, and how to wire the whole thing into the catalog so it scales to millions of plays a day across dozens of countries. It is the territory specialization of content licensing and rights for OTT — read that first if "the five dimensions of a license" is new to you.

The one idea: availability is a function of location

Most teams model a catalog as a list of titles and assume everyone sees the same list. The territory dimension breaks that assumption permanently. What a viewer may watch depends on where they are, because the right to stream a given title was licensed to you in some countries and to someone else — or no one — in the rest.

So the core change to your thinking is small to state and large to build: availability is not a property of a title, it is a function that takes a title and a location and returns yes or no. The film Example Feature is not "available" or "unavailable" in the abstract; it is available in Brazil, unavailable in Portugal, and available-but-not-yet in France until its window opens. Your platform's job is to compute that function correctly, fast, on every catalog screen and every play, without a human in the loop.

That single reframing — from "what is in the catalog" to "what is in this viewer's catalog, right now, where they are" — is the whole subject of this article. Everything below is either how you compute the location, or how you turn it into a correct yes/no.

Why the same title is licensed in one country and blocked in another

The reason is older than streaming. Copyright is national: a film's rights are owned and sold territory by territory, often pre-sold that way decades before a streaming platform existed. The owner of Example Feature can sell its Brazilian streaming right to you, its Portuguese right to a competitor, and hold the French right back for a later window — all for the same film, because the underlying right can be sliced by country. We unpack that slicing in content licensing and rights for OTT; here, the only thing that matters is the consequence: you hold a map, not a global on-switch.

Live sport makes the map vivid. Sports rights are layered — a national package for a whole country, regional rights sold to a local network, and digital rights that can differ from the television deal — so the same match can be blocked for one viewer and live for another a hundred kilometres away. The industry calls a location-based block on a live feed a blackout: a game is darkened in a defined territory to protect the local broadcaster who paid for exclusivity there. A platform that carries sport inherits a blackout map that can change week to week, which is the same territory problem on a faster clock.

The practical upshot for a builder: the territory dimension is not a setting you toggle once. It is per-title, per-country, time-bound, and — for sport — sometimes per-event. It has to live in your rights data as structured records, exactly like the window and the business tier, and be read on every request. The same territory map also drives what you owe whom, because royalties are reported per territory — the subject of royalties, reporting, and rights compliance.

One film sold as three territory deals — to you, to a competitor, and held back — so availability depends on location. Figure 1. The same film is sold as separate territory deals. The platform holds a map of where it may play, not a global on-switch, so availability is a function of the viewer's location.

What the platform must answer: where is this viewer, really?

To turn a territory map into a decision you need the viewer's location, and you have four signals, each with a different cost and a different way of being wrong.

The first and primary signal is the viewer's internet address — the IP address every connected device has — mapped to a country through a geo-IP database, a regularly updated table that says "this block of addresses sits in this country." It needs no permission, works on every device, and is fast. The second signal, on phones and tablets, is the device's own GPS location, which is precise but requires the user to grant permission and is therefore not always available. The third is the account's registered country — the home country the subscriber gave you at sign-up, often confirmed by their payment method. The fourth is the billing country of the card or wallet that pays for the subscription, a strong hint about where the customer really lives even when they travel.

A grown-up geo system does not pick one. It resolves the IP for the live location, reads the account's registered home for context, and treats GPS as a high-confidence override where it is offered. The interesting decisions — covered further down — happen when these signals disagree: the IP says France, the account says Brazil, the card is Brazilian. Is this a Brazilian subscriber on holiday, or a French viewer who should not see the Brazilian catalog? The answer is a policy, not a lookup.

Geo-IP: very good at countries, weak at cities

Geo-IP deserves a careful look because almost every territory decision rests on it, and its accuracy is wildly uneven by zoom level.

At the country level it is strong. Blocks of addresses are handed out to internet providers by regional registries, and a provider almost always serves one country, so the country an address belongs to is usually unambiguous. MaxMind, the most widely used provider, states country-level accuracy around 99.8%, and independent summaries put well-engineered country identification in the 97–99%+ range. Country-scoped rights — "licensed in Brazil" — are therefore enforceable with confidence.

At the city or region level it is much weaker. The same data that nails the country often cannot place the address in the right city, and for many addresses the city simply is not returned. That matters the moment a right is sub-national — a regional sports blackout drawn around a metro area, say — because geo-IP alone cannot reliably tell whether a viewer is inside or outside a 50-kilometre circle. For those rules you need a stronger signal (device GPS, or the registered home address) and a fallback policy for when it is missing.

Two edge cases bite often enough to plan for. A network can be registered to a different country than the one it physically serves — a mobile carrier operating across borders, or an embassy or military network — so the "registered country" and the "located country" of an address can differ, and a naive lookup picks the wrong one. And large mobile and corporate networks route many users through a shared address, so one address can represent thousands of people who are not all in the same place. Neither breaks country-level enforcement often, but both produce the misclassifications that become false positives at scale.

A standard worth knowing about improves the picture. IETF RFC 8805 (2020) defines a geofeed — a simple published file in which a network operator maps its own address ranges to the country, region, and city they actually serve. Consumers of the feed (Google is a public example) merge it into their geo-location data, correcting exactly the registered-versus-located errors above. RFC 8805 deliberately allows only coarse location, and its discovery mechanism was standardized later in RFC 9632 (2024). For a platform, the takeaway is practical: your geo-IP quality improves over time as operators self-publish, so treat the database as a living input, not a one-time purchase.

The home-country twist: travel and the EU Portability Regulation

Here is the rule that separates a thoughtful geo system from a brittle one. Territory enforcement is not simply "where is the IP right now" — because a subscriber's rights can travel with them. The clearest example is law, not courtesy.

The EU Cross-Border Portability Regulation (Regulation (EU) 2017/1128), applicable since 1 April 2018, requires a provider of a paid online content service to let a subscriber access their home-country catalog when they are temporarily present in another EU member state — at no extra charge, and any contract clause that forbids this is unenforceable. In plain terms: a paying subscriber who lives in Germany and spends two weeks in Spain must still get their German catalog, even though a pure "block by current IP" system would hand them the Spanish one or nothing. A platform serving the EU must build the home-country concept in, not bolt it on.

That same regulation tells you how to establish the home country without over-collecting data. Under its Article 5, the provider verifies the subscriber's member state of residence using no more than two of a closed list of reasonable means — an identity document or electronic ID, payment details such as the card or bank account, the installation address of a set-top box, or, where doubt arises later, an IP check. The same article demands data minimization: verification data is used only for that purpose and destroyed as soon as the check is complete. So the registered-home signal is not a vague preference — for the EU it is a regulated, auditable step, and the location data it touches is personal data governed by the privacy rules we cover in privacy and viewing data: VPPA, GDPR, CCPA.

The same "home territory travels with you" pattern appears commercially in US sport, where a subscriber moving more than a set distance from their home area keeps the right to stream their home team for a limited window before the block resumes. The mechanism differs; the lesson is identical: encode a registered home and a temporary-presence rule, not just a live-IP check.

Is the EU's geo-blocking ban a problem? No — audiovisual is exempt

Teams sometimes hear "the EU banned geo-blocking" and panic. It does not apply to you. The EU Geo-Blocking Regulation (Regulation (EU) 2018/302), in force since 3 December 2018, bans unjustified geo-blocking in e-commerce — but it explicitly excludes audiovisual services, including sports broadcasts, that are provided under exclusive territorial licenses. After heavy lobbying from the film and television industries, the legislators accepted that territorial exclusivity is how much audiovisual content is financed, so streaming services may continue to restrict their catalogs country by country inside the EU. The regulation carries a periodic review clause, so this is a dated fact to re-check, but as of 2026 territorial catalogs remain lawful. The one EU obligation you cannot ignore is the Portability rule above; the geo-blocking ban is not your constraint.

