FTC Examines Security Risks and Notice and Choice Challenges for the Internet of Things
As we highlighted earlier this fall, the Federal Trade Commission broadcast its interest in the Internet of Things (“IoT”) by bringing its first IoT security action against TrendNet. See here.
Last week, the Commission continued its scrutiny of these technologies with its much-anticipated workshop on the IoT ecosystem, where discussions confirmed that the FTC will remain active in this emerging space. Companies should be careful to implement strong security protections, even at the earliest stages of their product’s development, and consider how to address potential privacy issues through meaningful notice and consent. Although the Director of the Bureau of Consumer Protection, Jessica Rich, indicated that the FTC would not seek to issue new regulations regarding IoT in the near future, it would be prudent to expect more investigations and potential enforcement actions like TrendNet as the FTC continues its IoT focus.
Workshop participants – who included regulators, privacy and security experts, developers of IoT technologies, and consumer advocates – generally agreed that strong security should be a priority for IoT technologies. Given their ability to capture significant amounts of highly personal, albeit sometimes mundane, data, IoT devices are an appealing target for data thieves. The FTC understands these security risks and will be scrutinizing companies that utilize IoT technologies. To mitigate potential exposure, companies should approach security as they would privacy by design, and build in safeguards that can evolve along with their products and businesses.
The workshop also highlighted disagreements over what standards should apply for IoT data collection and use and who should promulgate them. Although this is a common tension with emerging technologies, these technologies create some unique challenges, as many devices do not offer a natural opportunity for meaningful consumer notice and choice. Accordingly, one question is whether the Fair Information Practice Principles (“FIPPs”), are relevant to IoT technologies. The Future of Privacy Forum, a think tank that focuses on “responsible data practices,” highlighted this concern and issued a white paper outlining some key considerations for a new approach. See here. Additionally, FPF urged the FTC to articulate more granular guidance regarding IoT technologies. Other workshop participants disagreed, stating that the FIPPs remain a useful paradigm, and that the FTC’s privacy by design approach would permit the industry to adequately address privacy and security concerns.