There has been an uptick in congressional inquiries regarding privacy concerns in the IoT space. And most recently in the gaming world of augmented reality. On Tuesday, Senator Al Franken (D-Minn.) initiated a congressional investigation into Niantic, Inc., maker of the Pokémon Go app that has taken the world by storm. The app uses a smartphone’s GPS and clock to decide which Pokémon characters “appear” on smartphone screens for players to capture. Franken’s letter cites to recent reports, as well as Pokémon GO’s own privacy policy, indicating that Niantic can collect a broad swath of personal information from its players, from general profile information to the users’ precise location data and device identifiers. Media reports also have highlighted Pokémon GO’s apparent full access to some users’ Google accounts, including their Gmail. This week, Niantic released a statement indicating that it had not intended to ask for such elevated permissions and would correct this error. In light of unresolved privacy concerns, Franken asks that Niantic provide greater clarity on how it is addressing issues of user privacy and security, particularly with respect to its younger players.

This inquiry follows a week after Senator Mark Warner’s (D-VA) request to FTC Chairwoman Edith Ramirez that the FTC work with members of Congress to identify ways to better protect children in the era of connected toys. Warner writes that the Children’s Online Privacy Protection Act was enacted in 1998 and may not have contemplated today’s evolving market of smart toys, for example, those connected devices that record children’s conversations and upload them to the cloud for all to hear and for hackers to exploit. The recent proliferation of these connected toys, Warner states, makes congressional efforts to protect children’s data “even more imperative.”

These congressional inquiries underscore potentially serious privacy concerns in the evolving market of connected toys and augmented reality. Since the publication of its January 2015 IoT Report, the FTC has encouraged companies to take three key steps in order to build consumer trust in IoT devices: (i) adopt “security by design”; (ii) engage in data minimization; and (iii) increase transparency and provide consumers with notice and choice for unexpected data uses. The FTC recently stated its belief that IoT-specific federal legislation is not warranted at this time, and the FTC will continue to rely on its Section 5 authority to ensure companies do not engage in unfair or deceptive privacy and data security practices.

For more guidance, see our Mashable article, “Navigating the Legal Pitfalls of Augmented Reality.”