The Federal Trade Commission in June submitted comments to the working group convened by the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA), which is studying the security of Internet of Things (IoT) connected devices and how they interact with consumers.
This request for comments focused on how IoT device manufacturers can effectively inform consumers about security updates for their devices so that consumers can make informed purchasing decisions. Many IoT observers have identified the risks associated with IoT devices that either are not designed to address data privacy and security vulnerabilities or quickly become vulnerable when security threats evolve and the devices are not updated. The Commission, which has made effective disclosures a hallmark of its privacy and security enforcement and guidance, weighed in on best practices in IoT disclosures by suggesting a number of enhancements to NTIA’s proposed messaging.
Among other recommendations, the FTC suggested that manufacturers avoid telling consumers an “anticipated timeline” during which they will provide security support, as such aspirational timelines can become misleading; instead, the Commission recommended that they communicate a minimum support period. Furthermore, if a device will stop functioning or become highly vulnerable after security support ends, manufacturers should inform consumers so that they are not misled. The FTC also suggested that manufacturers adopt a uniform notification method, such as a standard position on the device’s screen, so that consumers know where to expect to see information about security updates.
The Commission has previously brought enforcement actions against IoT device manufacturers, including TrendNet (for its home security cameras and baby monitors) and Vizio (for its smart TVs). In these cases, the Commission emphasized the need for companies to communicate clearly and honestly about the data privacy and security capabilities of their products, and to be upfront about what was done with consumers’ personal information. In the Vizio case, the FTC determined the company did not provide sufficient notice and choice options to consumers when it sold viewing data to third-party marketers who used it to target advertisements. These cases have underscored the Commission’s focus on the vast information-collection capabilities of connected devices and the need to adequately protect the use of this consumer information. These comments provide further context for how the Commission may frame further enforcement and guidance on this subject.