DO’S and DON’TS for the Internet of Things: Lessons Learned from FTC Privacy and Security Enforcement

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Internet of Things

Connected devices promise enormous benefits for consumers and businesses—allowing businesses to better understand how consumers are interacting with products, find new ways to generate revenue and dramatically improve customer engagement. Staying mindful of Federal Trade Commission enforcement actions can help companies proactively identify and address privacy and data security risks or issues, the authors write.

Alysa Z. Hutnik Crystal N. Skelton

By Alysa Z. Hutnik and Crystal N. Skelton

Alysa Hutnik is a partner at Kelley Drye & Warren in Washington and is a member of the firm’s advertising and privacy practice areas.

Crystal Skelton is an associate in Kelley Drye & Warren in Los Angeles and is a member of the firm’s advertising and privacy practice areas.

This article is for general information purposes and is not intended to be and should not be taken as legal advice.

A confluence of forces in recent years has helped drive the next technology trend of designing and connecting products and devices to the Internet—commonly referred to as the “Internet of things” or “IoT” (defined by the FTC as “the ability of everyday objects to connect to the Internet and to send and receive data,” and includes both consumer-facing devices and those designed strictly for businesses. See FTC, Staff Report, , at 5 (Jan. 2015)).

Connected devices promise enormous benefits for both consumers and businesses alike. From home automation systems and connected cars, to wearable devices and even “smart” yoga mats, the IoT provides consumers with the ability to control or track their daily lives with just the click of a button. Businesses can also better understand how consumers are interacting with their product or device, find new ways to generate revenue and dramatically improve customer engagement and brand awareness.

Indeed, the shift from consumers using basic computers to interacting with mobile apps and other connected devices has continued to generate massive amounts of consumer data online. With the increase of consumer data being generated and collected through IoT devices, comes the increasing need to confirm adequate privacy and data security protections are in place. Absent such precautions, introducing an IoT product or service may attract regulatory scrutiny, including from the FTC.

FTC Enforcement Authority

The FTC has primarily used its Section 5 authority under the FTC Act to challenge “unfair” or “deceptive” acts or practices in its IoT enforcement actions. 15 U.S.C §45(a) (“Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful”). Although IoT enforcement is still at its infancy at the FTC, privacy and data security are top-of-mind for the agency. This is evidenced by the more than 100 privacy or data security enforcement actions brought by the FTC over the last decade.

In its privacy and data security enforcement, the FTC's primary analysis relates to whether: (1) an entity misrepresented its privacy or security practices or the privacy or security controls of a product (a “deception” claim), or (2) failed to implement “reasonable” and “appropriate” controls to secure sensitive personal information in a way that causes or is likely to cause substantial consumer injury, and such injury is not (a) outweighed by benefits to consumers and (b) reasonably avoidable by consumers (an “unfairness” claim).

For a deception claim, to the extent an entity has made a statement in its privacy policy or in other communications (such as in a user guide, advertisements or other public-facing materials) about how it would handle, protect, or otherwise treat personal information that is inconsistent with the entity's actions, that may well provide the grounds for the FTC to assert that the statement is deceptive in violation of Section 5 of the FTC Act.

The FTC's evaluation for an unfairness claim will generally focus on whether the practices at issue were “reasonable” under the circumstances and in light of industry standards, the cost and ease of having various security controls in place, and the known vulnerabilities of not having such controls in place. The U.S. Court of Appeals for the Third Circuit recently confirmed that the FTC has authority to bring an action focused on a company's data security practices under the “unfairness” prong, and that the FTC is not required to articulate a specific cybersecurity standard for companies to follow. FTC v. Wyndham Worldwide Corp., et al., Case No. 14-cv-3514 (3d Cir. Aug. 24, 2015) (14 PVLR 1592, 9/7/15).


If the FTC concludes there is deception or unfairness, the agency can seek to enjoin the unfair and/or deceptive practice, and may also try to freeze assets, appoint receivers, obtain disgorgement of profits, and seek restitution or other relief to redress consumer injury. Although the FTC Act does not provide the agency with the ability to seek civil penalties for initial violations of Section 5(a), if a company violates an FTC order, the agency can seek civil penalties of up to $16,000 for each violation, which the FTC may construe as each day of noncompliance. FTC settlement orders are typically effective for 20 years, meaning that the consequences can be significant.

The FTC also has the authority under a host of federal laws, rules, and guides that provide the agency with enforcement authority to protect consumers' privacy and security. See e.g., Children's Online Privacy Protection Act (COPPA) (15 U.S.C. §6501 et seq.; 16 C.F.R. pt. 312); the Gramm-Leach-Bliley Act (GLBA) (15 U.S.C. §6801 et seq.; 16 C.F.R. pts. 313–314); and the Fair Credit Reporting Act (FCRA) (15 U.S.C. §1681 et seq.; 16 C.F.R. pts. 602–698). The FTC can seek civil penalties and/or damages under several of these laws.

FTC IoT Enforcement Efforts

Over the last several years, the FTC has expanded its enforcement efforts to cover IoT and other connected devices. In September 2013, the FTC brought its first IoT enforcement action against TRENDnet Inc. concerning its smart home security cameras and baby monitors. Decision and Order, In re TRENDnet, Inc., File No. 122-3090 (FTC Feb. 7, 2014) (13 PVLR 289, 2/17/14). In its complaint, the FTC alleged that TRENDnet failed to employ reasonable and appropriate security in the design and testing of the software and failed to implement a process to actively monitor security vulnerability reports. The FTC alleged that, due to the company's failure to properly secure the cameras, hackers were able to access and then post online the private video and even audio feed of nearly 700 TRENDnet cameras, including live feeds displaying private areas of users' homes. Complaint, ., File No. 122-3090 (FTC Jan. 16, 2014).

The FTC announced its second IoT enforcement action in February 2016, alleging that ASUSTeK Computer, Inc. failed to secure its connected routers and “cloud” services. Complaint, ., File No. 142-3156 (FTC Feb. 23, 2016) (15 PVLR 439, 2/29/16). The FTC alleged that ASUS misrepresented the products' privacy and security through various advertising claims, such as “your secure space,” “the most complete, accessible, and secure cloud platform,” and get “indefinite storage and increased privacy.” Nonetheless, the routers and cloud services contained significant vulnerabilities and design flaws that allegedly permitted unauthorized access to router login credentials and consumer files.

For instance, the complaint alleged that hackers could exploit pervasive security bugs in the consumer's web-based control panel to change the router's security settings, turn off the router's firewall, permit public access to the consumer's “cloud” storage and configure the router to redirect consumers to malicious websites. Attackers also could access users' cloud storage without any login credentials and gain complete access to a consumer's connected storage device. This led to the compromise of thousands of consumers' connected storage devices, exposing consumer's personal files and sensitive information.

Most recently, in March 2016, the FTC sent warning letters to a number of mobile app developers concerning audio monitoring software used in their apps. The FTC alleged that these app developers used third-party technology and “audio beacons” that had the potential to enable the apps to “listen” for unique codes embedded into television or advertising content nearby. The technology was allegedly configured to access the device's microphone to collect audio information, even if the app was not actively in use.

Using this technology, the software developer could allegedly generate a detailed log of television or advertising content viewed by the user for targeted advertising and analytics purposes. Although the FTC's warning letters explain that the audio beacons are not currently embedded into any U.S. television programming, the FTC warned that these practices could constitute a violation of Section 5 if the app developers do not provide consumers with proper notice of these practices, or if the app's privacy policy or user interface contains misrepresentations concerning this functionality.

Learning From Past FTC IoT Enforcement and Guidance: The ‘DO’S' and the ‘DON’TS'

Although the FTC has announced only two enforcement actions and a set of warning letters involving IoT or connected devices, the agency considers privacy and data security issues in the IoT a priority. Since 2013, the staff has released a report setting forth recommendations for IoT devices, released numerous business guidance documents, hosted or announced several public workshops to discuss emerging IoT issues, and has addressed IoT privacy and data security through various speeches and events. Taking all of these into account, below are 15 “Do's” and “Don'ts” to consider when implementing privacy and data security practices into IoT and other connected devices.

Privacy Do's and Don'ts
1. DO Know Your Data

Companies designing and marketing IoT devices should understand precisely what data the device will collect and transmit, both actively and passively, intentionally and unintentionally, from and about users. This information should be further evaluated to determine whether it could be considered personal to the user or identify the device or the user's location.

The FTC takes a broad view as to the types of data it considers to be personal. For instance, the FTC has defined the following as covered personal information in recent enforcement actions: (1) an authentication credential, such as a user name or password; (2) photo, video or audio files; (3) a persistent identifier, such as a customer number held in a “cookie,” a static IP address, a mobile device identifier or a processor serial number; (4) precise geolocation data of an individual or mobile device, including GPS-based, Wi-Fi-based or cell-based location information; and (5) any communications or content that is transmitted or stored through a connected device. See e.g.,Agreement Containing Consent Order, In re ASUSTeK Computer, Inc., File No. 142-3156 (FTC Feb. 23, 2016) and Decision and Order, In the Matter of Snapchat, Inc., File No. 132-3078 (FTC Dec. 2014).

2. DON'T Avoid a ‘Privacy-by-Design' Approach

Companies should build in consumer privacy protections from the beginning and at each key stage of an IoT device's development. Emphasis should be on proactively incorporating a privacy analysis as to each product, service or platform that is capable of collecting, accessing, storing or transmitting personal or individual device information.

Such analysis often includes: (a) determining whether there are legitimate business reasons for collecting each type of data commensurate with the risk associated with such data collection and retention; (b) understanding the ways in which information will be used; (c) implementing reasonable limits on the collection and retention of such data; (d) finding ways to minimize, aggregate or otherwise anonymize the collected data; and (e) implementing reasonable procedures to promote data accuracy and integrity. In an initial investigation into a company's practices, the FTC will often look to see whether, and to what extent, a company applied this type of analysis from the beginning. See, e.g., Complaint, In re HTC America Inc., File No. 122-3049 (FTC Feb. 22, 2013) (12 PVLR 377, 3/4/13).

3. DO Consider Whether and How Users Should Be Provided Notice and Choice

As a general rule, companies should provide clear, user-friendly notice and choice options that are delivered at a time and in a context relevant to the consumer's decision about whether to allow the device to collect or use specific data. This is especially true if the connected device will be collecting sensitive personal information from users, or could involve data practices that are likely to surprise consumers. Yet, offering notice and choice can be challenging in the IoT, due to the ubiquity of data collection and the practical obstacles that often come with providing information and choice mechanisms in products not having a user interface.

While the FTC has recognized that there is no one-size-fits-all approach, and not every data collection may require user choice, companies should fully analyze whether and how to best provide notice, and when to obtain “affirmative express consent” from the user. FTC, Staff Report, Internet of Things: Privacy & Security in a Connected World, at 41. What a reasonable consumer may expect concerning collection or use likely depends on the content being offered and the benefits to consumers. Companies can be creative in the ways in which notice and consent are provided in IoT devices. For instance, the FTC explains that developing video tutorials, affixing quick response (QR) codes on devices, or providing choices at point of sale, within set-up wizards, or in a privacy dashboard may be useful depending on the type of product or device. Id.

4. DO Have a Privacy Policy Covering the IoT Device and Ensure it is Accurate

Privacy policies are an effective consumer communication tool, and a way to show consumers that you have thought about protecting your customer's privacy. While there is no comprehensive federal law that requires companies to have a privacy policy, states, the FTC and other agencies (as well as future plaintiffs) may be closely monitoring your privacy promises when it comes to IoT devices.

California law is the most stringent and broadly applicable state law concerning an entity's obligation to publicly post a website privacy policy and provide certain disclosures. See Cal. Bus. & Prof. Code §22577 et seq.; Cal. Civ. Code §1798.83 et seq. In addition, under Section 5 of the FTC Act and similar state unfair and deceptive practice statutes, the FTC, State Attorneys General and private litigants may initiate an action against a business that makes alleged material misrepresentations (or material omissions) in its privacy policy, or makes changes to its privacy policy (and related business practices) in a manner that is considered deceptive or unfair.

These actions provide important guidance regarding modifications to an entity's privacy policy and the need for clarity in policy language, particularly where the business intends to share customer information with third parties for marketing purposes.

5. DON'T Forget to Update All Representations to Match the Privacy Practices

Companies should confirm that all representations made about a product and how personal information is handled and secured (whether in the privacy policy or in other materials) remain accurate and up-to-date as business practices evolve. See e.g., Complaint for Civil Penalties, Permanent Injunction, and Other Relief, ., Case No. 3:13-cv-00448-RS (N.D. Cal. Jan. 31, 2013) . This is especially important when there is an update that (intentionally or unintentionally) causes more or new types of information to be collected from or about the user, or when the company has new and materially different ways in which it is using or disclosing such information.

Data Security Do's and Don'ts
6. DON'T Neglect to Identify Where the Data Will Flow

Companies should understand how data is collected from the connected device and where it is going. This includes what types of data may come inbound to the company's network from the device, where the data will be stored, whether the device will connect to a service provider's network or whether the company will share access to an internal database of user information for marketing or other purposes. Understanding what internal or external networks the device will be connecting to, what third parties the data will be shared with, and how such information will be used is key to determining what security protections are appropriate.

7. DO Test and/or Audit the IoT Device's Security Before Launch and Regularly Thereafter

Companies should perform a security review for their IoT device before launching the product, with each update to the device or software, and as business practices evolve to ensure the implemented security measures appropriately protect the data being collected. The FTC has settled with a number of companies over allegations that they failed to employ reasonable and appropriate security in the design, development, testing or maintenance of their website, app, product, service or platform. See, e.g., Complaint, In re TRENDnet, Inc., FTC File No. 122-3090; Complaint, , File No. 132-3089 (FTC Mar. 28, 2014) (13 PVLR 557, 3/31/14). Often times, a company will conduct beta testing in which it disables or does not include certain security measures. Before releasing a product to the marketplace, companies should identify and prevent such vulnerabilities by performing an adequate security review prior to launch to ensure these security measures are reinstated.

8. DON'T Overlook Implementing a Reasonable Cybersecurity Program

Companies should establish a written information security program with policies and applicable procedures that addresses administrative, technical and physical safeguards designed to protect customer data.

Several states, such as Massachusetts, apply rigorous information security standards to protect the residents of their states. See 201 Mass. Code Regs. §17.01 et seq. In at least one instance, the FTC sent a closing letter to a company who had established and implemented comprehensive policies designed to protect against insider theft of personal information. SeeFTC Closing Letter from Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection, Federal Trade Commission, to Lisa J. Sotto, Hunton & Williams LLP, Aug. 10, 2015.

FTC orders often require companies to implement a comprehensive security program that includes, among other things: (a) designating a responsible employee; (b) identifying potential material internal and external privacy and security risks; (c) conducting risk assessments and employee training; (d) designing and implementing reasonable safeguards to control the risks identified through the risk assessment; and (e) regularly testing and monitoring of the effectiveness of these safeguards. See e.g., Agreement Containing Consent Order, In re ASUSTeK Computer, Inc., File No. 142-3156. The program should be based on the size of the company, and the type, amount, and sensitivity of information collected and maintained. Companies also should implement data breach notification procedures, which should be aligned with relevant state (and depending on the type of entity, federal) laws.

To date, 47 states and D.C. have enacted data security breach notification laws requiring consumer notification in the event of a data breach involving certain types of consumer data and, in some cases, notification to the state Attorney General or other consumer protection units when certain personal information is compromised.

9. DO Train Your Employees in Cybersecurity Awareness

Businesses should educate and train employees on the basics of data security, including the use of strong passwords, protecting those passwords, learning to recognize social engineering techniques and common attack methods that hackers may be using to gain access ( e.g., phishing attacks), and immediately reporting to the company if they believe a cybersecurity incident has occurred. Taking these proactive steps can cut down detection time in the event of an incident and make it harder for hackers to gain entry in the first place (or may help to prevent a cybersecurity incident all together). A company's data security protections may only be as strong as its weakest employee.

10. DON'T Overlook Industry Standards for Data Security Best Practices

Existing and future industry standards can help offer companies guidance on implementing best practices to secure data collected from their IoT devices. In addition, companies may be required to abide by certain industry standards depending on the type of information collected. For instance, companies that collect payment card information through or related to their IoT device may be subject to the industry's Payment Card Industry Data Security Standards (PCI DSS). Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures , Version 3.2 (Apr. 2016).

