The Consumer Product Safety Commission (CPSC) announced today that on May 16, 2018, it will hold a public hearing on “potential safety issues and hazards associated with internet-connected consumer products.”[1] The Commission will hear testimony from interested stakeholders on potential safety hazards created by network-connected devices, the types of hazards arising from their use or foreseeable misuse, current standards development, industry best practices, and the proper role of CPSC in addressing potential safety hazards with IoT devices.

CPSC’s goal with this hearing is to gather information from regulators, standards organizations, and business and consumer advocates, to “inform future Commission risk management work.” How CPSC interprets the information received at this hearing could significantly shape the predictably unpredictable regulatory environment that IoT-focused consumer companies are asked to navigate.

Regulatory Scrutiny Follows the IoT Explosion

CPSC’s intensified focus on the Internet of Things (IoT) is no surprise to industry followers given the recent explosion of IoT devices in the consumer products space. And companies can expect the focus to continue because the IoT train isn’t slowing down. By some estimates, the global IoT market is projected to grow over the next five years from roughly $170 billion to $561 billion—a compound growth rate of 26.9%.[2]

CPSC’s Focus Will Be on IoT Devices’ Potential Physical Hazards

While recognizing this trend and its “promise of many benefits for consumers,” CPSC is still cautious about the ways “internet connectivity is also capable of introducing a potential for harm (a hazard) where none existed before.” Still, CPSC’s focus remains where it has always been: on product hazards that cause physical injury or property damage, including “[f]ire, burn, shock, tripping or falling, laceration, contusion, and chemical exposure.”

As a framework for analyzing IoT-related risks, CPSC has grouped product safety challenges posed by IoT products into two broad categories:

  1. Hazards Inherent in the Product Design. These hazards specifically include the “high-risk remote operation” of devices or network-enabled control of product features. One example is a “cooktop that might be remotely controlled” and could start a fire.
  2. Hazards Arising Post-Connection. CPSC calls these “incidents of hazardization,” meaning situations in which the product was safe when the consumer obtained it, but later became hazardous when “connected to a network through malicious, incorrect, or careless changes to operational code.” One example is a “robotic vacuum cleaner that suddenly begins operating much faster than expected” upon connection to the network or after experiencing network interference. Another would be the loss of a safety function due to a glitch in the network connection. For example, an integrated home security system could be set by default to deactivate if the system failed to download a software update properly, disabling the smoke alarms without the consumer’s knowledge. CPSC acknowledges that managing these kinds of hazards “may lead industry and regulators to examine policies related to code encryption and security, authorized access to programming, and defensive measures (and countermeasures) for device software.” But CPSC is quick to emphasize that “[t]his is a non-traditional area of product safety activity for the consumer product industry and for the CPSC.”

Data Security and Privacy Issues Won’t Be Considered (Yet)

Although hot-button privacy and data security risks unique to IoT devices are at the forefront of public debate, CPSC plans to steer clear of these issues at its upcoming hearing. As we pointed out in the wake of the Google Home Mini privacy glitch revelation, privacy groups have recently called on CPSC to scoop up data security and privacy issues into its jurisdiction, which has traditionally focused only on physical injury and property damage.[3] Today’s notice suggests those calls will go unanswered—at least in the short run. CPSC reiterated that the agency will stick to its traditional wheelhouse of physical safety hazards and “will not address personal data security or privacy implications of IoT devices.”

Although CPSC has declined to address these privacy issues now, it is acutely aware of these risks. As the IoT industry grows and new information about IoT-related product risks comes to light, we may yet see CPSC chart new jurisdictional territory in its quest to preserve consumer safety.

Hearing Details

  • Date/Time: May 16, 2018, 10:00 a.m.
  • Place: Hearing Room, 4th Floor of the Bethesda Towers Building, 4330 East-West Highway, Bethesda, MD 20814
  • Simultaneous Webcast: The hearing will also be available through a webcast, but viewers will not be able to interact with the panels and presenters through the webcast.
  • Oral Presentations: Requests to make oral presentations and the written text of any oral presentations must be received by the Office of the Secretary no later than 5:00 p.m. on May 2, 2018.
  • Written Comments: Written comments may be submitted (identified by Docket No. CPSC-2018-0007)
    • By Mail/Hand Delivery/Courier – to the Office of the Secretary, Consumer Product Safety Commission, Room 820, 4330 East-West Highway, Bethesda, MD 20814; telephone (301) 504-7923. CPSC will accept written comments through June 15, 2018.