Fifteen months after forming an Internet of Things (IoT) working group, on March 2, 2016, the Online Trust Alliance (OTA) released a final version of its IoT Framework (Framework) along with a companion Resource Guide that provides explanations and additional resources. The voluntary Framework sets forth thirty suggested guidelines that provide criteria for designing privacy, security, and sustainability into connected devices. The creation of the OTA IoT principles represents a potential starting point for achieving privacy- and security-protective innovation for IoT devices.
For now, the Framework focuses on wearable technology and connected home devices. In so doing, it avoids addressing some of the more challenging transparency and consent issues presented by devices lacking a direct buyer-seller relationship, such as those that arise in the retail or infrastructure context. The Framework also excludes connected medical devices and the associated potential life-or-death implications of medical technologies.
Though purely voluntary and non-binding, the Framework differentiates between what it posits as “required” and “recommended” guidelines, thereby allowing for a broader consensus in a dynamic environment with many unresolved questions. Certain guidelines will likely be familiar to consumers—such as multi-factor verification for resetting credentials, and user notification after a password change. Other guidelines are particularly tailored to the IoT space—such as disclosure of the duration of patch support, and notice when a device initially pairs with a network. Themes of the Framework include guidelines designed to achieve the following:
Support robust notice and consent. Being transparent and obtaining consent for IoT data collection can be challenging especially for devices without a user interface. The Framework calls for opt-in consent for data collection beyond what is “reasonably useful for the functionality and purpose” of the device. The Resource Guide recommends using an associated platform, such as a mobile device or computer, and explains that the definitions of personally identifiable information (PII) and sensitive data may change in the IoT context. For example, knowing what lights are on (or off) in someone’s home may indicate an individual’s location and pattern of activities and therefore fall within the definition of PII or sensitive information. The Framework also calls for providing notice or requesting user confirmation during the device pairing process, and disclosing to users which features will fail to function if connectivity is lost. Whether the approach proves workable and realistic remains to be seen.
Provide more granular user control mechanisms. Where IoT devices lack a user interface, individuals are also limited in the methods by which they can modify the collection or use of their data during the life of a product. The Framework recommends several features to help consumers navigate their relationships with connected devices. These include allowing users to reset or erase the data stored by a specific device in order to limit unintended disclosures, as well as enabling them to regularly review or edit their privacy settings and reset these to the “factory default.” The Framework does not address the possibility that, depending on the design of a service and its functionality, even with user interfaces it may not be realistic to provide consumers granularity in choices and controls in all circumstances.
Increase oversight of third parties. Connected devices create the potential for device manufacturers to collect more sensitive data about users than previously. Increased data collection brings ample opportunities for data sharing among manufacturers, retailers, and service providers. The Framework calls for clauses that hold third parties to the same notice, consent, and data breach notification standards as first parties although that may not be workable where the third party does not interface directly with end users. The Resource Guide recommends that first parties monitor these contractual obligations through appropriate oversight, including regular audits of third-party data collection, use, and retention practices.
Whether the Framework will be widely adopted remains to be seen. Compliance is voluntary, but companies that publicly adopt the Framework will be bound to adhere to it under the Federal Trade Commission’s (FTC) Section 5 authority. Despite the potential for FTC enforcement, the voluntary framework approach has been successful in other contexts: for example, a set of privacy principles for connected cars was adopted by companies representing the majority of all car and light truck sales in the United States. Regulators and legislators have welcomed the connected car principles as an example of industry taking proactive steps to achieve broad consensus on a set of privacy protections. The OTA Framework aims for a similar result.
If broadly adopted, the Framework may bring greater privacy, security, and transparency to consumers; provide companies with guideposts for their privacy and security design; and enable regulators to achieve their goals without the need to create additional regulations.