Public comments to government proposals are not limited to the general public; sometimes other government agencies offer feedback. In response to a general solicitation made by the Department of Commerce’s National Telecommunications and Information Administration (NTIA), the FTC commented last week on its experience with the Internet of Things (IoT)—the ability of everyday objects to connect through the Internet and send and receive data. From appliance and baby monitors to wearable health devices, IoT technologies include innocuous objects that now gather and send vast amounts of personal information on our health, habits, and locations.
The NTIA solicitation asked for general comments on IoT-related issues as well as for potential roles the government could play to foster the advancement of the IoT. Noting that last year there were approximately 25 billion connected devices (outnumbering people by about 3.5 to 1) and that further exponential growth is expected, NITA plans to use the information to compose a “green paper” on policy proposals for the government as a whole to strengthen collaboration with the private sector in this burgeoning field.
The FTC’s comments highlighted their history of enforcement of consumer protections in data security, previous collaborative policy workshops, and some benefits and challenges they have already experienced. More telling for businesses, however, was what the FTC reemphasized about IoT companies’ responsibilities. In one example, the FTC noted that companies that fail to implement reasonable security measures could violate the FTC Act’s prohibition against deceptive and unfair practices. In another example, the FTC noted that since many consumers purchase IoT devices expecting that their privacy and security will be protected throughout the product’s useful life, if a company at some point abandons monitoring and patching vulnerabilities, that information ought to be disclosed to help consumers understand when a product’s safeguards could “expire.” Other recommendations included minimizing the data that companies collect and retain, disposing data when it is no longer needed, obtaining consent for collecting additional and unexpected categories of data, and providing clear and prominent notice and choice for consumers when their data may be used outside of reasonably expected uses consistent with the company-consumer relationship.
TIP: The FTC’s comments follow their recommendations for best practices in FTC’s 2015 report on the Internet of Things. IoT companies looking to understand their federal responsibilities should reference the FTC report, their comments to NTIA, and look at recent enforcement actions.