Multistakeholder Group Seeks Comment on Draft Framework for IoT Device Manufacturers
Friday, August 14, 2015
Multistakeholder Group Seeks Comment on Draft Framework for IoT Device

Related Practices & Jurisdictions
Print Mail Download i

Earlier this week, the Online Trust Alliance released a draft framework of best practices for Internet of Things device manufacturers and developers, such as connected home devices and wearable fitness and health technologies.  The OTA is seeking comments on its draft framework by September 14.

The framework acknowledges that not all requirements may be applicable to every product due to technical limitations and firmware issues.  However, it generally proposes a number of specific security requirements, including encryption of personally identifiable data at rest and in transit, password protection protocols, and penetration testing.  In addition, it proposes the following requirements:

  • A privacy policy that is readily available to review prior to product purchase, download or activation, and that discloses the consequences of declining to opt-in or opt-out of policies on key product functionality and features.

  • A privacy policy display that is optimized for the user interface to maximize readability.  The working group recommends layered privacy policies for this purpose.

  • Conspicuous disclosure of all personally identifiable data collected.

  • Data sharing is limited to service providers that agree to limit usage of data for specified purposes and maintain data as confidential or to other third parties as clearly disclosed to users.

  • Disclosure of the term and duration of the data retention policy.  In addition, the framework goes on to state that data generally should be retained only for as long as the user is using the device or to meet legal requirements.

  • Disclosure of whether the user has the ability to remove or anonymize personal and sensitive data other than purchase history by discontinuing device use.

  • Disclosure of what functions will work if “smart” functions are disabled or stopped.

  • For products and services designed to be used by multiple family members, the ability to create individual profiles and/or have parental or administrative controls and passwords.

  • Mechanisms for users to contact the company regarding various issues, transfer ownership, manage privacy and security preference.

In addition, the draft framework makes various other recommendations that go above and beyond the proposed baseline requirements, although acknowledging that the recommendations may not be applicable to every device or service.

© 2024 Covington & Burling LLP

Current Legal Analysis

More from Covington & Burling LLP

Standing Issues in Data Breach Litigation: An Overview
by: Priscilla Fasoro , Lauren Wiseman
Financial Agencies Release Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing
by: Lucille C. Bartholomew
Senate Confirms Kraninger as BCFP Director
by: Luis Urbina
FTC Solicits Public Comment on Identity Theft Detection Rules
by: S. Burr Eckstut
Significant FDA Digital Health Policy Development for Prescription Drug Sponsors
by: Mingham Ji , Christina G. Kuhn
First Significant Pay-to-Play Legislation for the District of Columbia Approved by D.C. Council
by: Kevin Glandon
FTC Settles with PR Firm and Publisher Over Social Media Endorsements
by: Inside Privacy Blog at Covington and Burling
Senate Testimony Highlights Tensions in BSA/AML Reform Efforts as Lawmakers Consider Bipartisan Legislation
by: Sam Adriance
Reprieve in U.S.-China Trade Tensions: U.S. Tariffs on $200 Billion in Chinese Imports to Stay at 10 Percent for 90 Days; China to Purchase U.S. Goods
by: Christopher Adams , John Veroneau
AI Update: FCC Hosts Inaugural Forum on Artificial Intelligence
by: Thomas Parisi

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins