On January 27, 2015, the Federal Trade Commission (FTC), by a 4 to 1 vote, issued a long-awaited staff report entitled The Internet of Things: Privacy and Security in a Connected World. The lengthy report summarizes the FTC’s November 19, 2013, workshop, which explored the consumer privacy and security issues associated with the increasing number of connected devices, provides recommended privacy and security best practices for companies that create and sell connected devices, and repeats the Commission’s call to Congress to enact broad, technology-neutral privacy and data security legislation. FTC Chairwoman Edith Ramirez announced the release of the report during her keynote address at the annual State of the Net conference, stating that “by adopting the best practices . . . laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
During the November 2013 workshop, participants, including FTC staff attorneys, academics, and public and private sector industry representatives, discussed the benefits and risks associated with the “Internet of Things” – the Internet-connected devices that communicate and interact with consumers through the collection and transmission of data. In her opening statements at the workshop, Chairwoman Ramirez emphasized three challenges in the area:
The workshop’s panels focused on the privacy concerns associated with three areas in particular – the “smart home,” connected health and fitness devices and apps, and connected cars – and concluded with a panel addressing the broader privacy and security issues raised by the Internet of Things.
The FTC staff note in the recent report that, although workshop participants generally agreed that the Internet of Things (“IoT”) will provide numerous benefits to consumers, the participants highlighted several potential security risks unique to the IoT arena. Those risks are (1) enabling unauthorized access to and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. In addition, the staff note in the report that these risks may change over time as information collection and use change.
The report sets out a number of best practices and encourages companies that create and sell connected devices to consider adopting them. The practices are grouped into three categories modeled after the Fair Information Practice Principles – (1) data security, (2) data minimization, and (3) notice and choice.
1. Data Security
While acknowledging that what constitutes “reasonable” security practices depends on several factors, including the amount and sensitivity of consumer data collected, the staff recommend the following specific security best practices:
Importantly, the staff note that the Commission’s first Internet of Things case against TRENDnet, involving Internet-connected cameras marketed for home security and baby monitoring, dealt with many issues the data security best practices are intended to help mitigate and demonstrated the importance of privacy by design.
2. Data Minimization
The staff’s second set of best practices focuses on self-examination. Specifically, the staff recommend that companies examine their data practices in view of their business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data in line with those needs. For example, a company may decide not to collect all data; collect only the data fields necessary for the functioning of the product or service offered; collect only less sensitive data; or de-identify the data collected. Data minimization, the staff explain, can help guard against the potential harms associated with a data breach, as well as the risk that the collector will use the data in a manner that deviates from consumers’ reasonable expectations.
3. Notice and Choice
The staff’s final set of best practices evaluates the notice and choice principle in light of the non-traditional (and broad) collection and use environment of the Internet of Things. The staff maintain that providing consumers with the ability to make informed choices remains feasible in this environment, but recognize that one size does not fit all. The staff provide the following non-exhaustive list of notice and choice options:
While the staff also acknowledge a use-based notice and choice model, which learns from consumer behavior on a device to personalize the device, they raise three concerns about adopting a use-based model alone: (1) it is unclear who would decide which uses are beneficial or harmful; (2) use limitations alone do not address the risks created by expansive data collection; and (3) the model would not take into account concerns about the practice of collecting sensitive information.
The staff acknowledge that Internet-of-Things-specific legislation is not necessary at this time but encourage the development of self-regulation designed for particular industries, which “would be helpful as a means to encourage the adoption of privacy- and security-sensitive practices.” Additionally, the staff took the opportunity to reiterate the Commission’s call to Congress to enact general data security legislation, pointing to the availability of connected devices that are not reasonably secure and explaining that technology-neutral legislation would apply to the Internet of Things environment and address the risks connected devices pose to consumer personal information. Such legislation would require companies to implement reasonable and appropriate data security practices, notify consumers in the event of a security breach, issue privacy notices at specific points, and offer consumers choices about the company’s data collection and use.
Despite Chairwoman Ramirez’s praise, the Commission’s vote to publish the report was not unanimous. Commissioner Wright dissented from the decision to publish the report because, in his opinion, the staff’s recommendations for both best practices and baseline privacy legislation are without analytical support establishing that, if adopted, they would improve consumer welfare. Any published report, he explains, should set forth evidence identifying the costs and benefits of these recommendations and analyzing whether the latter outweigh the former.
Additionally, Commissioner Ohlhausen issued a concurring statement explaining that, while she generally agrees with the report, she does not support the recommendation for baseline privacy legislation because, in her opinion, it is not necessary. She also expressed concern that the call for data minimization encourages the deletion of valuable data based on speculative and hypothetical harms.
At a minimum, the FTC’s IoT report underscores the areas on which the Commission will be focusing from a policy perspective in the arena of mobile and wireless-connected devices. But if past is prologue, these recent “do’s and don’ts” also provide a blueprint on enforcement issues that the FTC and other government enforcers and private litigants are likely to scrutinize and use to take action against companies whose practices may fall short of these guideposts. Companies that provide an IoT product or service can benefit from considering how this latest guidance applies to their business practices and whether there is an opportunity for enhancements to:
Taking proactive, reasonable steps now on compliance considerations in the design and marketing of such products and services can ultimately determine whether a company’s brand becomes one of 2015’s enforcement examples.
John J. Heitmann is a partner and chair of the Communications practice at Kelley Drye & Warren LLP. Alysa Zeltzer Hutnik is a partner who represents clients in all forms of privacy, data security and advertising matters. Dana B. Rosenfeld is a partner and chair of the firm’s Privacy and Information Security practice. Jameson J. Dempsey, an associate, focuses his practice on telecommunications, information technology, and data privacy and security matters, and Katherine E. Riley, an associate, focuses her practice on advertising and marketing, privacy and information security, product safety and other consumer protection law matters.