On January 27, 2015, the Federal Trade Commission ("FTC") issued a 71-page report on the Internet of Things ("IoT"), the vast – and explosively growing – universe of interconnected devices that can collect information and communicate with other devices to make our lives easier. The IoT includes over 25 billion connected devices worldwide, including fitness trackers, Wi-Fi connected appliances, and more, and this number is only growing. In fact, estimates are that by 2020 – only five years from today – between 50 billion and 75 billion devices will exist in the IoT.

The FTC report was drafted after a November 2013 workshop hosted by the FTC, where participants discussed the benefits and risks of the IoT, as well as how current best practices (including the Fair Information Practice Principles ("FIPPs")) could apply to the IoT, specifically IoT devices used by individual consumers. Despite their significant benefits, connected devices raise numerous privacy and security concerns, many of which could impact consumer confidence. The report sets forth specific recommended practices, with the stated goal of providing consumer protections while still allowing the benefits of the IoT to be fully realized.

The FTC recommends that device manufacturers take concrete steps to protect the security of information collected by and available through the device. Such steps include:

  • building security into devices from the outset, rather than as a design afterthought;
  • training employees on the critical nature of security and ensuring that security is managed at an appropriately high level in the organization;
  • ensuring that when outside service providers are engaged, those providers are capable of maintaining reasonable security measures and providing appropriate oversight;
  • when a security risk is identified, using a "defense-in-depth" strategy whereby multiple layers of security may be used to defend against the identified risk;
  • considering measures to keep unauthorized users from accessing a consumer's device, data, or personal information; and
  • monitoring connected devices throughout their expected life cycle and providing security patches to cover known risks.

The FTC report also encourages companies to consider "data minimization" – limiting the collection of consumer data in the first place, and retaining it for a set period of time rather than holding on to this data indefinitely. Data minimization reduces the risk that a company with a large store of consumer data will become an increasingly enticing target for data thieves or hackers, and the risk that consumer data will be used in ways the consumer does not expect. Under the data minimization recommendations, which the FTC intends to be flexible, companies could choose among three options: collect no data; only collect data limited to the categories required to provide the service offered by the device or less sensitive data; or, choose to de-identify the data collected.

The FTC further recommends that companies notify consumers about data collection and use, and also provide consumers with choices about how their information will be used, particularly when the data collected is greater than what a consumer might reasonably expect. The report indicates that there is no "one-size-fits-all" approach to how notice should be given to consumers, particularly since some IoT devices may have no consumer interface. The report identifies four ways that companies could provide notice and choice to consumers: (i) providing opt-in choices at point of sale; (ii) providing a video tutorial informing consumers of available choices; (iii) providing a code that would direct the user to a website with information about choices; and (iv) providing choices during device set-up.

The report concludes that any IoT-specific legislation would be premature given the rapidly evolving nature of the technology. The report, however, calls for strong data security and breach notification legislation, reiterating the FTC's previous suggestion in its 2012 Privacy Report to enact broad-based, technology-neutral privacy legislation. Interestingly, one Commissioner voted not to issue the report and another Commissioner issued a concurring statement disagreeing with the report's recommendation that additional legislation is needed. In the concurring statement, Commissioner Ohlhausen explained that additional legislation is not necessary because the FTC's current Section 5 authority to prohibit unfair and deceptive acts or practices already requires notice and choice for collecting sensitive personally identifiable information and protects against uses of consumer information likely to cause substantial consumer harm. Furthermore, sector-specific laws such as the FCRA and HIPAA already provide privacy protections.

The lack of unanimity underscores the complexity of the legal and policy issues raised by the IoT. We recommend that anyone involved in any aspect of the IoT monitor developments at the FTC and in Congress and adopt strong privacy and security measures. As part of these monitoring efforts, connected device manufacturers are encouraged to review the FTC's concurrently released publication "Careful Connections: Building Security in the Internet of Things," which advises companies to adopt security practices such as encryption and authentication.