The U.S. Consumer Product Safety Commission (CPSC) will host a hearing on May 16, 2018 on potential safety hazards associated with internet-connected consumer products. With primary jurisdiction over consumer product safety, the CPSC’s evaluation of risk affects everything from design evaluation to mandatory recalls. The CPSC will use the information the public provides at the hearing and in written comments to the agency to inform its ongoing risk management work. The hearing therefore is an opportunity for the public to help shape best practices and possible regulation for mitigating potential new hazards resulting from the introduction of internet connectivity to consumer products.
The hearing will be webcast. Members of the public interested in speaking at the hearing must submit their requests to make oral presentations, along with the written text of those presentations, by 5 p.m. on May 2, 2018. The Commission will accept written comments through June 15, 2018, at Docket No. CPSC-2018-0007. Hogan Lovells will cover the full-day meeting and provide interested clients with an in-depth summary of the meeting. If there are particular subjects of interest, please let us know.
The CPSC is an independent federal agency created in 1972 by the Consumer Product Safety Act (CPSA). The agency is responsible for protecting the public from unreasonable risks of injury or death associated with the use of consumer products. The CPSC conducts research into product-related illness and injury and oversees recalls of consumer products due to safety hazards. It also has authority to issue regulations governing the manufacture and sale of consumer products, including establishing safety or design standards for particular product categories (e.g., toys, lawn mowers) or to ban certain hazardous products (e.g., lead-based paint, lawn darts). CPSC also mandated that firms report potentially unsafe products to the Commission. The failure to report in a timely fashion can subject a firm to up to approximately $16 million in civil penalties.
“The Internet of Things” (IoT) refers to the connected network of devices—including common consumer products such as refrigerators or coffee makers—that are able to send and receive data, upload or download operating software, or communicate with other internet-connected devices. The planned meeting by the CPSC demonstrates just the latest example of how product innovation and the CPSC regulatory framework may become intertwined.
The CPSC’s upcoming IoT hearing will focus on how internet connectivity may cause consumer products to present consumer hazards in new or different ways. According to the CPSC, consumer hazards that conceivably could be created by IoT devices include fire, burn, shock, tripping or falling, laceration, contusion, and chemical exposure. The agency anticipates that the product safety challenges associated with IoT produces will fall into two main categories:
- Preventing or eliminating hazardous conditions designed into products intentionally or without sufficient consideration (e.g., high-risk remote operation or network enabled control of products or product features). According to the CPSC, these types of devices function as intended on delivery and create unreasonable levels of risk, or have design defects that were not considered or were disregarded before delivery. The work associated with preventing or correcting such devices is a more traditional activity for industry and the CPSC.
- Preventing and addressing “incidents of hazardization,” or the situation where an otherwise safe product becomes hazardous through malicious, incorrect, or carless changes to its operational code. These risks potentially could be addressed through policies such as code encryption and security, authorized access to programming, and defensive measures for device software. According to the CPSC, this is a non-traditional area of product safety activity for the consumer product industry and for the CPSC.
The CPSC offered several examples of hazards that could be created by an internet connection, including:
- Remote operation, such as remote activation of a cooktop, creating a fire or burn hazard;
- Unexpected operating conditions, such as a change in firmware or software (malicious or otherwise) that results in a hazard where none existed before (e.g., a robotic vacuum that suddenly begins operating faster than expected); and
- Loss of a safety function (e.g., an integrated home security and safety system fails to download software properly and deactivates by default, resulting in disabling the smoke alarms without the consumer’s knowledge).
In the Federal Register notice announcing the meeting, the CPSC poses several questions intended for discussion at the meeting. / The general topics include potential safety hazards created by consumer products’ connection to IoT or other network-connected devices; the types of hazards related to the intended, unintended, or foreseeable misuse of consumer products because of an IoT connection; current standards development; industry best practices; and the proper role of the CPSC in addressing potential safety hazards with IoT-related products. Taken as a whole, it is apparent that the Commission is taking a very broad view of the safety risks it will examine with regard to consumer products that interact with the internet in some fashion.
The CPSC will not consider personal data security or privacy issues resulting from IoT products.
* * *
The public meeting illustrates that technological advances related to the IofT can carry direct regulatory consequences. While immediate action by the CPSC is unlikely in terms of new requirements, it is apparent that emerging technologies will be closely scrutinized by the CPSC when evaluating potential product hazards. The timing and focus of this meeting are clear evidence that stakeholders should follow CPSC developments in this area closely and account for how CPSC operates when developing new products or when potential safety issues arise.