Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Aug. 13 — Industry working group Online Trust Alliance (OTA) Aug. 11 released a draft framework of best practices for Internet of Things device manufacturers and developers, with a specific focus on the security and privacy risks associated with connected home products and wearable health and fitness technologies.
The OTA is seeking feedback on the 23 proposed minimum requirements and 12 additional recommendations. Comments may be submitted until Sept. 14.
In January, the OTA established the IoT Trustworthy Working Group, a multistakeholder initiative to develop a framework of voluntary best practices in privacy, security and sustainability. The draft framework represents a broad consensus of nearly 100 participants, but there are cases where consensus is pending, OTA said. Although the framework was developed to apply to all connected home and wearable products, some of the requirements may not be applicable to every product due to technical limitations and embedded firmware.
Symantec Corp., Microsoft Inc., Twitter Inc. and TRUSTe are among the members of the OTA.
Among the proposed minimum requirements are that:
• manufacturers conspicuously display all personally identifiable data types and attributes that are collected;
• the terms and duration of the data retention policy be disclosed;
• manufacturers disclose whether users have the ability to have personal and sensitive data removed, purged or made anonymous upon discontinuing device use, loss, damage, sale or device end-of-life; and
• personally identifiable data must be encrypted or hashed to achieve “end-to-end encryption of all personal data.”
In addition to the proposed minimum requirements, OTA said that companies must abide by all applicable regulatory requirements, including child protection, breach notification and disclosure requirements.
The additional recommendations include:
• not transferring consumer data unless it is a “dependent part of the sale or liquidation of the core business” or unless the company has taken steps to provide consumer notice and consent;
• taking steps to prevent personal data from being reidentified;
• adhering to the Fair Information Practice Principle of minimal data collection;
• agreeing to not materially change, without consumer consent, privacy policies after the product is purchased; and
• planning to include support for evolving standards and protocols.
Full text of the “IoT Trust Framework—Discussion Draft” is available at https://otalliance.org/system/files/files/resource/documents/iot_trust_frameworkv1.pdf.