FTC Backs Net of Things Self-Regulation, General Consumer Privacy Law Backstop

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Alexei Alexis

Jan. 27 — The Federal Trade Commission Jan. 27 issued an Internet of things staff report that instead of calling for industry-specific privacy and security legislation urged the private sector to adopt best practices.

The report recommended that companies build security into devices in the design process—rather than as an afterthought—and ensuring that any outside service providers are capable of maintaining “reasonable security.”

“The FTC got it right by opposing industry-specific legislation and understanding that not all information on the Internet of things is personally identifiable,” Daniel W. Caprio Jr., a senior strategic adviser and independent consultant at McKenna Long & Aldridge LLP in Washington, told Bloomberg BNA Jan. 27.

Christopher Wolf, a partner at Hogan Lovells US LLP in Washington, said the report reflects the fact that prescriptive regulation might stifle the Internet of things market, which is in its infancy.

“The report focuses on cybersecurity and recognizes that application of fair information practice principles needs to be flexible, taking into account the nature of the technology and the context of the data collection,” Wolf told Bloomberg BNA Jan. 27.

Voluntary Measures Enough?

However, Susan Grant, director of consumer protection at the Consumer Federation of America, said that industry self-regulation won't be enough to protect consumers.

“It is important to underscore the need for baseline privacy legislation, a point that the FTC has made before and reiterates in this report,” Grant told Bloomberg BNA Jan. 27. “No multistakeholder processes, voluntary codes of conduct, or best practices can effectively help to protect consumers’ privacy and security unless they are based on fundamental rights and responsibilities set by law.”

Meanwhile, Sen. John Thune (R-S.D.), chairman of the Senate Commerce, Science and Transportation Committee, has announced plans for a Feb. 11 hearing on the Internet of things.

“By engaging early in this debate, Congress can ensure that any government efforts to protect consumers are tailored for actual problems and avoid regulatory overreach,” Thune said in a Jan. 26 statement.

50 Billion Devices by 2020

“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” FTC Chairwoman Edith Ramirez said in the FTC's Jan. 27 statement announcing the report. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”

According to the report, analysts estimate that there will be 25 billion connected devices as of this year, and 50 billion by 2020.

The FTC held a workshop on privacy concerns surrounding the Internet of things in 2013.

Republican Objections

The commission voted 4-1 to approve the resulting staff report, with Commissioner Joshua Wright, a Republican, dissenting. Wright said the report's recommendations weren't backed by appropriate analytical support.

“An economically sound and evidence-based approach to consumer protection, privacy, and regulation of the Internet of Things would require the Commission to possess and present evidence that its policy recommendations are more likely to foster competition and innovation than to stifle it,” he said in a dissenting statement.

Although the report didn't urge legislation to regulate the Internet of things specifically, it reaffirmed the commission's support for general data security breach legislation. It also renewed a call for Congress to pass a broad-based privacy bill. However, Commissioner Maureen Ohlhausen, the other Republican member of the commission, issued a concurring statement saying that she didn't see the need for such legislation.

President Barack Obama Jan. 12 renewed calls for Congress to pass stalled proposals, such as an updated data breach notification law proposal, which has been considered by federal lawmakers for over a decade in various forms, and a nearly three-year old consumer privacy bill of rights.

Data Minimization

Besides ensuring security by design and maintaining oversight of outside service providers, the FTC report urged companies to take steps such as:

• training employees in the importance of security and ensuring that security is managed at an appropriate level in the organization;

• considering measures to keep unauthorized users from accessing a consumer’s device, data or personal information stored on the network; and

• monitoring connected devices throughout their expected life cycle, and where feasible, providing security patches to cover known risks.

Commission staff also recommended that companies consider data minimization—that is, limiting the collection of consumer data and retaining that information only for a set period of time, not indefinitely.

In addition, the staff recommended that companies notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations.

TechFreedom, a Washington-based think tank, criticized the report.

“At best, this is just another exercise in Workshop Theater; at worst, the FTC is trying to regulate the Internet of Things by stealth,” TechFreedom President Berin Szoka said in a Jan. 27 statement.

The day after the release of the staff report, FTC Commissioner Terrell McSweeny discussed the Internet of things during a data privacy day event in California.

To contact the reporter on this story: Alexei Alexis in Washington at aalexis@bna.com

To contact the editor responsible for this story: Heather Rothman at hrothman@bna.com

The FTC staff report, “Internet of Things: Privacy & Security in a Connected World,” is available at http://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.

Wright's dissenting statement is available at http://www.ftc.gov/system/files/documents/public_statements/620701/150127iotjdwstmt.pdf.

Ohlhausen's concurring statement is available at http://www.ftc.gov/system/files/documents/public_statements/620691/150127iotmkostmt.pdf.