If you follow our blog, you know that we often write about issues involving the FTC and the CPSC, but we usually do not write about both in the same post. Now those worlds have collided. The staff of the FTC’s Bureau of Consumer Protection (“BCP”), a prominent voice in the Internet of Things dialogue, recently filed comments in response to a CPSC request for information about the potential safety hazards linked to internet-connected products. The request follows a May 16 hearing that included speakers representing a variety of industries and organizations, such as the Retail Industry Leaders Association, Underwriters Laboratories Inc., Consumer Reports, and the Electronic Privacy Information Center. The BCP staff’s comments specifically address the following topics:
- Best practices for mitigating safety hazards. The BCP staff’s comments treated security and safety as going hand in hand and recommended that companies offering connected devices (1) conduct risk assessments to evaluate their security programs and pinpoint possible threats before launching a product; and (2) oversee their service providers, including by incorporating security standards into contracts and ensuring that the providers are complying with applicable security standards.
- Registration for safety alerts and information related to recalls. The BCP staff recommended implementing a process similar to the CPSC’s current protocol for alerts related to infant and toddler products, wherein manufacturers and retailers are required to provide a safety registration card with the product. Instead of requiring the consumer to mail in a registration, however, a URL could be included for online registration.
- The role of government in regulating IoT security. The BCP staff did not take a position on whether the CPSC should implement regulations specific to IoT device hazards, but suggested that, if the CPSC considers such regulation, it should take a technology-neutral approach so that any such regulation does not quickly become obsolete.
The CPSC continues to evaluate these issues while coordinating with other federal entities like the FTC and NIST, tracking state legislative developments, and exploring the role of voluntary standards. Any company that makes, imports, distributes, or sells a connected product should continue to watch for developments.