In an aggressive expansion of its security and privacy enforcement programs, on September 15, 2021, the FTC issued what it characterized as a “Policy Statement” reinterpreting an old rule about personal health records.

First, some background. In 2009, Congress directed the FTC to create a rule requiring companies to provide notice when there

Regulatory interest in Internet of Things (“IoT”) devices is growing, partly in response to concerns about device security. In January, for example, California’s IoT Law (SB 327) went into effect. This law requires manufacturers of IoT devices to equip the devices with reasonable security features appropriate to the nature and function of the

On January 10, 2019, Massachusetts Governor Charlie Baker signed into law Massachusetts’s Data Breach Notification Act, which amends Massachusetts data breach reporting laws. The new law, available here, amends the timing and content of individual and regulator data breach notifications, and provides for credit monitoring services when social security numbers may have been

Last month, CTIA, the wireless industry association, launched an initiative through which wireless-connected Internet of Things (“IoT”) devices can be certified for cybersecurity readiness. According to the CTIA announcement, the CTIA Cybersecurity Certification Program (the “Program”) is intended to protect both consumers and wireless infrastructure by creating a more secure foundation for IoT applications

If you follow our blog, you know that we often write about issues involving the FTC and the CPSC, but we usually do not write about both in the same post. Now those worlds have collided. The staff of the FTC’s Bureau of Consumer Protection (“BCP”), a prominent voice in the Internet of Things dialogue,

Manufacture, import, or sell a connected device? In addition to the potential hazards associated with the physical performance of the product, you also need to consider the potential hazards associated with the product’s connectivity. The Consumer Product Safety Commission (“CPSC”) is considering the Internet of Things and will hold a public hearing on May 16 for interested stakeholders to discuss the potential safety issues with connected products and the CPSC’s role in addressing these issues, along with industry best practices and current standards development. Privacy and personal data security issues in the IoT environment do not fall under the CPSC’s jurisdiction, but the agency has the authority to cover consumer hazards resulting from IoT products, which could include fire, burn, shock, tripping or falling, laceration, contusion, and chemical exposure.

The CPSC has identified two product safety challenges associated with IoT products: (1) preventing or eliminating hazardous conditions designed into products intentionally or without sufficient consideration; and (2) preventing and addressing incidents of hazardization. While the former falls into the CPSC’s wheelhouse of preventing and correcting consumer product issues, the latter is a non-traditional area of product safety activity and could pose some challenges given the high rate of growth of connected products. The CPSC defines hazardization as “the situation created when a product that was safe when obtained by a consumer, but which, when connected to a network, becomes hazardous through malicious, incorrect, or careless changes to operational code.” Examples include a connected cooktop with a software glitch that ignites without the consumer’s knowledge and starts a fire, or an integrated home security system that fails to download a software update and, because its default condition is to deactivate the system, disables the smoke alarms without the consumer’s knowledge.

Earlier this week, the FTC announced its first settlement involving internet-connected toys. The FTC alleged that the Kid Connect app used with some of VTech’s toys collected personal information from hundreds of thousands of children, and that the company failed to provide direct notice of its privacy practices to parents, or to obtain verifiable consent

Last Friday, ten consumer and privacy advocacy groups, including the Electronic Privacy Information Center, Center for Digital Democracy, and Consumer Watchdog, sent a letter to Acting Chairman Ann Marie Buerkle, requesting that the CPSC recall the Google Home Mini smart speaker. The speaker was designed to respond to the voice commands, “OK, Google” and “Hey,

On June 28, the FTC and National Highway Traffic Safety Administration (NHTSA) brought together a variety of stakeholders including regulators, automakers, software companies, and consumer groups to discuss connected cars, including current innovations and challenges in the field of data privacy. Acting FTC Chairwoman Maureen Ohlhausen opened the day by asserting that regulators will need

On Monday, the FTC submitted comments to the draft National Telecommunications and Information Administration (NTIA) guidance intended to improve Internet of Things (IoT) device security and increase consumer transparency. While recognizing the benefits (and proliferation) of IoT devices, the Commission’s comments caution that such benefits can only be realized when device manufacturers both incorporate –