This morning, the Federal Trade Commission (FTC) released an 71-page report on the Internet of Things (IoT).1 The report comes on the heels of a white paper on wearable technology and the IoT2 and follows an FTC-hosted workshop, focused on privacy and security concerns related to the IoT.3 The report summarizes the workshop and outlines the FTC's recommendations in response.
In support of the report, FTC Chairwoman Edith Ramirez stated, "The Internet of Things can only flourish when companies take privacy and data security into account." Chairwoman Ramirez also emphasized her primary concern with the amount of data that can potentially be collected from IoT technologies in consumers' homes.
However, not all Commissioners support the proposals set forth in the report. Commissioner Joshua Wright, in particular, dissents from the issuance of the report and issued a separate dissenting statement. Commissioner Wright was particularly concerned with the FTC's reliance on a single workshop as a basis for its recommendations as to best practices or legislative action. He further voiced his opinion that the report "includes a lengthy discussion of industry best practices and recommendations for broad-based privacy legislation without analytical support to establish the likelihood that those practices and recommendations, if adopted, would improve consumer welfare."
The report focuses on the inclusion of Fair Information Practice Principles (FIPPs) into the IoT realm. In particular, the report concentrated on four FIPPs: (i) security; (ii) data minimization; (iii) notice; and (iv) choice. In addition to FIPPs, the report also touches on privacy- and security-related legislative proposals.
Below is a summary of the recommendations set forth in the report.
The FTC encouraged companies to adopt the following security best practices, set forth by workshop participants:
- build security into products at the outset, including:
- conducting a privacy or security risk assessment
- minimizing the data that is collected and retained
- testing security measures before launching products
- train company personnel on best security practices
- retain service providers who are capable of maintaining reasonable security, and provide oversight for such providers
- implement a defense-in-depth approach to identified significant risks within company systems
- implement reasonable access control measures to limit unauthorized access to an IoT device, data or network
- monitor products throughout the lifecycle and (if feasible) patch known vulnerabilities
The report urged companies to consider reasonably limiting their collection and retention of consumer data, arguing that doing so helps prevent against two privacy risks:
- Large amounts of data stored present a more attractive target for malicious actors and increases potential harm to victims of an attack.
- Large amounts of data increase the risk that data will be used in a way that differs from consumers' reasonable expectations.
To accomplish data minimization, the report suggests a flexible approach, giving companies the following options:
- abstain from collecting data altogether
- collect only those fields of data necessary to the product or service
- collect data that is less sensitive
- de-identify (i.e., anonymize) collected data
- obtain consumer consent for collecting additional, unexpected categories of data
Notice and Choice
Despite some workshop participants advocating that the ubiquity of data collection and practical obstacles makes offering notice and choice challenging in the IoT, the FTC argued that doing so is nevertheless important (but clarified that not every data collection requires choice). Noting that there is no one-size-fits-all approach, the FTC laid out the following options for offering notice and choice in the IoT sphere:
- develop video tutorials
- affix QR codes on devices
- provide choices at point of sale, within wizards or in a privacy dashboard
The FTC articulated that companies may implement a combination of approaches, but that no matter which strategy a company implements, the privacy choices offered must be clear and prominent—not buried within lengthy documents.In response to participants' push for use limitations to be considered as a supplement to, or in lieu of, notice and choice, the FTC incorporated certain use-based approach elements. In particular, the report maintained that clear and conspicuous choices must be offered where use would be inconsistent with the context of the interaction (i.e., an unexpected use). In contrast, the report argued that choice would not be required in the following instances:
- where use is consistent with the context (i.e., an expected use)
- where collected data is "immediately and effectively" anonymized
Although the report did incorporate elements of the use-based approached, the FTC would not go as far as embracing a pure use-based model for the IoT. The FTC was specifically concerned with the fact that use-based limitations are not comprehensively articulated in legislation, rules, or widely-adopted codes of conduct, which would make unclear who would have the final say as to which additional uses are appropriate. Additionally, the FTC stopped short of advocating for a pure-use based approach because "use limitations alone do not address the privacy and security risks created by expansive data collection and retention." Finally, the FTC believes that a pure use-based model would not sufficiently address consumer concerns pertaining to the collection of sensitive information.
The FTC also opined that legislating the IoT arena would be "premature" at this stage but encouraged the development of industry-specific, self-regulatory programs aimed at promoting privacy and security practices. It did, however, advocate for Congress to enact "strong, flexible, and technology-neutral federal legislation" to enhance existing data security enforcement and to provide consumer notification of security breaches.
Although the FTC stated that IoT-specific legislation would be premature, it did stress that the IoT "reinforces the need for baseline privacy standards" and recommended that Congress enact broad-based privacy legislation. The FTC noted that such legislation should be "flexible and technology-neutral" while simultaneously providing clear standards regarding consumer choice for data collection and use. In the interim, the FTC promised to leverage existing resources to ensure security and privacy issues are contemplated in the IoT sphere, including: (i) law enforcement; (ii) consumer and business education; (iii) participation in multi-stakeholder groups; and (iv) advocacy.
Read the full report.