By Jeanie Gong and Susan Lyon-Hintze
On January 27, 2015, the Federal Trade Commission (“FTC”) released its new report on data protection for users of the Internet of Things (“IoT”) which includes connected products such as health and fitness monitors, home security devices, connected cars and household appliances. The report focuses on the following areas: security, data minimization, and notice and choice
The FTC’s report provides companies developing IoT products with guidelines on what constitutes reasonable security. The FTC recommends that companies build security into devices at the outset, train employees on security policies and practices, manage security at appropriate levels within their organizations, ensure service providers are capable of maintaining reasonable security, develop a multi-layered defense strategy in response to identified security risks, consider measures to keep unauthorized users from accessing data, monitor connected devices throughout their life cycle, and provide security patches to cover known risks when feasible.
The report also focuses on data minimization and urges companies to limit the data they collect and retain. As guidelines, the FTC presents four options to companies: collect no data but only the fields of data necessary to the product or service offered, collect less sensitive data, de-identify any data collected, or seek consumers’ consent for collecting additional, unexpected categories of data. The FTC states that doing so can help protect consumers against data thieves attracted to larger data sets and can lower the risk of data being used in a way that departs from consumers’ reasonable expectations.
The FTC also discusses the continued need for companies offering IoT products to provide notice and choice. If a company plans to use data in ways that consumers would not expect, then, according to the FTC, that company should offer clear and conspicuous choices to consumers. However, if a company plans to only use data in ways a consumer would expect, or if the company immediately and effectively de-identifies the data after collection, then the FTC states that a company generally does not need to offer choices to consumers. The FTC acknowledges that companies face a large practical obstacle if they have to provide choices for every instance of data collection, especially when there is no consumer interface. The FTC, however, explicitly rejected the idea of adopting a solely use-based approach to limitations on data practices. Instead the FTC provided suggestions on how companies could still comply with notice and choice requirements even with limited consumer interfaces using methods such as point of sale choices, QR codes on devices, and icons.
The FTC declined to recommend IoT specific legislation, acknowledging comments regarding the great potential for innovation in the area of IoT and stating that legislation would be premature. The FTC, however, recommended that Congress pass data breach legislation and reiterated its call for baseline federal privacy legislation. The FTC’s lack of support of IoT specific legislation should not be seen as an indication that the FTC believes that enforcement in the area of IoT would be premature. The FTC has already brought an enforcement action against at least one IoT company (See, In the Matter of TRENDNet, Inc.) , and in its report stated it would continue to use its existing enforcement tools, including the FTC Act, to take actions against IoT companies who fail to consider privacy and data security issues.
For additional information about the FTC’s report on the IoT visit: http://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
The FTC also released a new guide for businesses on building security into products connected to the IoT: “Careful Connections: Building Security in the Internet of Things.”