This article originally appeared in the E-Commerce Times, and is republished here with permission.
No one knows for sure how many “things” are connected to the Internet, but the Federal Trade Commission reported last year that it was more than 8 billion, and that it would exceed 20 billion by the end of 2020! Astonishing as it seems, it turns out that U.S. privacy laws do not apply to all of those devices and the data they collect.
So, for the third time in three years, the Senate has proposed a new law, the Internet of Things Cybersecurity Improvement Act of 2019, which actually would apply to IoT products — but only those purchased by the U.S. government. It seems that the FTC’s approach to IoT data privacy is “put on your own mask first before helping those around you.”
What seems really unbelievable is that Internet-connected things communicate enormous volumes of data from our cellphones, watches, health devices, televisions, door bells, security cameras…well you get it, virtually everything is connected to the Internet in 2019. Should we feel that our privacy is properly protected? We would like to think so.
For instance, everyone relies on maps on their cell devices to know which routes to drive to work or home, or to explore a new town. We know that when the maps show a green road we can safely assume there is no traffic, while yellow indicates traffic is slow, and red means traffic is not moving.
However, most people do not stop to think about how the data is acquired. It comes from the cellphones in the vehicles on those roadways. How? Well, remember when you clicked that “allow access” button that popped up on your map application? You essentially consented to sharing your personal data. Either we are unaware of what “allowing access” means, or we do not really care.
What Did Brittany Say?
In 2018, Brittany Kasier, cofounder of the Digital Asset Trade Association, made the Cambridge Analytica revelation that much of the information people assume is private actually is provided freely to social media, apps on mobile devices, and online e-commerce companies. Brittany highlighted the fact that most of us are not really aware of what data we are sharing — voluntarily or otherwise — or how that data is being stored and used.
Brittany also pointed out that the popularization of big data relates to IoT, social media and mobile devices, and all of the personal identifiable information (PII) from individuals is cobbled together into big data. Data aggregators buy this PII from various sources because the terms of service (ToS), click agreements, and privacy policies that no one reads give these IoT, social media and mobile devices the right to share our PII.
FTC to the Rescue?
The FTC is the U.S. government agency charged with the responsibility of protecting U.S. citizens’ personal privacy. In a report on big data it released a few years ago, the FTC disclosed some serious, and alarming concerns about where we are headed.
Despite its concerning findings, the FTC only made “recommendations” for the consumer market, which arguably are more general questions than suggestions. For example, the FTC has made the following recommendations to manufacturers, software providers, and other related businesses:
- Take steps to protect data they collect and store;
- Identify who owns the data;
- Provide notice of how and what data is collected, and promptly notify individuals when that data is exposed.
These are only recommendations, however. The Cybersecurity Improvement Act of 2019 takes the next step: requiring that manufacturers of government devices comply with certain security standards. What about the rest of us, you ask? Well, according to Sen. Mark Warner, D-Va., “this legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.”
GDPR to the Rescue?
Unlike the U.S., the EU has implemented stringent privacy protection laws. The EU’s GDPR, which became effective last spring, appears to have had a larger impact around the world. That’s likely due to its application being based on the location of EU citizens, regardless of where they might reside in the world.
Because of the global application, many U.S. companies have proceeded under the assumption that they were obligated to protect all EU citizens’ data under GDPR — a higher standard than the guidelines suggested by the FTC. As a result, many U.S. companies have upped their IT security standards. However, we have not seen any tests in court to see if the GDPR really might apply in the U.S.
Under the GDPR, “easy to understand” is the critical legal requirement. GDPR requires that privacy policies be written in plain language, not legalese. For example, if you look at Google’s Privacy Policy, in effect since May 2018 (and recently updated), you will see an easily comprehensible set of policies, complete with illustrative cartoons.
California to the Rescue!
Many U.S. companies believe it is impossible to verify whether someone living in the U.S. is in fact an EU citizen. These companies have refused to comply with GDPR requirements until U.S. courts direct them to do so.
California last year established a new privacy law, the California Consumer Privacy Act (CCPA), which is akin to the GDPR and goes into effect in 2020.
Other states have been considering similar laws, and if enough states pass these new stricter data protection laws, it is possible that a federal law could be enacted. Which is what Brittany has been hoping for.