Internet of Things Industry Needs Privacy Guidance

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

March 31 — Data generated by connected devices making up the Internet of things may allow businesses to improve their products and services, but the connected devices industry needs more best practices guidance on addressing privacy issues, analysts said.

Enforcement actions might spur companies to better address privacy issues, but there are more “company-friendly ways,” Denise Zheng, deputy director of Strategic Technologies Program at Center for Strategic and International Studies, said March 30 at an Internet of Things National Institute event

The panel session during the institute, which was organized by the American Bar Association Section of Science & Technology Law and hosted by Jones Day, discussed the risks and benefits of the collection, use, sharing and retention of data collected by IoT devices; how Fair Information Practice Principles (FIPPs)—security, data minimization, notice and choice—should apply to IoT; and strategies to address privacy issues.

Enterprise Use Outweighs Consumer Use

The benefits of data generated by connected devices are limited only by imagination, Maneesha Mithal, chief of the Bureau of Consumer Protection at the Federal Trade Commission, said. However, the risks include: ubiquitous collection of data; unexpected uses of data; and security of the data, she said.

National Institute of Standards and Technology Senior Privacy Policy Advisor Naomi Lefkovitz said the availability of such massive amounts of data could pose “risks to civil liberty.”

According to Zheng, despite the recent proliferation of consumer use of connected devices, “the vast majority of new uses of devices are by enterprises, not consumers.” She cited the decrease in price of hardware and the technological advances in analytics software as reasons for adoption of connected devices by various industries, including aviation and insurance.

Further, FIPPs have withstood the test of time and technological advances and are still helpful in the context of Internet of things devices, according to Mithal. Zheng, however, cautioned that the different countries may have different standards and definitions of “consent, ” citing the final text of the European Union General Data Protection Regulation , which specifies that consent must be “freely given,” as well as “specific, informed and unambiguous,” and it must be given by a “clear affirmative action” .

There are too many laws and standards governing the collection and use of data, Zheng said, calling for harmonization of such rules.

This is a “tough problem” but there are some “common sense” things that companies can do to better protect privacy, including encrypting data, Zheng said.

Ruth Hill Bro, a privacy attorney and past chairwoman of the ABA Section of Science & Technology Law, who moderated the panel, said that companies should focus on keeping up with the change and “thinking about privacy from the start.”

Mithal agreed, saying that companies should think of “privacy by design.”

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

Request Bloomberg Law: Privacy & Data Security