The Internet of Things: What If Your Fridge Could Talk?

September 1st, 2015

The interconnection of devices and the issues regarding privacy.

HÉLÈNE BEAUCHEMIN, lawyer | Montreal

The age of the smart fridge has arrived. Thanks to the Internet of Things, your refrigerator now knows your dietary habits better than you do. It even knows when you need milk and how many bottles of juice are left on the shelf.

The number of devices connected to the Internet has already exceeded the number of humans on Earth. Some analysts are even predicting that by 2020 there will be 50 billion such devices worldwide. Given this explosive growth, it seems relevant to take a closer look at the legal issues surrounding this phenomenon.

What is the Internet of Things?

The Internet of Things (“IoT”) refers to the interconnection of everyday devices through sensors, wireless connectivity and applications. One example is the popular Fitbit bracelet, which records your daily physical activity (steps taken, calories burned, hours slept, etc.) and syncs it to a mobile app. Another is Nest, a smart thermostat that adjusts the temperature of your home automatically while you are away and lets you change it remotely from a mobile application.

Main Issues Raised by the IoT

One of the main legal issues raised by the IoT is privacy. In Quebec, the Act Respecting the Protection of Personal Information in the Private Sector (the “Act”) defines personal information as “any information which relates to a natural person and allows that person to be identified”. Because a device such as Fitbit or Nest is tied to an identifiable user, and because it now reaches into areas previously considered private, such as the home and even the human body itself, the data it collects constitutes personal information within the meaning of the Act and is therefore subject to the Act’s rules on collection, use, disclosure and protection.

Thornier still is the question of consent. The Act provides that a person or organization collecting personal information about an individual must inform him or her of the purposes for which the information is collected and how it will be used. Consent must be clear, free and informed, and it must be given for specific purposes; a use such as targeted advertising is a distinct purpose that requires its own consent. The organization collecting the information must also take reasonable security measures to protect it, having regard to its nature, its sensitivity and the use to which it will be put.

The challenge is that IoT products do not necessarily offer a user interface through which the usual consent mechanisms can operate: many fitness bracelets, including early Fitbit models, have no screen at all. The companion apps transfer data in the background, so users cannot see what is being sent, to whom, or when, and are therefore less able to exercise their privacy rights. Furthermore, terms of use and privacy policies are often drafted in complex language, which makes it difficult for a consumer to determine how his or her personal information will be used and who within the organization will have access to it. This matters most when devices collect very sensitive data, such as information about a user’s health. It is hard to imagine that a consumer who consented to data collection for the specific purposes of an application would also agree to have that information shared with third parties such as insurance companies and advertising agencies.

Potential Solutions

A number of government agencies have analysed legal issues relating to the IoT and proposed a variety of solutions. In January 2015, the American Federal Trade Commission (FTC) published a report on privacy and security issues related to the IoT. The European Commission has also published several studies, beginning in 2012, as part of its Digital Agenda for Europe.

One of the proposed solutions is to encourage developers to build privacy and security into their product design from the outset (“privacy by design”). For instance, a product’s default settings should collect only the information necessary to make the product work, with any further collection switched off until the user opts in. Within the organization, the collected information should be accessible only to the specific roles that need it for a purpose the user has consented to, which reduces the risk of theft and the risk of the data being used for a purpose outside the scope of the user’s consent.
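As an added illustration of the two design principles in the paragraph above (collect only what the product needs by default, and let only the roles with a consented purpose read what is stored), here is a small Python model of the idea. It is an example written for this article, not code from the original page or from Fitbit, Nest or any other vendor; the field names, purposes, roles and the sample reading are assumptions chosen for illustration.

```python
"""Privacy-by-default handling of tracker data.

Added example for this article; not code from the original page or from any
vendor. Field names, purposes and roles are assumptions for illustration.
"""
from dataclasses import dataclass

# Purpose(s) each field may be collected for. "service" is the minimum needed
# to operate the product and is the only purpose enabled by default.
FIELD_PURPOSES = {
    "steps": {"service"},
    "sleep_hours": {"service"},
    "heart_rate": {"service", "research"},
    "calories": {"service", "advertising"},
    "gps_track": {"route_map"},   # location: collected only after opt-in
}

DEFAULT_PURPOSES = frozenset({"service"})

# Which internal role may act for which purpose (least privilege).
ROLE_PURPOSES = {
    "support": {"service"},
    "research": {"research"},
    "marketing": {"advertising"},
}


@dataclass(frozen=True)
class Consent:
    """Purposes a user has agreed to; starts at the privacy-preserving default."""
    user_id: str
    purposes: frozenset = DEFAULT_PURPOSES

    def with_opt_in(self, purpose: str) -> "Consent":
        return Consent(self.user_id, self.purposes | {purpose})


class PurposeDenied(PermissionError):
    pass


def minimize(reading: dict, consent: Consent) -> dict:
    """Data minimization at collection time: keep a field only if at least one
    purpose it serves has been consented to. Unknown fields are dropped."""
    return {
        name: value
        for name, value in reading.items()
        if FIELD_PURPOSES.get(name, set()) & consent.purposes
    }


def read_field(stored: dict, consent: Consent, role: str, purpose: str, name: str):
    """Purpose-bound access at use time. All three checks must pass: the role
    may act for the purpose, the user consented to it, and the field serves it."""
    if purpose not in ROLE_PURPOSES.get(role, set()):
        raise PurposeDenied(f"role {role!r} may not act for purpose {purpose!r}")
    if purpose not in consent.purposes:
        raise PurposeDenied(f"user {consent.user_id!r} has not consented to {purpose!r}")
    if purpose not in FIELD_PURPOSES.get(name, set()):
        raise PurposeDenied(f"field {name!r} is not collected for {purpose!r}")
    return stored[name]


def demo() -> dict:
    """Walk a constructed reading through default and opted-in consent."""
    # Constructed sample reading from a tracker; the values are made up.
    raw = {"steps": 8421, "sleep_hours": 6.5, "heart_rate": 64,
           "calories": 2100, "gps_track": [(45.5017, -73.5673)], "debug_id": "x1"}
    default = Consent("user-42")
    opted_in = default.with_opt_in("route_map")
    results = {
        "stored_default": minimize(raw, default),
        "stored_opted_in": minimize(raw, opted_in),
    }
    # Support may read steps to service the account.
    results["support_steps"] = read_field(results["stored_default"], default,
                                          "support", "service", "steps")
    # Marketing may not read calories for advertising: the user never consented
    # to that purpose, even though the field is on file because it also serves
    # the product itself.
    try:
        read_field(results["stored_default"], default, "marketing", "advertising", "calories")
        results["marketing_calories"] = "allowed"
    except PurposeDenied as exc:
        results["marketing_calories"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point to notice is that consent is enforced twice: at collection, where fields with no consented purpose (the GPS track, the stray debug field) are never stored, and at use, where a field legitimately on file for operating the product still cannot be read for an unconsented purpose such as advertising.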

Organizations should also ensure that they obtain consumers’ consent to the collection and use of their data, particularly where collection happens outside the usual interaction between the user and the organization (a sensor reporting on its own, rather than a form the user fills in). Many organizations will need to review their privacy policies so that users are specifically informed of what data is collected and how their personal information is used. Companies must also ensure that every technical change or improvement continues to comply with those policies, or that the policies are amended accordingly and that end users consent to the amendments.

A recent survey published by the University of Pennsylvania in June 2015 revealed that Americans are uncomfortable with the increased sharing of their personal information, but feel powerless against corporations. Important business opportunities will be available to companies that gain consumer confidence by building security and integrating privacy mechanisms into their devices at the outset, rather than as an afterthought.

Is your organization looking to find out more about the IoT in order to address privacy concerns? Contact us for further guidance.

Hélène Beauchemin is a member of BCF’s Internet strategic team, which offers our clients strategic advice regarding their online presence. This is a continually evolving environment which calls for the expertise of a multidisciplinary team like that of BCF.