The Future of Consumer Data Security, Privacy and the Internet of Things: Guidance from FTC Commissioner Terrell McSweeny

February 09, 2016

Mary-Elizabeth M. Hadley

In an event yesterday at the U.S. Chamber of Commerce, Federal Trade Commission (“FTC”) Commissioner Terrell McSweeny offered businesses the following guidance on current privacy, data security and the Internet of Things (“IoT”) issues.

Data Security is Key to the IoT: The key, according to Commissioner McSweeny, is ensuring that consumers can trust new IoT products. Although consumers also want transparency, ensuring their personal information is held securely is the “bedrock” in this context.
The Commissioner cited recent consumer surveys as evidence that data security is increasingly becoming a household concern as consumers decide whether to adopt particular technology. Accordingly, prioritizing data security is in everyone’s interest.
Companies should think about privacy and security as early in the design process as possible, and ensure their public commitments match their actual practices.
Smart Line-Drawing: Commissioner McSweeny noted that in using its deception and unfairness authority to target unreasonable practices, the FTC has sought to be “technology-neutral.” For example, its privacy by design and security by design guidance have not prescribed specific practices.
Following Wilson’s Lead: By studying industry, informing itself about what is happening to consumers and then deciding whether to take action, the Commissioner explained that the FTC is following the mandate of its creator, Woodrow Wilson.
Expanding Technical Expertise: Commissioner McSweeny further emphasized the need to increase technologists’ role in regulating and enforcing privacy and data security, particularly to understand the potential implications of building in encryption backdoors (which she has publicly opposed).
FTC Role in the Privacy Shield: When asked about the recent agreement between U.S. and EU authorities to replace the U.S.-Safe Harbor, Commissioner McSweeney emphasized that the FTC is “incredibly capable” of ensuring European consumers are provided appropriate security measures, citing the more than 30 cases the FTC brought to enforce the prior data transfer agreement. Although the United States employs a sector-specific approach to regulating privacy, the Commissioner characterized the U.S. and EU approaches as fundamentally similar. In her mind, the FTC can and should play a role in explaining its understanding of what the Privacy Shield will offer, why it’s believed to be a good agreement and what the Commission can do to enforce it.
Data Ethics by Design: Recognizing that data are currently the “life blood” of many companies, Commissioner McSweeney echoed themes from the FTC’s recent report, including the concern that big data can contribute to discrimination against consumers. To minimize that risk, the Commissioner called for a national conversation regarding “data ethics by design.” She further recommended that companies proactively evaluate (i) what their technology is doing with data; (ii) how problems will be detected; and (iii) how any such problems will be corrected and disclosed.
Room for Improvement: Noting that perfect privacy protection for consumers has yet to be achieved, Commissioner McSweeny suggested comprehensive data security legislation may be a step in the right direction. With the caveat that the FTC reserves the right to review and comment, she also recognized the potential value in self-regulation. Any such frameworks must be updated as best practices evolve, however.

Caveat Vendor is Paul Hastings’ Consumer Issues blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions. [_Subscribe to Caveat Vendor](http://www.paulhastings.com/publications-items/blog/caveat-vendor/subscribe)_. You will receive an email when the blog has been updated.