Privacy & Information Security Law Blog

On August 11, 2015, the Online Trust Alliance, a nonprofit group whose goal is to increase online trust and promote the vitality of the Internet, released a framework (the “Framework”) for best practices in privacy and data security for the Internet of Things. The Framework was developed by the Internet of Things Trustworthy Working Group, which the Online Trust Alliance created in January 2015 to address “the mounting concerns and collective impact of connected devices.”

The Framework focuses on two categories within the Internet of Things: (1) home automation and connected home products, such as smart appliances and (2) wearable technologies, such as fitness trackers. The Framework lists 23 minimum requirements as a “proposed baseline for any self-regulatory and/or certification program” for the Internet of Things. These requirements include:

• making privacy policies easily available to review prior to purchasing or downloading a product;
• disclosing how long the consumer’s personal information will be retained;
• encrypting or hashing personal information in storage and in motion;
• developing and implementing a breach response and consumer safety notification plan, which should be reviewed at least semi-annually; and
• creating controls and/or documentation that enable the consumer to set, revise and manage privacy and security preferences, including what types of information are transmitted via a specific device.

In addition to the minimum requirements, the Framework lists 12 other recommendations and considerations for companies in the Internet of Things space. These include:

• disclosing whether personal information is being stored and accessed in the cloud;
• providing a history of privacy notice changes that the customer may review; and
• enabling the consumer to return a product without charge after reviewing the privacy practices that are presented during the initial product set up.

The Online Trust Alliance has requested public comments that it will incorporate into the formal release of the Framework. Comments may be submitted at the Online Trust Alliance’s website by September 14. The Framework comes at a time of increased scrutiny of this burgeoning area. In January, we reported on the Federal Trade Commission’s report on the Internet of Things.