New FTC Report Calls For Privacy Laws, Urges Companies To Minimize Data Collection

The potential privacy risks posed by the “Internet of Things,” or devices that connect with each other over the Web, is spurring the Federal Trade Commission to reiterate its calls for new legislation.

“Although the Commission currently has authority to take action against some IoT-related practices, it cannot mandate certain basic privacy protections — such as privacy disclosures or consumer choice — absent a specific showing of deception or unfairness,” the FTC says in a staff report released on Tuesday. “Commission staff thus again recommends that Congress enact broadbased (as opposed to IoT-specific) privacy legislation.”

The report recommends “flexible and technology-neutral” laws that will provide “clear rules of the road for companies about such issues as how to provide choices to consumers about data collection and use practices.”

The White House currently is readying a bill that is expected to include at least some of the features the FTC recommends in the report. President Obama signaled earlier this month that the proposed privacy “bill of rights” will limit companies' ability to collect data from consumers without their consent. The measure also appears likely to include limits on collecting data for one purpose and then using it for different ones. 

While the FTC says that the Internet of Things can offer benefits, the agency also discusses concerns that data collected from devices can be used in ways consumers aren't expecting.

“One researcher has hypothesized that although a consumer may today use a fitness tracker solely for wellness-related purposes, the data gathered by the device could be used in the future to price health or life insurance or to infer the user’s suitability for credit or employment,” the report says.

The agency recommends that companies minimize the data they collect and keep, in part, to guard against the risk that information about consumers will be used in unforeseen ways.

One scenario discussed in the report involves a wearable medical device that can assess a skin condition. “The device does not need to collect precise geo-location information in order to work; however, the device manufacturer believes that such information might be useful for a future product feature that would enable users to find treatment options in their area,” the report says. “As part of a data minimization exercise, the company should consider whether it should wait to collect geo-location until after it begins to offer the new product feature, at which time it could disclose the new collection and seek consent.”

Commissioner Joshua Wright dissented from the decision to publish the report. He said in a statement that the recommendations lack “analytical support” to show that they would “improve consumer welfare.”

Commissioner Maureen Ohlhausen concurred in the decision to publish, but said she she disagreed that new privacy legislation is needed. She added that the FTC already has the authority to require companies to notify consumers and obtain their explicitly consent before collecting “sensitive, personally identifiable information.”

The think tank Future of Privacy Forum said the report's approach to data minimization is “overly cautious.”

“In many cases, the FTC already has the ability to use deception or unfairness authority to take action when a company creates risk to consumers without countervailing benefit,” the organization states.  

Next story loading loading..