Finding a New Paradigm – Consent and Choice for the IOT
At the IoT Privacy Summit on June 17th a panel of four data privacy experts discussed, “Finding a New Paradigm – Consent and Choice for IoT.” The panel consisted of Marc Loewenthal, Director, Promontory Financial Group LLC; Emilio Cividanes, Partner, Venable LLP; Debra Farber, Senior Privacy Consultant & Product Manager, TRUSTe; and Erin Kenneally, Founder & CEO Elchemy, Inc., University of California at San Diego.
Old world technologies such as corporate telephone systems give clear notice that your conversation may be recorded. Callers can act on that information by hanging up or proceeding with the call thereby giving an implied consent to the possible recording of the conversation. The main consideration when providing consumer notice is that it is conspicuous and prior in time to the collection/use of data. A good example in mobile is Geo-location notice. Consumers see a pop-up notice that they can act upon that requests access to their location information and they can deny such access.
In the IOT it is fundamental to understand the nature of the information and the links between all of the entities that have legitimate interest in that data. One panelist felt that a consumer may not have to know every piece of data that is being collected and shared, but does have a right to have their data used in a way consistent with their expectations. Some saw notice in the IOT context evolving into a set of obvious symbols inferring what is happening with the data, which is in line with the proposed EU General Data Privacy Regulation (GDPR).
The IOT is transformational and there is a concern about regulation. The FTC expects clear notice and choice, but there is uncertainty as to how that will be enforced. For a long time FIPS (Fair Information Privacy Practices) and Privacy by Design have been good standards to follow. The feeling is that IOT developers need more concrete guidelines on what they should be building into their services and this is a good opportunity for self-regulation for the Internet of Things industry. Collaborative efforts with multi-stakeholders to develop guidelines would be quicker than waiting for regulators to develop their rules which could be over prescriptive.
One panelist put it simply when they said what IOT companies need to implement is “surprise mitigation,” i.e. prevent users from being surprised by an unexpected use of their data. Best practices can either be “hard” (regulations and case law), or “soft” (code of conduct, public shaming for bad practices).
There is a lot of complexity involved when looking at all the different parties with an interest in the data and types of data e.g., location>name>browsing behavior, and purchasers with different parties having legitimate interests in different parts of the data puzzle. One framework put forward consists of a three-pronged approach:
- Identify the utility of the data being collected and determine the risk associate with the utility goals.
- Apply disclosure controls using data templates, policy templates and technology templates.
- Assess and modify by periodically revisiting utility and risk and continue to iterate.
One also has to consider the data in light of the proposed EU GDPR and make sure there are ways to ensure data deletion mechanisms are in place as well as data portability if a user wants to terminate her relationship with your service and move her data to another service.
In the closing remarks, one of the panelists concluded that it would be nice to have guidelines in place and called out the OTA (Online Trust Alliance) as making strides in the right direction with the IoT Trustworthy Working Group that presented an update at the Summit.