Connected devices? How about 36 million of them? That’s the number of smart meters currently deployed in the U.S., monitoring energy use in the home as part of some 1,400 collected data points per device.
“The Smart Grid is a good thing,” said Jerry Hanley, CPO at the Department of Energy, at yesterday’s IAPP Practical Privacy Series-DC (PPS-DC) event, “I can’t emphasize that enough … but the home is your most sacred place. Yes, the smart meter has a lot of capability to collect information about you. Maybe it decreases your bill. But there’s a lot of potential for abuse.”
That’s why, as Hanley helped oversee the implementation of the American Recovery and Reinvestment Act of 2009, which supplied $4.5 billion for the upgrade of the American power grid, he made sure that privacy was a consideration every step of the way.
Similarly, David Strickland, then-administrator of the National Highway Traffic Safety Administration, had a tall order when he oversaw the creation of a rule requiring the inclusion of an event recorder in every new car sold after September 1, 2014. “Ninety-six percent of all cars already had an event recorder,” he said from the PPS-DC stage. “We were simply capturing the last four percent of vehicles, and we got 8,000 public comments about it.
“What’s going to happen with something that can actually track you?”
That’s the question burning in privacy pros’ minds in the U.S. federal government and around the globe as the Internet of Things (IoT) explodes with new devices sitting on the network and recording personal data.
Hanley and Strickland outlined three major pieces to any successful IoT rollout.
First, you need transparency. “Communications and giving notice to the consumer is vital,” said Hanley. “You gotta be the advocate and convey stories about how if you don’t follow the privacy principles, it’s the kiss of death.”
Whether you’re working at a government agency or a commercial enterprise, “it’s just good business to have communications with your customer,” Strickland agreed. “You have to say, ‘I know you might be concerned; let me tell you what we’re collecting and let me tell you what we’re not collecting.’”
Second, “you have to have standards,” said Hanley. Whether it’s a prescribed standard from a regulator or an industry-generated code of conduct, there needs to be a consistent set of rules you can point to.
It’s certainly no coincidence that the Association of Global Automakers has taken it upon itself to create privacy principles for the automobile manufacturing industry, Strickland noted.
Finally, Hanley argued, there must be oversight: “You need a party who’s qualified, not affiliated with the manufacturer, who, if they find irregularities, has the ability to pull the plug and convey what’s happening to consumers.”
Maybe that’s a CPO who’s really been empowered to oversee operations. Or maybe it’s simply a strong regulator with which the industry or organization is in frequent communication.
“The standard of care has been established by the FTC,” said Strickland. The auto industry has created principles in order to show it cares about privacy and stave off inquiring regulators. “You don’t want to be the industry that has a huge data breach and the enforcers come rolling in,” he said.