I Told You So: An Approach to Notice & Choice in The Internet of Things
From cellphones and computers, to refrigerators and televisions, to vacuum cleaners and dishwashers, everyday devices of consumers’ lives are increasingly connected to the internet (and to each other). While connected devices have incredible benefits, they also raise significant privacy concerns. The expansive (and ever expanding) network of interconnected devices has also proliferated data collection. Devices now sense, measure, collect, analyze, and transmit voluminous amounts of data. Each bit of data, either individually or when combined together with other data, has the potential to reveal personal or sensitive information about consumers. In essence, companies can now gain (and potentially share) digital insight into otherwise private activities.
To address this growing new world, the Federal Trade Commission (FTC) advocates the fundamental privacy principle of "notice and choice." That is, companies must inform consumers how they plan to use and share their data and give consumers choices about use and sharing.
What does notice and choice entail?
According to the FTC, effective notice should contain relevant information that draws the consumer’s attention. This can include:
• who the consumer is doing business with;
• what information the consumer will be sharing, with whom, and for what purpose;
• whether the consumer receives any benefit from the information sharing;
• what other parties are doing with the shared information and why;
• what options the consumer has if he/she changes his/her mind; and
• whether the consumer has any control over the deletion or removal of the information.
When should you provide notice and choice?
The FTC has stated companies must provide "consumers with the ability to make informed choices" but also acknowledges that "companies should not be compelled to provide choice before collecting and using consumer data for practices that are consistent with the context of a transaction or the company’s relationship with the consumer." The FTC uses an example that a “smart oven” that transmits data so its owner can merely set baking temperatures using his/her cell phone is more consistent with the consumer’s expectation than an oven transmitting usage statistics to marketing companies (who may then market to such consumers).
Tracking and transmitting information that is generally consistent with consumers’ reasonable expectations does not necessarily require prior disclosure. However, notice and choice is particularly prudent when companies are collecting, using, and sharing data in a manner that is inconsistent with consumers’ reasonable expectations.
How and where should companies provide notice and choice?
Providing notice and choice can be more difficult with Internet of Things (IoT) devices. Some devices, for example, lack a screen to support viewing lengthy privacy policies and terms of use. In order to overcome the technical and practical limitations of IoT devices, the FTC believes that companies must consider new techniques and methods to convey notice and choice information to consumers. Recently, researchers from Carnegie Mellon University, the RAND Corporation, and Google proposed an approach to deploying notices that takes into consideration various elements.
The timing of notice and choice:
Timing dictates when a consumer receives a privacy notice and has been "shown to have a significant impact on the effectiveness of notices." Timing choices include:
• ‘At setup’ notice that occurs when a system is used for the first time.
• ‘Just in time’ notice that can be used when a particular practice is activated.
• ‘Context-dependent’ notice that can be used based on a consumer’s or a system’s relevant context.
• ‘Periodic’ notice that is presented every time a practice occurs.
• ‘Persistent’ notice where a user is continuously informed of a practice, usually in a non-intrusive manner.
• ‘On demand’ notice is used to accommodate consumers’ active requests for privacy information.
The channel of providing notice and choice:
How the notice is delivered depends on its channel.
Notice provided on the same platform or device with which a user interacts is a primary channel. A secondary channel leverages out-of-band communications. For example, wearables, smart home appliances, and IoT devices with very small or no displays make it difficult to display notices in an informative way. Out-of-band communications, like text messages or emails, can serve as secondary channels to overcome primary-channel limitations.
Public channels can be leveraged to provide notice (and potentially choices) in cases where systems are not aware of the identity of the consumer. While primary and secondary channels target specific users, public channels can serve mass notice–the way warning signs in public places inform about video surveillance.
The control the user has:
Whenever possible, privacy notices should not only provide information about data practices but also include privacy choices or control options. In contrast to traditional opt-in (i.e., the user must explicitly agree to a data practice) or opt-out (i.e., the user may advise the system provider to stop a specific practice) preferences, modern approaches advocate for a blend of opt-in and opt-out. Here, users can granularly control information collection and even sharing.
Controls "directly integrated into the notice" can then "be blocking or nonblocking, or they can be decoupled to be used on demand by users." Blocking notice precludes a consumer from performing any other activities before addressing the notice message; non-blocking notice allows a consumer to continue operating without being inhibited by the notice.
Starting with these fundamentals, companies can adopt various techniques to provide effective notice and choice to consumers. Companies should strive to properly inform their consumers about data collection, use, and sharing and what the consumers’ rights are. The IoT poses new challenges for the design of privacy notices and controls, and it is up to companies to adopt an approach that provides consumers the necessary information to make informed decisions.
This article is part of Ice Miller’s Smart Connections | Internet of Things Guide. This guide can serve as a shared resource for your peer group discussions to give everyone the background he or she needs on the business and legal issues behind connected devices.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.