Internet of Things and Consumer Privacy
In short, the Internet of Things ("IoT") refers to a widespread network of internet-connected "smart" devices that detect and monitor certain data, and communicate that data to one another without human intervention. For instance, recent technology advances have allowed for the development of devices like smart cars and smart homes that utilize embedded sensors to gain "intelligence," which can then be shared with other devices that possess similar capabilities.
What type of risk does the Internet of Things pose?
For consumers, there are a number of exciting benefits to be wrought from such technological advances, anywhere from devices performing critical tasks like heart monitoring, to those simply providing conveniences like self-adjusting thermostats. However, the collection, storage, and dissemination of data necessary for the effectiveness of the Internet of Things risks intruding on consumer privacy and security, particularly when sensitive personal information is collected over time.
In turn, much of this risk to consumers is borne by businesses that utilize these technologies in that intrusion on consumer privacy and security can expose businesses to legal liability. Moreover, because regulation of this area is in a developmental stage, the extent of this potential liability is uncertain, rendering these technologies even riskier to employ. Despite this uncertainty, the Federal Trade Commission ("FTC")-the federal agency primarily responsible for consumer protection-has made its intention clear to combat misuse of consumers' private data.
What can businesses do to minimize these risks?
On January 27, 2015, the FTC released a report recommending steps for protecting consumer privacy and security to businesses that manufacture and sell devices that are part of the IoT. The recommendations focused on four of the FTC's Fair Information Practice Principles: (1) security; (2) data minimization; (3) notice; and (4) choice.
In sum, businesses are advised to ensure reasonable security by, for example, implementing security measures into the device design and training personnel in order to handle security issues. Further, businesses may want to practice data minimization, or collecting minimal data and retaining it for minimal time periods. Finally, one notable theme of the report is the importance of consumer control. In other words, businesses should inform consumers of the possible uses of their private information, and where practicable, allow consumers to limit these uses (e.g., by requiring consent).
While the report is not binding, it is said to be helpful guidance for such businesses, as these regulations often serve as a basis for binding legislation, and the law can be expected to develop quickly in response to the urgent need posed by rapidly developing technologies. Thus, businesses are advised to follow these guidelines at the outset (or at the very least conform ongoing operations to them), not only to protect consumers from privacy invasion, but also to avoid potential liability for any such invasions.
For more information about the Internet of Things, you should consult with an attorney. At our law firm, we assist clients regarding internet and technology-related issues in order to help them avoid legal complications.