By Matthew E.S. Coleman, JD, CIPP/US, Enterprise Privacy Solutions Manager at TRUSTe
Regulators are struggling. They are struggling to find a paradigm to protect consumer privacy in the face of rapid technological change. This sentiment kicked off a panel titled, “Can Self-Regulation Meet Privacy Challenges of IoT?” at TRUSTe’s Internet of Things (IoT) Privacy Summit in Menlo Park, CA on Wednesday. The panel, moderated by Nancy Libin, former Chief Privacy Officer of the Department of Justice, contained a diverse array of privacy professionals from private, public, and, non-profit backgrounds. Panelists included Alex Reynolds, Director and Regulatory Counsel, Consumer Electronics Association; Justin Brookman, Director of Consumer Privacy, Center for Democracy & Technology; Hilary Cain, Director of Technology & Innovation Policy, Toyota Motor North America, Inc.; and Nithan Sannappa, Senior Attorney, Federal Trade Commission.
The panelists largely focused on the recommendations presented in the Federal Trade Commission’s January 2015 report titled, “Internet of Things: Privacy and Security in a Connected World.” There are three main principles from the report touted as a workable privacy standard for IoT device manufacturers: 1) Security; 2) Data Minimization; and 3) Notice and Choice.
The FTC has historically enforced reasonable security as a part of its unfair practices purview. In the context of IoT devices, what is deemed reasonable is largely based on context. What types of information is the device collecting? Is it sensitive personal information (e.g., geolocation, protected health information, etc.)? What quantity of data is collected? The higher the risk profile associated with the data collected then the stronger the protections required on a device.