
Privacy and Security in an Age of Connected Toys, Smart Homes and IoT

A primer on what to be aware of – lean into the issues instead of away

When the US Senate, the Federal Trade Commission and the FBI all focus on the importance of security and privacy in the Internet of Things (IoT), that is a big heads-up to the industry that it needs to address these concerns from product inception.

Outlined below are four important "rules" that consumer product manufacturers need to be aware of, and that many of them have never needed to know before. These are the new "gotchas" in today's connected-product IoT world.

1) COPPA

The Federal Trade Commission kicked off the regulatory spurt with updated guidance on "new business models" such as IoT devices, making it clear that the Children's Online Privacy Protection Rule ("COPPA") applies to these kinds of connected devices. News about connected toys like the My Friend Cayla doll, which was easily hacked, and Mattel's Hello Barbie has raised privacy concerns from both parents and regulators.

As part of the latest guidance, the FTC updated their Six Step Compliance Plan for companies. The first step in the compliance plan is determining whether your company is collecting personal information from children under the age of 13, and if so, whether you have properly obtained parental consent – which is not a simple matter. 


As companies that have not previously been subject to COPPA jump into the IoT space – with connected toys, smart cars, virtual assistants in the home and more – they are grappling with the cost of designing products that comply with COPPA, or else facing fines of up to $40,654 per violation.

The HBO show Silicon Valley gave us an example of how a company could find itself facing unforeseen penalties for COPPA violations, when the Pied Piper gang discovered that their app was being used by tens of thousands of underage consumers without any of the required infrastructure in place.

2) Internet of Things Cybersecurity Improvement Act

On August 1, 2017, Senators Mark Warner and Cory Gardner, co-chairs of the Senate Cybersecurity Caucus, introduced the Internet of Things Cybersecurity Improvement Act of 2017, which would require that connected devices purchased by the US government meet certain minimum security standards. The legislation attempts to address the "market failures" that have occurred with certain IoT products – for example, products that shipped with hardcoded passwords, or that have been conscripted into botnets to launch DDoS attacks – by legislating how the Federal Government procures connected products.

Federal agencies are estimated to have spent $4 billion on sensors between 2011 and 2015, and departments like the Department of Agriculture and the Department of Defense rely heavily on sensors and wearables.

While this bill only applies to companies that are selling their IoT products to the Federal Government, Senator Warner hopes that “the sheer purchasing power” of the government will spur similar security improvements in products sold to consumers.

3) FBI Security Alert

Several weeks earlier, the FBI issued a security alert warning parents (and others) that Internet-connected toys represent a privacy concern for children, and set out a list of best practices. While these recommendations are logical, many of them are likely out of reach for many parents. I confess that researching whether a toy can "receive firmware and/or software updates" or looking into where the user data is stored would be among the last things I would attempt to do as a mom setting up my child's birthday present. However, this list of recommendations may end up serving as the basis for determining the reasonable standard of care required of companies in the IoT space.

4) EU General Data Protection Regulation

Further complicating the regulatory scheme for privacy and security is the looming General Data Protection Regulation ("GDPR") in the European Union, which will impact ANY company that offers goods or services to, or monitors the behavior of, people in the EU, wherever that company is located, and which takes effect on May 25, 2018.

What is the takeaway for manufacturers? Instead of putting their heads in the sand and hoping to avoid the new laws, manufacturers need to embrace them fully.

Manufacturers of connected products should lean into security and privacy issues, with clear messages on packaging, as part of the product and in their advertising, and leverage that to develop a trusted relationship with their consumers.

Embrace Privacy by Design

Add up all these regulations, not to mention specific rules in the health, finance and credit industries, along with state laws, and it becomes evident that companies in the IoT space need to proactively adopt Privacy by Design principles, follow FTC guidance, appoint Chief Privacy Officers and make security and privacy featured aspects of their business.


Ad Age Article re the Terror of Tech Toys

Forget Chucky. Today’s Tech Toys Are Much Scarier (for Marketers)


They’re cute and fun, they answer “Why” questions with more patience than most parents, and they keep kids occupied for hours on end. But are tech toys a danger for kids?

As internet-connected products gain in popularity with both children and parents, toy marketers are grappling with the challenges of selling products that could be hacked, opening the door to privacy concerns and PR disasters. 

“If you’re traditionally a toy company and now you’re adding this layer of connectedness, you’re wading into areas you know nothing about,” said Michele Martell, an attorney who runs consultancy Martell Media House. “You’re not a tech company, but you’ve become one because now you’re an Internet-of-Things company.”

Security pitfalls aplenty

There’s already been fallout. When El Segundo, Calif.-based Mattel this year released Aristotle, a smart baby monitor that grows with a baby to become an AI-type friend for children, the Campaign for a Commercial-Free Childhood public service group immediately denounced the $300 device as a “data-collecting intruder.” Mattel declined a request for comment.

