I Told You So: An Approach to Notice & Choice in The Internet of Things

Posted: Updated:

From cellphones and computers, to refrigerators and televisions, to vacuum cleaners and dishwashers, everyday devices of consumers' lives are increasingly connected to the internet (and to each other). While connected devices have incredible benefits, they also raise significant privacy concerns. The expansive (and ever expanding) network of interconnected devices has also proliferated data collection. Devices now sense, measure, collect, analyze, and transmit voluminous amounts of data. Each bit of data, either individually or when combined together with other data, has the potential to reveal personal or sensitive information about consumers. In essence, companies can now gain (and potentially share) digital insight into otherwise private activities.
To address this growing new world, the Federal Trade Commission (FTC) advocates the fundamental privacy principle of "notice and choice." That is, companies must inform consumers how they plan to use and share their data and give consumers choices about use and sharing.
What does notice and choice entail?
According to the FTC, effective notice should contain relevant information that draws the consumer's attention. This can include:

• who the consumer is doing business with;
• what information the consumer will be sharing, with whom, and for what purpose;
• whether the consumer receives any benefit from the information sharing;
• what other parties are doing with the shared information and why;
• what options the consumer has if he/she changes his/her mind; and
• whether the consumer has any control over the deletion or removal of the information.

When should you provide notice and choice?
The FTC has stated companies must provide "consumers with the ability to make informed choices" but also acknowledges that "companies should not be compelled to provide choice before collecting and using consumer data for practices that are consistent with the context of a transaction or the company's relationship with the consumer." The FTC uses an example that a “smart oven” that transmits data so its owner can merely set baking temperatures using his/her cell phone is more consistent with the consumer's expectation than an oven transmitting usage statistics to marketing companies (who may then market to such consumers).
Tracking and transmitting information that is generally consistent with consumers' reasonable expectations does not necessarily require prior disclosure. However, notice and choice is particularly prudent when companies are collecting, using, and sharing data in a manner that is inconsistent with consumers' reasonable expectations. 
How and where to should companies provide notice and choice?
Providing notice and choice can be more difficult with Internet of Things (IoT) devices. Some devices, for example, lack a screen to support viewing lengthy privacy policies and terms of use. In order to overcome the technical and practical limitations of IoT devices, the FTC believes that companies must consider new techniques and methods to convey notice and choice information to consumers. Recently, researchers from Carnegie Mellon University, the RAND Corporation, and Google proposed an approach to deploying notices that takes into consideration various elements.
The timing of notice and choice:
Timing dictates when a consumer receives a privacy notice and has been "shown to have a significant impact on the effectiveness of notices." Timing choices include:

'At setup' notice that occurs when a system is used for the first time.
'Just in time' notice that can be used when a particular practice is activated.
'Context-dependent' notice that can be used based on a consumer's or a system's relevant context.
'Periodic' notice that is presented every time a practice occurs.
'Persistent' notice where a user is continuously informed of a practice, usually in a non-intrusive manner.
'On demand' notice is used to accommodate consumers' active requests for privacy information.

The channel of providing notice and choice:
How the notice is delivered depends on its channel.
Notice provided on the same platform or device with which a user interacts is a primary channel; a secondary channel leverages out-­of-­band communications. For example, wearables, smart home appliances, and IoT devices with very small or no displays make it difficult to display notices in an informative way. Out-of-band communications, like text messages or emails, can serve as secondary channels to overcome primary-channel limitations.
Public channels can be leveraged to provide notice (and potentially choices) in cases where systems are not aware of the identity of the consumer. While primary and secondary channels target specific users, public channels can serve mass notice–the way warning signs in public places inform about video surveillance.
The control the user has:
Whenever possible, privacy notices should not only provide information about data practices but also include privacy choices or control options. In contrast to traditional opt-­in (i.e., the user must explicitly agree to a data practice) or opt­-out (i.e., the user may advise the system provider to stop a specific practice) preferences, modern approaches advocate for a blend of opt-in and opt-out. Here, users can granularly control information collection and even sharing.
Controls "directly integrated into the notice" can then "be blocking or non­blocking, or they can be decoupled to be used on demand by users." Blocking notice precludes a consumer from performing any other activities before addressing the notice message; non-blocking notice allows a consumer to continue operating without being inhibited by the notice.
Starting with these fundamentals, companies can adopt various techniques to provide effective notice and choice to consumers. Companies should strive to properly inform their consumers about data collection, use, and sharing and what the consumers' rights are. The IoT poses new challenges for the design of privacy notices and controls, and it is up to companies to adopt an approach that provides consumers the necessary information to make informed decisions.

This article is part of Ice Miller’s Smart Connections | Internet of Things Guide. This guide can serve as a shared resource for your peer group discussions to give everyone the background he or she needs on the business and legal issues behind connected devices. Click here to learn more.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.

  • Perspectives

    • Startup Spirit Fuels Growth

      As the South Bend - Elkhart Region celebrates a $42.4 million grant from Lilly Endowment Inc., we know that the work to make the best investment with it is really just beginning. The spirit of entrepreneurship has been a vibrant part of our region for decades and the story of our family company could be somewhat of a guidebook for the region as it ventures forward. ITAMCO began as a dream of my uncle Donald Neidig and my father Noble Neidig to have their own business.



Company Name:
Confirm Email:
INside Edge
Morning Briefing
BigWigs & New Gigs
Life Sciences Indiana
Indiana Connections


  • Most Popular Stories

    • The Waterside project aims to transform 100-acres of the former GM Stamping Plant site. (photo courtesy of Ambrose Property Group)

      Ambrose, Glick Partner on Waterside

      Indianapolis-based Ambrose Property Group has announced a key partnership for the redevelopment of the former GM Stamping Plant in downtown Indianapolis. The commercial real estate firm is teaming up with the Gene B. Glick Co. to build and manage apartments as part of the $1.4 billion mixed-use redevelopment project. Ambrose says the partnership is also part of plans to catalyze "philanthropic and community-centric strategies to strengthen Indianapolis." The firm also...

    • NIBCO is headquartered in Elkhart. (photo courtesy of NIBCO)

      Companies Detail Closures, Layoffs

      Four companies have announced plans to lay off a total of nearly 300 employees. In separate notices filed with the state, the companies say the moves will affect workers in Indianapolis, Fort Wayne, Charlestown and Peru.

    • (Rendering provided by the city of Fishers.)

      Flexware to Break Ground on Headquarters

      Fisher’s based engineering servicing firm, Flexware Innovation Inc., will break ground Thursday on its new headquarters the Nickel Plate District Amphitheater. The $3.5 million project will feature a 35,000-square-foot office building with 12,000-square feet of office space for Flexware and what it calls “a build-to-suit area” in the remaining space. 

    • (rendering courtesy of Brightmark Energy)

      Construction to Begin on Plastics-to-Fuel Plant

      California-based Brightmark Energy will today break ground on its $260 million plastics-to-fuel plant in the northeast Indiana town of Ashley. The 112,000-square-foot facility, which the company says will be the first of its kind in the nation, is expected to create 136 full-time jobs when fully operational. The plant will use a state-of-the-art process to recycle plastic waste that has reached the end of its useful life, including items that normally cannot be recycled, such as...

    • Photo courtesy of Lafayette Elementary School

      Hammond to Close Three Schools, to Cut Jobs

      The  School City of Hammond board has voted to close three schools and cut 130-150 positions. Our partners at The Times of Northwest Indiana report Columbia and Lafayette Elementary schools, and the Miller School will close after this school year.