I Told You So: An Approach to Notice & Choice in The Internet of Things

Posted: Updated:

From cellphones and computers, to refrigerators and televisions, to vacuum cleaners and dishwashers, everyday devices of consumers' lives are increasingly connected to the internet (and to each other). While connected devices have incredible benefits, they also raise significant privacy concerns. The expansive (and ever expanding) network of interconnected devices has also proliferated data collection. Devices now sense, measure, collect, analyze, and transmit voluminous amounts of data. Each bit of data, either individually or when combined together with other data, has the potential to reveal personal or sensitive information about consumers. In essence, companies can now gain (and potentially share) digital insight into otherwise private activities.
 
To address this growing new world, the Federal Trade Commission (FTC) advocates the fundamental privacy principle of "notice and choice." That is, companies must inform consumers how they plan to use and share their data and give consumers choices about use and sharing.
 
What does notice and choice entail?
According to the FTC, effective notice should contain relevant information that draws the consumer's attention. This can include:

• who the consumer is doing business with;
• what information the consumer will be sharing, with whom, and for what purpose;
• whether the consumer receives any benefit from the information sharing;
• what other parties are doing with the shared information and why;
• what options the consumer has if he/she changes his/her mind; and
• whether the consumer has any control over the deletion or removal of the information.

When should you provide notice and choice?
The FTC has stated companies must provide "consumers with the ability to make informed choices" but also acknowledges that "companies should not be compelled to provide choice before collecting and using consumer data for practices that are consistent with the context of a transaction or the company's relationship with the consumer." The FTC uses an example that a “smart oven” that transmits data so its owner can merely set baking temperatures using his/her cell phone is more consistent with the consumer's expectation than an oven transmitting usage statistics to marketing companies (who may then market to such consumers).
 
Tracking and transmitting information that is generally consistent with consumers' reasonable expectations does not necessarily require prior disclosure. However, notice and choice is particularly prudent when companies are collecting, using, and sharing data in a manner that is inconsistent with consumers' reasonable expectations. 
 
How and where to should companies provide notice and choice?
Providing notice and choice can be more difficult with Internet of Things (IoT) devices. Some devices, for example, lack a screen to support viewing lengthy privacy policies and terms of use. In order to overcome the technical and practical limitations of IoT devices, the FTC believes that companies must consider new techniques and methods to convey notice and choice information to consumers. Recently, researchers from Carnegie Mellon University, the RAND Corporation, and Google proposed an approach to deploying notices that takes into consideration various elements.
 
The timing of notice and choice:
Timing dictates when a consumer receives a privacy notice and has been "shown to have a significant impact on the effectiveness of notices." Timing choices include:

'At setup' notice that occurs when a system is used for the first time.
'Just in time' notice that can be used when a particular practice is activated.
'Context-dependent' notice that can be used based on a consumer's or a system's relevant context.
'Periodic' notice that is presented every time a practice occurs.
'Persistent' notice where a user is continuously informed of a practice, usually in a non-intrusive manner.
'On demand' notice is used to accommodate consumers' active requests for privacy information.

The channel of providing notice and choice:
How the notice is delivered depends on its channel.
 
Notice provided on the same platform or device with which a user interacts is a primary channel; a secondary channel leverages out-­of-­band communications. For example, wearables, smart home appliances, and IoT devices with very small or no displays make it difficult to display notices in an informative way. Out-of-band communications, like text messages or emails, can serve as secondary channels to overcome primary-channel limitations.
 
Public channels can be leveraged to provide notice (and potentially choices) in cases where systems are not aware of the identity of the consumer. While primary and secondary channels target specific users, public channels can serve mass notice–the way warning signs in public places inform about video surveillance.
 
The control the user has:
Whenever possible, privacy notices should not only provide information about data practices but also include privacy choices or control options. In contrast to traditional opt-­in (i.e., the user must explicitly agree to a data practice) or opt­-out (i.e., the user may advise the system provider to stop a specific practice) preferences, modern approaches advocate for a blend of opt-in and opt-out. Here, users can granularly control information collection and even sharing.
 
Controls "directly integrated into the notice" can then "be blocking or non­blocking, or they can be decoupled to be used on demand by users." Blocking notice precludes a consumer from performing any other activities before addressing the notice message; non-blocking notice allows a consumer to continue operating without being inhibited by the notice.
 
Starting with these fundamentals, companies can adopt various techniques to provide effective notice and choice to consumers. Companies should strive to properly inform their consumers about data collection, use, and sharing and what the consumers' rights are. The IoT poses new challenges for the design of privacy notices and controls, and it is up to companies to adopt an approach that provides consumers the necessary information to make informed decisions.

This article is part of Ice Miller’s Smart Connections | Internet of Things Guide. This guide can serve as a shared resource for your peer group discussions to give everyone the background he or she needs on the business and legal issues behind connected devices. Click here to learn more.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.

  • Perspectives

    • Take Time to Face Reality

      When is the last time that you as a business owner truly stopped for 30 minutes or an hour and truly took some quiet time to reflect on your business? Like most owners, it’s probably been quite some time. We all get busy doing things, working hard, taking care of customers, running the business. But if we don’t take some time each day, week, month or quarter to slow down, we are setting ourselves up for failure. Business leaders and owners need the time to slow down to...

    More

Subscribe

Name:
Company Name:
Email:
Confirm Email:
HTML
INside Edge
Morning Briefing
BigWigs & New Gigs
Life Sciences Indiana
Indiana Connections
INPower
Subscribe
Unsubscribe

Events



  • Most Popular Stories

    • (Image provided by the Capital Improvement Board.)

      Indy Alters Plans for Downtown Hotels

      The city of Indianapolis has announced plans to change the framework for a major project in downtown Indy that has sparked controversy. The $120 million project, announced in October 2018, calls for an expansion of the Indiana Convention Center and two new hotels at Pan Am Plaza, which would add about 1,400 rooms. The project has drawn criticism from a group of hoteliers, who have expressed concern of a potential oversaturation in downtown Indy. Indianapolis Mayor Joe Hogsett issued...

    • How Elkhart Became The RV Capital of The World

      Today we all know Elkhart, Indiana as the RV Capital of the World. More than 80 percent of global RV production is based throughout the region. That means that if you see an RV rolling down the road anywhere in the world, chances are that it was built with the craftsmanship and dedication of Hoosiers.

    • Shelly Timmons

      IU Health Names New Leader of Neurosurgery

      The Indiana University School of Medicine and IU Health Physicians have named Shelly Timmons to lead the department of neurosurgery. She previously served at Penn State Health Milton S. Hershey Medical Center as vice chair for administration in the department of neurosurgery and director of neurotrauma.  

    • Elanco is headquartered in Greenfield.

      Elanco Finishes Deal on Pet Therapeutics Purchase

      Greenfield-based Elanco Animal Health Inc.(NYSE: ELAN) completed its purchase Thursday of Aratana Therapeutics (Nasdaq: PETX), a pet therapeutics company located near Kansas City. As Inside INdiana Business first reported Tuesday Aratana shareholders voted overwhelmingly in favor of the $245 million deal. 

    • On-Air

      Find out when and where you can watch and listen to our reports.