Multistakeholder Group Seeks Comment on Draft Framework for IoT Device Manufacturers

Advertisement

Earlier this week, the Online Trust Alliance released a draft framework of best practices for Internet of Things device manufacturers and developers, such as connected home devices and wearable fitness and health technologies.  The OTA is seeking comments on its draft framework by September 14.

The framework acknowledges that not all requirements may be applicable to every product due to technical limitations and firmware issues.  However, it generally proposes a number of specific security requirements, including encryption of personally identifiable data at rest and in transit, password protection protocols, and penetration testing.  In addition, it proposes the following requirements:

Advertisement

  • A privacy policy that is readily available to review prior to product purchase, download or activation, and that discloses the consequences of declining to opt-in or opt-out of policies on key product functionality and features.

  • A privacy policy display that is optimized for the user interface to maximize readability.  The working group recommends layered privacy policies for this purpose.

    Advertisement

  • Conspicuous disclosure of all personally identifiable data collected.

    Advertisement

  • Data sharing is limited to service providers that agree to limit usage of data for specified purposes and maintain data as confidential or to other third parties as clearly disclosed to users.

  • Disclosure of the term and duration of the data retention policy.  In addition, the framework goes on to state that data generally should be retained only for as long as the user is using the device or to meet legal requirements.

  • Disclosure of whether the user has the ability to remove or anonymize personal and sensitive data other than purchase history by discontinuing device use.

    Advertisement

  • Disclosure of what functions will work if “smart” functions are disabled or stopped.

  • For products and services designed to be used by multiple family members, the ability to create individual profiles and/or have parental or administrative controls and passwords.

    Advertisement

  • Mechanisms for users to contact the company regarding various issues, transfer ownership, manage privacy and security preference.

In addition, the draft framework makes various other recommendations that go above and beyond the proposed baseline requirements, although acknowledging that the recommendations may not be applicable to every device or service.

Advertisement
ARTICLE BY Elizabeth H. Canter of Covington & Burling LLP

© 2015 Covington & Burling LLP

Published by

National Law Forum

A group of in-house attorneys developed the National Law Review on-line edition to create an easy to use resource to capture legal trends and news as they first start to emerge. We were looking for a better way to organize, vet and easily retrieve all the updates that were being sent to us on a daily basis.In the process, we’ve become one of the highest volume business law websites in the U.S. Today, the National Law Review’s seasoned editors screen and classify breaking news and analysis authored by recognized legal professionals and our own journalists. There is no log in to access the database and new articles are added hourly. The National Law Review revolutionized legal publication in 1888 and this cutting-edge tradition continues today.