The Internet of Things (or "IoT") is a hot topic in
privacy circles, given its rapid expansion among everyday consumer
products. Broadly referring to Internet-connected devices, the IoT
encompasses a variety of consumer goods, such as kitchen appliances
(smart ovens and refrigerators), home security, window blinds,
light bulbs, and lawn care equipment. Many personal devices are now
connected as well, including toothbrushes, a smart hairbrush that
measures hair density and brushing habits, a pillow that monitors
snoring and analyzes sleeping habits, and even sexual devices
— which brings us to the present story.
The company Standard Innovation Corp. sells a personal vibrator
product called the We-Vibe. According to the class complaint:
"To fully operate the We-Vibe, users download Defendant's
'We-Connect' application from the Apple App Store or the
Google Play store and install it on their smartphones. With
We-Connect, users can 'pair' their smartphone to the
We-Vibe, allowing them—and their partners—remote
control over the vibrator's customizable settings and
features." However, "[u]nbeknownst to its customers . . .
Defendant designed We-Connect to (i) collect and record highly
intimate and sensitive data regarding consumers' personal
We-Vibe use, including the date and time of each use and the
selected vibration settings, and (ii) transmit such usage
data—along with the user's personal email
address—to its servers in Canada." The plaintiffs also
allege that the company misrepresented the security of the app, as
evidenced by two hackers at the 2016 Def Con conference being able
to hack into and control someone else's device. The
proliferation of IoT hacking has led some to suggest that a better
name might be IoTTCBH, or Internet of Things That Can Be
Hacked.
As part of the settlement, in addition to monetary compensation
for the class, the company agreed to implement or change many of
its privacy practices. Specifically, the company agreed to (1) not
collect email addresses through its We-Connect app, (2) update its
privacy notice to specifically disclose its data collection and use
practices, (3) provide users with a method to opt out of their data
being provided to third parties, (4) take various steps to ensure
that all users with the We-Connect app receive notice of the
company's privacy policies, and (5) purge certain consumer
privacy information already collected.
As more devices are interconnected, concerns over the security
of those devices and the data collection/use practices of IoT
device makers are growing. The We-Vibe class action highlights the
importance of appropriate privacy policies and practices, as well
as technical device security.
