The FTC Will Not Leave Companies to Their Own Devices

Font Size:

The FTC recently issued regulatory recommendations for the growing platform of devices in the Internet of Things.

Font Size:

What was once a fantasy played out in television shows like The Jetsons is now a rapidly growing industry of internet-connected devices, dubbed the Internet of Things. Consumers can now speak to electronic assistants to handle everyday tasks. Electronic assistants can, in turn, order pizza, play music through speakers and TVs, and command home security to lock doors as an owner leaves her house to enter an Uber car—also ordered on command.

Growing just as rapidly as the market for interconnected devices are the databases of individual user information collected by and transferred between these devices, creating a cache of so-called big data and raising renewed concerns about the misuse of personal data. Social media data, streaming data, and publicly available sources of data can all now be incorporated together with device-collected information to create highly detailed profiles of users. These caches of user information, however, can pose a threat if used improperly.

Earlier this year, the Federal Trade Commission (FTC) issued a report that provides recommendations to companies that rely on big data. The report notes that improper use of big data might lead to consumer sorting that reinforces preexisting social disparities and perhaps promote illegal discrimination of protected classes. By connecting otherwise unrelated user data, companies can make predictive inferences about a person’s daily routine, financial circumstances, and even health. Such inferences, while potentially helpful, might also enable companies to deny some people certain opportunities based on information from big data libraries.

For example, the report posits that employers might rely on inferences derived from collected data to exclude candidates for reasons unrelated to job qualifications but instead based on information collected from data sources independent of an application and interview. The Commission’s report cautions against such use of big data.

The Commission challenges companies to understand how certain applications of consumer data might violate consumer protection laws such as equal opportunity laws and credit reporting laws. The Commission also urges companies to identify potential biases and inaccuracies in datasets collected by electronic devices in order to prevent incorrect inferences.

In spite of the Commission’s recommendations, some scholars argue for additional constraints on the use of big data and stronger consumer protection laws. For example, Scott Peppet, a professor of law at the University of Colorado Law School, endorses a strong, substantive approach to big data regulation, rather than solely a procedural self-check. That is, he believes that regulators should make companies accountable to substantive expectations in addition to compliance, or what he calls “hoop jumping.” He argues that big data should be restricted to specific uses in order to prevent activity that could potentially violate consumer protection laws. Even still, some stakeholders opine that future legal battles related to privacy will emerge and believe that despite the potential for firms to use big data to discriminate, regulators should instead prioritize the privacy and security threats raised by the Internet of Things.

However, the Commission actually addressed privacy and security concerns before publishing this report. Last year, it released a report that highlighted privacy and security concerns, and it offered a similar set of recommendations that urged self-regulation by companies that create and manufacture network-connected devices that use big data.

With this year’s report, the Commission continues to support innovation in technology, but also expands upon last year’s recommendations. This year’s guidance appears to signal to companies to be even more cautious of running afoul of consumer protection laws the Commission will enforce, in addition to adhering to traditional privacy protections that previous guidance has already addressed. The Commission’s current regulatory posture has already elicited some response. Currently, industry stakeholders are preparing themselves for a range of legal issues, as recent reports have noted.