September 10, 2019
IoT is Watching, Always Watching: Data Privacy and the Internet of Things
By now, most people have heard the term Internet of Things, or IoT, and even more have used IoT devices, whether they’re aware of it or not. But what exactly is IoT? IoT refers to devices connected to the internet that allows data to be collected and exchanged. The ability to connect the IoT device to the internet, or to other IoT devices, transforms ordinary “dumb” devices into “smart” devices. For example, previously, the only function a watch served was to tell time. Now, watches can connect to phones to track heartrate, steps, display texts and calls, and some even can be used for contactless payment. However, data breaches have been making headlines within the past few years, drawing attention to the need for data privacy laws.
One example of a data breach leading to a privacy exposure was the vulnerabilities in LG’s SmartThinQ mobile app and cloud application that enabled unauthorized remote access to SmartThinQ’s app. With this remote access, the hacker could control various IoT home appliances, most notably the LG Hom-Bot vacuum cleaner’s camera. This breach provided hackers a front-row seat to the most private part of someone’s life, their home.
With data breaches such as these coming to light, all eyes are on California as the California Consumer Privacy Act (“CCPA”) will go into effect on January 1, 2020 (though it will not be enforced until regulations are published by the Attorney General by July 1, 2020). The CCPA, modeled after the General Data Protection Regulation (“GDPR”), will provide consumers more control over their personal data being collected and offer protections against organizations that do not protect privacy.
The CCPA will apply to for-profit organizations involved in collecting and controlling the personal information of California residents, who do business in California, and meet at least one of the following requirements: (1) have annual gross revenues in excess of $25 million; (2) receive or disclose the personal information of 50,000 or more California residents, households, or devices on an annual basis; or (3) derive 50 percent or more of annual revenue from selling California residents’ personal information. The CCPA provides California consumers with five basic rights to privacy, (1) the right to know what personal data is being collected about them, including the source and purpose for why the data is being collected, (2) the right to know whether their personal information is being sold or distributed, (3) the right to say their personal data cannot be sold (an opt-out), (4) the right to access the personal information collected about them, and (5) the right to equal service and price no matter if they exercise any of their privacy rights.
IoT brings many new innovations to consumers that were never thought possible. Now, vehicles, jewelry, appliances, or just about anything imaginable can become a connected device. These innovations are astounding and deserve to be pursued, but data privacy needs to be top of mind when IoT is being developed and deployed into the market.
November 21, 2019