CPSC Staff Addresses IoT 2018 Hearing Feedback, IoT Project Plans in New Report

Connected products can make the world a safer place: electronic sensors in the home can detect problems and send smartphone notifications to the homeowner; smart alert devices can notify family members or home help companies that an elderly person has fallen and needs assistance. But with over 64 billion connected products in the marketplace, there is a concern that connected devices could introduce hazards that might lead to a risk of injury due to problems with software updates or customization, faulty connections, and even consumer modifications.

As the body charged with overseeing consumer product safety in the U.S., over the last few years, the Consumer Product Safety Commission (CPSC) has shown an increasing interest in defining its role with regard to connected products. In May 2018, the CPSC held a public hearing on IoT, obtaining feedback from a range of stakeholders on potential risks of connected consumer products and the agency’s role. In late September, CPSC staff submitted to the Commission a status report outlining the CPSC’s work on consumer product IoT issues since the public hearing. The report also outlines how CPSC staff understands the agency’s role, which is safeguarding consumers from potential physical product risks, as well as how its work intersects with the jurisdiction of other agencies as they oversee connected products.

The report notes that this is an ongoing process, stating that CPSC staff is working on “how to define consumer product safety in terms of the IoT, the intersection of, and interdependencies among, consumer product safety, data security and privacy, and how our traditional risk management approaches apply to connected products.” The report acknowledges that privacy and data security are not within CPSC’s jurisdiction, but noted that at least one participant in CPSC’s 2018 hearing warned that “CPSC should pay attention to certain cybersecurity threats that create opportunities for physical harm, a risk not previously considered, and resist creating any prescriptive rules for IoT devices.”

To increase institutional knowledge of IoT benefits and challenges, CPSC has dedicated resources to develop its staff’s expertise. CPSC has also participated in developing voluntary standards, has taken a leadership role in establishing an interagency IoT working group, and has been developing its capability to simulate home networks at its laboratory.

The staff report outlines three ongoing internal projects relating to IoT. The first involves developing a methodology for assessing safety-related implications arising out of software and firmware updates to connected products. This project is at what CPSC views as the intersection of product safety and data security and potential “hazardization” of connected products as a result of data vulnerabilities. CPSC is also looking at connected heating appliances and the risks associated with their remote activation. Finally, CPSC is studying smart toys “in an effort to identify physical safety hazards.” It is surprising that CPSC staff would dedicate resources to toys as opposed to other products, like in-home safety devices, since the physical safety of toys is strictly regulated by the mandatory toy safety standard, ASTM F-963. The likelihood of physical hazardization of toys is far lower than, for example, connected home security devices and sensors. In those categories, connectivity, and thus security breaches that affect the operation of those devices, may be directly related to both safety risks and advantages. Indeed, home safety devices are a category in which we have actually seen CPSC recall activity.

The report notes that CPSC is engaging in product safety assessments of connected and shared e-scooters. This is likely in response to reports of e-scooters that were vulnerable to hacking. The emerging hazards of micro-mobility devices such as shared e-scooters are also a focus of CPSC’s Operating Plan for Fiscal Year 2020 and represent another product category that appears to be more vulnerable to hazardization than connected toys.

CPSC staff intended to develop a best practices guide for industry and consumers on connected products, which was an enumerated project in the proposed Operating Plan for Fiscal Year 2020. However, an amendment introduced by Commissioner Feldman focuses CPSC’s resources on IoT intergovernmental work instead. Given the report’s acknowledgment that the agency is still working to develop staff expertise in IoT, attempting to create such a guide appears premature at this juncture.

The sharp increase in the number of connected devices in the market means it is necessary and appropriate for CPSC to continue to build expertise on IoT issues, even though very few examples of actual product safety hazards attributable to some type of connectivity failures exist. It would be useful for CPSC to focus its efforts and resources on product categories that pose a higher potential risk to the physical safety of consumers through hazardization or failure as a result of connectivity, without overstating potential risks. It is encouraging that through the intergovernmental initiatives a variety of federal agencies are working collaboratively to better understand the various consumer protection issues potentially raised by connected products that fit within their respective jurisdictions.


© 2019 Keller and Heckman LLP


Product Liability in the Internet of Things

When California enacted SB 327 last year, it became the first state to regulate Internet of Things (IoT) devices, which refer to physical devices that are connected to the internet. Beginning next January, the new law will require manufacturers of IoT devices sold in California to implement reasonable security features that protect the software, data, and information contained within them. While the law regulates only the minimum security standards for IoT devices, its definition of a “connected device” (i.e., an IoT device) may impact product liability claims because “connected devices” are physical objects and not technology. SB 327’s definition suggests that manufacturers of the software in IoT devices may not be held strictly liable for software defects, because the law aligns with and reinforces the view of most courts that software is not a product, but a service.

