Four Strategies for Protecting User Data

You probably do not have sinister plans for collecting consumers' data, but when deploying a customer-facing IoT system, you need to carefully plan how, when, where and why data is collected and stored.
By Mary Catherine O'Connor
Feb 18, 2016

Two lawyers walk into a conference room full of technologists.

No, that is not the beginning of a bad joke. It's what happened last week at the IoT Nexus conference in San Francisco.

Laura Berger
Laura Berger, an attorney in the Federal Trade Commission's Division of Privacy and Identity Protection, and Gail Gottehrer, a partner with the firm Axinn, Veltrop & Harkrider LLP, appeared on a panel designed to help companies that are deploying Internet of Things technologies to, as the panel's title put it, "align privacy requirements with business needs."

Early in the session, Berger asked any attorneys in the room to raise their hands. Not a single one of the approximately 50 attendees in the conference hall at San Francisco's Kabuki Hotel moved a finger. She said that did not surprise her, and that companies deploying IoT technologies that capture and store consumer data often fail to engage their legal team in determining what information will be collected, for how long, for what purpose, and how the firm will go about informing consumers about this data collection and provide options for opting in or out. That is partly why she is currently working on 50 different court cases involving privacy protections and consumer data, she added.

Gottehrer reminded the audience that they should be thinking critically about not just consumer data collection, but also data collection related to employees. Her firm represents businesses that have faced litigation brought from workers who allege that they were fired because data collected by their employer tracked their whereabouts.

Say, for example, a company uses telematics or geofencing to monitor a fleet of trucks. The firm might not take into account where the driver goes during a lunch break, but if that driver is later fired, he could allege that the employer terminated him because, say, he visited an AIDS clinic or attended a political rally. "Oftentimes," she said, "the employee was fired for poor performance and the company did not even realize it was tracking location data when the driver was off-duty and never planned to use it." In these cases, "the company has to prove a negative, which is very hard to do."

During the course of the panel, Berger and Gottehrer offered a number of best practices that businesses integrating IoT technologies into their products or operations ought to heed.

Be careful about the types of data you collect. What you can collect and what you should collect are not always the same things. Say you make a smart-home device and, in order to set up a user account and send alerts to the user, request an e-mail address. You could also request that users send you their e-mail account passwords, and a surprisingly high percentage of users might comply with this request, not realizing how vulnerable this makes them in the event that your corporate database is hacked. There is no benefit to storing users' e-mail passwords (unless you plan on hacking into their accounts) and plenty of risk in doing so, Berger said, so businesses shouldn't collect it in the first place. "We tell people to think about the potential for data collection to harm consumers," she said, adding that as a rule of thumb, the more consumer data you collect, the bigger your burden is to responsibly and securely store it.

Simply enter a question for our experts.
Sign up for the RFID Journal Newsletter
We will never sell or share your information
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations