Notice and Consent Challenges on Connected Devices

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Joyce E. Cutler

Sept. 30 — Application developers, original equipment manufacturers and companies seeking to link devices on the Internet of Things must consider just how much consumer and tracking information they really need and sufficiently notice users to avoid privacy pitfalls, privacy professionals said Sept. 30.

The increasingly connected world is creating opportunities and sand traps for mobile tracking and IoT hidden not too deep in great ideas, attorneys and privacy advocates said during a breakout session at the International Association of Privacy Professionals annual meeting in Las Vegas.

Adoption rates are “through the roof,” with an estimated 5.13 billion smartphone users by 2017, said Dominique Shelton, a partner with Alston & Bird LLP in Los Angeles. That's up from 4.08 billion in 2012, eMarketer figures show.

The discussion sprang from a hypothetical mobile fitness and health app developer teaming up with an auto manufacturer for co-branding and syncing a device with the car collecting such information as blood pressure and precise location.

“My first question is, why do you need all this data and why do you need to comingle it?” said Ted Lazarus, legal director at Google Inc. Right after that question is who is responsible for notification and obtaining consent, Lazarus said.

Complex Relationships

The complexity of relationships and functions of the different parties makes who will give notice and what it will say challenging, said Joanne McNabb, California Attorney General's office privacy education and policy director.

“From a policy perspective, it's not enough to assume that because the permissions platform says you can access all this stuff, to understand that the person has made a conscious decision for specific data to be taken and used in a specific way and shared with specific people. So that part of the challenge in just transparency is not just who provides the notice but how much detail can you provide in the notice,” McNabb said.

McNabb said a good example of a short form notice is on Lookout Inc.’s mobile security app. The notice is based on National Telecommunications & Information Administration principles, which highlight “the potentially concerning types of personal information” that could be collected and third parties “that could potentially be concerning,” such as data brokers.

“They did a very good implementation. It's very easy to use,” McNabb said.

Capturing Consent

Express affirmative consent is required after Jan. 1, 2016, under the automotive industry self-regulating principles when capturing and transmitting data securely outside the vehicle to the mobile app developer, said Allison Cohen, managing counsel for Toyota Motor Sales U.S.A., Torrance, Calif. The principles treat driver location and behavior as sensitive information. One of the crucial aspects is what technology the car makes available to capture the individual's consent as it relates to the release of that location data, Cohen said.

“There are lot of opportunities where we could capture the proper consent disclosure” and disclose who is using the data and how long data is retained, Cohen said. Examples include a subscription agreement as it relates to infotainment and safety benefits provided through the connected services model, or an end user licensing agreement for an automotive-developed app that syncs with the third-party app.

Any data coming from the vehicle would be the manufacturer's responsibility as the original collector of that information, Cohen said.

Potential HIPAA Issues Lurking

Sharing a consumer's health information that's transmitted to doctors is another potential land mine, as it could trigger Health Insurance Portability and Accountability Act responsibilities, McNabb said. The merging of that health data “with all this other stuff gets very problematic.”

“Anytime you're collecting people's health information for anything other than providing service, I think you're in a dangerous area,” Lazarus said. Collecting aggregate data and using the learnings “gets tricky.”

Consumers and plaintiffs' counsel are responding with 1,009 do-not-track consumer class actions filed across the country, including 122 in California, Shelton said

To contact the reporter on this story: Joyce E. Cutler in Las Vegas at

To contact the editor responsible for this story: Jimmy H. Koo at