FTC Chief: Privacy Principles Should Govern ‘Internet of Things'

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Alexei Alexis  

Nov. 19 --Principles such as privacy by design should be adapted to the emerging world of Internet-connected appliances and other devices, given the potential for a new explosion of consumer data collection in coming years, Federal Trade Commission Chairwoman Edith Ramirez said Nov. 19.

While offering vast benefits for consumers, the Internet of things presents “undeniable” privacy risks, Ramirez said at a commission workshop on the issue.

“With really big data comes really big responsibility,” Ramirez said. “It's up to the companies who take part in this ecosystem to embrace their role as stewards of the consumer data they collect and use.”

The Internet of things refers to the ability of everyday devices, such as home appliances, to be connected to the Internet. Such “smart” devices have the potential to help consumers with everything from reducing monthly utility bills to keeping track of when it is time to replace refrigerator items, Ramirez said. However, she added, such devices also may be capable of collecting, transmitting and compiling sensitive information about consumers, raising privacy concerns.

Core Privacy Principles

Ramirez said that companies in this area should adhere to three core principles espoused by the FTC: building privacy features into new products at the outset--a concept known as privacy by design (see related report); being transparent with consumers about what information devices are collecting and how it is being used or shared; and giving consumers control over their data.

Adapting such principles to the Internet of things could prove challenging in some cases, Ramirez said. She wondered, for example, how realistic it would be to provide consumers with “just-in-time” notice and choice if there is no user interface.

Dan Caprio, a senior consultant for McKenna Long & Aldridge LLP, told Bloomberg BNA Nov. 19 that the Internet of things presents privacy protection questions that are brand new to the FTC.

“We're talking about sensor-based networks, where there's no clear and obvious consumer interface,” he said. “The existing privacy principles still apply, but we have to rethink their application.”

One principle that is sure to be applied to connected devices is data security, according to Caprio.

“Security is a big issue, because the attack vector increases dramatically with the Internet of things,” he said.

Enforcement Possible

Ramirez cited a recent case as a warning to companies that fail to pay attention to data security in the context of the Internet of things.

“Any device connected to the Internet is potentially vulnerable to hijack, and companies need to build security into their products--no exceptions,” she said.

In September, the FTC announced what it characterized as the commission's first Internet of things enforcement action. TRENDnet Inc., which markets video cameras designed to allow consumers to monitor their homes remotely, settled commission charges that the company's lax security practices exposed the private lives of hundreds of individuals to public viewing on the Internet (12 PVLR 1532, 9/9/13).

The commission relied on its authority under Section 5 of the FTC Act, which prohibits “unfair and deceptive” trade practices.

Companies whose data security practices were challenged by the FTC under the unfairness prong of Section 5 have been pushing back, bringing the commission's data security enforcement powers under scrutiny.

Hotelier Wyndham Worldwide Corp. is seeking dismissal of the FTC's lawsuit alleging that its security practices failed to prevent a series of customer data breaches (12 PVLR 1465, 9/2/13). After oral arguments on the motion, the court refused the company's request to stay discovery (12 PVLR 1946, 11/18/13).

Cancer-detection services company LabMD Inc. recently filed a complaint asking a federal court to enjoin the FTC from using the unfairness prong in a data security administrative action against the company.


To contact the reporter on this story: Alexei Alexis in Washington at aalexis@bna.com

To contact the editor responsible for this story: Heather Rothman at hrothman@bna.com

Further information on the FTC workshop, including links to written submissions and an archived webcast of the hearing, is available at http://www.ftc.gov/bcp/workshops/internet-of-things/.