Requirements for Connected Toys and Smart Home Products in the Age of the Internet of Things
When the US Senate, the Federal Trade Commission (FTC), the FBI and the European Union all focus at once on security and privacy in the Internet of Things (IoT), it’s time for manufacturers of connected products to read that as a big “heads-up.”
Here are four new regulatory “gotchas” that may stand in the way of your product marketing and sales, if you aren’t paying attention:
1) COPPA
Is your company collecting personal information from children under the age of 13? If so, you had better obtain parental consent — not a simple matter.
Failure to comply with the Children’s Online Privacy Protection Rule (COPPA) can result in fines up to $40,654 per violation. The Federal Trade Commission kicked off the recent spurt of regulations with updated guidance on “new business models” by making it clear that it applies to toys and other connected devices. Privacy concerns from regulators (and that powerful consumer bloc, parents) have already brought negative attention to connected toys like Mattel’s Hello Barbie and the easily hacked My Friend Cayla doll.
This past season of the HBO show Silicon Valley provided an example of a company facing unforeseen penalties for COPPA violations when the fictional Pied Piper gang realized that its app was used by tens of thousands of underage consumers, without any of the required infrastructure in place. Had the entrepreneurs paid attention to the FTC’s updated Six Step Compliance Plan for companies, Pied Piper would never have found itself in such a fix.
2) Federal Cybersecurity
On August 1, Senators Mark Warner and Cory Gardner, co-chairs of the Senate CyberSecurity Caucus, introduced The Internet of Things Cybersecurity Improvement Act of 2017, which would require that devices purchased by the US government meet certain minimum security standards. The legislation attempts to address the “market failures” that have occurred with certain IoT products – for example, where products have shipped with hardcoded passwords, or have been used to launch distributed denial of service (DDoS) attacks – by legislating how the Federal Government procures connected products.
Federal agencies are estimated to have spent $4 billion on IoT sensor products between 2011 and 2015, and departments like the Department of Agriculture and the Department of Defense rely heavily on sensors and connected wearables. While this bill only applies to companies selling their IoT products to the federal government, Warner hopes that “the sheer purchasing power” of the government will spur similar security improvements in products sold to consumers.
3) FBI Security Alert
Several weeks before the senators introduced their legislation, the FBI issued a security alert warning parents (and others) that Internet-connected toys represent a privacy concern for children, and set out a list of best practices. While these recommendations are logical, many of them are likely out of reach for many parents. I confess that researching whether a toy can “receive firmware and/or software updates” or looking into where the user data is stored would be among the last things I would attempt to do as a mom setting up my child’s birthday present. However, this list of recommendations may end up serving as the basis for determining the reasonable standard of care required of companies in the IoT space.
4) EU General Data Protection Requirement
Further complicating the regulatory scheme for privacy and security is the looming General Data Protection Requirement (GDPR) in the European Union, which will impact ANY company doing business with an EU citizen, and which goes into effect May 2018.
What’s the takeaway for manufacturers?
Consider the four “gotchas” outlined above as early warning signs that it’s time to lean in to, rather than away from, privacy and security efforts. More are certainly on the way in the form of specific rules in the health, finance and credit industries, along with state laws (a useful summary here).
How to lean in? By doing the following, starting now:
- Adopt Privacy by Design principles
- Follow FTC guidance
- Appoint a chief privacy officer and staff, and follow their advice
Tell consumers about your initiatives and compliance through your website, your social media, your packaging and your advertising. Being proactive will demonstrate that you take their security and privacy seriously, and you value their business.
About the Author
Michele Martell is a rare commodity as a community, marketing and legal strategist and implementer. Michele provides business strategy and implementation as an experienced legal, marketing and business executive. She leads digital marketing and social media programs for Internet of Things clients and other technology companies. With a background in entertainment and edtech as well as intellectual property law and a focus on innovative storytelling for every screen, Michele has been part of the executive management teams for The Jim Henson Company, Cinedigm Entertainment, SD Entertainment as well as WWE. She can be found tweeting at Austin music shows, food festivals and edtech events or speaking on panels at SXSW on virtual reality issues.
Michele is on the Development Council for the Denius-Sams Gaming Academy at the University of Texas, at Austin. Michele was a 2013 nominee for the Women in Toys Wonder Woman Award, and serves on the WiT Legal Committee. Michele obtained her JD from UCLA School of Law, and her undergraduate degree from Pomona College.