I Told You So: An Approach to Notice and Choice in the Internet of Things
From cellphones and computers, to refrigerators and televisions, to vacuum cleaners and dishwashers, everyday devices of consumers' lives are increasingly connected to the internet (and to each other). While connected devices like fitness trackers and smart home devices have incredible benefits, they also raise significant privacy concerns. The expansive (and ever expanding) network of interconnected devices has also proliferated data collection. Devices now sense, measure, collect, analyze, and transmit voluminous amounts of data. Each bit of data, either individually or when combined together with other data, has the potential to reveal personal or sensitive information about consumers. In essence, companies can now gain (and potentially share) digital insight into otherwise private activities.
Why is notice and choice important?
The continued growth of interconnected devices has led to increasing concerns about consumer privacy and whether consumers are actually aware of the data collection around them.
To that end, the Federal Trade Commission (FTC), advocates the fundamental privacy principle of "notice and choice."
That is, companies must inform consumers how they plan to use and share their data, and give consumers choices about the use and sharing.
The FTC believes that "providing notice and choice remains important, as potential privacy and security risks may be heightened due to the pervasiveness of data collection inherent in the IoT."
This is particularly so when sensitive data is collected.
What does notice and choice entail?
Effective notice should contain relevant information that draws the consumer's attention.
This can include: (i) who the consumer is doing business with; (ii) what information will the consumer be sharing, with whom, and for what purpose; (iii) whether the consumer receives any benefit from the information sharing; (iv) what other parties are doing with the shared information and why; (v) what options does the consumer have if he/she changes his/her mind; and (vi) whether the consumer has any control over the deletion or removal of the information.
When to provide notice and choice?
The FTC has stated companies must provide "consumers with the ability to make informed choices," but also acknowledges that "companies should not be compelled to provide choice before collecting and using consumer data for practices that are consistent with the context of a transaction or the company's relationship with the consumer."
The FTC uses an example of an oven that is interconnected to allow a consumer to merely set baking temperatures using his/her cell phone. This is more consistent with a consumer's expectation, than an oven that also transmits oven usage statistics to marketing companies who may use that data (for example, to sell recipes to the consumer).
The operation of the oven in the former scenario is generally consistent with consumers' reasonable expectations and does not necessarily require prior disclosure. Generally speaking, notice and choice is prudent when companies are collecting, using and sharing data in manner that is inconsistent with consumers' reasonable expectations.
How and where to provide notice and choice?
The FTC states that "privacy choices [must be] clear and prominent, and not buried within lengthy documents."
In other situations, the fluidity, and interoperable nature of IoT devices precludes adequately notifying consumers of every aspect of data collection and use that occurs.
In order to overcome the technical and practical limitations of IoT devices, companies must consider new techniques and methods to convey notice and choice information to consumers. Recently, researchers from Carnegie Mellon University, the RAND Corporation and Google proposed an approach to deploying notices that takes into consideration various elements.
(i) The timing of notice and choice:
Timing dictates when a consumer receives a privacy notice, and has been "shown to have a significant impact on the effectiveness of notices."
Providing notice and choice at a time far removed from when the information is collected or used may not be effective. Timing choices include: at the time of initial set up; periodic notices where consumers are constantly apprised of notice and choice; persistent notices; context-dependent notices, "just-in-time" notices, or "on-demand" notices.
'At setup' notices occur when a system is used for the first time.
For example, when a consumer installs software for the first time, or when a consumer receives a privacy notice when first checking into a doctor's office.
'Just in time' notices can be used when a particular practice is activated.
For example, a map application on a mobile phone can present a notice to the user whenever the location tracking capabilities of the phone is activated.
'Context-dependent' notices can be used based on a consumer's or a system's relevant context.
For example, a change in a consumer's location, or a change in the operation of a system, can trigger a 'context-dependent' notice.
'Periodic' notices are presented every time a practice occurs.
For example, a mobile phone can trigger periodic notices for the duration of when its location tracking capabilities are enabled. A problem with periodic notices is that they can lead to "notice fatigue and habituation."
'Persistent' notices are where a user is continuously informed of a practice, and usually in a non-intrusive manner.
For example, Android and iOS display a small icon in the status bar whenever an application accesses the consumer's location; and if the icon is not shown, the consumer's location is not being accessed.
Lastly, 'on demand' notices are used to accommodate consumers' active requests for privacy information.
(ii) The channel of providing notice and choice:
How the notice is delivered depends on its channel. A system may leverage primary, secondary, and public channels to provide notices.
A privacy notice that is provided on the same platform or device a user interacts with is a primary channel, while a secondary channel leverages outofband communications.
For example, wearables, smart home appliances, and IoT devices with very small or no displays make it difficult to display notices in an informative way. Out-of-band communications, like text messages or emails, can serve as secondary channels to overcome primary channel limitations.
Finally, public channels can be leveraged to provide notice (and potentially choices), in cases where systems are not aware of the identity of the consumer.
While primary and secondary channels target specific users, public channels can serve mass notice- the way warning signs in public places inform about video surveillance.
(iii) The modality of providing notice and choice:
Modality refers to what interaction techniques are used to provide notice and choice. Selecting techniques like visual, auditory, haptic, or even machine code (e.g. software), depends on what the specific notice strives to achieve, the user's likely attention level, and the system's opportunities and constraints.
For example, a visual icon on a mobile phone is better indicative of an application tracking the consumer's GPS location, than a haptic feedback for the same purpose. However, on IoT devices without a screen, a haptic (or even an auditory) notice will be better suited to informing the consumer.
Companies also should be aware of, and account for consumer with disabilities. Accessibility issues due to physical or visual impairments need to be considered in notice design.
Thus, it is "important to evaluate the saliency of different modalities used in notice design."
Machine code modality refers to the exchange of information between systems to enforce, or indicate a privacy preference.
For example, web browsers can transmit Do Not Track (DNT) requests to a web application and request the web application to disable its tracking of the consumer.
Here, the web application is configured to receive the consumer's privacy preference via a machine code exchange.
(iv) The control the user has:
Whenever possible, privacy notices should not only provide information about data practices but also include privacy choices or control options.
In contrast to traditional optin
(i.e., the user must explicitly agree to a data practice), or optout
(i.e., the user may advise the system provider to stop a specific practice) preferences, modern approaches advocate for a blend of opt-in
Here, users can control the purposes for which collected information can be used, "specify recipients of information sharing, or vary the granularity of information collected or shared."
For example, some social media platforms allow a consumer to decide how much of their information gets shared, and to whom.
Controls can then "be directly integrated into the notice, in which case they may be blocking or nonblocking, or they can be decoupled to be used on demand by users."
A blocking notice, for example, precludes a consumer from performing any other activities on the mobile device before addressing the notice message. Conversely, a non-blocking notice allows a consumer to continue operating the mobile device, without being inhibited by the notice.
Starting with these fundamentals, companies can adopt various techniques to provide effective notice and choice to consumers. Companies should strive to properly inform its consumers about data collection, use, and sharing, and what the consumers' rights are. The Internet of Things poses new challenges for the design of privacy notices and controls, and it is up to companies to adopt a consumer centric approach that provides consumers the necessary information to make informed decisions.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.
Internet of Things, Privacy & Security in a Connected World, at p. 39.
I. Glazer, L. Hamady, H. Wachs, "The Maze of Online Retail: Privacy, Security, Notice & Consent", IAPP Global Privacy Summit, April, 2016.
Internet of Things, Privacy & Security in a Connected World, at p. 40.
A Design Space for Effective Privacy Notices, at p. 10.