The Internet of Things has multiple uses in business-to-consumer and business-to-business spaces. It is typically defined as a network of devices equipped with sensors that can observe real-time data and communicate with each other. Think about connected cars, smart homes and various “smart products” designed for consumers, as well as connected machines and facilities increasingly used in workplaces.

For in-house privacy professionals, a new IoT project may present a range of legal and compliance issues, as existing laws might not be squarely suited to address privacy and security risks in the IoT environment. This article provides an overview of the current regulatory landscape and some practical tips on approaching IoT projects.

The state of play

In recent years, discussions around IoT technologies were mostly held in corporate research and development departments with some rare attention from regulators in the EU and U.S. (e.g., WP29 Opinion 8/2014, 2015 FTC Staff Report).

Existing privacy laws do not specifically call out IoT devices. The EU General Data Protection Regulation provides individuals with certain privacy rights and controls over their data, regardless of the technologies used. The California Consumer Privacy Act and other privacy laws worldwide are following suit.

On the security front, California has gone a step further and recently adopted the “first-of-its-kind” IoT security law that requires manufacturers to equip IoT devices with “reasonable security features.” Beyond that, many data protection authorities are still catching up with rapid technological advancement, focusing on distinct areas of concern, such as facial recognition and artificial intelligence.

In the absence of nuanced guidance in the IoT arena, many companies strengthen their privacy programs and turn to the development of corporate data ethics programs, building upon existing data protection laws and frameworks and shaping an industrywide approach to the IoT and other emerging technologies.

Key features of IoT

In contrast to our laptops and smartphones that provide a distinctive “gateway” to the digital world, IoT devices are supposed to seamlessly blend into our lives.

“Always-on” devices: They are always “on,” communicate by their very nature and are intentionally designed to collect an extensive amount of data to provide contextual services. These characteristics might appear to contradict data minimization and privacy-by-design/-default concepts.

Technical sophistication: IoT devices use an advanced infrastructure that can provide monitoring 24/7. Add to that the collection of sensitive data (e.g., fitness trackers) and automated decision-making features (big data analytics, AI/machine learning), and your IoT project falls into a high-risk bucket under the GDPR.

Shift in human perception: It might be hard for users to perceive that real-world physical objects now “think” and “talk” (e.g., a smart refrigerator reminds you to buy orange juice). It will be even harder to understand how their data moves in IoT ecosystems and what’s happening downstream.

Limited capabilities of user interface: In many cases, sensors or IoT devices themselves are rather small or lack an input mechanism (e.g., touch screen), which leads to certain challenges in providing appropriate privacy controls to end-users.

Fluid concept of “end-user”: Who should even be considered an end-user in the IoT environment? Is it the person who bought the device or the people who use it? What about guests in your “smart home” or employees on a construction site equipped with IoT sensors?

Compliance focus areas

Due to these distinctive characteristics, certain compliance areas become more challenging in the IoT context but nevertheless remain relevant.

Security is a big deal, and so is PbD

Inadequate security practices have recently become a common enforcement theme in the IoT world. The severity of data breaches can be high due to the interconnected nature of the IoT. Agencies and industry groups have come forward with guidance on what “reasonable security measures” mean for IoT devices (e.g., the European Union Agency for Cybersecurity's Good Practices for Security of IoT and the U.S. National Institute of Standards and Technology's Recommendations for IoT Device Manufacturers).

Privacy by design, along with data minimization and use limitation practices, is equally important. Despite some perception that the nature of IoT devices runs counter to these approaches, there are a few emerging privacy-enhancing technologies, such as local processing, device-level machine learning techniques and “small data” concepts, that allow companies to innovate, comply with existing laws and stand out among competitors.

How to provide valid notice?

Transparency is the central component of many privacy frameworks; however, there might be no standard means to display notices in the IoT context — imagine distracting pop-ups while driving a car. Therefore, providing notice for IoT devices may require some creativity to keep it safe, user-friendly and compliant.

For example, in the GDPR world, notice options include icons on IoT device packaging, QR codes, tutorials during setup, voice alerts and privacy dashboards, as indicated in the WP29 Guidelines 2016/676. This list could be a good starting point for your conversation with IoT project stakeholders.

Consent is (likely) not a ‘king’

The overreliance on consent is often criticized in the web domain (e.g., cookie fatigue). Indeed, the EU ePrivacy Directive, which sets special rules for “machine-to-machine communications,” is focused on consent as the prevailing ground for data processing. In an interesting turn, the ePrivacy Regulation draft released recently by the Croatian Presidency establishes that end-user consent is not required in the IoT context and that processing is allowed based on contractual necessity.

Regardless of regulatory developments, it seems more important to understand your users’ expectations. With a number of gray areas, the user-centric approach, coupled with companies’ accountability, can mitigate associated risks in the IoT space.

So, where to start?

Review the regulatory landscape: Make sure to monitor IoT regulatory developments worldwide, including laws, industry standards, guidelines and enforcement cases.

Develop the IoT review framework: Create a cross-functional data review board to get input from various stakeholders and demonstrate to regulators a thoughtful decision-making process behind your IoT project.

Initiate a security assessment: Run an assessment to identify whether a new IoT product implicates any regulatory security requirements and incorporates appropriate security safeguards.

Leverage your PbD program: Engage with your product team as early as possible, and make sure to stay involved throughout the development lifecycle. In many cases, a data protection impact assessment review will be triggered.

Design privacy controls: Depending on jurisdiction, there might be various legal requirements for notice, consent or data subject rights. Consider providing geo-specific settings, such as the CCPA’s “do not sell” button for California residents.

Think like a user: User research and testing are crucial in understanding your users' expectations for the IoT. Results will help you have a meaningful discussion with stakeholders on “what is the right thing to do?”

Remember B2B issues: Consider how to provide your enterprise customers with the means to address applicable privacy and employment laws, such as restrictions on employee monitoring in certain jurisdictions.

On a big-picture scale, the wide adoption of IoT is still in the early stages. Remarkably, the COVID-19 pandemic has led to an increase in the use of connected devices by companies, such as IoT sensors in buildings and various contact-tracing apps. Hence, it is a crucial time for companies to step up their data protection and data ethics programs to foster trust in IoT technologies. In the end, privacy is not a compliance burden; it’s good and socially responsible business.