The Internet of Things is “a game-changing moment in our relationship with technology and personal data as we stand on the edge of a data explosion from interconnected devices,” according to TRUSTe, which played host to a discussion on July 10 to try to answer an important question: “Can we have privacy and the Internet of Things?”

Yen Nguyen, deputy attorney general for the privacy enforcement & protection unit at the California Department of Justice, observed that her state is ahead of others in the regulation of this phenomenon. “California law regulates certain sects of the internet of things. For example, California recently began to regulate smart meters.” California is providing minors an online right to be forgotten, rolling out transparency in online tracking, making recommendations for mobile app privacy and cybersecurity for businesses, as well as stiffening data security requirements. Nguyen’s boss, Attorney General Kamala Harris, was rated one of the top 10 government players in consumer data privacy this year.

The Golden State is usually a leader on data privacy and data security (not always a positive thing for the survey, opinion and marketing research profession).

She went on to lament the absence of overarching privacy laws in the U.S. Asked about the relevance of privacy policies, Nguyen said they were “still useful,” and still read by regulators and consumer activist groups. More importantly, however much the model may be threatened by the Internet of Things, Nguyen concluded that “notice and choice is still the law.”

Nancy Libin, a partner at Wilkinson Barker Knauer LLP, argued that “a very rigid application of the notice and choice regime… is not feasible in an Internet of Things.” She suggested instead moving to a framework based on “reasonable use.”

“We really need to predict and analyze business models,” Libin said, which is “going to be really hard,” but she warned that “premature regulation would be detrimental” to the full development and value of the Internet of Things. “We are entering an era when even just-in-time notice is causing a lot of friction” and is becoming too cumbersome.

The FTC can go beyond – and in some respects has already gone beyond – notice and choice. FTC Attorney Laura D. Berger argued that the agency has moved on to enforcing “reasonable expectations of a consumer.” She warned the audience that “having something in the fine print your privacy policy or EULA will not inoculate you if a reasonable user would have had a different impression.”

Although the FTC has been requesting that Congress pass a “baseline privacy law” for several years, Berger noted that, in the meantime, the agency’s “unfair and deceptive trade practices is a powerful tool.” That power helped make the FTC the top legal issue for the research profession in 2014.

Berger presented on data security best practices at an MRA privacy officer training seminar back in 2007.

Dan Caprio, managing director at McKenna Long & Aldridge LLP, argued that notice and choice gives too much information and too much choice to the consumer. He generally counsels his clients to fix their known flaws before anything else. He concluded that a self-regulatory approach to privacy is more helpful to everyone in making that work.

For more details and discussion on the Internet of Things, see this 5-part report from an FTC workshop:

  1. The Internet of Things: Connected devices are changing the world for consumers and data users
  2. Trust and context in a connected world: what can marketing research tell us?
  3. Vint Cerf and the Internet of Things: "Privacy may be an anomaly"
  4. Smart Home, Smart Health, Smart Cars: What will inter-connected devices mean for users and data users?
  5. Ubiquitous Data: Privacy and Security in a Connected World