Apple installs the rock band U2 's newest album onto all iPhones for free. Amazon charges customers for Alexa to monitor all conversations in your home. One creates cries of consumer outrage for invasion of privacy; the other receives accolades for being a great new product, quickly appearing in every home. Why such different reactions?

Data generated by IoT devices can be valuable intellectual property (IP) for companies. However, collecting and using this data can expose them to potentially massive negative publicity and lawsuits.

Recent cases highlight three common strategies companies should consider when monetizing consumer data: (1) disclose data collection and usage in the Terms of Service (ToS), (2) adequately protect user data, and (3) promote clear user benefits from the data collected.

Clearly notify users of data collection and use

One of the most common—but also most avoidable mistakes companies make—is not notifying users what data is collected, or how it is used, through methods such as the ToS. Although users may not always read the ToS, not disclosing data use and collection may lead consumers (and courts) to assume the lack of disclosure was intentional.

For example, the email service UnrollMe, which unsubscribes users from unwanted emails, failed to disclose that information collected from user emails was sold to third parties. The complaint alleged that UnrollMe had not adequately disclosed the extent of their data collection and usage in part because “few (if any) consumers” would knowingly agree to sell their private email data.

In February 2017, Vizio settled a similar suit accusing the company of collecting and selling user data from its Smart TVs without divulging it in its ToS. As part of the settlement, Vizio agreed to pay $2.2 million, promised to “prominently disclose” its practices, and destroy existing data that had not been collected with proper notice or consent.

We-Vibe, an adult-toy manufacturer, was also accused of collecting detailed data on how consumers used its toys. Although We-Vibe assured users that they had not sold this data, the company nevertheless settled for about $3.75 million and promised to stop collecting personal data as well as destroy any existing data.

Each of these suits could have been mitigated had these companies more clearly noticed their data collection and usage. But doing so in a ToS is only the first step in securing basic legal protection and fostering consumer trust. Data security is a close second. 

Secure user data

Data security on any device is subject to scrutiny, and manufacturers should pay special attention when collecting particularly sensitive data.

The first IoT lawsuit in the Federal Trade Commission (FTC) involved baby monitors and cameras manufactured by TRENDnet. Hackers were able to access the devices, sparking allegations that TRENDnet used inadequate security measures. In the final settlement, the FTC required TRENDnet to address the security risks and prohibited the company from misrepresenting the security of its cameras.

We-Vibe's suit was also initiated in part by security concerns. Hackers revealed that sensitive data collected by We-Vibe may be accessed by third parties, which contributed to the class-action suit. In response, We-Vibe promised to work with “leading privacy and security experts” to improve security.

Even if no breach has yet occurred, companies may still be accused of security deficiencies. For example, a month after We-Vibe's settlement, consumer group Access Now charged that an adult toy manufactured by Svakcom had significant security holes.

According to Access Now, hackers could access Svakcom's product, including its built-in camera. Svakcom quickly responded, stating that they had stopped selling the adult toy, would recommend users change their WiFi passwords, and would update the toy app and hardware. Access Now, however, has not yet dropped the suit. Taking steps to secure user-data and accurately reporting the security of IoT devices is therefore essential in preventing both lawsuits and negative PR.

Promote user benefit from collected data

If a company collects data, it should be prepared to explain how it uses that data as either part of a product service, or to enhance user-experience. Apple's controversial “Location Services” and Amazon's Alexa are two successful examples.

When Apple's Location Services first came under fire in 2011 and later in 2016, Apple took steps to alleviate public concern, reassuring its consumers that no identifiable information was transmitted from the iPhones, and further, explained the measures taken to secure the user data. Apple also marketed the data collection as providing a beneficial service, such as enhancing location speeds.

Apple's approach combined all three strategies for reducing negative PR. Consequently, it has weathered lawsuits, bad publicity, and even Congressional questioning on the data collected through its Location Services.

Meanwhile, Amazon has preemptively responded to user concerns by assuring users that it only transmits voice data at certain times and implemented additional privacy measures, such as allowing users to choose when to share identifiable information with third parties.

As more and more IoT devices becomes available, corporations looking to monetize lucrative IoT data should take heed and learn from these examples. Such IP issues will dominate consumer minds in the growing IoT market.

Rachel Erdman is an attorney at Finnegan, Henderson, Farabow, Garrett & Dunner LLP. She follows data IP and privacy trends. Kenie Ho leads the IoT legal group at Finnegan. He is a thought leader on IP issues for IoT and frequently speaks and publishes on IoT legal topics.