Web of Things Producers' Best Practices Drafted


Aug. 13 — Industry working group Online Trust Alliance (OTA) on Aug. 11 released a draft framework of best practices for Internet of Things device manufacturers and developers, with a specific focus on the security and privacy risks associated with connected home products and with wearable health and fitness technologies.

The OTA is seeking feedback on the 23 proposed minimum requirements and 12 additional recommendations. Comments may be submitted until Sept. 14.

In January, the OTA established the IoT Trustworthy Working Group, a multistakeholder initiative to develop a framework of voluntary best practices in privacy, security and sustainability. The draft framework represents broad consensus of nearly 100 participants, but there are cases where consensus is pending, OTA said. Although the framework was developed to apply to all connected home and wearable products, some of the requirements may not be applicable to every product due to technical limitations and embedded firmware.

Symantec Corp., Microsoft Inc., Twitter Inc. and TRUSTe are among the members of the OTA.

Minimum Requirements, Additional Recommendations

The proposed minimum requirements include that:

• the privacy policy be readily available to review before product purchase, download or activation and be easily discoverable to the user;

• the privacy policy display be designed to maximize readability;

• manufacturers conspicuously display all personally identifiable data types and attributes that are collected;

• the terms and duration of the data retention policy be disclosed;

• manufacturers disclose whether users have the ability to have personal and sensitive data removed, purged or made anonymous upon discontinuing device use, loss, damage, sale or device end-of-life; and

• personally identifiable data be encrypted or hashed to achieve “end-to-end encryption of all personal data.”

In addition to the proposed minimum requirements, OTA said that companies must abide by all applicable regulatory requirements, including child protection, breach notification and disclosure requirements.

The draft framework also contained a preliminary list of recommendations that “organizations may wish to consider,” including:

• not transferring consumer data unless it is a “dependent part of the sale or liquidation of the core business” or unless the company has taken steps to provide consumer notice and consent;

• taking steps to prevent personal data from being reidentified;

• adhering to the Fair Information Practice Principle of minimal data collection;

• agreeing to not materially change, without consumer consent, privacy policies after the product is purchased; and

• planning to include support for evolving standards and protocols.

Full text of the “IoT Trust Framework—Discussion Draft” is available at https://otalliance.org/system/files/files/resource/documents/iot_trust_frameworkv1.pdf.
