FTC Backs Self-Regulation for ‘Internet of Things’ Market

By Alexei Alexis

Jan. 27 — A staff report unveiled by the Federal Trade Commission urges best practices to address data privacy and security concerns surrounding the “Internet of Things,” while stopping short of calling for industry-specific legislation.

The report released Jan. 27 recommends that companies take steps such as building security into devices in the design process—rather than as an afterthought—and ensuring that any outside service providers are capable of maintaining “reasonable security.”

“The FTC got it right by opposing industry-specific legislation and understanding that not all information on the Internet of Things is personally identifiable,” Dan Caprio, a senior consultant for McKenna Long & Aldridge LLP, told Bloomberg BNA.

The report reflects the fact that prescriptive regulation might stifle the Internet of Things market, which is in its infancy, according to Christopher Wolf, a partner at Hogan Lovells LLP.

“The report focuses on cybersecurity and recognizes that application of fair information practice principles needs to be flexible, taking into account the nature of the technology and the context of the data collection,” Wolf told Bloomberg BNA.

General Privacy Bill Urged

However, Susan Grant, of the Consumer Federation of America, said that industry self-regulation will not be enough to protect consumers.

“It is important to underscore the need for baseline privacy legislation, a point that the FTC has made before and reiterates in this report,” Grant told Bloomberg BNA. “No multistakeholder processes, voluntary codes of conduct, or best practices can effectively help to protect consumers’ privacy and security unless they are based on fundamental rights and responsibilities set by law.”

Meanwhile, Sen. John Thune (R-S.D.), chairman of the Senate Commerce, Science, and Transportation Committee, has announced plans for a Feb. 11 hearing on the Internet of Things.

“By engaging early in this debate, Congress can ensure that any government efforts to protect consumers are tailored for actual problems and avoid regulatory overreach,” Thune said in a statement.

The Internet of Things refers to the ability of everyday objects to become connected to the online world and to send and receive data. While such connected devices have the potential to offer benefits such as improved health monitoring, safer highways, and more efficient home energy use, they also raise numerous consumer privacy and security concerns, according to the FTC report.

“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” FTC Chairwoman Edith Ramirez said in a statement announcing the report. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”

Experts estimate that there will be 25 billion connected devices as of this year, and 50 billion by 2020, the report noted.

Republican Objections

The FTC held a workshop on privacy concerns surrounding the Internet of Things in 2013. The commission voted 4-1 to approve the resulting staff report, with Commissioner Joshua Wright, a Republican, dissenting. Wright said the report's recommendations weren't backed by appropriate analytical support.

“An economically sound and evidence-based approach to consumer protection, privacy, and regulation of the Internet of Things would require the Commission to possess and present evidence that its policy recommendations are more likely to foster competition and innovation than to stifle it,” he said in a dissenting statement.

While the report did not urge legislation to regulate the Internet of Things specifically, it reaffirmed the commission's support for general data security breach legislation. It also renewed a call for Congress to pass a broad-based privacy bill, although Commissioner Maureen Ohlhausen, another Republican, issued a concurring statement saying that she didn't see the need for such legislation.

Besides ensuring security by design and maintaining oversight of outside service providers, the FTC report urges companies to take steps such as:

• training employees in the importance of security and ensuring that security is managed at an appropriate level in the organization;

• considering measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network; and

• monitoring connected devices throughout their expected life cycle, and where feasible, providing security patches to cover known risks.

Commission staff also recommended that companies consider data minimization—that is, limiting the collection of consumer data, and retaining that information only for a set period of time, not indefinitely. In addition, staff recommended that companies notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations.

The report was slammed by TechFreedom, a Washington-based think tank and staunch critic of the FTC.

“At best, this is just another exercise in Workshop Theater; at worst, the FTC is trying to regulate the Internet of Things by stealth,” said TechFreedom President Berin Szoka.

To contact the reporter on this story: Alexei Alexis in Washington at aalexis@bna.com

To contact the editor responsible for this story: Heather Rothman at hrothman@bna.com

The report is available at http://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.