Internet-of-Things

We live in a world of the Internet of Things (IoT), surrounded by cameras, microphones, and sensors. There is a "smart" version of nearly anything you can think of, from cars, to thermostats, to doorbells, to dishwashers. What are the privacy implications of these devices, and have they (or will they) effectively "kill" privacy?

IoT devices do present challenges for companies when it comes to traditional privacy practices. Traditionally, the consumer consents to a company's privacy policy by checking a box or clicking a button on a screen before being allowed to access or use the company's product. But many IoT devices have no screen or direct user interface. And while many IoT devices must be paired with an app on a mobile device, displaying the lengthy privacy policies of the past on these smaller screens can be difficult. These difficulties have led to the increased use of layered privacy policies, which provide a summary of key points at the top level, with more detailed information available as the consumer drills down.

Yet even layered privacy policies may not be the solution to the problem. As a general matter, consumers are loathe to read privacy policies, which over the years morphed into lengthy statements full of legalese. While layered privacy policies present information to the consumer in a more digestible manner, it is not clear that they will change perceptions that a company's privacy policy is designed to protect the company from legal liability, not to protect the consumer's personal information. These problems are compounded when consumers are faced with a take it or leave it choice of accepting a company's privacy policy as a condition of gaining access to an application or service.

Therefore, there has been an increasing emphasis on encouraging IoT device manufacturers to include consumer privacy considerations from the very beginning of product conception and design. The thought is that if privacy is a key consideration during the entire product lifecycle, companies can protect consumer privacy in a proactive manner, rather than reacting to security issues once the product is on the market. Under this practice, companies design and launch products with the most restrictive privacy safeguards that are feasible. That way privacy is the default, and the consumer must actively make changes to authorize the collection, processing or sharing of additional information that may not be essential to the product's core functionality.

Such concepts are fundamentally important when it comes to IoT devices. The operating systems and firmware on IoT devices are notoriously hard to patch. Additionally, IoT devices often lack a means to install third-party antivirus software. Therefore, security vulnerabilities may be difficult to detect. And even if they are detected, there is no simple way to fix them. Consequently, IoT device manufacturers cannot take a reactive approach to security. They must be proactive and prioritize privacy by design and privacy by default.

Given the emphasis on privacy by design and privacy by default, can we rely on industry self-regulation, or will adequate privacy protection only come through government oversight? In some sense, self-regulation is the preferred course. Device manufacturers are likely more knowledgeable about cutting-edge technologies and how those technologies can be used to protect consumer privacy. Device manufacturers know what data they do and do not need to collect to make their devices functional. And device manufacturers are generally more innovative and adaptive than government bureaucracy. Therefore, putting device manufacturers on the forefront of consumer privacy makes sense.

The consumer role in driving self-regulation cannot be overstated. If consumers expect the industry to self-regulate, then they have to show the industry that privacy practices can help or hurt a company's bottom line. Consumers need to show that privacy is important to them by buying products from companies that prioritize consumer privacy and shy away from those that do not. This goes beyond accepting or rejecting a company's privacy policy. Consumers need to reward companies that "sell privacy" and back up their marketing with adequate policies and safeguards. Companies will have an increased incentive to self-regulate if they know that privacy is at the forefront of the consumer's mind when making purchasing decisions.

The government plays an important part in protecting this consumer role through traditional tools, such as consumer protection and antitrust enforcement. For example, if a company misrepresents its privacy practices, consumers may spend their dollars in ways they would not if they had accurate information. Similarly, if a company enjoys substantial market power in a particular space, consumers may have little choice to go elsewhere, no matter how draconian the company's privacy practices. In both situations, the consumer's role in regulating the marketplace is distorted. Therefore, while the government may not have the personnel and resources available to suitably police the privacy field when it comes to IoT, it can help to ensure that the consumer function in regulating the field remains on an even keel.

So is privacy dead? Not by a long shot. But our conception of privacy has changed. There may have been a time where it was possible to go through life while remaining relatively anonymous with respect to the products and services one purchased. Those days are over. There are numerous "smart" products on the market that will change the way we interact with the world. And a large number of those products require, in some degree, that the user provide his or her personal information to make the product fully functional. Sacrificing anonymity for personal convenience is a bargain consumers appear to feel increasingly comfortable making.

Nevertheless, consumers still expect companies to treat their personal data with care and respect. Although data breaches may be seen as inevitable, they are not necessarily seen as acceptable. Consumers still want to remain in control of their personal information, even if they are more willing to share that information with others. And isn't maintaining control of personal information what privacy is all about?

Brian Kint is a Philadelphia-based member of the Data Privacy & Security Practice at Cozen O'Connor. Brian is both an attorney and a certified information privacy professional (CIPP/US) and therefore uniquely capable of speaking the language of the law as well as the language of the IT professionals responsible for developing and implementing technology solutions to adhere to the law and to the organization's data security strategy.