FTC Internet of Things (IoT) Report Focuses on Security and Consumer Expectations March 11, 2015

by Kim Verska In January, the Federal Trade Commission (FTC) released a detailed report, “Internet of Things: Privacy &

Security in a Connected World”. The FTC’s Report urges product designers and manufactures to adopt best

practices including a strong focus on data security and upholding consumer expectations. For purposes of FTC

regulation, the IoT includes any consumer device – other than computers, smartphones or tablets – that connect

and store data via the Internet. This growing area includes diverse products from heart pacemakers to “smart”

appliances that collect and transmit user data over the Internet in the name of household efficiency. IoT

presents many challenges for government regulators, including rapidly advancing technology and the potential

for widespread collection of sensitive consumer medical information.

To address these challenges, the FTC Report attempts to strike a balance between prescriptive rules and more

flexible guidelines. In terms of prescriptive rules, some of the best practices FTC urged include “security by

design” and data minimization. FTC will evaluate IoT devices on whether data security appears to have been

considered as an integral design principle (or as a later add-on), and whether the devices collect more data than

is strictly necessary for their intended purposes. During FTC’s comment period, some industry representatives

had criticized FTC’s proposed emphasis on “security by design” and data minimization as potentially stifling

innovation and lacking sufficient cost/benefit analysis. They noted that what may be needed for security of a

pacemaker may not be needed for less sensitive devices. Less controversial was the FTC’s direction that IoT

device makers strive to meet the reasonable expectations of consumers regarding collection and use of personal

data – expectations that vary from device to device. This regulatory standard is arguably more flexible, able to

evolve alongside IoT technologies, and potentially less likely to become outdated quickly.

While IoT device makers are naturally those most concerned about the approach FTC is taking, any company

desiring a high level of regulatory compliance regarding consumer personal data practices can benefit from

application of the Report’s recommendations. The Report nicely encapsulates the FTC’s general regulatory

approach with respect to its “unfair and deceptive trade practices” enforcement over the past decade. As the

Report illustrates, application of a single set of rules to a diverse and changing set of circumstances and

technologies can be very challenging, and consumer product manufacturers will benefit from the advice of

legal counsel experienced in FTC privacy matters.

Author Kim Verska is a Certified Information Privacy Professional (US) through the

International Association of Privacy Professionals and a Partner in Culhane Meadows’ Atlanta office. She is

a frequent speaker regarding evolving legal issues for the technology industry and other businesses and can be

reached at kverska@culhanemeadows.com