On January 27, 2015, the Federal Trade Commission announced the release of a report on the Internet of Things: Privacy and Security in a Connected World (the “Report”). The Report describes the current state of the Internet of Things, analyzes the benefits and risks of its development, applies privacy principles to the Internet of Things and discusses whether legislation is needed to address this burgeoning area. The Report follows a workshop by the FTC on this topic in November 2013.
The first part of the Report acknowledges the explosive growth of the Internet of Things, noting how there will be 25 million Internet-connected devices by the end of 2015 and 50 million such devices by 2020. These devices range from cameras to home automation systems to bracelets.
Next, the Report discusses the benefits and risk from the Internet of Things. The benefits highlight such developments as:
- insulin pumps and blood pressure cuffs that can track an individual’s vital signs and submit the data to health care providers;
- smart meters that help homeowners conserve energy; and
- connected cars that can diagnose problems with the vehicle.
The risks that accompany such connected devices include:
- an unauthorized person accessing and misusing personal information of the user of the connected device;
- a hacker infiltrating the network to which the device is connected and wrecking havoc; and
- safety risks to the individual user, such as a risk of a third party accessing a vehicle while it is being driven and altering the braking system.
The incorporation of privacy principles contained the following recommendations on these critical areas:
- data security – companies should incorporate “security by design” similar to the concept of “privacy by design” and take additional steps such as encrypting sensitive health information;
- the concept of “security by design” was emphasized in the FTC’s settlement with TRENDnet, an Internet camera company;
- data minimization – companies can accomplish this by “mindfully considering data collection and retention policies and engaging in a data minimization exercise;”
- notice and choice – companies should only be required to notify consumers and offer them a choice for uses of their information that are inconsistent with consumer expectations;
- companies can obviate notice and choice issues by de-identifying data because there is no need to offer consumers choices regarding data that cannot be traced to them.
With respect to legislation, the FTC “does not believe that the privacy and security risks, though real, need to be addressed” by legislation or regulation at this time. Though it does not advocate legislation, the FTC intends to engage more vigorously in the Internet of Things arena by (1) using its enforcement authority, (2) developing consumer and business education materials, (3) convening multistakeholder groups to discuss important issues, and (4) advocating its recommendations with relevant federal and state government entitles.
In announcing the report, FTC Chairwoman Edith Ramirez stated that “by adopting the best practices [the FTC] laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”