Aristotle follows in the footsteps of My Friend Cayla, a talking doll made by Genesis that records conversations. It was banned in Germany amid spying anxiety. VTech and Mattel’s Hello Barbie have also had security issues in recent years.

“Most of the really hot tech stuff is interactive,” acknowledged Chris Byrne, a toy industry consultant and content director for TTPM, which stands for Toys, Tots, Pets & More. “Whenever you have something that’s about data and people are connecting data, there’s a vulnerability there.”

Some brands say that fully interactive toys are not always needed, especially for the youngest of consumers. Wicked Cool's Teddy Ruxpin, which connects to an app via Bluetooth, engages with kids via LED eyes and is primarily a storyteller, said Jeremy Padawer, a partner at the Philadelphia-based company. Wicked Cool also makes Baby So Real, a Cabbage Patch doll equipped with 40 different facial expressions to communicate emotions. Neither exists in an "open universe" connection that could fall prey to hackers, Padawer said.

“The more open the architecture, the more risk you introduce to the kid,” he said. “Baby So Real is a baby doll that’s not going to engage with a 12-month-old on policy.”

A CogniToys Dino, a smart toy that talks with kids. Credit: CogniToys

Robots in the family

Of course, the older children get, the more they expect. And tech-hungry youths, who are increasingly accustomed to having a robot in the family — whether Siri, Alexa or Google Home — can become disinterested in dumbed-down devices. That poses another hurdle for marketers, noted Martell. She suggests brands be more transparent on packaging, making disclaimers much like “Batteries not included,” about the risks associated with certain devices, or at least direct consumers to more details online. In addition, industry guidelines with a set of best practices could also help manufacturers.

“Toy companies need to lean forward into this and be super transparent with parents,” she said. “That’s a selling proposition [for marketing] as opposed to making it all about the shiny bells and whistles of the product.”

Higher pricetag

CogniToys, a three-year-old brand, tackled the issue head-on with a blog post in the recent holiday season. In the post, company executives sought to reassure consumers concerned about privacy around Cogni's core product Dino, a speech-enabled smart dinosaur that converses with kids, by spelling out exactly how the device functions. Each Dino is encrypted individually, separately from every other unit, so that compromising one toy does not expose the rest. The security helps justify its relatively stiff $99 price tag.

"We wanted to get ahead of the questions, because inevitably a bunch of questions come with this," said JP Benini, who co-founded Cogni parent company Elemental Path. "We wanted to state our policy and say this is what we've done to ensure and build it out."

The action was well-received by both customers and the tech community. The company, which generated around $2 million in sales last year, will continue to work with security researchers to protect its products. But not all brands are proactive.

"Most of these toys aren't toys — they're consumer electronics that have more in common with a Canary camera or Roomba than a classic consumer toy," said Benini. "As soon as you give an address, you're inviting anyone out there to poke and prod and mess with it."


FTC Cracking Down on Compliance with Disclosure Rules for Influencers

A new report by influencer marketing agency, MediaKix, revealed that as many as 93% of top celebrity endorsements are in violation of the Federal Trade Commission’s rules regarding disclosure and truth-in-advertising.

It has clearly not escaped the FTC’s notice, as they recently sent 90 letters to influencers and their brand partners in April 2017, warning them to comply with existing regulations.

The FTC has previously issued its Endorsement Guides and guidance on native advertising, which require clear and conspicuous disclosures to help consumers understand when a communication is actually an advertisement. The area that most affects social media influencers is endorsements (or testimonials).

An endorsement is “any advertising message that consumers are likely to believe reflects the opinions, beliefs, findings, or experiences of a party other than the sponsoring advertiser, even if the views expressed by that party are identical to those of the sponsoring advertiser.”

Disclosure is required whenever an endorser is:

  • Given an incentive – whether financial or other (such as money, gift, free products, experience, etc.)
  • And where knowledge that the endorser has received such incentive would affect the weight and credibility of the endorser’s statements or actions

An endorser can’t talk about their experience with a product unless they’ve tried it:

  • You must be a bona fide user
  • If giving a positive review, you must have had a positive experience

An act or practice is deceptive if it misleads “a significant minority” of consumers – even if some followers are aware of the sponsorship, many might not be.

Simply tagging a post #sp or #spon is INSUFFICIENT to provide adequate disclosure.

The recent FTC letters further clarify these requirements, noting that disclosure is required if there is a “material connection” between the influencer and the brand. Material connections could consist of a business or family relationship, monetary payment, or the provision of free products to the endorser.

In addition, with respect specifically to Instagram posts, the FTC letters specify that the clear and conspicuous disclosure should be placed in the first three lines of the post, so that a consumer does not have to click “More” to see the disclosure.

With influencer marketing on Instagram alone now a $1 billion business, both influencers and brands should make compliance with FTC rules part of their authentic relationship with their fans.
