New FTC Report on IoT Maintains Need for Baseline Privacy Legislation and Begins to Recognize Limitations of FIPPS in a Connected World
The Federal Trade Commission released its long awaited staff report on privacy and security issues presented by the emerging market for connected devices, also known as, the Internet of Things (“IoT”) (the “Report”) this morning. The report follows up on the Workshop held in November 2013 and defines the IoT as “devices or sensors – other than computers, smartphones, or tablets – that connect, store or transmit information with or between each other via the Internet.” The scope of the recommendations contained within the Report is limited to those devices sold to or used by consumers. Although the Report builds on principles developed during the Workshop, it does not break new ground (other than to formally recognize the limits of notice, choice and data minimization practices in the IoT ecosystem).
Notably, the Report recognizes that “there is great potential for innovation in this area, and that IoT-specific legislation at this stage would be premature.” However, the Report does re-iterate the need for a national data breach notification law and a baseline consumer privacy statute, as recently outlined by the President. In the meantime, the Commission will rely on its existing authority under laws such as the FTC Act, the Children’s Online Privacy Protection Act and the Fair Credit Reporting Act to protect consumer privacy and information security in this emerging sector.
The Report reinforces prior Commission guidance, including recommendations to:
- incorporate multi-layered privacy and security into the design of such devices;
- establish a privacy and security program, with organizational accountability and training;
- conduct risk assessments;
- ensure service providers are capable of maintaining the required privacy and security requirements;
- test and monitor the security of the devices before they are launched and throughout the life cycle; and
- apply the Fair Information Practice Principles (FIPPs) – including data minimization, notice and choice.
At the same time, the Report recognizes that certain principles may have limited effect when applied to the IoT. For example, with regard to notice and choice, the Report recognizes the practical difficulties of providing notice or consumer choices when certain IoT devices lack consumer interfaces (or simply have a small screen), and that a one-size-fits-all approach will not work in every instance. As an alternative, the Report proposes to incorporate certain elements of a use-based model, where choice is keyed to the context of the interaction with the connected device. Ultimately, the Report concludes that notice to consumers is essential in order to allow them to make meaningful choices, and companies can find innovative and alternative methods, such as giving notice through tutorials or providing choices at the point of sale or during device set-up.
Recognizing that data minimization in the IoT ecosystem is challenging, the Report recommends a “flexible” approach to data minimization, such that companies tailor their data retention needs by: choosing to collect no data; collecting data limited to the categories required to provide the service offered by the device; collecting less sensitive data; or choosing to de-identify the data collected. The Report did not squarely address a primary concern raised during the workshops, that the need for continuous data feeds is a critical element to many connected devices operating in the IoT ecosystem.
Although Commissioner Ohlhausen concurred in the Report’s release and in a separate statement, praised the scope and several of the recommendations, she did not support the call for baseline privacy legislation and expressed concern over the data minimization recommendation, stating, “without examining costs or benefits, encourages companies to delete valuable data – primarily to avoid hypothetical future harms. Even though the report recognizes the need for flexibility for companies weighing whether and what data to retain, the recommendation remains overly prescriptive.” Commissioner Wright wholly dissented to the publication of the Report, stating that staff had failed to provide the requisite “analytical support to establish the likelihood that [the best practices and recommendations for broad-based privacy legislation practices], if adopted, would improve consumer welfare.”