FTC Says Privacy Still Matters on “Internet of Things”
Written by Alex Bradshaw
The Federal Trade Commission released its report, “Internet of Things: Privacy & Security in a Connected World” on Tuesday. The report summarizes the Commission’s November 2013 workshop and includes recommendations for how companies can design connected devices that both enhance consumers’ lives and protect their privacy. The Internet of Things (“IoT”) is changing our everyday lives, potentially for the better, provided that individual rights vis-à-vis these new technologies are secured. While some have suggested that traditional privacy principles are outdated, the FTC appears to have roundly rejected this idea, stressing that the full range of Fair Information Practice Principles still apply as much as ever.
One core conclusion of the Commission’s report is that data minimization is still an essential concept, despite the potential for beneficial secondary uses of personal information. The report notes that minimization is key to avoiding two harms: (1) large data sets are more attractive to data thieves, increasing the chances of theft; and (2) data retained for longer than necessary is more likely to be involved in a data breach and/or used in ways that do not meet consumers’ reasonable expectations.
According to the report, companies should reevaluate their business practices and needs, keeping privacy by design top of mind. If, for example, geolocation data is not necessary for a device to function but is still useful to the business (for future product features, etc.), the Commission recommends waiting to collect such data until the new feature is unveiled and/or collecting less specific data of that type (such as zip code instead of precise geolocation). If it is determined that geolocation or a similar data type is needed, the company should fully disclose its intention to collect this data and obtain the users’ affirmative express consent. IoT devices should not simply collect every possible data point on the off chance that it could prove interesting one day in the future.
CDT agrees with this recommendation. Purposeful, strategic data collection and retention is not only good for consumers’ privacy – it is good for business. Companies that implement thoughtful processes on the front end for determining what data to collect and how long to keep it are arguably less susceptible to data breaches and to the reputational damage and loss of consumer trust that accompany a breach.
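The collection and retention discipline described in the two paragraphs above can be expressed as an explicit policy applied before a device report is ever stored. The following is an added illustration, not code from the FTC report or from CDT; the thermostat fields, the `CollectionPolicy` knobs (a live feature that needs precise location, the user's affirmative express consent, a retention window) and the sample report are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fields the device needs in order to function (constructed example: a connected thermostat)
REQUIRED_FIELDS = ("device_id", "timestamp", "temperature_c")


@dataclass(frozen=True)
class CollectionPolicy:
    """Assumed policy knobs mirroring the report's recommendation: collect precise
    location only when a shipped feature needs it and the user has expressly consented."""
    precise_location_feature_live: bool
    user_consented_to_location: bool
    retention: timedelta


def minimize_record(record: dict, policy: CollectionPolicy) -> dict:
    """Return only the fields the policy permits collecting from a raw device report."""
    kept = {k: record[k] for k in REQUIRED_FIELDS if k in record}
    if not policy.user_consented_to_location:
        return kept  # user declined: no location of any granularity is collected
    if policy.precise_location_feature_live:
        kept["lat"], kept["lon"] = record["lat"], record["lon"]
    else:
        # No live feature needs precision yet: keep the coarse value (zip code) instead
        kept["postal_code"] = record["postal_code"]
    return kept


def prune_expired(records: list, policy: CollectionPolicy, now: datetime) -> list:
    """Drop records held longer than the retention window."""
    return [r for r in records if now - r["timestamp"] < policy.retention]


# Constructed sample report a device might emit (not real data)
RAW_REPORT = {
    "device_id": "thermo-0001",
    "timestamp": datetime(2015, 1, 27, 12, 0, tzinfo=timezone.utc),
    "temperature_c": 20.5,
    "lat": 38.8977, "lon": -77.0365,
    "postal_code": "20500",
    "wifi_ssid": "home-network",  # never needed for the product, so never kept
}

if __name__ == "__main__":
    policy = CollectionPolicy(False, True, timedelta(days=30))
    print(minimize_record(RAW_REPORT, policy))
```

Unneeded fields such as the Wi-Fi network name are dropped regardless of the policy, which is the point: the decision about what to keep is made once, up front, rather than after the data has accumulated.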
The FTC’s report also stresses that consumer control is critical to IoT devices. While the Commission rightly notes that companies need not provide users with conspicuous notice and opt-in consent for all types of data collection, it states that collection of certain data types — particularly those that are “sensitive” or that consumers may not expect a device to collect — should be clearly disclosed and the user should be empowered to make decisions about collection and use.
The Commission recognized that there is no “one size fits all” approach to providing user notice and choice and suggested multiple methods for accomplishing this task, including video tutorials, affixing QR codes on devices and providing choices at point of sale. The report also recommended a “General Privacy Menu” strategy suggested by CDT’s Joseph Lorenzo Hall, which would allow consumers to aggregate their choices into “packets” indicating whether a particular data type is “low privacy,” “medium,” or “high.”
The Commission recommended against a solely use-based model, which predetermines permitted and prohibited uses of data and does not require consumer notice. The report notes that this approach alone will not adequately respond to consumers’ desires, expectations, and needs: users and companies may well disagree about what uses are “beneficial” or “harmful.” At the end of the day, consumers are the ones paying for these devices — they should be the ones empowered to make decisions about what personal information those devices collect.
We are pleased the Commission continues to support user control as a check on limitless consumer data collection. As CDT has argued in the past, important privacy interests are implicated at the moment of collection, before any use is made of the data. Given the growing risk of data hacks and misuse — and widespread consumer skepticism about IoT privacy practices — consumer choice is critical to gauging consumer preferences and determining appropriate standards for future collection and use.
Many sections of the report recommend de-identification as a method for securing data, and in some sections it is suggested as an alternative to implementing the report’s other recommended practices. CDT has historically supported de-identification of data, but we note that de-identification alone will not provide robust protection. Given reports of the risks of re-identification — including the most recent report released this week — it is increasingly clear that de-identifying data should not relieve companies of the responsibility to implement additional safeguards. These safeguards must include, among others, minimizing collection and retention of data, providing users with meaningful control over what data is collected, and implementing appropriate sharing limitations. Today more than ever, digital consumers face both threats of harm and actual harm to their privacy and security. Realizing the full potential of a connected world therefore requires coupling innovation with strong data privacy and security frameworks.