
Privacy and Security in an Age of Connected Toys, Smart Homes and IoT

A primer on what to be aware of – lean into the issues instead of away

When the US Senate, the Federal Trade Commission and the FBI all focus on the importance of security and privacy in the Internet of Things (IoT), that is a big heads-up to the industry that it needs to address these concerns from product inception.

Outlined below are four important "rules" that consumer product manufacturers need to be aware of and that they may never have needed to know before. These are the new "gotchas" in today's connected-product IoT world.

1) Children's Online Privacy Protection Rule (COPPA)

The Federal Trade Commission kicked off the regulatory spurt with updated guidance on "new business models" such as IoT devices, making it clear that the Children's Online Privacy Protection Rule ("COPPA") applies to these kinds of connected devices. News about connected toys like the My Friend Cayla doll, which was easily hacked because its Bluetooth connection accepted pairing from any nearby device without authentication, and Mattel's Hello Barbie has raised privacy concerns from both parents and regulators.

As part of the latest guidance, the FTC updated its Six Step Compliance Plan for companies. The first step in the compliance plan is determining whether your company is collecting personal information from children under the age of 13 and, if so, whether you have properly obtained verifiable parental consent, which is not a simple matter.

As companies that have not previously been subject to COPPA rules jump into the IoT space, with connected toys, smart cars, virtual assistants in the home and more, they are grappling with the impact of designing products to comply with COPPA or face fines of up to $40,654 per violation.

The HBO show Silicon Valley gave us an example of how a company could find itself facing unforeseen penalties for COPPA violations when the Pied Piper gang discovered that their app was being used by tens of thousands of underage consumers, without any of the required consent infrastructure in place.

2) Internet of Things Cybersecurity Improvement Act

On August 1, 2017, Senators Mark Warner and Cory Gardner, co-chairs of the Senate Cybersecurity Caucus, introduced the Internet of Things Cybersecurity Improvement Act of 2017, which would require that connected devices purchased by the US government meet certain minimum security standards. The legislation attempts to address the "market failures" that have occurred with certain IoT products, for example products that shipped with hardcoded passwords or that were conscripted into botnets used to launch DDoS attacks, by legislating how the Federal Government procures connected products.

Federal agencies are estimated to have spent $4 billion on sensors between 2011 and 2015, and departments such as the Department of Agriculture and the Department of Defense rely heavily on sensors and wearables.

While this bill applies only to companies selling their IoT products to the Federal Government, Senator Warner hopes that "the sheer purchasing power" of the government will spur similar security improvements in products sold to consumers.

3) FBI Security Alert

Several weeks earlier, the FBI had issued a public service announcement warning parents (and others) that Internet-connected toys represent a privacy concern for children, and setting out a list of best practices. While these recommendations are logical, many of them are likely out of reach for many parents. I confess that researching whether a toy can "receive firmware and/or software updates" or looking into where the user data is stored would be among the last things I would attempt to do as a mom setting up my child's birthday present. However, this list of recommendations may end up serving as the basis for determining the reasonable standard of care required of companies in the IoT space.

4) EU General Data Protection Regulation

Further complicating the regulatory scheme for privacy and security is the looming General Data Protection Regulation ("GDPR") in the European Union, which applies to any company, wherever it is located, that processes the personal data of people in the EU, and which goes into effect in May 2018.

What is the takeaway for manufacturers? Instead of putting their heads in the sand and hoping to avoid the new laws, manufacturers need to wholly embrace them.

Manufacturers of connected products should lean into security and privacy issues, with clear messages on packaging, as part of the product and in their advertising, and leverage that to develop a trusted relationship with their consumers.

Embrace Privacy by Design

Add up all these regulations, not to mention specific rules in the health, finance and credit industries, along with state laws, and it becomes evident that companies in the IoT space need to proactively adopt Privacy by Design principles, follow FTC guidance, appoint Chief Privacy Officers and make security and privacy featured aspects of their business.