A broad concept, the IoT comprises billions of devices worldwide. It includes everything from cell phones and tablets to smart speakers that respond to voice commands, smart refrigerators that help keep track of the food inside them, and even smart collars that track a dog’s fitness levels. There are wearable health monitors that send a patient’s real-time medical information directly to a health care professional, and smart pills that help keep track of the time when a patient last took one. If a product can be connected to the internet, it can become an IoT device.

Among other things, SB 327 requires manufacturers of “connected devices” to equip them with “reasonable security features.” The law defines a “connected device” to include only “physical objects,” which is significant because IoT devices combine a physical object with technology that changes the nature of the device. For example, a regular lamp is not part of the IoT. But when a manufacturer installs technology that connects the lamp to the internet and allows it to be turned on or off or dimmed by a tablet or smart phone, then the lamp becomes an IoT device. As written, SB 327 may exclude manufacturers of the intangible technology – such as software – from its requirements.

Combining a physical object and an intangible technology also creates a novel issue when it comes to strict product liability principles, which typically hold that a product manufacturer may be strictly liable for a product’s defect. The first task in a strict product liability case is to identify the product. In the context of a device that has no internet connectivity, the answer is straightforward. If a ladder is defective and causes an injury, the ladder’s manufacturer may be held strictly liable because a ladder is the product. But when it comes to IoT devices, the line may be blurred. Almost always, the software part of the IoT device is “manufactured” by a separate entity from the entity that manufactures the physical object. If the IoT device proves to be defective, the question becomes which entity may be held strictly liable.

A real-world example illustrates the issue. Medical professionals today are beginning to use implantable cardiac devices that transmit data directly from the device to the health care provider, which allows the medical professional to directly monitor the patient and device (for more information on these medical devices and other issues that surround them, see our previous blog post). The benefits of this technology are obvious. It allows for real-time observation by medical professionals, which makes patients safer and reduces the need for long visits to the doctor’s office. But internet-based monitoring also may come with some risks that the statute attempts to address. For example, as the device is connected to the internet, it may be vulnerable to unauthorized access. Additionally, a software defect could potentially misread data, corrupt information, or even cause the device to malfunction.

If the defect is in the physical object of the device, then the entity that manufactured the device may risk being held strictly liable. But if the defect is in the software, the answer is less apparent because courts have not clearly indicated whether software is a product for purposes of strict product liability. Most observers expect courts to treat software in IoT devices as a service rather than a product, because for UCC purposes courts typically treat custom-made software (like that in IoT devices) as a service rather than a good. SB 327 aligns with this view and provides additional fuel for the argument that software is not a product.

The California Legislature may have placed the burden on an IoT device’s physical manufacturer to ensure safety when it comes to data stored inside the device. But physical device manufacturers may yet argue that the software was a component product when it comes to strict liability issues. Time will tell how courts will address that argument.


© 2019 Schiff Hardin LLP
This post was written by Gregory Dickinson and Jeffrey Skinner of Schiff Hardin LLP.

IOT (Internet of Things) Legislation Makes an Appearance in the U.S. Senate

For those who are not familiar with the acronym, IoT or ‘Internet of things’ refers to the interconnection of network devices and everyday objects for increased control and ease of use.

The US Government has been steadily increasing the number of IoT devices used in day-to-day business. In response to mounting concerns surrounding this, a bipartisan group in the Senate revealed a piece of legislation that would govern the use of IoT devices in the government context.

As we have blogged previously, the implementation of IoT brings with it an array of potential security issues and vulnerabilities. If hackers are able to access one device, there’s the possibility for them to manipulate others connected on the same network. This could result in national security risks, citizen information breaches or high-scale ransom attacks.

Under the bill, the National Institute of Standards and Technology (NIST) will give recommendations to the federal government, including minimum security requirements and how the government should approach potential cybersecurity issues. These policies and recommendations would be revisited every five years to keep them fresh and responsive to ever-changing cyber threats.

The potential that such standards would provide more industry-wide guidance is to be encouraged, as several years into the growth of IoT there remains huge variability in security. The internet of things generally receives less security attention than most people’s computers, but the impact of a compromise, and its ability to propagate, is arguably greater.

Ella Richards and Cameron Abbott of K&L Gates contributed to this post.

Copyright 2019 K&L Gates.

FTC’s Settlement in Vizio May Provide Hint at Direction of Internet of Things Regulation

The Federal Trade Commission’s (FTC’s) settlement in FTC v. Vizio, Inc. may signal the direction the agency is heading on Internet of Things (IoT) enforcement. With veteran FTC enforcer Jessica Rich leaving and new appointee Maureen Ohlhausen taking over, Ohlhausen’s separate concurring statement in that matter is insightful.

The settlement took a broad view on the types of data that require protection. While the “Covered Information” included information like personal identifiers, IP address, and geolocation, it also included “Viewing Data,” which is essentially data about the content viewed on a television. Ohlhausen criticized this expansion and the FTC’s foray into this public policy basis for alleging an unfair practice. She notes, “But here, for the first time, the FTC has alleged in a complaint that individualized television viewing activity falls within the definition of sensitive information.” Hinting that this broad view of personal data may not continue, Ohlhausen writes, “There may be good policy reasons to consider such information sensitive…. But, under our statute, we cannot find a practice unfair based primarily on public policy. Instead, we must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers.” She then promises that “[i]n the coming weeks I will launch an effort to examine this important issue further.”

© MICHAEL BEST & FRIEDRICH LLP

House Energy and Commerce Committee Holds Hearing on Security of Internet of Things

What the experts are saying.

The hearing was motivated by the revelation that cybersecurity is no longer just about protecting laptops or securing digital data. IoT insecurity puts human safety at risk, as everything from home appliances to automobiles and medical technology is becoming connected to the Internet. Representatives from both subcommittees pressed expert witnesses Mr. Dale Drew of Level 3 Communications, Dr. Kevin Fu of Virta Labs and the University of Michigan, and Mr. Bruce Schneier of the Harvard Kennedy School of Government for examples of legislation that could target the cybersecurity concerns related to the Internet of Things.

These experts shared conflicting opinions about whether it is in fact possible for the government to establish one set of security standards that covers all Internet-connected devices, as these devices do many different things and are powered by many different types of technology. Mr. Schneier reminded the subcommittees that “[your smartphone] is not a phone; it’s a computer that makes phone calls.” The same applies to a long list of devices including WiFi-connected baby monitors, thermostats, refrigerators, DVR players, GPS systems, children’s toys, and of course, electronic voting booths. In his testimony, Mr. Drew explained that “bad actors are increasingly attracted to IoT devices since they can use those devices without being detected for long periods of time, they know most devices will not be monitored or updated, and they know there are no endpoint protection capabilities on IoT devices to remove threats.” Nevertheless, they agreed that a collaborative and, above all, proactive approach by both the government and manufacturers of these devices will be essential.

Fortunately, we already have a potential starting point. The National Institute of Standards and Technology recently issued a comprehensive set of guidelines and best practices for securing IoT devices and systems throughout their entire life cycle. But simply establishing these best practices on paper will not be enough. Dr. Fu reiterated the most important takeaway from the hearing: that proper security measures for IoT devices must be “built in, not bolted on.” Protective measures like encryption must be incorporated into the fundamental design of a device, not tacked on as an afterthought. They also must secure a device from its creation, through its life with a consumer, and after “retirement” since old but active devices are still vulnerable to hijacking by botnets like the one used in last month’s massive distributed denial of service (“DDoS”) attack on global Internet routing company Dyn.

Looking ahead to the future.

Currently, there are few market incentives to spend time and money producing more secure encrypted devices.  There are likewise no significant legal or economic penalties for selling devices to consumers that are insecure. In short, consumers are focused on buying sleek and affordable new products rather than on the networks that connect them. However, if massive DDoS attacks continue the same way that data breaches have in recent years, the priorities of consumers and manufacturers alike are bound to evolve.

Will a greater focus on security slow down the rate of technological innovation? Despite some concerns, Dr. Fu and Mr. Schneier reassured the subcommittees that efforts to improve cybersecurity will spur innovation in the tech industry, not hold it back. As consumers and manufacturers become more aware of the implications of poorly secured devices, incorporating features like end-to-end encryption will be understood not as necessary obstacles, but as valuable solutions to very real and costly problems.

ARTICLE BY Cynthia J. Larose, Michael B. Katz & Joanne Dynak of Mintz Levin
©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

FAST Act Calls for Examination of Internet of Things

The Internet of Things (IoT), as defined by Wikipedia, is the network of physical objects or “things” embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data. The IoT allows objects to be sensed and controlled remotely across existing network infrastructure, creating opportunities for more direct integration between the physical world and computer-based systems, and resulting in improved efficiency, accuracy and economic benefit.  Each thing is uniquely identifiable through its embedded computing system but is able to interoperate within the existing Internet infrastructure.

In short, if we look at the objects we use in everyday life – from our phones, to our laptops, to even our copy machines or printers at work – each is able to collect and potentially exchange vast amounts of data.  While the capabilities of these devices and objects to collect data and exchange data will likely improve our daily lives, it is also important to examine how to protect the privacy and security of the information and data which is collected and shared.

The Fixing America’s Surface Transportation Act (FAST Act) includes a number of provisions related to privacy, including an amendment to the Gramm-Leach-Bliley Act (GLBA) as well as the enactment of the Driver Privacy Act of 2015.  Interestingly, the FAST Act also requires a report on the potential of the IoT to improve transportation services in rural, suburban, and urban areas.

Specifically, Section 3024 of Title III requires the Secretary of Transportation to submit a report to Congress not later than 180 days after December 4, 2015 (the enactment date of the FAST Act). The report, presumably to address the issues discussed above, is to include (1) a survey of the communities, cities, and States that are using innovative transportation systems to meet the needs of ageing populations; (2) best practices to protect privacy and security, as determined as a result of such survey; and (3) recommendations with respect to the potential of the IoT to assist local, State, and Federal planners to develop more efficient and accurate projections of the transportation.

While it is unclear exactly what information will be captured in the report, it’s clear the drafters of Section 3024 have recognized the importance of data privacy and security while utilizing the IoT to improve transportation. On a more personal note, I have to believe I am not alone in hoping that the report will finally address (and correct!) the traffic patterns related to my daily commute!

Jackson Lewis P.C. © 2015

Three Trending Topics in IoT: Privacy, Security, and Fog Computing

Cisco has estimated that there will be 50 billion Internet of Things (IoT) devices connected to the Internet by the year 2020. IoT has been a buzzword over the past couple of years. However, the buzz surrounding IoT in the year 2015 has IoT enthusiasts particularly excited. This year, IoT has taken center stage at many conferences around the world, including the Consumer Electronics Show (CES 2015), SEMICON 2015, and CEATEC Japan, among others.

1. IoT will Redefine the Expectations of Privacy

Privacy is of utmost concern to consumers and enterprises alike. For consumers, the deployment of IoT devices in their homes and other places where they typically expect privacy will lead to significant privacy concerns. IoT devices in homes are capable of identifying people’s habits that are otherwise unknown to others. For instance, a washing machine can track how frequently someone does laundry, and what laundry settings they prefer. A shower head can track how often someone showers and what temperature settings they prefer. When consumers purchase these devices, they may not be aware that these IoT devices collect and/or monetize this data.

The world’s biggest Web companies, namely, Google, Facebook, LinkedIn, and Yahoo are currently involved in lawsuits where the issues in the lawsuits relate to consent and whether the Web companies have provided an explicit enough picture of what data is being collected and how the data is being used. To share some perspective on the severity of the legal issues relating to online data collection, more than 250 suits have been filed in the U.S. in the past couple of years against companies’ tracking of online activities, compared to just 10 in the year 2010. As IoT devices become more prevalent, legal issues relating to consent and disclosure of how the data is being collected, used, shared or otherwise monetized will certainly arise.

2. Data and Device Security is Paramount to the Viability of an IoT Solution

At the enterprise level, data security is paramount. IoT devices can be sources of network security breaches and as such, ensuring that IoT devices remain secure is key. When developing and deploying IoT solutions at the enterprise level, enterprises should conduct due diligence to prevent security breaches via the IoT deployment, but also ensure that even if an IoT device is compromised, access to more sensitive data within the network remains secure. Corporations retain confidential data about their customers and are responsible for having adequate safeguards in place to protect the data. Corporations may be liable for deploying IoT solutions that are easily compromised. As we have seen with the countless data breaches over the past couple of years, companies have a lot to lose, financially and otherwise.

