Connected devices, or what is referred to as the “consumer internet of things,” are big business right now. Consumers want to “talk” to their devices throughout their home wherever they are, and some organizations’ business models are heavily reliant on the analytics and monetization of the personal information they collect from these devices. As a result, manufacturers who traditionally provided products and services in the business-to-business (“B2B”) space are increasingly interested in dipping their toes into the business-to-consumer (“B2C”) market, including the manufacturing and distribution of connected devices through which a business may collect volumes of personal information about its customers. While the B2C market represents a huge opportunity for traditional B2B businesses’ goods and services, manufacturers need to understand and be prepared for the new and unique compliance challenges of the B2C markets. Below are some important tips to navigate these rough seas.
Generally, the manufacturing and distribution of consumer products, especially connected consumer products, involves the handling of consumer personal information. This information may be subject to rapidly evolving local, state, national and international consumer privacy laws, such as the California Consumer Protection Act (“CCPA”), the EU General Data Protection Regulation (“GDPR”), and the Massachusetts Standards for the Protection of Personal Information of the Commonwealth. These go beyond the regulation of traditional concepts of personal data in the United States, such as name, social security number, and credit card information. Instead, these laws cast a wider net by defining personal information as any data that relates to an identified or identifiable individual. The CCPA even extends this to include any information that describes, is capable of being associated with, or could reasonably be linked to a particular California consumer or household. This can include geolocation data, audio or visual information, commercial information (such as records of personal property or products and services purchased, obtained, or products that consumers are considering purchasing or obtaining), consumer histories or tendencies and other similar information.
These laws can create substantial compliance burdens that extend beyond just creating and posting a privacy policy. The obligations reach into the core internal policies and procedures of a business, including providing adequate security for consumer personal data. Lack of compliance can lead to significant exposure to civil and regulatory liability.
As a result, businesses seeking to get into the business of consumer data should tread carefully and deliberately to avoid pitfalls arising from the personal data regulatory environment. Some key privacy action items that businesses should consider when seeking to expand from B2B and take a dip into the waters of B2C are:
The B2C pool can be deep and sometimes filled with sharks. But businesses can manage the waters with some planning for privacy and security before they dive in. For questions and additional information on this topic, please contact any of the authors or additional members within Foley’s Privacy, Security, and Information Management team.