The evaders: VPNs, smart DNS, and residential proxies

Some viewers actively hide their location to reach a catalog they are not entitled to, and rights holders expect you to make a reasonable effort to stop them. Understanding the tools tells you what is detectable and what is not.

A VPN (virtual private network) routes a viewer's traffic through a server elsewhere, so your geo-IP lookup sees the server's country, not the viewer's. Most commercial VPNs run on data-center addresses — addresses that belong to cloud and hosting companies, not home internet providers — and that is their tell. Detection works by maintaining lists of known data-center and anonymizer address ranges and by spotting behavioural anomalies, the giveaway being that hundreds of different accounts appear from one address at once. Vendors such as MaxMind, IPinfo, and IPQualityScore sell this proxy/VPN signal as a live, continuously refreshed feed, because a static blocklist is stale the day it ships.

The harder evader is smart DNS, a service that changes only the part of the connection that resolves names to addresses, leaving the viewer's real IP in place. Because it does not route video through a data-center address, the obvious "this is a hosting IP" tell is absent, and detection has to lean on other signals. Residential proxies — routing through real home connections rented from other users — are harder still. The honest framing for a builder is that location obfuscation is an arms race you manage, not a problem you solve: you buy a good VPN/proxy signal, refresh it constantly, and accept that perfect enforcement is neither achievable nor what the studio contract actually requires. What it requires is reasonable, current effort — and the trade-off that effort creates is the next section.

The central trade-off: accuracy versus false positives

Every tightening of a geo rule blocks more evaders and more innocent subscribers. That is the whole game, and the only way to tune it is to put numbers on it.

Walk a concrete day. Suppose your platform serves 500,000 plays per day in a region, and you enforce territory with country-level geo-IP at 99.8% accuracy. The math on the misclassified slice:

Plays per day:            500,000
Geo-IP error rate:        0.2%   (100% − 99.8%)
Misclassified plays:      500,000 × 0.002 = 1,000 per day

Those 1,000 plays are geolocated to the wrong country. If you hard-block any mismatch between the geo-IP country and the licensed territory, a share of those 1,000 are paying subscribers sitting legally at home whose mobile carrier or cross-border ISP address simply registered on the wrong side of a line. If even 30% are legitimate, that is 300 wrongful blocks a day — roughly 9,000 a month of correctly located, paying customers told "not available in your region." Each is a support ticket and a churn risk.

Now stack a second strict check — block any address your VPN feed flags — with a modest 0.5% false-positive rate:

Plays per day:            500,000
VPN-flag false positives: 500,000 × 0.005 = 2,500 per day

That is 2,500 more paying viewers a day — someone on a corporate VPN at home, in-territory — wrongly told to turn it off. The two checks do not cancel; their false positives add up, and both scale linearly with your success. The lesson is scalability-first: at a thousand plays a day the false positives are a rounding error; at ten million they are a business line. Tune each check to the breach risk the studio contract actually cares about, prefer a soft prompt ("we think you may be using a VPN — confirm your location") over a hard block where the law and the deal allow it, and reserve hard blocking for the high-value, high-scrutiny titles where leakage is materially costly.

Accuracy-versus-false-positive dial: loose leaks content, strict blocks paying customers, with a tuned middle and the math. Figure 3. The accuracy-versus-false-positive trade-off. Loose rules leak content past its territory; strict rules block paying customers; the tuned middle blends signals and reserves hard blocking for high-value titles.

Location signal What it sees Country accuracy Spoofed / defeated by False-positive risk
Geo-IP database Country of the IP address ~99.8% (country); weak at city VPN, smart DNS, residential proxy Carrier/corporate NAT, cross-border ISP
Geo-IP + RFC 8805 geofeed Operator-corrected country/region Higher than raw geo-IP Same evaders Lower (registered-vs-located fixed)
Device GPS (mobile) Precise device position Very high where granted Mock-location apps (rooted devices) User denies permission → no signal
Account registered home Stated/verified residence n/a (policy input) False sign-up details Legitimate relocation not updated
Payment / billing country Where the card is issued n/a (strong hint) Foreign-issued cards Expats, gift cards, corporate cards
VPN / proxy risk feed Whether the IP is an anonymizer High for data-center VPNs Smart DNS, residential proxies Corporate VPN, privacy-conscious users

The signals are complementary; a confident decision blends several rather than trusting one. Country-scoped rights are reliably enforceable; sub-national ones need GPS or a verified address.

