Dipping Your Toes into the Cool Waters of Consumer Devices? Complying with Key Personal Data Regulations Will Be Your Life Raft

Connected devices, or what is referred to as the “consumer internet of things” is big business right now.  Consumers want to “talk” to their devices throughout their home wherever they are, and some organizations’ business models are heavily reliant on the analytics and monetization of the personal information they collect from these devices. As a result, manufacturers who traditionally provided products and services in the business-to-business (“B2B”) space are increasingly interested in dipping their toes into the business-to-consumer market (“B2C”), including the manufacturing and distribution of connected devices for which a business may collect volumes of personal information about their customers. While the B2C market represents a huge opportunity for traditional B2B businesses’ goods and services, manufacturers need to understand and be prepared for new and unique compliance challenges of the B2C markets.    Below are some important tips to navigate these rough seas. 

Generally, the manufacturing and distribution of consumer products, especially connected consumer products, involves the handling of consumer personal information. This information may be subject to rapidly evolving local, state, national and international consumer privacy laws, such as the California Consumer Protection Act (“CCPA”), the EU General Data Protection Regulation (“GDPR”), and the Massachusetts Standards for the Protection of Personal Information of the Commonwealth. These go beyond the regulation of traditional concepts of personal data in the United States, such as name, social security number, and credit card information. Instead, these laws cast a wider net by defining personal information as any data that relates to an identified or identifiable individual. The CCPA even extends this to include any information that describes, is capable of being associated with, or could reasonably be linked to a particular California consumer or household. This can include geolocation data, audio or visual information, commercial information (such as records of personal property or products and services purchased, obtained, or products that consumers are considering purchasing or obtaining), consumer histories or tendencies and other similar information.

These laws can create substantial compliance burdens that extend beyond just creating and posting a privacy policy.  The obligations reach into the core internal policies and procedures of a business, including providing adequate security for consumer personal data. Lack of compliance can lead to significant exposure to civil and regulatory liability.

As a result, business seeking to get into the business of consumer data should tread carefully and deliberately to avoid pitfalls as a result of the personal data regulatory environment.  Some key privacy action items that businesses should consider when seeking to expand from B2B and take a dip into the waters of the B2C are:

• Conduct a data mapping exercise to understand the types of personal data to be collected, the intended use of that data, and where data will be collected, stored, and transferred.
• Review information security policies to ensure appropriate protection of consumer personal data. Some laws require that a business collecting consumer personal information maintain a written information security policy that addresses key security areas.
• Unlike most devices targeting B2B customers, consumer devices are out “in the wild” where they can be hacked (possibly even by the consumer itself). Consider security and privacy by design, including how the software in consumer devices may be updated/upgraded in a secure fashion. A new California law will mandate that all devices capable of connecting to the internet, directly or indirectly, be equipped with reasonable security features appropriate for the nature and use of the device and information collected or transmitted. Moreover, these devices must contain a preprogrammed unique password or a means for a user to generate a unique password before use, if authentication can occur outside a local area network.
• Review if your product is directed towards or will otherwise collect personal information from children under the age of 13. If so, the U.S. Federal Children’s Online Privacy Protection Act (“COPPA”) requires a business to use an approved method of verifiable parental consent, which can be expensive and burdensome.
• Draft and/or revise your privacy notice to consumer to ensure that it accurately reflects your use of personal information and that it does not over promise protections with absolute statements. Regulators (such as the Federal Trade Commission) will interpret promises in a privacy notice very broadly in favor of the consumer. As a result, businesses should make sure that their privacy notices reserve the right to share information as necessary, such as for compliance with law enforcement, to protect their rights and property, or in the event of a merger or acquisition. Furthermore, some privacy laws require that a consumer privacy notice address specific items, such as notifying consumers of their various rights and how they can be exercised.
• Review agreements with third party service providers for compliance with the requirements of applicable laws.
• Ensure that there are adequate business resources to monitor and ensure compliance with all applicable regulations (including the exercise of the rights of consumers under the applicable regulations), for training, and for the proper handling of consumer personal data.

The B2C pool can be deep and sometimes filled with sharks. But businesses can manage the waters with some planning for privacy and security before they dive in. For questions and additional information on this topic, please contact any of the authors or additional members within Foley’s Privacy, Security, and Information Management team.