3. Immediacy of Access to Data and Fog Computing

For many IoT solutions, timing is everything. Many IoT devices and environments are “latency sensitive,” such that actions need to be taken on the data being collected almost instantaneously. Relying on the “cloud” to process the collected data and generate actions will likely not be a solution for such IoT environments, in which the immediacy of access to data is important. “Fog computing” aims to bring the storage, processing and data intelligence closer to the IoT devices deployed in the physical world to reduce the latency that typically exists with traditional cloud-based solutions. Companies developing large scale IoT solutions should investigate architectures where most of the processing is done at the edge of the network, closer to the physical IoT devices.

The Internet of Things has brought about new challenges and opportunities for technology companies. Privacy, security and immediacy of access to data are three important trends companies must consider going forward.

© 2015 Foley & Lardner LLP

Multistakeholder Group Seeks Comment on Draft Framework for IoT Device Manufacturers

Earlier this week, the Online Trust Alliance released a draft framework of best practices for manufacturers and developers of Internet of Things devices, such as connected home devices and wearable fitness and health technologies. The OTA is seeking comments on its draft framework by September 14.

The framework acknowledges that not all requirements may be applicable to every product due to technical limitations and firmware issues.  However, it generally proposes a number of specific security requirements, including encryption of personally identifiable data at rest and in transit, password protection protocols, and penetration testing.  In addition, it proposes the following requirements:

  • A privacy policy that is readily available to review prior to product purchase, download or activation, and that discloses the consequences of declining to opt-in or opt-out of policies on key product functionality and features.

  • A privacy policy display that is optimized for the user interface to maximize readability.  The working group recommends layered privacy policies for this purpose.

  • Conspicuous disclosure of all personally identifiable data collected.

  • Data sharing is limited to service providers that agree to limit usage of data for specified purposes and maintain data as confidential or to other third parties as clearly disclosed to users.

  • Disclosure of the term and duration of the data retention policy.  In addition, the framework goes on to state that data generally should be retained only for as long as the user is using the device or to meet legal requirements.

  • Disclosure of whether the user has the ability to remove or anonymize personal and sensitive data other than purchase history by discontinuing device use.

  • Disclosure of what functions will work if “smart” functions are disabled or stopped.

  • For products and services designed to be used by multiple family members, the ability to create individual profiles and/or have parental or administrative controls and passwords.

  • Mechanisms for users to contact the company regarding various issues, transfer ownership, manage privacy and security preference.

In addition, the draft framework makes various other recommendations that go above and beyond the proposed baseline requirements, although acknowledging that the recommendations may not be applicable to every device or service.

© 2015 Covington & Burling LLP

FTC Releases Extensive Report on the “Internet of Things”

McDermott Will & Emery Law Firm

On January 27, 2015, U.S. Federal Trade Commission (FTC) staff released an extensive report on the “Internet of Things” (IoT). The report, based in part on input the FTC received at its November 2013 workshop on the subject, discusses the benefits and risks of IoT products to consumers and offers best practices for IoT manufacturers to integrate the principles of security, data minimization, notice and choice into the development of IoT devices. While the FTC staff’s report does not call for IoT specific legislation at this time, given the rapidly evolving nature of the technology, it reiterates the FTC’s earlier recommendation to Congress to enact strong federal data security and breach notification legislation.

The report also describes the tools the FTC will use to ensure that IoT manufacturers consider privacy and security issues as they develop new devices. These tools include:

  • Enforcement actions under such laws as the FTC Act, the Fair Credit Reporting Act (FCRA) and the Children’s Online Privacy Protection Act (COPPA), as applicable;

  • Developing consumer and business education materials in the IoT area;

  • Participation in multi-stakeholder groups considering guidelines related to IoT; and

  • Advocacy to other agencies, state legislatures and courts to promote protections in this area.

In furtherance of its initiative to provide educational materials on IoT for businesses, the FTC also announced the publication of “Careful Connections: Building Security in the Internet of Things”.  This site provides a wealth of advice and resources for businesses on how they can go about meeting the concept of “security by design” and consider issues of security at every stage of the product development lifecycle for internet-connected devices and things.

This week’s report is one more sign pointing toward our prediction regarding the FTC’s increased activity in the IoT space in 2015.

It’s Data Privacy Day 2015

Mintz Levin Law Firm

Today is Data Privacy Day, and as you might expect, we have a few bits and bytes for you.

Use the Opportunity

Data Privacy Day is another opportunity to push out a note to employees regarding their own privacy and security — and how that can help the company.

