The Internet of Things: What All Companies Need To Know About the FTC Report

The FTC released its Report on the Internet of Things (“IoT”) on January 27, 2015 (“Report”).  While the Report is specific to IoT, including devices such as wearable fitness trackers and internet connected cameras and televisions, there are key takeaways for all companies operating online[1].

The FTC defines IoT as “’things’ such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet.”

As a starting point, the FTC appears most concerned with security and privacy risks to consumers.  The Report identifies several key risks, which it recognizes exist with traditional computers as well:

  • unauthorized access and misuse of personal information and sensitive personal information, including precise geolocation, financial account numbers or health information (and the concern that this information could be used for credit, insurance, and employment decisions);
  • attacks on other systems;
  • safety risks, including where someone is able to break in and control a device such as an automobile or a pacemaker.

The FTC also raises the concern that collection of certain information (e.g. personal information, habits, locations, and physical conditions) may allow an entity to infer sensitive information that the consumer has not provided directly.

The FTC highlighted three primary compliance issues, and the guidance in the Report provides significant guidance not just for IoT but to all online companies:

1.  The Need for “Reasonable Security”

The Report lays out specific actions that the FTC considers important in order to properly address the security issues inherent in IoT:

A.  Security by Design. The Report stresses that companies should practice “security by design” – building security into devices from the beginning, rather than as an afterthought. Security by design likely should encompass a few key steps:

“As part of the security by design process, companies should consider: (1) conducting a privacy or security risk assessment; (2) minimizing the data they collect and retain; and (3) testing their security measures before launching their products.”

B.  Internal Training.  The FTC expects companies to train all employees on security and to ensure that security issues are handled at the appropriate level, which typically means at a high level within the organization.

C.  Vetting Service Providers.  The Report further states that companies should only utilize service providers that maintain reasonable security and that there should be reasonable oversight for service providers.

D. Security Controls.  The Report anticipates that companies will consider implementing reasonable access control measures, and that those companies that identify significant risks will implement a “defense-indepth approach, in which they consider implementing security measures at several levels.”  Further, companies should monitor a device throughout its life cycle and, to the extent feasible, patch known vulnerabilities.  And, companies should reasonably secure data both in transit and storage, which will often require encryption – particularly for sensitive information, such as health-related information.

The FTC does acknowledge that IoT encompasses a wide variety of products and services, and, thus, the specific security measures that a company needs to implement will depend on a variety of factors, including whether the device collects sensitive information, whether there could be physical security or safety risks, and whether the device connects to other devices or networks, such that there is a risk of being compromised by third parties.

2. Minimize the Data Collected

The Report states that companies should minimize the data that is collected and stored to the extent possible, taking into account the business needs. In determining the data that should be collected and the time period for which it will be stored, companies should consider the sensitivity of the data, as more sensitive data presents more risks to consumers. Where data needs to be collected, the FTC suggests companies consider if it can be stored in de-identified form (see further discussion below on de-identification).

3. Notice and Choice

The FTC reiterated its position, previously stated in its 2012 Privacy Report, that not all collection and use demands choice, but only “unexpected” uses -- those that are not reasonably expected by the consumer based on the relationship with the company or the overall context of the transaction. In addition, if the data is effectively and immediately de-identified, choice is not required.   Where choice is required, it should be clear and conspicuous and not just buried in a long policy.

The Report recognizes there will need to be new approaches to providing notice and choice through connected devices, and that there are limitations inherent to IoT.  The Report encourages companies to consider innovative ways to provide notice and choice, including:

  1. Choices at point of sale;
  2. Tutorials (typically online videos walking consumers through the information collected and their privacy choices);
  3. Codes on the device (a QR code or similar code that  takes the consumer to a website with information collected and their privacy choices);
  4. Choices during set-up of the device;
  5. Management portals or dashboards (e.g., privacy setting menus that a consumer can access and update at any time)
  6. Icons (which would communicate general privacy settings)
  7. “Out of Band” communications requested by consumers (e.g., emails and text messages)
  8. General privacy menus; and
  9. User experience approach (which would apply learning from consumer behavior on IoT devices in order to personalize choices; for example, if a consumer opted out on one device they would be opted out on all).

The Report also discusses two additional key topics: de-identified data and enforcement.

De-identified Data.  As discussed above, de-identified data can be useful both in the context of data minimization and reducing the need for notice and choice.  However, it is essential that the data, in fact, be reasonably de-identified and that any third parties with access to the data agree not to re-identify it.  Accordingly, the Report states that companies should have accountability mechanisms in place:

"When a company states that it maintains de-identified or anonymous data, the Commission has stated that companies should (1) take reasonable steps to de-identify the data, including by keeping up with technological developments; (2) publicly commit not to re-identify the data; and (3) have enforceable contracts in place with any third parties with whom they share the data, requiring the third parties to commit not to re-identify the data.” 

Enforcement:  The Report reminds those companies that collect data through connected devices that other regulation may apply to the data collected, including the FTC Act, the FCRA, the health breach notification provisions of the HI-TECH Act, the Children’s Online Privacy Protection Act.  This is a reminder worth heeding for all companies collecting consumer data, whether through IoT or otherwise.

It is clear from the Report that the FTC is looking closely at IoT, including how technology will develop and the potential impact on consumers.  In addition, the Report provides guidance to companies developing or selling IoT devices  regarding the key issues the FTC is concerned about and the compliance steps they expect companies to take to reasonably protect consumers.   The Report builds upon existing FTC guidance and should not be ignored by companies who are not currently offering IoT devices.  The Report provides key insight into issues of concern to the FTC as well as specific steps the FTC considers reasonable to protect consumers.  There is something for everyone here.

 


[1] The FTC’s Report is further limited to those devices used by or sold to consumers.

FTC, PrivacyJustine Gottshall