Web of Things Security, Privacy Law Premature: FTC

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Ellie Smith

June 7 — Federal legislation specifically regulating privacy and security for the Internet of things (IoT) would be premature, Federal Trade Commission staff recently said.

Instead, Congress should enact “technology-neutral data security legislation,” FTC said in a comments letter to the Department of Commerce's National Telecommunications and Information Administration (NTIA).

Although the FTC may be hesitant to suggest specific legislation, the FCC may be moving to a more activist approach to IoT oversight, analysts told Bloomberg BNA.

The FTC letter reveals the FTC's vision of its own role in overseeing the IoT, according to Norma M. Krayem, senior policy adviser at Holland & Knight LLP in Washington and the co-chair of the firm's Data Protection and Cybersecurity Group.

FTC Reaffirms Its Role

“The FTC's comments really drill into what they believe their core jurisdiction should be,” Krayem said. “In some ways, their comments are more about the public benefits of what the FTC is already doing,” Krayem told Bloomberg BNA June 7.

The NTIA would likely not write new privacy requirements, because the administration isn't as much of a “hard-core regulator,” she said.

As the FTC and NTIA consider ways to regulate the IoT, it's likely the Federal Communications Commission (FCC) will also increase its oversight, Craig Spiezle, executive director, founder and president of the Online Trust Alliance, told Bloomberg BNA June 7.

“Think about the connected homes and all these devices connected there and the data collection in that scenario,” Spiezle said. “It’s reasonable to expect you’re going to see more across the lines between FCC with regulatory oversight.”

FTC Recommendations

The June 2 FTC staff letter recommended that businesses build security measures into products and update them continually, minimize the amount of data they collect from IoT devices and give consumers “notice and choice” when collecting data.

NTIA should also adopt standards for interoperability, so IoT products can interact predictably, the commission staff wrote.

“To the extent that NTIA considers adopting policies or taking actions to promote interoperability standards, it should consider policies and actions to promote safeguards that support the full realization of these standards' potential benefits,” FTC staff wrote.

The FTC's response was largely based on a Jan. 2015 commission report on IoT privacy and security (18 PRA, 1/28/15). The advice in the response “expanded in greater detail” information from the original report, according to the letter.

The NTIA asked for FTC insight in a request for comment April 1 as part of their survey on the IoT environment (67 PRA, 4/7/16).

To contact the reporter on this story: Ellie Smith in Washington at esmith@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com

For More Information

Full text of the FTC letter is available at http://src.bna.com/fFR.

Request Bloomberg Law Privacy and Data Security