The Internet of Things (IoT) enables everyday objects – printers, thermostats, pacemakers, cars – to collect and exchange data over the Internet. Like other online data, IoT data can be mined, transformed and monetized. Estimates suggest that by 2019, such data will be worth over $1.7 billion.
However, with the exponential growth of IoT comes higher risk and greater scrutiny of data privacy and security.
In the United States, the Federal Trade Commission, the nation's top privacy enforcer, has issued guidance and standards on privacy and has been an active enforcer of privacy and cybersecurity issues.
In its report, "Protecting Consumer Privacy in an Era of Rapid Change," the FTC set out its privacy framework for the collection, use and disclosure of device and personally identifiable information. Key privacy principles under the framework are notice and transparency, as well as consumer choice (in particular related to sensitive data and "unexpected" collection, use and sharing). However, finding ways to provide clear notice and obtain consent can be challenging in the context of IoT and connected devices. Even so, the FTC has made clear that its privacy framework applies in the IoT space. In 2015, the Commission issued guidance on how its privacy framework applies to IoT in "Internet of Things: Privacy and Security in a Connected World." In a recent enforcement action, the FTC went so far as to require a company to delete the consumer information that it had collected unfairly, in violation of notice and choice principles.
Is it spyware?
One risk not directly addressed in the FTC's privacy reports is that of spyware, which the FTC has previously defined as "software that aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer's consent, or asserts control over a computer without the consumer's knowledge." Connected devices often leverage some type of software-based functionality to track information, but companies should be mindful that they do not deploy their connected devices in a way that could bring them within the spyware category.
Determining when software crosses the line into illegal spyware can be challenging. Significant legal and technical analyses may be necessary to ensure the spyware line is not crossed. Recent FTC enforcement actions in the IoT context do not explicitly mention spyware, yet they do provide indications as to what the FTC considers unreasonable tracking of consumer activities. In a 2017 action against Vizio, the FTC established rules for connected devices and unexpected information collection. Through its smart televisions, Vizio was automatically tracking consumers' TV viewing, without consent or adequate notice, and was also selling the data to third parties.
Vizio settled charges with the FTC and the New Jersey Attorney General for $2.2 million. It also was required to delete most consumer data collected through the tracking software and to establish a data privacy program that is subject to a 20-year biennial third-party audit requirement.
Is it an unfair trade practice?
The criteria established by the FTC in the Vizio case apply to any company collecting sensitive or unexpected data from connected devices. Potentially, this could even apply to a company that has acquired unfairly collected data. If that company, for example, hasn't obtained reasonable assurances from the data collector that consumer privacy rights have been respected in the collection and sharing of consumer data, it may be at risk of claims that it has acted unfairly.
In addition to federal enforcement risks, more than 20 state attorneys general are able to obtain monetary penalties for deceptive practices. While fines average around $100,000 per state, for large-scale or egregious consumer privacy violations, fines can rise to the tens of millions of dollars. Reputational and class action risks are also high in this context, as underscored by the Vizio example, which was widely reported and has been the subject of class action litigation.
Going forward, the scrutiny of data privacy and security issues related to IoT will only grow, and the regulatory landscape will be in flux for some time. Prudent boards will keep this in mind.