On January 27, 2015, the United States Federal Trade Commission
(FTC) released a report discussing privacy and data security in
consumer devices connected to the internet.
The Internet of Things (IoT)
The FTC defined the IoT to include things such as devices or
sensors, other than computers, smartphones or tablets, that
connect, communicate or transmit information with or between each
other through the internet. For example, smart thermostat
systems or washers and dryers that utilize Wi-Fi for remote
Data Security and Privacy Risks
While the FTC acknowledged some benefits of the IoT, it
cautioned that the IoT presents a variety of data security and
privacy risks. The risks include: (i) the enabling of
unauthorized access to and misuse of personally identifiable
information (PII), (ii) the facilitation of attacks on other
interconnected systems, and (iii) the creation of safety
risks. While the first two are familiar from the traditional
computing environment, the third is new: a physical safety risk.
For example, it may be possible to remotely gain access to a
connected medical device and change its settings, impeding its
therapeutic function.
The FTC recommended that companies focus on data security when
developing connected devices and offered IoT companies the
following approaches to take when developing their products:
building security into the devices at the outset of development
by conducting an initial privacy or security assessment,
considering how to minimize the data collected and retained, and
testing security measures before launching the product;
ensuring that their personnel practices promote good
retaining service providers that are capable of maintaining
reasonable security and providing reasonable oversight;
implementing a defense-in-depth approach for systems with
significant risk in which security measures are considered at
imposing reasonable access control measures to limit the
ability of an unauthorized person to access a consumer's
device, data or network; and
continuing to monitor products throughout the life cycle and,
to the extent feasible, patch known vulnerabilities.
The FTC also recommended that IoT companies should reasonably
limit their collection and retention of PII. These practices,
known as data minimization, can help mitigate privacy-related
risks. The FTC recommended that:
IoT companies should examine their data practices and business
needs and develop policies and practices that impose reasonable
limits on the collection and retention of PII; and
to the extent there is a need to collect and store PII, IoT
companies should consider whether they can do so while maintaining
the PII in a de-identified form.
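The caveat a practitioner will want on "de-identified form": an unkeyed hash of a device identifier is not de-identification, because identifiers such as MAC addresses come from a small, enumerable space and the hash can be reversed by trying every candidate. The following is an added example, not code from the FTC report or from this article; it contrasts that naive approach with keyed pseudonymisation (HMAC-SHA256) and shows a record being minimised. The OUI 00:1A:2B, the sample telemetry record and the locally generated key are constructed for the example; in a real system the key would come from a KMS or HSM and never sit beside the data.

```python
"""Added example: keyed pseudonymisation of an IoT device identifier.

Not code from the FTC report or the article. It shows why hashing an
identifier is not de-identification when the identifier space is small,
and what a keyed alternative and a minimised record look like.
"""
import hashlib
import hmac
import secrets

# Assumption: in a real deployment the key comes from a KMS/HSM and is never
# stored beside the data it protects. Generated here so the example runs offline.
KEY = secrets.token_bytes(32)

# Constructed sample telemetry record, as an IoT backend might receive it.
# The MAC uses a made-up OUI (00:1A:2B); it identifies no real device.
SAMPLE_RECORD = {
    "device_id": "00:1A:2B:00:00:2A",
    "temperature_c": 21.5,
    "owner_email": "resident@example.com",
    "ts": "2015-01-27T10:00:00Z",
}


def canonical(identifier: str) -> bytes:
    """MAC addresses appear in mixed case and with stray whitespace; normalise
    before hashing so the same device always maps to the same pseudonym."""
    return identifier.strip().lower().encode()


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256: the common but inadequate 'anonymisation'."""
    return hashlib.sha256(canonical(identifier)).hexdigest()


def pseudonymize(identifier: str, key: bytes = KEY) -> str:
    """HMAC-SHA256 under a secret key: stable, so records for one device can
    still be joined, but not reversible by enumeration without the key."""
    return hmac.new(key, canonical(identifier), hashlib.sha256).hexdigest()


def reverse_by_enumeration(target_hex: str, oui: str = "00:1a:2b", bits: int = 16):
    """Reverse an unkeyed hash of a MAC by enumerating the NIC-specific part
    under a known vendor prefix.

    A real NIC part is 24 bits (about 16.8 million candidates, still only
    minutes of work); the search is scaled down to `bits` so the example runs
    instantly. Returns the matching MAC, or None if nothing matches.
    """
    for n in range(1 << bits):
        candidate = f"{oui}:{(n >> 16) & 0xFF:02x}:{(n >> 8) & 0xFF:02x}:{n & 0xFF:02x}"
        if naive_hash(candidate) == target_hex:
            return candidate
    return None


def deidentify(record: dict, key: bytes = KEY) -> dict:
    """Data minimisation applied to one record: keep the fields the service
    needs, pseudonymise the device identifier, and drop direct identifiers
    such as the owner's e-mail entirely rather than hashing them."""
    return {
        "device_pseudonym": pseudonymize(record["device_id"], key),
        "temperature_c": record["temperature_c"],
        "ts": record["ts"],
    }


if __name__ == "__main__":
    mac = SAMPLE_RECORD["device_id"]
    print("naive hash reversed to:", reverse_by_enumeration(naive_hash(mac)))
    print("keyed pseudonym reversed to:", reverse_by_enumeration(pseudonymize(mac)))
    print("minimised record:", deidentify(SAMPLE_RECORD))
```

Two points follow from running it. First, the reversed naive hash returns the original MAC, while the HMAC output does not match any candidate; whoever holds the key can still re-identify the device, so keyed pseudonyms are "de-identified" only with respect to parties who never see the key, and the key needs the same access controls as the PII itself. Second, the direct identifier (the e-mail) is not hashed but removed, which is the data-minimisation question the FTC asks companies to put before the de-identification one.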
Notice and Choice
The FTC acknowledged the difficulty, in the IoT context, of
notifying customers of a company's privacy practices and offering
them a way to modify privacy settings. However, the FTC noted that
posting a notice on a website alone is not sufficient: it
recommended that companies find ways to meaningfully present
privacy notices and choices to customers, including during the
set-up or purchase of the IoT device itself.
The Office of the Privacy Commissioner of Canada previously
highlighted the IoT as creating potential privacy issues. In
September 2014, the Commissioner
called for proposals under the 2015–16
Contributions Program and specifically highlighted the IoT as an
area that needed to be explored.
The recommendations contained in the FTC's report provide
useful guidance and best practices for companies operating in the
IoT space in Canada seeking to mitigate privacy and data security
risks.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.