The Federal Trade Commission Issues IoT (Internet of Things) Report

Following up on its November 2013 workshop on the Internet of Things, the Federal Trade Commission (“FTC”) has released a staff report on privacy and security in the context of the Internet of Things (“IoT”), “Internet of Things: Privacy & Security in a Connected World” along with a document that summarizes the best practices for businesses contained in the Report.  The primary focus of the Report is the application of four of the Fair Information Practice Principles (“FIPPs”) to the IoT – data security, data minimization, notice, and choice.

The report begins by defining IoT for the FTC’s purposes as “‘things’ such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet,” but limits this to devices that are sold to or used by consumers, rather than businesses, in line with the FTC’s consumer protection mandate. Before discussing the best practices, the FTC goes on to delineate several benefits and risks of the IoT. Among the benefits are (1) improvements to health care, such as insulin pumps and blood-pressure cuffs that give people the tools to monitor their own vital signs from home and avoid trips to the doctor; (2) more efficient energy use at home, through smart meters and home automation systems; and (3) safer roadways, as connected cars can notify drivers of dangerous road conditions and offer real-time diagnostics of a vehicle.

The risks highlighted by the Report include, among others, (1) unauthorized access and misuse of personal information; (2) unexpected uses of personal information; (3) collection of unexpected types of information; (4) security vulnerabilities in IoT devices that could facilitate attacks on other systems; and (5) risks to physical safety, such as may arise from hacking an insulin pump.

In light of these risks, the FTC staff suggests a number of best practices based on four FIPPs. At the workshop from which this report was generated, all participants agreed on the importance of applying the data security principle.  However, participants disagreed concerning the suitability of applying the data minimization, notice, and choice principles to the IoT, arguing that minimization might limit potential opportunities for IoT devices, and notice and choice might not be practical depending on the device’s interface – for example, some do not have screens.  The FTC recognized these concerns but still proposed best practices based on these principles.

Recommendations

Data Security Best Practices:

  • Security by design.  This includes building in security from the outset and constantly reconsidering security at every stage of development. It also includes testing products thoroughly and conducting risk assessments throughout a product’s development.

  • Personnel practices.  Responsibility for product security should rest at an appropriate level within the organization.  This could be a Chief Privacy Officer, but the higher up the responsible party, the better off a product and company will be.

  • Oversee third party providers.  Companies should provide sufficient oversight of their service providers and require reasonable security by contract.

  • Defense-in-depth.  Security measures should be considered at each level at which data is collected, stored, and transmitted, including a customer’s home Wi-Fi network over which the collected data will travel.  Sensitive data should be encrypted.

  • Reasonable access control.  Strong authentication and identity validation techniques will help to protect against unauthorized access to devices and customer data.

Data Minimization Best Practices:

  • Carefully consider data collected.  Companies should be fully cognizant of why some category of data is collected and how long that data should be stored.

  • Only collect necessary data.  Avoid collecting data that is not needed to serve the purpose for which a customer purchases the device. Establish a reasonable retention limit on data the device does collect.

  • Deidentify data where possible.  If deidentified data would be sufficient, companies should only maintain such data in a deidentified form and work to prevent reidentification.

Notice and Choice Best Practices:  The FTC initially notes that the context in which data is collected may mean that notice and choice are not necessary, for example, when information is collected to support the specific purpose for which the device was purchased.

When notice or choice are necessary, the FTC offers several suggestions for how a company might give or obtain them, including (1) offer choice at point of sale; (2) direct customers to online tutorials; (3) print QR codes on the device that take customers to a website for notice and choice; (4) provide choices during initial set-up; (5) provide icons to convey important privacy-relevant information, such as a flashing light that appears when a device connects to the Internet; (6) provide notice through emails or texts when requested by consumers; and (7) make use of a user experience approach, such as personalizing privacy preferences based on the choices a customer already made on another device.

Legislation.  The FTC staff recommends against IoT-specific legislation in the Report, citing the infancy of the industry and the potential for federal legislation to stifle innovation.  Instead, the FTC recommends technology-neutral privacy and data security legislation.  Without saying it explicitly, this appears to be a recommendation for something akin to the Consumer Privacy Bill of Rights recently proposed by the President, along with giving the FTC authority to enforce certain privacy protections, including notice and choice, even in the absence of a showing of deceptive or unfair acts or practices.

In the meantime, the FTC notes that it will continue to provide privacy and data security oversight of IoT as it has in other areas of privacy.  Specifically, the FTC would continue to enforce the FTC Act, the Children’s Online Privacy Protection Act, and other relevant statutes.  Other initiatives would include developing education materials, advocating on behalf of consumer privacy, and participating in multi-stakeholder groups to develop IoT guidelines for industry.