HWG Regulatory Advisory: New FTC Guidance on Privacy and Security in the “Internet of Things”
Jennifer Bagg and Adrienne Fowler
On January 27, 2015, the staff of the Federal Trade Commission (FTC) released a long-awaited report on privacy and data security in the so-called “Internet of Things.” Though there is no settled definition for what falls into the ambit of the Internet of Things, the report narrows its scope to objects other than computers, smartphones, or tablets that connect, communicate, or transmit information through the Internet, such as health sensors, fitness monitors, home security devices, and connected cars and appliances. The report further limits the scope to devices that are sold to or used by consumers. The report provides concrete steps for businesses to take and signals that the FTC will not depart from its basic approach toward consumer privacy regulation and data security in the Internet of Things context. But it foreshadows an increased regulatory emphasis on preventing hackers from taking control over Internet-connected devices.
Privacy. The term “privacy” generally encompasses what information a company gathers from consumers online and how that information is used. For many years, the FTC has asked companies operating online to only collect consumer data that they need, provide consumers with notice about how their data will be used, and give consumers the opportunity to choose whether or not to use a company’s services in light of the company’s privacy notices. It is the FTC’s expectation that the degree of notice that a company should provide about its privacy practices depends on whether the company will use any data it collects in a way that consumers reasonably expect (which calls for little notice) or in a way that consumers would not expect (which calls for more extensive notice). If a company fails to offer sufficient “notice-and-choice” to its customers and its practices were unfair or deceptive, or if a company fails to honor its promises with respect to privacy, the company could face an enforcement action from the FTC.
The report rejects industry calls for a lighter-touch regulatory framework in the context of the Internet of Things and applies the same general privacy framework instead. The report contends that the FTC’s notice-and-choice and consumer expectation models can apply in a quickly evolving field and asserts that companies can use a variety of ways, including notices in set-up wizards or at the point of sale, to obtain consumer consent for privacy practices.
Data security. The FTC is also heavily focused on “data security,” which generally covers the protections that companies put in place to prevent unauthorized persons from gaining access to a company’s collection of personally identifiable consumer data. Over the past several years, the FTC has brought a number of enforcement actions against companies for failure to maintain reasonable data security, contending that such a practice is “unfair” and violates the FTC Act. Potential penalties for failure to maintain reasonable data security are the same as for privacy violations: extensive injunctive relief, consumer redress, and, under certain circumstances, civil penalties of up to $16,000 per unfair or deceptive act.
The report follows the same data security “reasonability” framework, but takes an extra step to account for new concerns presented by the Internet of Things by expanding the scope of data security to include not only protecting consumer data but also protecting Internet-enabled devices themselves. In other words, the report concludes that the FTC Act would require a manufacturer to take reasonable steps to stop third parties from taking control over an Internet-enabled device and changing how it operates. For example, the report raises concerns about the consumer harm that would arise from a hacker who gained control over consumers’ Internet-connected pacemakers—and signals that the FTC is prepared to take enforcement action to prevent such a harm from occurring.
The report also provides additional details to help companies meet the reasonable data security practices described in the report. First, it states that reasonable data security practices depend on a number of factors, most notably, data minimization and de-identification. That is, if a company reduces the amount of data it collects from consumers or reliably alters the data so it cannot be linked back to a specific consumer, then the reasonability bar is generally significantly lower.
Additionally, the report provides a useful compilation of the FTC’s prior guidance on how to design a comprehensive data security program. The report calls on companies to: (1) Take security considerations into account at every step in the design process, including when deciding what data will be collected from consumers; (2) Work with qualified data security professionals; (3) Assess security vulnerabilities and design solutions, where possible; (4) Test security before product launch; (5) Implement personnel practices, including training, that promote data security; (6) Ensure agents, sub-contractors, and other third parties will implement good data security practices; (7) Continue to monitor data security throughout a product’s lifecycle and provide patches for vulnerabilities when possible; and (8) Use a more intensive, or “defense-in-depth,” approach if the company is collecting particularly sensitive information. The FTC also published an accompanying guide for businesses with practical tips for accomplishing these goals.
Finally, the report renews calls for Congress to enact technology-neutral legislation to strengthen the FTC’s data security enforcement tools and authority to mandate baseline privacy standards. In the meantime, the staff recommends that the Commission use its authority to take action against actors in violation of laws under the FTC’s authority that might apply to the Internet of Things.
* * * * *
For more information regarding FTC regulation of privacy and data security or Harris, Wiltshire & Grannis LLP’s Privacy practice, please contact Jennifer Bagg at 202-730-1322 or firstname.lastname@example.org, or Adrienne Fowler at 202-730-1343 or email@example.com.
This client advisory is not intended to convey legal advice. It is circulated to HWG clients and friends as a convenience and is not intended to reflect or create an attorney-client relationship as to its subject matter.