PCI DSS includes twelve security requirements and numerous sub-requirements designed to provide reasonable security for PCI handled by merchants, payment processors and other service providers that store, process or transmit payment card information. It also requires development and publication of a written security policy and risk-assessment process. Generally, all merchants are bound to comply with PCI DSS through a merchant agreement executed between the merchant and its merchant bank. The payment card brands can, and do, enforce compliance, and some states have codified portions of the PCI DSS to require certain protections for PCI.

General Do's and Don'ts
11. DO Apply Extra Scrutiny When It Comes to Collecting Sensitive Data

When developing an IoT device that can collect sensitive consumer data, companies should apply extra scrutiny to such collection and anticipated consumer use. Companies should review the device design and data collection practices to ensure that data are collected for a legitimate, defensible business purpose, and is appropriately secured while in the company's or its agents' control, or when stored locally on the device. This can include, for example, credit card or other financial information stored in a virtual wallet, personal health information collected through wearable devices, precise geolocation information or information collected about special populations like the elderly or children.

12. DON'T Overlook Your Third-Party Service Providers

Develop an internal documented process for overseeing and monitoring third-party service providers and business partners who will have access to or handle customer information. Such process may include: (a) performing due diligence on prospective partners' information security practices for third parties who will have access to sensitive or financial information, and confirm that they are acceptable before executing an agreement or sharing such information with them; (b) executing agreements that contain robust privacy and data security provisions; and (c) monitoring ongoing relationships with third parties through the use of periodic reviews, questionnaires and/or certificates or statements regarding compliance. See, e.g., Decision and Order, In the Matter of Credit Karma, FTC File No. 132-3091 (Aug. 2014); see also 201 Mass. Code Regs. §17.03(f). Data breaches resulting from vulnerabilities caused in part or full by service providers or contractors have proven to be costly for many entities, including resulting in FTC investigations.

13. DO Monitor and Address Consumer Complaints and Public Reports

Companies should monitor, investigate and appropriately and promptly address spikes in consumer complaints and security vulnerability reports concerning their IoT device to mitigate the risk of harm to users, as well as regulatory examination or litigation. See, e.g., In re Credit Karma, Inc., FTC File No. 132-3091; In re Fandango, LLC, FTC File No. 132-3089; In re HTC America Inc., FTC File No. 122-3049. As part of the security program, companies should ensure that they track publicly reported vulnerability reports that may be relevant to the device and take steps to address concerns presented.

14. DON'T Underestimate the FTC's Interest in Third Party Liability

The FTC takes the position that a company can be liable for the acts and practices of a third party if the company knew or should have known of the challenged conduct, financially benefited from such conduct and failed to take appropriate or prompt steps to address the concerns. See e.g., ., Case No. 2:14-cv-01038-JCC (W.D. Wash. Apr. 26, 2016). In many of the FTC's privacy and data security third-party liability cases, the company often overstates the level of oversight or protection it provides over third parties or does not take reasonable steps to confirm that its third-party vendors or business partners can reasonably use and/or protect personal data shared with them. See, e.g., In the Matter of Credit Karma, FTC File No. 132-3091.

15. DON'T Forget to Monitor for New Developments at the FTC

Many of the FTC's enforcement actions came soon after the agency held workshops or seminars or issued other educational briefings addressing new areas or after the FTC staff issues reports with recommended business guidance. By monitoring developments at the FTC, companies can determine what may be next on the agency's enforcement agenda.

Recently, the FTC announced a series of workshops designed to address ransomware and related data security issues; privacy and other considerations associated with the use of drones; and tracking consumer habits through their Smart TVs. The FTC also announced an upcoming financial technology forum, and will hold its second PrivacyCon event, seeking to explore new and evolving technologies, such as targeted advertising, cross-device tracking, smart homes, wearable devices, voice-controlled technologies, connected cars and commercial drones. These IoT issues and options may soon appear in future FTC enforcement fact patterns.


The FTC will continue to make IoT privacy and data security a priority at the agency. As our interconnected world continues to grow, the FTC will closely scrutinize companies' practices with respect to the collection, use, handling and security of consumers' personal information in the Internet of things. Staying mindful of FTC enforcement actions and the lessons learned from such cases can help companies proactively identify and address privacy and data security risks or issues, and hopefully help to avoid them from being next on the FTC's agenda.

Request Bloomberg Law Privacy and Data Security