with co-author Mary Race
The Internet of Things (IoT) is rapidly expanding. Our homes, cars and workplaces are filling with connected devices designed to cater to our personalized needs. They respond to our instructions, whether delivered through a mobile app or a spoken command, and they collect data about our activities in order to better anticipate our needs. All of this data collection creates a digital trail of consumers’ lives, which becomes richer and more detailed as multiple sources of data are combined. Big data analytics offer seemingly endless opportunities to use and commercialize this data in new ways.
Yet unanticipated uses and disclosures of user data may compromise consumer privacy and even undermine consumer trust. As a result, companies will need to pay increasing attention to privacy compliance in the IoT space as courts and regulators focus on issues such as notice, choice and security.
A recent FTC settlement with the smart TV manufacturer Vizio, Inc. highlights several key privacy compliance challenges facing companies in the IoT space. In the settlement, which included a hefty payment of $1.5 million, the FTC reiterated its position that collecting and using information in ways that surprise consumers — such as Vizio’s collection and sharing of consumers’ television viewing activity via its connected televisions — requires “just-in-time” notice and choice. In addition, the FTC expanded its view of what constitutes sensitive personal information to include consumers’ television viewing activity, an indication that regulators are willing to look beyond traditional concepts of personal information as they evaluate new types of data collected by connected devices.
Security and data protection concerns loom large in the IoT space. As devices become more connected and hackers become more sophisticated, companies developing IoT products will want to stay on top of data security, ideally by building sufficient protections into their product design. Current best practices, such as conducting privacy impact assessments of new products and services, are rapidly becoming legal requirements. When the European Union’s General Data Protection Regulation goes into effect in 2018, for instance, companies developing IoT products may be legally required to conduct data privacy impact assessments of technologies that involve consumer profiling or large-scale processing of sensitive information.
Companies should also be aware of privacy compliance issues that arise when employees interact with IoT in the workplace, such as through GPS-enabled devices that allow employers to track employee movement and location. At least one employer has been sued for requiring employees to install a smartphone app that allowed the employer to monitor the employees’ location around the clock, even during non-work hours. Companies should strive to give proper notice to employees, collect only the data they need and consider how long they retain that data.
The fact that precise location data is considered sensitive both in the U.S. and internationally is particularly relevant in the IoT space. In an FTC action brought against the developer of a mobile flashlight app, for example, the agency alleged that the company deceptively failed to disclose that the app automatically transmitted a user’s precise location and unique device identifier to third parties. The FTC ordered the company to provide a just-in-time notice and obtain opt-in consent for such data collection and sharing, including disclosures regarding how the location data may be used, why the app is accessing location data and which third parties receive the location data directly or indirectly via the app.
Going forward, companies can expect to see expanding definitions of what types of data are considered personal information, legal battles over when and how law enforcement agencies can access user data and industry self-regulatory initiatives to try to strike an appropriate balance between privacy and innovation. In an era of constant technological development, privacy compliance in the IoT space remains an ongoing challenge while at the same time presenting an area of opportunity for companies that take privacy concerns into account when developing their products and services.
Christine Lyon is a partner in the Privacy and Data Security practice of the global law firm Morrison & Foerster. She advises organizations on issues related to the collection, use, sharing and safeguarding of data, including personal information of customers and employees. She serves as a trusted advisor, working with clients to develop global strategies to comply with U.S. and international privacy and data protection laws.