Location signals compared — geo-IP, geofeed, GPS, account home, payment, VPN feed — by what they see and false-positive risk. Figure 4. The location signals at a glance. No single signal is enough; a confident territory decision blends several, and only country-scoped rights are reliably enforceable from geo-IP alone.

How geo-rules wire into the platform

The good news is that geo-enforcement is not a new subsystem — it slots into the availability service that is already part of the platform chassis in how an OTT platform works. Recall the two-question split from the licensing article: the availability service asks "may this title be shown here and now, to anyone?" and the entitlement service asks "may this user watch it?" Territory belongs to the first. We cover the per-user half in subscription billing and entitlement.

The flow on each request has four steps. First, resolve location: look up the IP in the geo-IP database (improved by geofeeds), read the account's registered home, and accept a GPS override where the app provides one. Second, score risk: consult the VPN/proxy feed and attach a confidence level. Third, decide in the availability service: combine the resolved country, the registered-home and temporary-presence policy (including the EU Portability rule), and the title's territory record from your rights data, then return allow or deny — the same call that already checks the window and the SVOD/AVOD tier. Fourth, enforce in two places.

That last point is the one teams miss. Hiding a title from the catalog screen is not enforcement — the video segments still sit behind URLs that a determined client can request directly. Real geo-enforcement happens at the content-delivery edge too: the network that serves the video checks the location (and a signed, expiring token) before it hands over a single segment, so an out-of-territory request is refused at the byte level. The edge mechanics — tokenized URLs, edge geo-rules, and the content-delivery network's own geo-filtering — are a delivery topic, and we cover them in Video Streaming's geo-blocking, geo-fencing, and content restriction. The rights layer decides; the edge enforces; both read the same territory truth.

Geo-enforcement flow: resolve location, score VPN risk, check territory, then enforce in the app and at the delivery edge. Figure 2. The geo-enforcement flow. Location and a VPN-risk signal feed the same availability service that checks window and tier; the decision is enforced both in the app and at the content-delivery edge.

A common mistake: blocking on the IP alone

The single most expensive geo error is treating the live IP address as the whole truth: "if the IP is outside the licensed country, deny." It looks correct and it ships fast, and then it fails three ways at once. It wrongly blocks the traveling EU subscriber whose home catalog the Portability Regulation says must follow them. It wrongly blocks the at-home subscriber whose mobile carrier address registers in a neighbouring country. And it fails to stop the smart-DNS user whose real IP looks perfectly local. A system that is simultaneously too strict for honest customers and too leaky for evaders is the worst of both worlds, and it is the default you get from an IP-only rule.

The fix is the architecture above: resolve several signals, encode a registered-home and temporary-presence policy, layer a VPN-risk score rather than a binary IP gate, prefer a soft challenge to a hard block where the deal allows, and enforce at the edge as well as the app. None of it is exotic; all of it has to be designed in before the first multi-territory studio deal, because retrofitting a home-country concept onto an IP-only gate touches the most-called function in the platform.

Where Fora Soft fits in

Geo-enforcement is a scale-and-correctness problem before it is a legal one: an availability check consulted on every catalog render and every play, across every territory, that must be fast, auditable, and wrong as rarely as possible — because each error is either a studio breach or a churned subscriber. Since 2005, Fora Soft has shipped 625+ video projects for 400+ clients across video streaming, OTT/Internet TV, live conferencing, e-learning, surveillance, and telemedicine, including platforms whose catalogs are bound by territory, window, and tier at the same time. When a media company arrives with deals in a dozen countries, our first engineering job is the one mapped here: turn each territory clause into rights data, blend the location signals into one confident decision, respect the home-country rules, and enforce it at both the app and the delivery edge so the catalog scales without leaking and without blocking the people who pay for it.

