IoT is Watching, Always Watching: Data Privacy and the Internet of Things

November 21, 2019

By now, most people have heard the term Internet of Things, or IoT, and even more have used IoT devices, whether they’re aware of it or not. But what exactly is IoT? IoT refers to devices connected to the internet that allows data to be collected and exchanged. The ability to connect the IoT device to the internet, or to other IoT devices, transforms ordinary “dumb” devices into “smart” devices. For example, previously, the only function a watch served was to tell time. Now, watches can connect to phones to track heartrate, steps, display texts and calls, and some even can be used for contactless payment. However, data breaches have been making headlines within the past few years, drawing attention to the need for data privacy laws.

One example of a data breach leading to a privacy exposure was the vulnerabilities in LG’s SmartThinQ mobile app and cloud application that enabled unauthorized remote access to SmartThinQ’s app. With this remote access, the hacker could control various IoT home appliances, most notably the LG Hom-Bot vacuum cleaner’s camera. This breach provided hackers a front-row seat to the most private part of someone’s life, their home.

With data breaches such as these coming to light, all eyes are on California as the California Consumer Privacy Act (“CCPA”) will go into effect on January 1, 2020 (though it will not be enforced until regulations are published by the Attorney General by July 1, 2020). The CCPA, modeled after the General Data Protection Regulation (“GDPR”), will provide consumers more control over their personal data being collected and offer protections against organizations that do not protect privacy.

The CCPA will apply to for-profit organizations involved in collecting and controlling the personal information of California residents, who do business in California, and meet at least one of the following requirements: (1) have annual gross revenues in excess of $25 million; (2) receive or disclose the personal information of 50,000 or more California residents, households, or devices on an annual basis; or (3) derive 50 percent or more of annual revenue from selling California residents’ personal information. The CCPA provides California consumers with five basic rights to privacy, (1) the right to know what personal data is being collected about them, including the source and purpose for why the data is being collected, (2) the right to know whether their personal information is being sold or distributed, (3) the right to say their personal data cannot be sold (an opt-out), (4) the right to access the personal information collected about them, and (5) the right to equal service and price no matter if they exercise any of their privacy rights.

As the CCPA is soon to go into effect, more states are looking to create privacy laws. New York drafted a privacy policy that has come to be known as even bolder than the CCPA. The New York bill would not only apply to companies of all sizes, but would require them to act as “data-fiduciaries” that would “legally bar businesses from using data in a way that benefits their companies to the detriment of their users.” Although a broader, bolder privacy bill may be what consumers want, some language in the bill may have been too broad to be effective. Such language includes the way organizations could use collected data, which would “prohibit them from using data in a way that causes users some sort of financial or physical harm or in a manner that would be ‘unexpected and highly offensive to a reasonable consumer.’” There is a hard balance between a privacy bill being too narrow or too broad, and it may be that New York slid over into the too broad category for the bill to pass. Further, Maryland introduced a privacy bill that mimics the CCPA in many ways, but has some notable differences that expand certain protections. Consumers can request deletion of their personal data maintained by an organization, not just the data the consumer provided. Additionally, the exceptions for when a company does not have to delete consumer data is reduced from those in the CCPA

IoT brings many new innovations to consumers that were never thought possible. Now, vehicles, jewelry, appliances, or just about anything imaginable can become a connected device. These innovations are astounding and deserve to be pursued, but data privacy needs to be top of mind when IoT is being developed and deployed into the market. 

Allie Russell

November 21, 2019