Privacy & Information Security Law Blog

On January 6, 2015, Federal Trade Commission Chairwoman Edith Ramirez gave the opening remarks on “Privacy and the IoT: Navigating Policy Issues” at the 2015 International Consumer Electronics Show (“International CES”) in Las Vegas, Nevada. She addressed the key challenges the Internet of Things (“IoT”) poses to consumer privacy and how companies can find appropriate solutions that build consumer trust.

Chairwoman Ramirez acknowledged that the IoT “has the potential to provide enormous benefits for consumers, but it also has significant privacy and security implications.” She offered “three key challenges…the IoT poses to consumer privacy: (1) ubiquitous data collection; (2) the potential for unexpected uses of consumer data that could have adverse consequences; and (3) heightened security risks.”

The first challenge from the IoT, ubiquitous data collection, arises from the “digital trail” consumers leave behind as more technology is introduced into intimate spaces and sensitive data is collected. Companies monitor and analyze this data and can “make additional sensitive inferences and compile even more detailed profiles of consumer behavior.” The second challenge of “unexpected uses,” raises the question of whether these uses are “inconsistent with consumers’ expectations or relationship with a company.” According to Chairwoman Ramirez, the risks may include that the collected information may “paint a picture” of the consumer that the consumer “will not see but that others will,” including others that might make decisions about the consumer. Finally, Ramirez highlighted the heightened security risk associated with IoT devices, as the small size, limited processing power, and often low-cost and disposable nature of such devices may inhibit appropriate protections.

In the second half of her speech, Chairwoman Ramirez addressed three things companies can do to address these challenges. The first is to prioritize security and incorporate security into the device design process. Second, companies should “follow the principle of data minimization,” and only collect data needed for a specific purpose and destroy the data after it has served its purpose. She acknowledged that limits on data collection can hinder a company’s access to potentially valuable information, but she questioned whether “we must put sensitive consumer data at risk” to reap unknown benefits in the future. According to Ramirez, “reasonable limits on data collection and retention are a necessary first line of protection for consumers.” Finally, while recognizing the risk of burdening consumers with too much information and too many choices, she noted that companies should nevertheless find ways to provide consumers “clear and simple notice” of how their data is being collected and used.

Chairwoman Ramirez concluded by emphasizing the importance of a balanced approach to the IoT that allows it to continue to evolve and flourish while also protecting consumer privacy.

The International CES is a major global consumer electronics and consumer technology tradeshow hosted by the Consumer Electronics Association, a technology trade association representing the U.S. consumer electronics industry.