What do babies, sex toys and wireless head phones have in common? Apparently, the privacy concerns of the Federal Trade Commission (FTC), state AGs and legislatures, class action plaintiffs, and consumer advocacy groups, at least when it comes to the Internet of Things (IoT). The IoT refers to consumer devices that are connected, directly or indirectly, to the internet or other internet-connected devices.
Today cars, household appliances, so-called wearables like Fitbits, smart TVs, home command centers like Nest, Alexa and Google Home, and even sex toys and toothbrushes are collecting consumer data, often of a sensitive nature, and transmitting it over Wi-Fi, Bluetooth and the internet. The same privacy and data security issues that apply to computers and mobile phones apply to the IoT. Given the potentially sensitive nature of the data involved, the first generation of lawsuits and regulatory actions has involved babies, abortion, movie-viewing at home and vibrators. But these cases are not outliers, and there are lessons to be learned for all companies considering a foray into the IoT. And with the public notoriety these cases are generating has come the interest of the California legislature, which is considering legislation that would, among other things, codify data security obligations and require point-of-sale privacy disclosures and express consent to data collection.
The first IoT FTC action was TRENDnet, when, in September 2013, the maker of babycams that got hacked settled FTC deception and unfairness claims arising out of allegedly unreasonably inadequate security. A month later, the FTC settled with Aaron’s Rent-To-Own, which rented computers to consumers equipped with “detective mode” software that was capable of capturing keystrokes and screen shots, and activating microphones and cameras. It was alleged that staff used this software not just to recover lost and stolen devices but to spy on users, including recording their most intimate acts. As part of the consent decree, Aaron’s Rent-To-Own agreed to give notice at purchase of the software and its capabilities, and to give activation notice whenever it was used unless in response to a loss or theft report. This January, the FTC filed a lawsuit against connected camera-maker D-Link for unfairness arising out of allegedly unreasonable security, even though no security breach had yet occurred. For more detail, see our post here.
Not to be outdone, the Massachusetts attorney general recently took pre-emptive action against an ad tech company that had used geo-aware/geo-fencing technology to send pro-life/anti-choice ads to users of mobile phones that were proximate to abortion clinics. The AG obtained a commitment from the company not to send ads based on sensitive data to Massachusetts residents without clear and express prior consent. For more detail, see our post here.
The class action plaintiff’s bar has seen the trend, as evidenced by the March 2017 $3.75 million settlement of a 2016 lawsuit in Illinois alleging that the “We-Vibe” marital aid, which allows users to give remote partners the ability to change settings through the internet or mobile connectivity and to live chat during sessions. The plaintiff alleged the manufacturer collected and kept usage info (e.g., times of use, battery life and intensity level) tied to user and partner emails without notice or consent, and that the plaintiff would not have bought the device, which allegedly was more expensive than similar competitor devices, if she had known of the tracking. There were no allegations of security breach or misuse – unjust enrichment, wiretapping and state law privacy violations arising out of the data practices. For more detail, see our post here.
And in April 2017, consumer protection group Access Now filed a complaint and request for investigation with the FTC alleging that the $250 internet-connected vibrator manufactured by Svakom and called “Siime Eye,” which has a built-in camera and pleasure functions that the user can allow friends to access to view and manipulate sessions, was rife with security vulnerabilities, placing users’ privacy at risk. The complaint alleges hackers have proved they can breach security, take over controls and access the camera view, and that while Svakom has promised a “secure connection,” the default password is eight 8s, something hackers can easily guess to take over controls and access the camera both via Wi-Fi and the internet.
The latest company to be a target of a privacy class action lawsuit is Bose. The complaint filed on April 18, 2017 alleges that by using a companion app, the Bose wireless headphones was secretly collecting, transmitting, and disclosing its customers’ private music and audio selections and selling the data to advertisers without notice or consent.
Finally, the FTC and the New Jersey attorney general recently settled with Vizio for $2.2 million. Vizio must destroy data and change its practices regarding its tracking of the viewing habits of users of its internet-connected smart TVs, and selling of that data to advertisers without, in the FTC’s opinion, adequate consumer notice or choice. For more details, see our posts here and here.
The FTC has also given the IoT industry specific guidance on what it thinks would constitute reasonable privacy and security protections for IoT devices. This advice, if heeded, would have prevented most of the problems alleged in the cases and incidents discussed above. In June 2016, the FTC staff responded to a Request for Comments from the Commerce Department’s National Telecommunications and Information Administration (NTIA), and that followed a January 2015 FTC Staff Report (“Internet of Things: Privacy & Security in a Connected World”). From these guidance materials, and the cases and incidents discussed, the following lessons can be discerned:
- Build privacy and security into devices and software at the outset and continuously look for and cure deficiencies.
- For sensitive data, a higher level of security should be provided.
- Clear notice of and meaningful choice about data collection, use and sharing should be given to the consumer, particularly if the data is sensitive or its collection, use or sharing would be unexpected.
- Even for less-than-sensitive data, provide info to allow consumers to decide whether and how their data will be collected and used, which in some cases may mean choosing not to buy or use the product, and in others would mean choice options.
- Limit the amount of data collected/retained to what is needed, and limit access to it.
- Secure data and securely dispose of data when no longer needed.
- Train employees on good practices and monitor for knowledge and compliance.
- Ensure downstream privacy and data protections via vendor contracts and oversight.
- Apply defense-in-depth strategies that offer protections at multiple levels and interfaces.
- Employ reasonable access controls.
While the FTC guidance is just that, and not law or regulation, it does reflect what the FTC staff thinks is required to avoid a deception or unfairness charge under the FTC’s Section 5 authority. It may also not be long before there is specific legislation, at least at the state level. CA Senate Bill 327, introduced in February 2017 and amended March 20, proposes to codify privacy and security by design and allows specific enforcement actions for failure to employ reasonable data protection when developing any device “capable of connecting to the internet, directly or indirectly, or to a connected device,” and for failure to promptly patch or otherwise cure later-discovered inadequacies and vulnerabilities. It would also require data collection notices, including a short-form notice at the point of sale regarding audio, video, biometric, health, sensitive or personal info, and require companies to obtain consent before collecting or transmitting such device or consumer information.
So, what are the lessons to be learned from the cases and incidents to date? First, IoT devices may have the ability to collect all sorts of data, some quite personal or sensitive, and consumers may not expect this data to be collected, used or shared. Next, follow the FTC guidance, including employing privacy-by-design and security-by-design principles. Finally, look to limit your liability with consumers through enforceable consents to clearly stated data and privacy practices, and through limitations on warranties, liability and class actions in user agreements that are affirmatively accepted prior to device data collection.