By some estimates, there were more than 2 wireless networked devices for every person on the planet in 2014. The multiplier is expected to reach 5 by the year 2020.

This explosive proliferation of networked technology offers remarkable opportunities, but also inspires concern that the connected future may result in ubiquitous, inescapable, surveillance of every aspect of our lives. Legislators and regulators around the world are grappling with the implications of this technology for the ability to protect personal privacy interests and the practical problems of applying legal regimes originally developed in a very different era.

Against this backdrop, the Online Trust Alliance, a U.S.-based organization with the goal (among other things) of advancing best practices to “enhance online safety, data security, privacy and brand protection” has recently release a discussion draft of a “Trust Framework” for the Internet of Things. This framework is intended to set out guiding principles for connected home and wearable devices. It is conceptually based on the “Fair Information Practice Principles” (FIPPs) that underlie privacy law in many jurisdictions, including Canada. [1]

The framework consists of 23 “minimum requirements” and 12 “additional recommendations”. Some of the requirements are technical in nature, such as using https encryption and enabling email authentication protocols. Others deal with business practices, such as support periods and end-of-life. Still others intersect more directly with privacy and other legislation.

For example, requirement #1 provides that:

The privacy policy must be readily available to review prior to product purchase, download or activation and be easily discoverable to the user. Such policies must disclose the consequences of declining to opt-in or opt-out of policies, including the impact to usage of key product features or functionality.

The Trust Framework is broadly consistent with Canadian privacy law. For example, PIPEDA principle 4.8.2 provides that:

Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.

Comparison with Canadian Privacy Laws

Despite the broad similarity, there are some important differences. While the OTA policy suggests that it is sufficient to “disclose the consequences” of declining to consent to a privacy policy, Canadian law goes farther. An organization may not make supply of a product or service conditional on such consent, unless that consent is “required to fulfil the explicitly specified, and legitimate purposes”.

Similarly, requirement #4 of the Trust Framework states that:

Any default personal data sharing must be limited to third parties/service providers who agree to confidentiality and to limit usage for specified purposes.

Canadian law similarly requires contractual controls on third parties and service providers when personal information is shared. But Canadian law has distinct tests for when consent is required, and when opt-out vs. opt-in consent models may be applied.

Generally, the Trust Framework is at least conceptually aligned with the applicable Canadian legal principles, since both derive from the same underlying FIPPs. But vendors and manufacturers cannot assume that compliance with the Trust Framework will result in compliance with Canadian laws. The Trust Framework provides practical guidance, not legal advice.

The Trust Framework and Canada’s Anti-Spam Law (CASL)

Despite the broad conceptual alignment of the Trust Framework with Canadian privacy laws, there is one specific point of potential conflict that vendors should take note of (albeit not one arising from privacy law, per se). Requirement #12 provides that:

Manufacturers must have capabilities to remediate vulnerabilities in a prompt and reliable manner either through remote updates and / or through consumer notifications and instructions.

Manufacturers and vendors must note that remote activation and “push” updates could easily run afoul of the prohibition on installation of software without consent in Canada’s anti-spam law (commonly known as “CASL”). Manufacturers and vendors should be very careful to ensure they understand these consent requirements, because failure to comply can result in exposure to administrative monetary penalties of up to $10,000,000 per violation.

The draft Trust Framework is open for comments until September 14. Interested parties should visit https://otalliance.org/initiatives/internet-things.