Is Privacy Dead in the World of the Internet of Things?
There may have been a time where it was possible to go through life while remaining relatively anonymous with respect to the products and services one purchased. Those days are over.
August 26, 2019 at 07:00 AM
6 minute read
We live in a world of the Internet of Things (IoT), surrounded by cameras, microphones, and sensors. There is a "smart" version of nearly anything you can think of, from cars, to thermostats, to doorbells, to dishwashers. What are the privacy implications of these devices, and have they (or will they) effectively "kill" privacy?
IoT devices do present challenges for companies when it comes to traditional privacy practices. Traditionally, the consumer consents to a company's privacy policy by checking a box or clicking a button on a screen before being allowed to access or use the company's product. But many IoT devices have no screen or direct user interface. And while many IoT devices must be paired with an app on a mobile device, displaying the lengthy privacy policies of the past on these smaller screens can be difficult. These difficulties have led to the increased use of layered privacy policies, which provide a summary of key points at the top level, with more detailed information available as the consumer drills down.
Yet even layered privacy policies may not be the solution to the problem. As a general matter, consumers are loathe to read privacy policies, which over the years morphed into lengthy statements full of legalese. While layered privacy policies present information to the consumer in a more digestible manner, it is not clear that they will change perceptions that a company's privacy policy is designed to protect the company from legal liability, not to protect the consumer's personal information. These problems are compounded when consumers are faced with a take it or leave it choice of accepting a company's privacy policy as a condition of gaining access to an application or service.
Therefore, there has been an increasing emphasis on encouraging IoT device manufacturers to include consumer privacy considerations from the very beginning of product conception and design. The thought is that if privacy is a key consideration during the entire product lifecycle, companies can protect consumer privacy in a proactive manner, rather than reacting to security issues once the product is on the market. Under this practice, companies design and launch products with the most restrictive privacy safeguards that are feasible. That way privacy is the default, and the consumer must actively make changes to authorize the collection, processing or sharing of additional information that may not be essential to the product's core functionality.
Such concepts are fundamentally important when it comes to IoT devices. The operating systems and firmware on IoT devices are notoriously hard to patch. Additionally, IoT devices often lack a means to install third-party antivirus software. Therefore, security vulnerabilities may be difficult to detect. And even if they are detected, there is no simple way to fix them. Consequently, IoT device manufacturers cannot take a reactive approach to security. They must be proactive and prioritize privacy by design and privacy by default.
Given the emphasis on privacy by design and privacy by default, can we rely on industry self-regulation, or will adequate privacy protection only come through government oversight? In some sense, self-regulation is the preferred course. Device manufacturers are likely more knowledgeable about cutting-edge technologies and how those technologies can be used to protect consumer privacy. Device manufacturers know what data they do and do not need to collect to make their devices functional. And device manufacturers are generally more innovative and adaptive than government bureaucracy. Therefore, putting device manufacturers on the forefront of consumer privacy makes sense.
The consumer role in driving self-regulation cannot be overstated. If consumers expect the industry to self-regulate, then they have to show the industry that privacy practices can help or hurt a company's bottom line. Consumers need to show that privacy is important to them by buying products from companies that prioritize consumer privacy and shy away from those that do not. This goes beyond accepting or rejecting a company's privacy policy. Consumers need to reward companies that "sell privacy" and back up their marketing with adequate policies and safeguards. Companies will have an increased incentive to self-regulate if they know that privacy is at the forefront of the consumer's mind when making purchasing decisions.
The government plays an important part in protecting this consumer role through traditional tools, such as consumer protection and antitrust enforcement. For example, if a company misrepresents its privacy practices, consumers may spend their dollars in ways they would not if they had accurate information. Similarly, if a company enjoys substantial market power in a particular space, consumers may have little choice to go elsewhere, no matter how draconian the company's privacy practices. In both situations, the consumer's role in regulating the marketplace is distorted. Therefore, while the government may not have the personnel and resources available to suitably police the privacy field when it comes to IoT, it can help to ensure that the consumer function in regulating the field remains on an even keel.
So is privacy dead? Not by a long shot. But our conception of privacy has changed. There may have been a time where it was possible to go through life while remaining relatively anonymous with respect to the products and services one purchased. Those days are over. There are numerous "smart" products on the market that will change the way we interact with the world. And a large number of those products require, in some degree, that the user provide his or her personal information to make the product fully functional. Sacrificing anonymity for personal convenience is a bargain consumers appear to feel increasingly comfortable making.
Nevertheless, consumers still expect companies to treat their personal data with care and respect. Although data breaches may be seen as inevitable, they are not necessarily seen as acceptable. Consumers still want to remain in control of their personal information, even if they are more willing to share that information with others. And isn't maintaining control of personal information what privacy is all about?
Brian Kint is a Philadelphia-based member of the Data Privacy & Security Practice at Cozen O'Connor. Brian is both an attorney and a certified information privacy professional (CIPP/US) and therefore uniquely capable of speaking the language of the law as well as the language of the IT professionals responsible for developing and implementing technology solutions to adhere to the law and to the organization's data security strategy.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250