Can Self-Regulation Meet Privacy Challenges of IoT?
By Matthew E.S. Coleman, JD, CIPP/US, Enterprise Privacy Solutions Manager at TRUSTe
Regulators are struggling. They are struggling to find a paradigm to protect consumer privacy in the face of rapid technological change. This sentiment kicked off a panel titled, “Can Self-Regulation Meet Privacy Challenges of IoT?” at TRUSTe’s Internet of Things (IoT) Privacy Summit in Menlo Park, CA on Wednesday. The panel, moderated by Nancy Libin, former Chief Privacy Officer of the Department of Justice, contained a diverse array of privacy professionals from private, public, and, non-profit backgrounds. Panelists included Alex Reynolds, Director and Regulatory Counsel, Consumer Electronics Association; Justin Brookman, Director of Consumer Privacy, Center for Democracy & Technology; Hilary Cain, Director of Technology & Innovation Policy, Toyota Motor North America, Inc.; and Nithan Sannappa, Senior Attorney, Federal Trade Commission.
The panelists largely focused on the recommendations presented in the Federal Trade Commission’s January 2015 report titled, “Internet of Things: Privacy and Security in a Connected World.” There are three main principles from the report touted as a workable privacy standard for IoT device manufacturers: 1) Security; 2) Data Minimization; and 3) Notice and Choice.
The FTC has historically enforced reasonable security as a part of its unfair practices purview. In the context of IoT devices, what is deemed reasonable is largely based on context. What types of information is the device collecting? Is it sensitive personal information (e.g., geolocation, protected health information, etc.)? What quantity of data is collected? The higher the risk profile associated with the data collected then the stronger the protections required on a device.
Data minimization refers to both limitations on the collection of data and the use of data. The FTC report emphasizes the need for both. Justin Brookman, a consumer advocate with the Center for Democracy & Technology, noted that the need for collection limitation was clear from the public outcry that occurred when it came to light that smart TVs were collecting voices and conversations of consumers for otherwise legitimate purposes. The major guiding question for companies considering how to limit their data collection is, “Why do we need all this data?”
The need for protecting against nefarious uses, on the other hand, was well illustrated by Hilary Cain, an advocate for Toyota’s involvement in the self-regulation of connect vehicles. She noted that without reasonable use limitations, consumers would begin to receive ads for stores as they drove past in their cars, cueing the creepy feeling consumers distrust.
Both the collection and use limitation principles are tied directly to consumer expectations, which are established by offering them mechanisms for notice and choice. The panelists emphasized the importance of tailoring notice and choice to the entire user experience of an IoT device, including the packaging of the device itself. Getting creative with the education and involvement of users in their privacy choices can increase trust and accountability between brands and consumers.
As Cain aptly noted, most companies do not want to be “creepy data hoarders.” The framework presented through this panel can help innovative companies creating new and exciting IoT products take steps in the right direction toward protecting consumer privacy.