On June 3, 2016, the Federal Trade Commission (FTC) responded to a Request for Comments issued by the Department of Commerce, National Telecommunications and Information Administration (NTIA) regarding the Internet of Things (IoT). The NTIA, which issued its Request for Comments on April 5, 2016, stated that it would use the comments received to expand on its “broader agenda promoting economic growth and opportunity to help develop an approach that will foster IoT innovation.”
The FTC has consistently taken an active role in setting forth a framework for protection of consumer privacy and bringing enforcement actions against companies that it alleges have failed to protect consumer privacy rights. In January 2016, the FTC announced that it had brought nearly 60 enforcement actions related to consumer data privacy and security since 2002. During that time, the FTC also issued preliminary comments, followed by its final report on best practices for businesses to protect consumer privacy. The recently filed Comment provides additional detail to its previous recommendations regarding mobile device privacy, and continues to reflect ever-increasing consumer concerns about online privacy.
The Comment defines the IoT as “the ability of everyday objects to connect to the Internet to send and receive data.” These devices may be used directly by consumers or by businesses that use, maintain and transfer information, and can include such devices as smartphones, wearable health monitors and machines that can communicate automatically with each other. The Comment focuses particularly on those devices that are sold to or used by consumers.
The Comment notes that while the IoT has the potential to greatly benefit individuals, businesses and society, it can also pose risks to them by (1) enabling unauthorized access to and misuse of personal information, (2) facilitating attacks on other systems and (3) creating safety risks. For example, health and fitness tracking devices allow individuals to analyze their daily habits and make healthier choices. However, in order to do so, these devices collect, transmit and store individual health information – thus raising the possibility that this information could be exposed. As another example, security vulnerabilities in devices that track consumer activities could give unauthorized individuals greater opportunities to exploit those devices to commit fraud and identity theft.
Following its concerns about the potential risk posed to individuals by the IoT, the FTC sets forth recommended best practices for IoT businesses that emphasize data security and data minimization, and that allow meaningful notice and choice about the collection and use of consumer data. Namely, the FTC recommends that businesses pay special attention to the following security practices: (1) building security into devices at the outset, (2) training employees on good security practices, (3) ensuring downstream privacy and data protections through vendor contracts and oversight, (4) applying defense-in-depth strategies that offer protections at multiple levels and interfaces, and (5) putting in place reasonable access controls. It additionally recommends that businesses implement policies and procedures that limit the amount of data they collect and retain, and securely dispose of this data once it is no longer needed. Finally, the Comment recommends that, where practicable, businesses provide information that allows consumers to decide if and how their data will be collected and used.
The recent Comment is not the first time the FTC has issued a public statement relating to potential IoT risks and benefits. In January 2015, it issued a staff report that examined the IoT and issued recommendations for best practices. The recent Comment makes clear that the FTC will hold the IoT industry accountable for implementing policies and procedures that reflect its recommended best practices, and that ultimately protect consumer data security and privacy.