FTC Urges Comprehensive Privacy Legislation to Safeguard Consumer Data in the IoT Era

Feb 05, 2015 10:56 CST Updated 10:56

Last week, the U.S. Federal Trade Commission (FTC) released a report on Internet of Things (IoT) trends, addressing the growing privacy and security concerns associated with internet-connected health devices. The report summarizes discussions from an FTC workshop held in November 2013 and includes recommendations from FTC members to the industry.

The panel of health experts at the seminar included: Scott Peppet, Professor at the University of Colorado Law School; Stan Crosley, Director of the Center for Law, Ethics, and Applied Research in Health Information at Indiana University; Joseph Lorenzo Hall, Chief Technology Officer at the Center for Democracy and Technology; Jay Radcliffe, Senior Security Analyst at InGuardians; and Anand Iyer, President and Chief Operating Officer at WellDoc.

FTC Commissioner Jeffrey Wright dissented, arguing that the FTC should not issue recommendations to IoT companies based solely on a single workshop and public comments.

Wright remarked, “If the purpose of the workshop were to examine dry-cleaning methods or evaluate equipment labeling, the Committee could indeed provide sound advice on such well-defined issues. However, the Committee faces greater constraints when studying emerging concepts like the Internet of Things (IoT). It would be difficult to predict its technological progress and ultimate impact on consumers based solely on limited consensus. A report that merely covers one day of meetings, along with accompanying public comments and FTC members’ impressions of these proceedings, cannot yield representative viewpoints or generate sufficient information to support legislation or inform policy recommendations, regardless of how long it took to prepare.”

Wright also stated that the FTC should conduct rigorous cost-benefit analyses before making recommendations, rather than merely asserting that its proposals would entail potential costs and benefits.

The report also notes that the Internet of Things (IoT) has introduced numerous security concerns for consumers.

“The Internet of Things (IoT) presents various security risks that may adversely affect consumers: first, the unauthorized access and misuse of personal information; second, the increased ease of launching attacks on other systems; and finally, the emergence of personal safety concerns.” Participants pointed out that privacy risks would stem from data such as personal information, habits, location, and changes in physical condition. Some further noted that certain companies might leverage this data to make decisions regarding credit, insurance, and employment. Others expressed concern that even in the absence of actual incidents, consumer confidence in the technology could be undermined merely by perceived privacy and security risks, which would also impact its widespread adoption.

Some FTC members have proposed that Congress take action on general data security regulation and enact broader privacy legislation that is not limited to the Internet of Things. “Such legislation should be flexible and technology-neutral, while providing companies with clear rules on these issues. Companies are required to provide privacy notices to consumers when collecting and using relevant data.”

Although efforts are underway to advance more comprehensive legislation, the agency has pointed out that HIPAA does not cover all health-related data.

“Participants also discussed certain sensitive information protected by HIPAA, such as medical diagnoses, medication names, and health conditions, provided that such information is collected by physicians or insurance companies. However, a growing number of health apps are collecting this consumer data through their products, which falls outside the scope of HIPAA protection.” Committee members argued that consumers should have the right to be informed regardless of who collects such sensitive health information. Uniform standards would also create a level playing field for businesses.
