The FTC released a report on the Internet of Things (IoT) that focuses on data security and upholding consumer expectations. The report urges manufacturers to incorporate security practices like "security by design" and data minimization. It also states that companies should meet reasonable consumer expectations regarding how personal data is collected and used, which may vary between different IoT devices. While some industry groups criticized parts of the report, following the FTC's recommendations can help companies comply with regulations on unfair data practices. Applying rules to new technologies poses challenges, so legal counsel is advised.
FTC Internet of Things (IoT) Report Focuses on Security and Consumer Expectations
March 11, 2015
by Kim Verska
In January, the Federal Trade Commission (FTC) released a detailed report, “Internet of Things: Privacy &
Security in a Connected World”. The FTC’s Report urges product designers and manufacturers to adopt best
practices including a strong focus on data security and upholding consumer expectations. For purposes of FTC
regulation, the IoT includes any consumer device – other than computers, smartphones or tablets – that connects
and stores data via the Internet. This growing area includes diverse products from heart pacemakers to “smart”
appliances that collect and transmit user data over the Internet in the name of household efficiency. IoT
presents many challenges for government regulators, including rapidly advancing technology and the potential
for widespread collection of sensitive consumer medical information.
To address these challenges, the FTC Report attempts to strike a balance between prescriptive rules and more
flexible guidelines. In terms of prescriptive rules, some of the best practices FTC urged include “security by
design” and data minimization. FTC will evaluate IoT devices on whether data security appears to have been
considered as an integral design principle (or as a later add-on), and whether the devices collect more data than
is strictly necessary for their intended purposes. During FTC’s comment period, some industry representatives
had criticized FTC’s proposed emphasis on “security by design” and data minimization as potentially stifling
innovation and lacking sufficient cost/benefit analysis. They noted that what may be needed for security of a
pacemaker may not be needed for less sensitive devices. Less controversial was the FTC’s direction that IoT
device makers strive to meet the reasonable expectations of consumers regarding collection and use of personal
data – expectations that vary from device to device. This regulatory standard is arguably more flexible, able to
evolve alongside IoT technologies, and potentially less likely to become outdated quickly.
While IoT device makers are naturally those most concerned about the approach FTC is taking, any company
desiring a high level of regulatory compliance regarding consumer personal data practices can benefit from
application of the Report’s recommendations. The Report nicely encapsulates the FTC’s general regulatory
approach with respect to its “unfair and deceptive trade practices” enforcement over the past decade. As the
Report illustrates, application of a single set of rules to a diverse and changing set of circumstances and
technologies can be very challenging, and consumer product manufacturers will benefit from the advice of
legal counsel experienced in FTC privacy matters.
Author Kim Verska is a Certified Information Privacy Professional (US) through the
International Association of Privacy Professionals and a Partner in Culhane Meadows’ Atlanta office. She is
a frequent speaker regarding evolving legal issues for the technology industry and other businesses and can be
reached at kverska@culhanemeadows.com