New technologies and the expansion of the Internet of Things have allowed children of this generation to experience seamless interactive technologies through microphones, GPS devices, speech recognition, sensors, cameras and other technological capabilities. These advancements create new markets for entertainment and education alike and, in the process, collect endless amounts of data from children–from their names and locations to their likes/dislikes and innermost thoughts.

The collection of data through this Internet of Toys is on the tongues of regulators and law enforcement, who are warning parents to be wary when purchasing internet-connected toys and other devices for children. These warnings also extend to connected toy makers, urging companies to comply with children’s privacy rules and signaling that focused enforcement is forthcoming.

Federal Trade Commission Makes Clear That Connected Toy Makers Must Comply with COPPA

On June 21 2017, the Federal Trade Commission (FTC) updated its guidance for companies required to comply with the Children’s Online Privacy and Protection Act (COPPA) to ensure those companies implement key protections with respect to Internet-connected toys and associated services. While the FTC’s Six Step Compliance Plan for COPPA compliance is not entirely new, there are a few key updates that reflect developments in the Internet of Toys marketplace. Continue Reading Regulating the Internet of Toys

On April 28, 2015, the Italian Data Privacy Authority (the Authority) launched a public consultation on the Internet of Things aimed at collecting contributions from stakeholders and assessing its potential impact on consumers’ privacy. This public consultation in Italy follows the opinion of the EU Article 29 Working Party of September 2014 and a more recent report of the U.S. Federal Trade Commission of January 2015, which had identified a number of issues and challenges in relation to the Internet of Things. Interested parties can submit their comments to the Authority by e-mail within 180 days of the publication in the Official Journal of the decision to launch the consultation (expected in the next few days).

This is an outstanding opportunity for stakeholders to provide their contribution on issues such as users’ profiling, data anonymization, the applicability of the data protection by design principles and the use of certification and authentication tools, in order to identify a set of best practices to ensure that compliance with data privacy rules does not constitute a limit to the development of Internet of Things technologies. The consultation might hopefully result in the adoption of specific guidance by the Authority on the application of data privacy rules to businesses active in the Internet of Things market, which currently face significant compliance issues.

On January 27, 2015, U.S. Federal Trade Commission (FTC) staff released an extensive report on the “Internet of Things” (IoT). The report, based in part on input the FTC received at its November 2013 workshop on the subject, discusses the benefits and risks of IoT products to consumers and offers best practices for IoT manufacturers to integrate the principles of security, data minimization, notice and choice into the development of IoT devices. While the FTC staff’s report does not call for IoT specific legislation at this time, given the rapidly evolving nature of the technology, it reiterates the FTC’s earlier recommendation to Congress to enact strong federal data security and breach notification legislation.

The report also describes the tools the FTC will use to ensure that IoT manufacturers consider privacy and security issues as they develop new devices. These tools include:

  • Enforcement actions under such laws as the FTC Act, the Fair Credit Reporting Act (FCRA) and the Children’s Online Privacy Protection Act (COPPA), as applicable;
  • Developing consumer and business education materials in the IoT area;
  • Participation in multi-stakeholder groups considering guidelines related to IoT; and
  • Advocacy to other agencies, state legislatures and courts to promote protections in this area.

In furtherance of its initiative to provide educational materials on IoT for businesses, the FTC also announced the publication of “Careful Connections: Building Security in the Internet of Things”.  This site provides a wealth of advice and resources for businesses on how they can go about meeting the concept of “security by design” and consider issues of security at every stage of the product development lifecycle for internet-connected devices and things.   

This week’s report is one more sign pointing toward our prediction regarding the FTC’s increased activity in the IoT space in 2015. 

The “Internet of Things” (IoT) continues to grow.  (IoT refers to the ability of everyday objects to connect to the Internet and one another.)  It is estimated that there will be 4.9 billion connected appliances, devices and other “things” in use worldwide by the end of 2015, an increase of 30 percent from 2014.  The global market for IoT products is expected to reach $7.1 trillion by 2020.

Proponents of IoT believe that the data generated and shared by connected objects can provide tremendous benefits for individuals, businesses and society as a whole.  For example, IoT devices could be used to alert a person of an impending heart attack, improve a business’ manufacturing processes and reduce vehicle traffic congestion.  While IoT can provide many benefits, it also poses privacy and security challenges.  Internet connected devices, especially when used in an individual’s home or on his or her body, can generate voluminous amounts of highly personal and sensitive data about that individual, including information about physical activity, existing health conditions, energy consumption and entertainment choices.  Many users of these devices are unclear about how this data is being used and shared with others. Moreover, the sheer amount and sensitivity of the data collected and transmitted by many IoT products make them an appealing target for hackers.

The Federal Trade Commission (FTC) did not file an enforcement action against a manufacturer of IoT products for inadequate data privacy and security practices in 2014, as it had in 2013. Nonetheless, the privacy and security challenges associated with the massive collection of consumer data by IoT products still are on the FTC’s radar.  Commissioner Julie Brill has written extensively about the need to weave in privacy principles to IoT.  While IoT products ranging from automated door locks to internet connected pet trackers dominated this year’s International Consumer Electronics Show (CES), Chairwoman Edith Ramirez’s keynote address at the CES outlined several concerns about IoT, including ubiquitous data collection, the ability of IoT devices to capture sensitive personal information about consumers, unexpected uses of consumer data and data security concerns.

Since IoT is on the FTC’s radar, I predict that the FTC will carefully scrutinize manufacturers of IoT products during 2015 and perhaps bring another action against a maker of IoT products for inadequate data privacy or security practices.