Yesterday at the DC Auto Show, the Future of Privacy Forum (FPF) and the National Automobile Dealers Association (NADA) released a guide to help consumers understand how new cars might be collecting personal information. This guide, Personal Data In Your Car, gives examples of the types of data that most cars collect now. Older technology, such as Event Data Recorders (EDRs), has been installed in cars since the 90’s. EDRs record technical information about a car before and after a crash. Many new cars contain features such as navigation, blind spot detection, parking assist, and infotainment centers. User recognition technology may even scan a … Continue reading If You Own a Car, Read This Privacy Guide
In exchange for technology advances that make our day-to-day lives easier and safer, we are providing more and more personal information. Connected cars are an example of advances in technology that make our lives easier and safer. Today, cars use networks of internal computers that can use hundreds of sensors to collect information about our driving habits or physical vehicle information. The European Commission is keeping up with these changes and suggesting ways to ensure that personal data that we provide for the conveniences and improved safety that come along with technology advances are kept safe. It has established the … Continue reading European Commission Comments on Connected Cars and Privacy
250 privacy professionals converged in San Francisco this week to discuss the challenges they face in managing emerging privacy risks and share strategies for success. They enjoyed a packed day of inspiring keynotes, expert panels and, of course, networking, acquiring new ideas and practical advice to take back to the office. The TRUSTe Privacy Risk Summit brought together over 50 speakers across 24 sessions and 4 parallel tracks. A highly engaged audience was captivated from the start by a culinary-inspired keynote from Hilary Wandall at Merck & Co., Inc., “Deconstructing the Privacy Risk Dish,” to a personal and historic perspective on the new EU-U.S. Privacy Shield … Continue reading TRUSTe Privacy Risk Summit 2016 – Highlights
The Internet of Things (or the Internet of Everything, as some refer to it) is changing the way of the world for businesses, governments and consumers, as devices and services are increasingly connected to the Internet in real-time, 24/7. This allows for the practically ubiquitous collection, storage and sharing of data on an always-on basis, which heralds countless innovations for enterprises and individuals alike. However, with increased connectivity comes the potential for increased vulnerability—in both the cyber and physical worlds. This is why Privacy by Design is a paramount business practice for companies engaged in the IoT space, as well … Continue reading Privacy Risk Summit Preview: Privacy by Design for IoT
At the IoT Privacy Summit on June 17th a panel of four data privacy experts discussed, “Finding a New Paradigm – Consent and Choice for IoT.” The panel consisted of Marc Loewenthal, Director, Promontory Financial Group LLC; Emilio Cividanes, Partner, Venable LLP; Debra Farber, Senior Privacy Consultant & Product Manager, TRUSTe; and Erin Kenneally, Founder & CEO Elchemy, Inc., University of California at San Diego.
Old world technologies such as corporate telephone systems give clear notice that your conversation may be recorded. Callers can act on that information by hanging up or by proceeding with the call, thereby giving implied consent to the possible recording of the conversation. The main consideration when providing consumer notice is that it is conspicuous and prior in time to the collection/use of data. A good example in mobile is the geolocation notice. Consumers see a pop-up notice that requests access to their location information, and they can act on it by denying such access.
In the IoT it is fundamental to understand the nature of the information and the links between all of the entities that have a legitimate interest in that data. One panelist felt that a consumer may not have to know every piece of data that is being collected and shared, but does have a right to have their data used in a way consistent with their expectations. Some saw notice in the IoT context evolving into a set of obvious symbols indicating what is happening with the data, which is in line with the proposed EU General Data Privacy Regulation (GDPR).
By Matthew E.S. Coleman, JD, CIPP/US, Enterprise Privacy Solutions Manager at TRUSTe
Regulators are struggling. They are struggling to find a paradigm to protect consumer privacy in the face of rapid technological change. This sentiment kicked off a panel titled, “Can Self-Regulation Meet Privacy Challenges of IoT?” at TRUSTe’s Internet of Things (IoT) Privacy Summit in Menlo Park, CA on Wednesday. The panel, moderated by Nancy Libin, former Chief Privacy Officer of the Department of Justice, contained a diverse array of privacy professionals from private, public, and non-profit backgrounds. Panelists included Alex Reynolds, Director and Regulatory Counsel, Consumer Electronics Association; Justin Brookman, Director of Consumer Privacy, Center for Democracy & Technology; Hilary Cain, Director of Technology & Innovation Policy, Toyota Motor North America, Inc.; and Nithan Sannappa, Senior Attorney, Federal Trade Commission.
The panelists largely focused on the recommendations presented in the Federal Trade Commission’s January 2015 report titled, “Internet of Things: Privacy and Security in a Connected World.” There are three main principles from the report touted as a workable privacy standard for IoT device manufacturers: 1) Security; 2) Data Minimization; and 3) Notice and Choice.
The FTC has historically enforced reasonable security as a part of its unfair practices purview. In the context of IoT devices, what is deemed reasonable is largely based on context. What types of information is the device collecting? Is it sensitive personal information (e.g., geolocation, protected health information, etc.)? What quantity of data is collected? The higher the risk profile associated with the data collected, the stronger the protections required on a device.