Regulators are struggling. They are struggling to find a paradigm to protect consumer privacy in the face of rapid technological change. The FTC has historically enforced reasonable security as a part of its unfair practices purview. Yet, in IoT devices, what is deemed reasonable is largely based on context.
What types of information is the device collecting? Is it sensitive personal information (e.g., geolocation or protected health information)? What quantity of data is collected? The higher the risk profile associated with the data collected, the stronger the protections required on a device.
Why Do Companies Need All This Data?
Data minimization refers to both limitations on data collection and the use of data. The FTC report emphasizes the need for both.
Justin Brookman, a consumer advocate with the Center for Democracy & Technology, noted that the need for collection limitation was clear from the public outcry that occurred when it came to light that smart TVs were collecting the voices and conversations of consumers for otherwise legitimate purposes.
The major guiding question for companies considering how to limit their data collection is, “Why do we need all this data?”
The need for protection against nefarious uses, on the other hand, was well illustrated by Hilary Cain, an advocate for Toyota’s involvement in the self-regulation of connected vehicles. She noted that without reasonable use limitations, consumers would begin to receive ads for stores as they drove past in their cars, cueing the creepy feeling consumers distrust.
Both the collection and use limitation principles are tied directly to consumer expectations, which are established by offering them mechanisms for notice and choice. Brookman and Cain both emphasized the importance of tailoring notice and choice to the entire user experience of an IoT device, including the packaging of the device itself.
Getting creative with the education and involvement of users in their privacy choices can increase trust and accountability between brands and consumers.
As Cain aptly noted, most companies do not want to be “creepy data hoarders.” The framework presented through this panel can help innovative companies creating new and exciting IoT products take steps in the right direction toward protecting consumer privacy.