The non-profit group Online Trust Alliance has recently released a draft framework for best practices in privacy and data security for the Internet of Things (the 'Framework'). The stated goal of the Online Trust Alliance is to increase online trust and promote the vitality of the Internet. The Internet of Things Trustworthy Working Group developed the Framework to address "the mounting concerns and collective impact of collective devices".
The draft Framework focuses on two categories of the Internet of Things: (1) home automation and connected home products, such as smart appliances, and (2) wearable technologies, such as fitness trackers.
The draft Framework lists 23 minimum requirements as a "proposed baseline for any self-regulatory and/or certification program" for the Internet of Things. The fundamental principles underlying the recommendations are based on the Fair Information Practice Principles, most notably transparency and data security.
Some examples of the minimum requirements are:
- making privacy policies easily available to review prior to purchasing or downloading a product;
- disclosing how long the consumer’s personal information will be retained;
- encrypting or hashing personal information in storage and in motion;
- developing and implementing a breach response and consumer safety notification plan, which should be reviewed at least semi-annually; and
- creating controls and/or documentation that enable the consumer to set, revise and manage privacy and security preferences, including what types of information are transmitted via a specific device.
The draft Framework also lists further recommendations and considerations for companies in the Internet of Things space, including disclosing whether personal information is stored and accessed in the cloud and providing a history of privacy notice changes which customers can review.