The Federal Trade Commission (“FTC”) voted four to one to release a report on the Internet of Things (“IoT”), which refers to the ability of everyday objects to connect to the Internet and transmit data about a consumer. The report focuses on any Internet-connected object used by consumers other than a computer, mobile device or tablet (e.g., home appliances, medical devices, smart meters, or sensors) and lays out best practices to guide companies in maintaining data security and privacy. Given that the IoT industry is in a relatively early stage and has great potential for innovation, the FTC favors industry self-regulation and does not recommend addressing IoT-related privacy and security risks through legislation at this time.
The FTC recommends best practices for data privacy in three areas: security, data minimization, and notice and choice. The FTC recommends that companies incorporate “security by design,” meaning that security features are built into the connected object from the outset, rather than as an afterthought. Companies should ensure that any outside service providers they retain are capable of maintaining reasonable security, as failure to do so could result in an FTC enforcement action. Companies should also implement reasonable access control measures to limit unauthorized access to a consumer’s device or data.
Consistent with its guidance to firms in other consumer industries, the FTC encourages data minimization in the quantity and type of information collected, both to decrease the potential harm in the event of a data breach and to avoid using data in a way that is contrary to consumers’ reasonable expectations. When companies collect data for a reasonable business purpose, they should consider whether de-identified data would suffice. The FTC is flexible on this recommendation given the need to balance beneficial uses of data with privacy protection, and acknowledges that the appropriateness of de-identification may depend on how sensitive the data is to the consumer.
The FTC recommends giving consumers notice and choice as to the data collected about them, particularly where the data is sensitive, but recognizes that not every data collection should require consumer choice. When the collection and use of data is consistent with the company’s relationship with the consumer, choice is not necessary. For example, data collection is consistent with a company’s relationship with its consumer if the company collects information about a consumer’s use of its product for the purpose of making improvements or recommending other products, but not for the purpose of sharing the data with an ad network.