25 June 2019
The Internet of Things (IoT) has the potential to make people's lives easier and more efficient, but the trade-off is the issues that could arise over the security of the personal data collected.
If you're developing IoT devices, you must address these privacy issues when designing your device. Do so despite the current lack of an up-to-date guiding law in the area.
Recently a report was released by the FTC (Federal Trade Commission) which provides guidance for companies and manufacturers on how they can build privacy and security measures into their devices.
Without proper privacy practices, the FTC Chairwoman Edith Ramirez believes that consumer confidence could be damaged:
The only way for the Internet of Things to reach its full potential for innovation is with the trust of American Consumers. We believe that by adopting the best practices we've laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.
Please be aware that if your spoken words include personal or other sensitive information, that information will be among the information captured and transmitted to a third party.
The spoken words needed to use the TV are those for using the TV's functions, such as changing the channel, but it is easy to see that users may be concerned that any other information spoken around the TV may also be stored.
Recommendation 1: Data minimization
The FTC's suggestion is that you limit the user data that you collect and how long you keep it. This is known as data minimization.
This practice essentially reduces two risks in one:
The FTC is flexible as to how you can approach data minimization.
You can choose to collect no data, collect data limited to the categories required to provide the service offered by the device, collect less sensitive data, or de-identify the data you collect.
Recommendation 2: Notice and choice
Another guideline by the FTC is that you notify your users and give them choices about how their information will be used, especially when the data collection may go beyond the users' reasonable expectations.
With the ever-developing world of IoT, notification will become more and more difficult, and the FTC has acknowledged that there can be no one-size-fits-all approach, so there are other ways to make your users feel more at ease with the use of their data:
What's clear from the FTC's report is that you must consider the privacy of the data when manufacturing IoT devices, but you must also balance this with the potential to collect valuable data.
Europe's Article 29 Working Party has published an opinion, called Opinion 8/2014 on the on Recent Developments on the Internet of Things, that focuses on:
Europe's Article 29 Working Party is the same entity that issued guidance to Google to ensure that Google is in compliance with EU data protection laws.
If you're a designer or developer developing a new IoT device within the categories mentioned above, the opinion by the Article 29 Working Party would be useful to you as guidance when implementing your first privacy practices.
The Working Party found the following issues with the current IoT devices:
Based on their guidance document, here's what the Article 29 Working Party suggests to IoT developers:
Here are the current steps you can follow to increase your chances of compliance:
Here's how an iOS app would ask users to provide their location:
Here are some of these principles that you can follow:
Ask users to provide you with contact information - email address, mail address - that you can use to inform users about upcoming changes.
Here's the email Pinterest sent out when their legal agreement was being updated:
If you are also developing a mobile app for the IoT device, follow these tips too:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.