Throughout 2015, the Online Trust Alliance ("OTA") (a
U.S.-based non-profit organization which originated in 2005 as an
informal industry working group drawn largely from the technology
and marketing communities) has been working on a so-called
"Trust Framework" for the Internet of Things. An earlier
post covered the release of the first discussion draft in August.
Although this draft is described as "pre-release", the
OTA's consultation process for the framework appears to be over
now. The organization seems to be turning its attention to
implementation and adoption. It plans to develop a voluntary
code of conduct and certification program, based on the
The new pre-release draft framework consists of 30 numbered
elements (some of which themselves seem to consist of more than one
obligation), which are classified as either "required" or
"recommended"2 for each of the scope
categories of "connected home" and "wearable
tech". The draft has been structured to allow a given
specification to be required for connected home devices, but only
recommended for wearable devices, or vice versa; but currently the
classifications are identical.
The specifications have been re-ordered and grouped under
headings of "Security", "User Access &
Credentials", and "Privacy, Disclosures &
The pre-release draft is less prescriptive and generally
somewhat weaker than the initial discussion draft. For example:
- Specific design-oriented requirements like the obligation to
  provide for individual user profiles or parental controls have been
- The obligation to conduct penetration testing now seems to
  apply only to support sites, and not to the devices
- The requirement to adopt "best practices" for
  encryption has been loosened to "current generally accepted
  security standards";4 and
- The express obligation to provide mechanisms for transfers of
  ownership has been replaced with an obligation to disclose "if
  and how" device ownership may be transferred.5
However, some obligations have been strengthened. For example,
the organization's breach response and consumer notification
plan must now be tested at least annually, rather
than merely reviewed semi-annually.6 Also, a new
obligation to "Ensure all IoT devices and associated software,
have been subjected to a rigorous, standardized software
development lifecycle process including unit, system, acceptance,
regression testing and threat modeling" has been
added.7 These are helpful additions which, if
adopted, should tend to improve product quality and, ultimately,
Furthermore, some of the "additional recommendations"
of the discussion draft have become requirements. For example, the
obligation to allow consumers to return products (potentially
subject to retail exchange policies) after reviewing privacy terms
is now mandatory, albeit with an added caveat that it only applies
where the terms are not "conspicuously disclosed prior to
The lead-in to the new draft now also expressly clarifies that
compliance with the framework does not mean
compliance with applicable law. As previously
discussed, the framework is based on the same "Fair
Information Practice Principles" that Canadian privacy law
draws upon. The basic concepts are therefore similar and broadly
compatible. But the framework is intended as practical
guidance, based on a rough consensus across different industry
sectors and jurisdictions. It is not a substitute for
understanding the legal obligations that apply in particular
2. A "not applicable" class is also
contemplated, but not used in the current draft.
3. See item #4, which contains two sentences, the first
of which is limited to "IoT support sites".
4. See item #1.
5. See item #22.
6. See item #15.
7. See item #7.
8. See item #26. Note that item #16 requires that these
terms be "discoverable, clear and readily available for
review" prior to purchase. But a footnote acknowledges
the need for flexibility and endorses a layered approach to
disclosure and contextual notices on first use or activation of
some features. The Office of the Privacy Commissioner
recommends a similar approach in the Guidelines of Online Consent. In practice,
information may be "available" without being actually
disclosed to a particular purchaser.