Dipping Your Toes into the Cool Waters of Consumer Devices? Complying with Key Personal Data Regulations Will Be Your Life Raft

06 June 2019 Blog
Authors: Steven M. Millendorf, Kathryn Parsons-Reponte
Published To: Manufacturing Industry Advisor; Privacy, Cybersecurity & Technology Law Perspectives

Connected devices, or what is referred to as the “consumer internet of things,” are big business right now. Consumers want to “talk” to their devices throughout their home wherever they are, and some organizations’ business models are heavily reliant on the analytics and monetization of the personal information they collect from these devices. As a result, manufacturers who traditionally provided products and services in the business-to-business (“B2B”) space are increasingly interested in dipping their toes into the business-to-consumer (“B2C”) market, including the manufacturing and distribution of connected devices through which a business may collect volumes of personal information about its customers. While the B2C market represents a huge opportunity for traditional B2B businesses’ goods and services, manufacturers need to understand and be prepared for the new and unique compliance challenges of the B2C markets. Below are some important tips to navigate these rough seas.

Generally, the manufacturing and distribution of consumer products, especially connected consumer products, involves the handling of consumer personal information. This information may be subject to rapidly evolving local, state, national and international consumer privacy laws, such as the California Consumer Protection Act (“CCPA”), the EU General Data Protection Regulation (“GDPR”), and the Massachusetts Standards for the Protection of Personal Information of the Commonwealth. These go beyond the regulation of traditional concepts of personal data in the United States, such as name, social security number, and credit card information. Instead, these laws cast a wider net by defining personal information as any data that relates to an identified or identifiable individual. The CCPA even extends this to include any information that describes, is capable of being associated with, or could reasonably be linked to a particular California consumer or household. This can include geolocation data, audio or visual information, commercial information (such as records of personal property or products and services purchased, obtained, or products that consumers are considering purchasing or obtaining), consumer histories or tendencies and other similar information.

These laws can create substantial compliance burdens that extend beyond just creating and posting a privacy policy.  The obligations reach into the core internal policies and procedures of a business, including providing adequate security for consumer personal data. Lack of compliance can lead to significant exposure to civil and regulatory liability.

As a result, businesses seeking to get into the business of consumer data should tread carefully and deliberately to avoid the pitfalls of the personal data regulatory environment. Some key privacy action items that businesses should consider when seeking to expand from B2B and take a dip into the waters of B2C are:

  • Conduct a data mapping exercise to understand the types of personal data to be collected, the intended use of that data, and where data will be collected, stored, and transferred.
  • Review information security policies to ensure appropriate protection of consumer personal data. Some laws require that a business collecting consumer personal information maintain a written information security policy that addresses key security areas.
  • Unlike most devices targeting B2B customers, consumer devices are out “in the wild” where they can be hacked (possibly even by the consumers themselves). Consider security and privacy by design, including how the software in consumer devices may be updated/upgraded in a secure fashion. A new California law will mandate that all devices capable of connecting to the internet, directly or indirectly, be equipped with reasonable security features appropriate for the nature and use of the device and the information it collects or transmits. Moreover, if authentication can occur outside a local area network, these devices must contain a preprogrammed password unique to each device or a means for a user to generate a unique password before use.
  • Review if your product is directed towards or will otherwise collect personal information from children under the age of 13. If so, the U.S. Federal Children’s Online Privacy Protection Act (“COPPA”) requires a business to use an approved method of verifiable parental consent, which can be expensive and burdensome.
  • Draft and/or revise your privacy notice to consumers to ensure that it accurately reflects your use of personal information and that it does not overpromise protections with absolute statements. Regulators (such as the Federal Trade Commission) will interpret promises in a privacy notice very broadly in favor of the consumer. As a result, businesses should make sure that their privacy notices reserve the right to share information as necessary, such as for compliance with law enforcement, to protect their rights and property, or in the event of a merger or acquisition. Furthermore, some privacy laws require that a consumer privacy notice address specific items, such as notifying consumers of their various rights and how those rights can be exercised.
  • Review agreements with third party service providers for compliance with the requirements of applicable laws.
  • Ensure that there are adequate business resources to monitor and ensure compliance with all applicable regulations (including the exercise of the rights of consumers under the applicable regulations), for training, and for the proper handling of consumer personal data.

The B2C pool can be deep and sometimes filled with sharks. But businesses can manage the waters with some planning for privacy and security before they dive in. For questions and additional information on this topic, please contact any of the authors or additional members within Foley’s Privacy, Security, and Information Management team.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only.
