The Internet of Things (IoT) is booming. Smart cars, wearable health trackers, connected medical devices, drones—entrepreneurs and evolving industry are connecting to the world in ways only science fiction writers imagined. In 2008, the number of connected devices surpassed the number of people on earth. By 2020, conservative estimates predict the IoT market will grow to $7.1 trillion (up from $1.9 trillion in 2013). Its massive scale and expected future growth belies the simple truth that IoT is still in its infancy. In fact, you were probably born before IoT was; the market didn’t even have a name until 1999.
As with any profitable and developing market, legal questions abound. IoT is no different, especially for designers and manufacturers of novel devices. What happens if your product injures a customer? What kind of data should your product collect? Do you have a duty to review and understand all the information your product provides? What happens when your connected device gets hacked? How much control should customers have over connected devices? Is a recall necessary when a product’s connection to the Internet fails but the product still works? These questions all share a common thread: there is not yet a developed body of case law with the answers.
Because of companies’ abilities to capture, analyze, and capitalize on information gathered from connected devices, one of the most important questions for IoT companies concerns data ownership and governance. Who “owns” all of the data that’s being collected by these billions of devices? Again, the courts have not weighed in on this yet. But we have some ideas that may help companies stay out of trouble in courtrooms.
Figure It Out Early.
Where ownership of data hasn’t been properly appropriated, we expect significant disputes between all interested parties. This means companies may be unwittingly signing up for prolonged litigation down the road when they haven’t made clear (1) what data it plans to collect; (2) what it plans to do with that data; and (3) how much say the consumer has in limiting the amount or kind of data collected. Much of what a company can, or should, do with information collected depends on (1) the type and source of the data; (2) the specific ways in which the data will be used; (3) the scope of disclosure or consent given by the data subject; (4) contractual restrictions on data usage; and (5) regulatory authority over the use of data. These complicated and often intertwined factors require serious analysis and foresight when bringing novel products to market.
Take for example, a “smart” thermostat. This cool device provides the manufacturer with advanced metrics about consumer usage and preferences. In turn, the company can use this information to implement firmware updates designed to reduce overall energy use or to provide personalized settings for individual users. The company could also analyze aggregate data and use patterns from all of its customers to tailor its marketing and design for future models. The company may further capitalize on this data by selling it to third parties for research or analysis purposes. But what if a customer objects (or sues!) saying it didn’t agree to the company using or selling data collected from his or her home? Or more concerning, what if a third party breaks into the company’s database and can ascertain when a customer has turned off his or her smart thermostat and is, therefore, not home? When the hacker then robs the customer’s house and the customer sues the manufacturer for failing to keep his or her information safe, who’s to blame? Although they may not provide an answer to every disagreement down the road, clearly delineated user agreements and disclaimers can go a long way in providing customers’ expectations of what their data will or will not be used for.
With great data comes great possibilities. We are here to remind you that these possibilities can also lead to great risks.