The Internet of Things, otherwise known as the “IoT”, is the term used to describe electronics, sensors and many other similar devices which autonomously collect and transmit data through the Internet without any human input. Examples of IoT devices range from things we have seen for years, such as ATMs, to newer wearable technology, including smart watches and fitness trackers, to much more advanced and ‘futuristic’ ideas like Tesla’s automated parking system and Google’s self-driving cars.
We are increasingly becoming dependent on such technology without necessarily realizing the potentially damaging ramifications of these decisions. Data transmitted from one endpoint might carry almost no personal information on its own, but when a collection of endpoints is analyzed together, privacy can become a very real concern. Companies claim that they sell data collected from these devices in large batches, so third parties shouldn’t be able to determine who you are, but data privacy commissioners are becoming increasingly concerned that this won’t always be the case. With data constantly accumulating, it could be only a matter of time before these third-party companies are able to determine who you are, where you live, and personal characteristics of your lifestyle.
Privacy commissioners suggest that transparency is one of the most important factors at the present time. Companies offering IoT devices should be transparent about what kind of information they collect from their users, why the information is collected, and how long the information is stored. We already know that few people read the Privacy Policies and Terms of Use that come with the products we purchase, so the information needs to be brought to the attention of users in other ways and made easy for them to understand.
The most challenging and possibly most disconcerting element of all of this is that, as of yet, we don’t fully know or understand all the possible ramifications of the IoT or where the future is heading. According to an article from The Guardian, voice recognition built into some Smart TVs is allegedly recording private conversations and selling this information to third parties. No longer are you safe to speak privately in your home, because “Big Brother” is listening. The Guardian compared these new concerns related to the IoT to George Orwell’s famous 1984.
Even with privacy laws already in place to protect citizens from this kind of third-party sale in countries like Canada and the UK, they are not enough. Somehow, people need to be made aware of what information is being transmitted through their devices and whether or not they’re okay with that. If not, citizens will have to be the ones to speak up and demand increased transparency and control over the data they share. Otherwise, legislation just ends up wagging its finger at companies and telling them they’re in the wrong, or, perhaps even worse, government becomes one of those third-party buyers itself.
For more information regarding the Internet of Things and the security concerns stemming from the challenges around privacy, view Part II in our series tomorrow. For more specific help related to your own concerns, contact Revision Legal’s Internet attorneys through the form on this page or call 855-473-8474.
Image credit to Flickr user Alan Cleaver

The Legal Landscape for IoT Privacy in the United States
The IoT’s privacy implications are not merely theoretical — they are increasingly subject to legal enforcement. In the United States, there is no single comprehensive federal IoT privacy statute, but a web of laws governs specific aspects of data collection by connected devices. The FTC Act’s prohibition on unfair or deceptive trade practices, 15 U.S.C. § 45, is the primary federal tool. Under this authority, the FTC has brought enforcement actions against companies that collected consumer data through connected devices in ways that contradicted their privacy representations or that were unreasonably harmful to consumers.
State law adds substantial complexity. California’s Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), gives California residents the right to know what personal information is collected, to opt out of its sale, and to request deletion. A connected device that collects geolocation, health, or biometric data from California residents triggers CCPA obligations regardless of where the manufacturer is located. Violations of the CCPA can result in civil penalties of up to $7,500 per intentional violation, and the law grants a private right of action for data breaches resulting from failure to implement reasonable security measures.
Sensitive Categories of IoT Data
Not all data collected by IoT devices carries the same legal weight. Several categories of data trigger heightened obligations under existing law:
- Health data. Wearables that collect physiological information — heart rate, sleep patterns, blood oxygen levels — may qualify as electronic protected health information under HIPAA if they are used in connection with a covered healthcare provider or health plan. Outside HIPAA, the FTC’s Health Breach Notification Rule, 16 C.F.R. Part 318, requires vendors of personal health records and their service providers to notify affected individuals, the FTC, and in some cases the media, following a breach of unsecured identifiable health information. The FTC has actively enforced this rule against health app developers and wearable device companies.
- Biometric data. Illinois’ Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq., is the most consequential state biometric privacy law in the country. BIPA requires informed written consent before collecting biometric identifiers — fingerprints, voiceprints, retina scans, and facial geometry — and prohibits their sale. Critically, BIPA provides a private right of action with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation. IoT devices that use facial recognition or voice matching trigger BIPA obligations for Illinois users. Class action litigation under BIPA has produced billion-dollar settlements against major technology companies.
- Children’s data. The Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, requires verifiable parental consent before collecting personal information from children under 13. IoT devices — smart toys, children’s tablets, connected learning tools — that are directed to children or that have actual knowledge of collecting children’s data are covered regardless of whether a traditional website is involved. The FTC has fined IoT device manufacturers under COPPA for collecting children’s data without consent.
The Data Aggregation Problem
As the original post noted, the most serious privacy concern from IoT is not any single data point but the aggregation of individually innocuous data points into a detailed behavioral profile. The law has struggled to keep pace with this reality. Most U.S. privacy laws focus on specific categories of sensitive data rather than on the aggregate risk of combining non-sensitive data. But the FTC has articulated a principle — in its 2012 report “Protecting Consumer Privacy in an Era of Rapid Change” — that the aggregation of multiple data streams can itself constitute a sensitive data practice that triggers heightened obligations.
The FTC’s enforcement action against InMobi in 2016 illustrated this principle in an IoT context. InMobi used location data from mobile devices — individually innocuous — to build profiles that allowed advertisers to target users based on their precise whereabouts without consent. The FTC found this to be an unfair trade practice and imposed a $950,000 civil penalty. The same logic applies directly to IoT: a company that aggregates location, sleep, exercise, purchase, and voice command data from a suite of connected devices, even if no single stream is sensitive, may be engaging in a practice that the FTC considers unfair to consumers who had no reasonable way to anticipate the aggregate picture that would be assembled.
Privacy Policy Requirements for IoT Products
Any company deploying a connected device that collects personal information from U.S. consumers should have a privacy policy that accurately describes the data collected, the purposes of collection, the categories of third parties with whom data is shared, and the user’s rights with respect to that data. This is not optional. The FTC regularly brings enforcement actions against companies whose actual data practices are inconsistent with their posted privacy policies, characterizing the inconsistency as a deceptive trade practice under Section 5(a). Beyond the FTC, state attorneys general in California, Colorado, Connecticut, Virginia, and Texas have independent enforcement authority under their state privacy statutes.
For IoT products, the privacy policy should also address: firmware and software update practices; data retention periods; the security measures applied to data in transit and at rest; the geographic location of data storage (relevant for GDPR compliance if EU users are involved); and the company’s data breach notification procedures. Vague assurances that data is “used to improve the user experience” are increasingly inadequate and invite regulatory scrutiny.
If your company collects data through connected devices and needs help assessing your legal exposure or drafting compliant privacy policies, contact Revision Legal’s internet law attorneys through the form on this page or call 855-473-8474.