I Told You So: An Approach to Notice & Choice in The Internet of Things

Posted: Updated:

From cellphones and computers, to refrigerators and televisions, to vacuum cleaners and dishwashers, everyday devices of consumers' lives are increasingly connected to the internet (and to each other). While connected devices have incredible benefits, they also raise significant privacy concerns. The expansive (and ever expanding) network of interconnected devices has also proliferated data collection. Devices now sense, measure, collect, analyze, and transmit voluminous amounts of data. Each bit of data, either individually or when combined together with other data, has the potential to reveal personal or sensitive information about consumers. In essence, companies can now gain (and potentially share) digital insight into otherwise private activities.
 
To address this growing new world, the Federal Trade Commission (FTC) advocates the fundamental privacy principle of "notice and choice." That is, companies must inform consumers how they plan to use and share their data and give consumers choices about use and sharing.
 
What does notice and choice entail?
According to the FTC, effective notice should contain relevant information that draws the consumer's attention. This can include:

• who the consumer is doing business with;
• what information the consumer will be sharing, with whom, and for what purpose;
• whether the consumer receives any benefit from the information sharing;
• what other parties are doing with the shared information and why;
• what options the consumer has if he/she changes his/her mind; and
• whether the consumer has any control over the deletion or removal of the information.

When should you provide notice and choice?
The FTC has stated companies must provide "consumers with the ability to make informed choices" but also acknowledges that "companies should not be compelled to provide choice before collecting and using consumer data for practices that are consistent with the context of a transaction or the company's relationship with the consumer." The FTC uses an example that a “smart oven” that transmits data so its owner can merely set baking temperatures using his/her cell phone is more consistent with the consumer's expectation than an oven transmitting usage statistics to marketing companies (who may then market to such consumers).
 
Tracking and transmitting information that is generally consistent with consumers' reasonable expectations does not necessarily require prior disclosure. However, notice and choice is particularly prudent when companies are collecting, using, and sharing data in a manner that is inconsistent with consumers' reasonable expectations. 
 
How and where to should companies provide notice and choice?
Providing notice and choice can be more difficult with Internet of Things (IoT) devices. Some devices, for example, lack a screen to support viewing lengthy privacy policies and terms of use. In order to overcome the technical and practical limitations of IoT devices, the FTC believes that companies must consider new techniques and methods to convey notice and choice information to consumers. Recently, researchers from Carnegie Mellon University, the RAND Corporation, and Google proposed an approach to deploying notices that takes into consideration various elements.
 
The timing of notice and choice:
Timing dictates when a consumer receives a privacy notice and has been "shown to have a significant impact on the effectiveness of notices." Timing choices include:

'At setup' notice that occurs when a system is used for the first time.
'Just in time' notice that can be used when a particular practice is activated.
'Context-dependent' notice that can be used based on a consumer's or a system's relevant context.
'Periodic' notice that is presented every time a practice occurs.
'Persistent' notice where a user is continuously informed of a practice, usually in a non-intrusive manner.
'On demand' notice is used to accommodate consumers' active requests for privacy information.

The channel of providing notice and choice:
How the notice is delivered depends on its channel.
 
Notice provided on the same platform or device with which a user interacts is a primary channel; a secondary channel leverages out-­of-­band communications. For example, wearables, smart home appliances, and IoT devices with very small or no displays make it difficult to display notices in an informative way. Out-of-band communications, like text messages or emails, can serve as secondary channels to overcome primary-channel limitations.
 
Public channels can be leveraged to provide notice (and potentially choices) in cases where systems are not aware of the identity of the consumer. While primary and secondary channels target specific users, public channels can serve mass notice–the way warning signs in public places inform about video surveillance.
 
The control the user has:
Whenever possible, privacy notices should not only provide information about data practices but also include privacy choices or control options. In contrast to traditional opt-­in (i.e., the user must explicitly agree to a data practice) or opt­-out (i.e., the user may advise the system provider to stop a specific practice) preferences, modern approaches advocate for a blend of opt-in and opt-out. Here, users can granularly control information collection and even sharing.
 
Controls "directly integrated into the notice" can then "be blocking or non­blocking, or they can be decoupled to be used on demand by users." Blocking notice precludes a consumer from performing any other activities before addressing the notice message; non-blocking notice allows a consumer to continue operating without being inhibited by the notice.
 
Starting with these fundamentals, companies can adopt various techniques to provide effective notice and choice to consumers. Companies should strive to properly inform their consumers about data collection, use, and sharing and what the consumers' rights are. The IoT poses new challenges for the design of privacy notices and controls, and it is up to companies to adopt an approach that provides consumers the necessary information to make informed decisions.

This article is part of Ice Miller’s Smart Connections | Internet of Things Guide. This guide can serve as a shared resource for your peer group discussions to give everyone the background he or she needs on the business and legal issues behind connected devices. Click here to learn more.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.

  • Perspectives

    • What’s Your Biggest Waste of Money?

      Americans are in the age of reducing waste. There’s a big push to purchase sustainable products, reduce our usage of plastics, and recycle. But has this trend carried over to our personal finances?  Not really.  In a study by The Ascent, the financial expertise arm of The Motley Fool, more than 60 percent of respondents felt they have wasteful financial tendencies. Why is that?

    More

Subscribe

Name:
Company Name:
Email:
Confirm Email:
HTML
INside Edge
Morning Briefing
BigWigs & New Gigs
Life Sciences Indiana
Indiana Connections
INPower
Subscribe
Unsubscribe

Events



  • Most Popular Stories

    • POET ethanol co. announced in Aug 2019 it was closing the plant in Cloverdale. (photo courtesy: POET)

      Cloverdale Ethanol Plant Closes

      South Dakota-based POET LLC, the nation’s largest biofuels producer, is moving forward with a plan to shut down its biorefining plant in Cloverdale, leaving 50 Hoosiers without jobs effective Friday. The company tells Inside INdiana Business that it is not making any changes to the plans announced two months ago. 

    • (IIB Photo/Joe Ulery)

      Neighborhood Concerned About Old GM Site, Too

      As the city of Indianapolis and Ambrose Property Group squabble about the future of the old GM Stamping plant site in downtown Indy, a fight that could end up in court, residents who live near the property are weighing in with their concerns. Jay Napoleon, president of The Valley Neighborhood Association, says it’s important the mixed-use vision for the property remain intact. Napoleon and Ambrose Property Group Vice President Mali Simone Jeffers talked about the future of...

    • (Image of downtown Shelbyville courtesy of Mainstreet Shelbyville Inc.)

      Shelbyville Unveils Major Downtown Redevelopment

      The city of Shelbyville is announcing what it calls a major downtown redevelopment project to boost overall quality of life. The project plans feature green spaces, increased parking, market-rate housing, and infrastructure for public entertainment and community events. 

    • What’s Your Biggest Waste of Money?

      Americans are in the age of reducing waste. There’s a big push to purchase sustainable products, reduce our usage of plastics, and recycle. But has this trend carried over to our personal finances?  Not really.  In a study by The Ascent, the financial expertise arm of The Motley Fool, more than 60 percent of respondents felt they have wasteful financial tendencies. Why is that?

    • The IU School of Informatics, Computing and Engineering will now be named for Fred Luddy for his $60M gift. (photo courtesy James Brosher/IU)

      $60M Gift to Fund AI Center

      An Indiana University alumnus who founded the information technology firm, ServiceNow, has given his alma mater $60 million to establish an artificial intelligence center. The university says the gift from cloud-computing pioneer Fred Luddy is the second largest in the history of the IU.