FTC Internet of Things (IoT) Report Focuses on Security and Consumer Expectations

In January, the Federal Trade Commission (FTC) released a detailed report, “Internet of Things: Privacy & Security in a Connected World”. The FTC’s Report urges product designers and manufactures to adopt best practices including a strong focus on data security and upholding consumer expectations. For purposes of FTC regulation, the IoT includes any consumer device – other than computers, smartphones or tablets – that connect and store data via the Internet.   This growing area includes diverse products from heart pacemakers to “smart” appliances that collect and transmit user data over the Internet in the name of household efficiency. IoT presents many challenges for government regulators, including rapidly advancing technology and the potential for widespread collection of sensitive consumer medical 6585232_xlinformation.

To address these challenges, the FTC Report attempts to strike a balance between prescriptive rules and more flexible guidelines. In terms of prescriptive rules, some of the best practices FTC urged include “security by design” and data minimization. FTC will evaluate IoT devices on whether data security appears to have been considered as an integral design principle (or as a later add-on), and whether the devices collect more data than is strictly necessary for their intended purposes. During FTC’s comment period, some industry representatives had criticized FTC’s proposed emphasis on “security by design” and data minimization as potentially stifling innovation and lacking sufficient cost/benefit analysis. They noted that what may be needed for security of a pacemaker may not be needed for less sensitive devices. Less controversial was the FTC’s direction that IoT device makers strive to meet the reasonable expectations of consumers regarding collection and use of personal data – expectations that vary from device to device. This regulatory standard is arguably more flexible, able to evolve alongside IoT technologies, and potentially less likely to become outdated quickly.

While IoT device makers are naturally those most concerned about the approach FTC is taking, any company desiring a high level of regulatory compliance regarding consumer personal data practices can benefit from application of the Report’s recommendations. The Report nicely encapsulates the FTC’s general regulatory approach with respect to its “unfair and deceptive trade practices” enforcement over the past decade. As the Report illustrates, application of a single set of rules to a diverse and changing set of circumstances and technologies can be very challenging, and consumer product manufacturers will benefit from the advice of legal counsel experienced in FTC privacy matters.

verskaAuthor Kim Verska is a Certified Information Privacy Professional (US) through the International Association of Privacy Professionals and a Partner in Culhane Meadows’ Atlanta office. She is a frequent speaker regarding evolving legal issues for the technology industry and other businesses and can be reached at kverska@culhanemeadows.com

*Culhane Meadows is ranked by U.S. News/Best Law Firms in Technology Law, Bankruptcy/Reorganization Law, and Information Technology Law. This website and the communications herein may be considered attorney advertising. Previous results are not a guarantee of future outcome. This website is for informational purposes only and does not constitute legal advice. The information herein is not intended to create an attorney-client or similar relationship. Until you establish such a relationship and receive an engagement letter, you have not hired a Culhane Meadows attorney nor become a client of the firm. Whether you are a new or existing client of the firm, Culhane Meadows must determine that there is no conflict of interest and that it is willing and otherwise able to accept the new engagement before representing you on a new matter. Only if and after Culhane Meadows has informed you it is willing and able to accept your new matter should you send the firm any information or documents that you consider private or confidential. Such information will not be treated as private, confidential or otherwise protected from disclosure until Culhane Meadows has communicated in writing that it is willing and able to accept your new matter and provide you with legal counsel. Whether you need legal services and which lawyer or law firm you select are important decisions that should not be based on this website alone.