In January, the Federal Trade Commission (FTC) released a detailed report, “Internet of Things: Privacy & Security in a Connected World”. The FTC’s Report urges product designers and manufacturers to adopt best practices including a strong focus on data security and upholding consumer expectations. For purposes of FTC regulation, the IoT includes any consumer device – other than computers, smartphones or tablets – that connects and stores data via the Internet. This growing area includes diverse products from heart pacemakers to “smart” appliances that collect and transmit user data over the Internet in the name of household efficiency. IoT presents many challenges for government regulators, including rapidly advancing technology and the potential for widespread collection of sensitive consumer medical information.
To address these challenges, the FTC Report attempts to strike a balance between prescriptive rules and more flexible guidelines. In terms of prescriptive rules, some of the best practices FTC urged include “security by design” and data minimization. FTC will evaluate IoT devices on whether data security appears to have been considered as an integral design principle (or as a later add-on), and whether the devices collect more data than is strictly necessary for their intended purposes. During FTC’s comment period, some industry representatives had criticized FTC’s proposed emphasis on “security by design” and data minimization as potentially stifling innovation and lacking sufficient cost/benefit analysis. They noted that what may be needed for security of a pacemaker may not be needed for less sensitive devices. Less controversial was the FTC’s direction that IoT device makers strive to meet the reasonable expectations of consumers regarding collection and use of personal data – expectations that vary from device to device. This regulatory standard is arguably more flexible, able to evolve alongside IoT technologies, and potentially less likely to become outdated quickly.
While IoT device makers are naturally those most concerned about the approach FTC is taking, any company desiring a high level of regulatory compliance regarding consumer personal data practices can benefit from application of the Report’s recommendations. The Report nicely encapsulates the FTC’s general regulatory approach with respect to its “unfair and deceptive trade practices” enforcement over the past decade. As the Report illustrates, application of a single set of rules to a diverse and changing set of circumstances and technologies can be very challenging, and consumer product manufacturers will benefit from the advice of legal counsel experienced in FTC privacy matters.
Author Kim Verska is a Certified Information Privacy Professional (US) through the International Association of Privacy Professionals and a Partner in Culhane Meadows’ Atlanta office. She is a frequent speaker regarding evolving legal issues for the technology industry and other businesses and can be reached at kverska@culhane.law