MANEESHA MITHAL: We don’t think disclosures should be buried in privacy policies. They should be out in the user interface. But with the IoT, we often hear, “Well, there is no real user interface.”
In our IoT report, we point to the innovations that some companies have been making in order to provide disclosures for consumers. You need to look at touchpoints. Are there disclosures that can be put in setup wizards? Are there video tutorials that could be put online? Is there training that can be done when you buy a product? Are there icons or dashboards that companies can use? Those are all things to consider.
How does the FTC keep pace with technical innovation?
First, we hire tech-savvy people. A lot of the attorneys we’ve hired in the last few years are tech-savvy, and we’ve created new positions for technologists. We also have a chief technology officer.
Second, we have OTech [the FTC Office of Technology Research and Investigation], which has done original research on smart TVs, drones, ransomware and changing demographics. It’s a useful way for us to gain knowledge about the products and services out there.
And third, we try to build ties with the academic and tech communities outside the FTC. We host an annual PrivacyCon event, and we’re always soliciting research from tech researchers as well as encouraging researchers to disclose security vulnerabilities they find to us.
Consumers aren’t always clued in to the vast ecosystem of third parties collecting, selling and sharing their data online. How do you educate consumers about the data collection potential of the IoT?
That is one of the big issues we’re facing. It’s a challenge for consumers to understand the multiplicity of players in the ecosystem. If you look at our data broker report, we talk about the fact that data can take so many hops. You might provide your data to a retailer, and the retailer might share it with hundreds of data brokers. We’ve called for greater transparency for consumer-facing entities.
It’s a similar concept in the IoT. Consumer-facing companies have a particular responsibility because they’re the ones consumers can go to if they have a problem, and they’re the ones whose brand will be affected if something happens downstream that the consumer finds inappropriate.
There’s an onus on the consumer-facing entity to do some due diligence on anybody they’re sharing data with. It’s not a strict liability, but we do look to see if the company took reasonable steps to ensure that the downstream players were good players.
The Internet of Things is a good example of innovation getting ahead of regulation. A smart thermostat knows what temperature someone’s house is, which is a banal detail, but it can also know when someone isn’t home. Where does the FTC draw the line between what is considered sensitive data and what is not?
There are four categories of information that we deem sensitive: health, financial, children’s information and precise geolocation. We’ve also said that there is a fifth category, which is content of communications; for example, the contents of emails. Beyond that, our framework has been that if what you’re doing with data is inconsistent with consumer expectations, you need to disclose that and explain to consumers how you’re using it.
There’s no hard and fast rule, but anything that’s new, ubiquitous and raises new data issues is something that’s likely to be on our radar screen.
These workshops inform us as we work on our investigations and on consumer and business education going forward. Sometimes at the end of the workshop, we will start developing a report with a summary of the workshop for people who couldn’t be there and some sort of best practice guidance for companies.
It’s been a while, but is the FTC planning to issue a report based on the cross-device workshop in Nov. 2015?
We are developing reports on the Cross-Device Tracking workshop. I can say it’s coming soon.