What to read next

Call to action

References

  1. Regulation (EU) 2017/1128 — Cross-border portability of online content services (Official Journal of the EU, applicable 1 April 2018). Tier 1. Requires paid online content services to give subscribers their home-country catalog while temporarily present in another member state, at no extra charge; contrary contract terms are unenforceable. Article 5 lists the closed set of verification means (ID/eID, payment details, set-top-box address, IP check) and mandates data minimization. https://eur-lex.europa.eu/eli/reg/2017/1128/oj/eng
  2. Regulation (EU) 2018/302 — Addressing unjustified geo-blocking (Official Journal of the EU, in force 3 December 2018). Tier 1. Bans unjustified geo-blocking in e-commerce but explicitly excludes audiovisual services provided under exclusive territorial licenses, so streaming catalogs may remain territory-scoped within the EU; carries a periodic review clause. https://eur-lex.europa.eu/eli/reg/2018/302/oj/eng
  3. IETF RFC 8805 — A Format for Self-Published IP Geolocation Feeds (IETF, August 2020). Tier 1. Defines the "geofeed," a published file mapping a network operator's own IP ranges to coarse country/region/city, used to correct registered-versus-located geo-IP errors; discovery later standardized in RFC 9632 (2024). https://www.rfc-editor.org/info/rfc8805/
  4. WIPO Copyright Treaty (1996), Article 8 — Right of Communication to the Public (WIPO). Tier 1. The international "making available" right that is licensed territory by territory and is the legal basis for a per-country streaming map. https://www.wipo.int/wipolex/en/text/295166
  5. MaxMind — Geolocation accuracy; country-level and city-level geolocation (MaxMind, 2025). Tier 4. States country-level geo-IP accuracy around 99.8% and explains the weaker city-level data plus the registered-versus-located country distinction (mobile carriers, embassy/military networks). https://support.maxmind.com/hc/en-us/articles/4414762983195-Country-level-and-City-level-Geolocation
  6. Proxy / VPN detection databases (IPQualityScore; IPinfo, 2025). Tier 4. Describe how data-center address ranges and behavioural anomalies are used to flag VPNs and proxies in real time, and why static blocklists are stale on publication. https://www.ipqualityscore.com/proxy-detection-database
  7. MovieLabs Specification for Enhanced Content Protection (ECP), v1.4 (MovieLabs, August 2024). Tier 2. The studio-driven protection profile premium licenses commonly require; studios individually determine which practices — including location/geo-filtering controls — are prerequisites for distributing their content. https://movielabs.com/ngvideo/MovieLabs_ECP_Spec_v1.4.pdf
  8. Smart DNS proxies — how they evade geo-detection (Multilogin; SmartDNSProxy, 2025–2026). Tier 7. Explains that smart DNS changes only DNS resolution and leaves the real IP in place, so it sidesteps data-center-IP detection — orientation for the evasion arms race, not a primary source. https://multilogin.com/blog/smart-dns-proxy-servers/
  9. Regional blackouts and home-territory ("couch") rights (FanDuel Sports Network help; industry guides, 2026). Tier 5. Describes layered national/regional/digital sports rights and the home-territory travel allowance — a concrete commercial parallel to the EU Portability home-country model. https://help.fanduelsportsnetwork.com/hc/en-us/articles/40278620370075
  10. IP geolocation and VPN-usage trends, 2025 (BigDataCloud; industry summaries). Tier 5. Orientation figures on geolocation accuracy variability and rising VPN adoption affecting enforcement. https://www.bigdatacloud.com/blog/why-ip-geolocation-accuracy-makes-or-breaks-ad-tech

Per the conflict hierarchy, the EU regulation texts (refs 1–2) and the IETF standard (ref 3) control over vendor and industry material; where popular guides implied "the EU banned geo-blocking for streaming," the article follows Regulation (EU) 2018/302's explicit audiovisual exemption and flags the distinction.