As the Internet of Things and connected devices become more ubiquitous in the marketplace, they bring with them many privacy and data security complexities surrounding the collection and use of personal information. The Federal Trade Commission has made clear that IoT is at the forefront of consumer protection issues before the agency.
Understanding the particular practices the FTC views as unlawful can be challenging, especially when it comes to IoT devices. Indeed, this effort often involves a deep understanding of the more than 100 privacy and security FTC enforcement cases and related business guidance (as well as the broader scope of FTC consumer protection law), which can be difficult to distill quickly.
Below is an initial checklist to help avoid the type of privacy and security snafus that can attract FTC attention when marketing and releasing an IoT device.
1. Know what data the connected device will collect and transmit
Understand precisely what individual and device identifiers the device will collect and transmit, both actively and passively, intentionally and unintentionally, from and about users, and identify whether such information could be considered personal to the user or identify the device or location. In this regard, it helps to cast a wide net and include data that are obviously individually identifiable, as well as data that might seem anonymous but which the FTC views as personal, such as: (1) a persistent identifier, such as a customer number held in a cookie, a static IP address, a mobile device ID, or a processor serial number; (2) precise geolocation data of an individual or mobile device, including GPS-based, Wi-Fi-based, or cell-based location information; and (3) an authentication credential, such as a user name or password.
2. Be mindful when collecting sensitive data
When developing a device that will collect sensitive consumer data, apply extra scrutiny to such collection and anticipated consumer use of the device. The device design and practices should be further reviewed to confirm that data are collected for a legitimate, defensible business reason, and are appropriately secured while in the company’s or its agents’ control, or when stored locally on the device. This can include, for example, personal health information collected through wearable devices, credit card or other financial information stored in a virtual wallet, recent and precise geolocation information obtained through a mobile device, or information collected about special populations like children or the elderly.
3. Follow the data
Connected devices may obtain information through a variety of sources and share such data in a variety of ways. This could include user data coming inbound to the company’s network from the device, the device connecting to a service provider’s network, or the company sharing access to an internal database of user information for marketing purposes. Understanding what internal or external networks the device will be connecting to, what third parties the data will be shared with, and how such information will be used can be half the battle. It is equally relevant to anticipate how a consumer will use the device, particularly within the context of device functionality and how the device is marketed. Having a clear understanding of actual and foreseeable data flow and corresponding security can help ensure that appropriate security measures and risk mitigation strategies are taken.
4. Conduct due diligence throughout the product lifecycle
Practice privacy and security design due diligence throughout all relevant phases of a device’s life cycle. This should take place in the initial design phase, during development, before deployment, once in the marketplace, and with product or software updates thereafter.
5. Confirm privacy and security representations are accurate and substantiated
Statements made about how the smart device will function, its capabilities and marketed use, as well as how personal information will be handled, protected, or otherwise treated should be accurate, up-to-date, and supported. This can include representations made in consumer-facing documents, such as a privacy policy, customer agreement, product user guide, or advertising materials. The FTC often will look at these representations when determining whether a practice is deceptive.
6. Give consumers appropriate notice and choice
Provide clear, user-friendly notice and choice options that are delivered at a time and in a context relevant to the consumer’s decision about whether to allow the device to collect or use specific data. This is especially true if the connected device will be collecting sensitive personal information from users, or could involve data practices that are likely to surprise consumers. If so, the FTC urges companies to provide “just-in-time” disclosures and obtain “affirmative express consent” from the user. What a reasonable consumer may expect concerning collection or use likely depends on the content being offered and the benefits to consumers. Consumers are increasingly trading their privacy for ancillary benefits when the information use is clearly conveyed.
7. Assess risks with your audience and data in mind
Assess both the intended and likely uses of the product by consumers, and anticipate whether the product and company’s practices reasonably protect against unnecessary risks to consumers or their data. Implementing reasonable administrative, technical, and physical safeguards to protect such data is key, based on the size of the company and the nature and scope of personal information collected and maintained. Designating an individual or team within the company (and within relevant product development divisions) to oversee privacy and security-related issues can help to confirm that the company has reasonable safeguards in place, collects only data needed for specific business purposes, and has reasonable data retention practices in place to fulfill such purposes. Having a program to continuously assess the risks will help demonstrate that you have built your device with consumer privacy and data security in mind.
8. Confirm legal scope
The type of data being collected, how that information is used, and what parties are involved in the associated business transactions can trigger a variety of consumer protection laws, including the FTC Act, Children’s Online Privacy Protection Act (COPPA), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), Telephone Consumer Protection Act (TCPA), and CAN-SPAM Act, among others. Having a good understanding of the data collection and use practices, along with the laws that they may trigger, can often help to avoid FTC or other legal scrutiny.
9. Oversee and monitor service providers and partners
Develop a documented process for overseeing and monitoring third-party service providers and business partners who will have access to or handle personal information collected by the company, or stored on or transmitted from the device. This can include executing agreements containing strong provisions requiring third parties to limit their use of such data, confirming appropriate information security safeguards, requiring the third party to provide notice of any known or suspected breach, and identifying their responsibilities and liability if such a breach should occur.
10. Keep up-to-date on happenings at the FTC
Just as technology continues to evolve, so do FTC standards and guidance. The FTC often will hold workshops and technology-specific forums, followed by guidance, followed by enforcement in new and emerging areas of interest. Recently, the FTC announced a series of workshops designed to address ransomware and related data security issues; privacy and other considerations associated with the use of drones; and tracking consumer habits through their Smart TVs. The FTC also announced an upcoming financial technology forum, and will hold its second PrivacyCon event, seeking to explore new and evolving technologies, such as targeted advertising, cross-device tracking, smart homes, wearable devices, voice-controlled technologies, connected cars, and commercial drones. These IoT issues and options may soon appear in future FTC enforcement fact patterns.
Technology will always be ahead of the law, but companies can take proactive steps to not only minimize the likelihood of becoming an FTC target, but also to build consumer loyalty and long-term market success.