FPF Advisory Board Member, Cameron F. Kerry, Senior Counsel, Sidley Austin LLP, and Maarten Meulenbelt, Partner, Sidley Austin LLP, published Privacy Shield: Essentially Equivalent, on July 14, 2016. The paper discusses how the Privacy Shield fulfills EU legal requirements. The authors explain:
“The Privacy Shield requirements far surpass those under Safe Harbour and ensure that EU residents whose data is transferred to the US receive protection essentially equivalent to what they receive in the EU.”
At FPF, we recognize the benefits that connected home technologies can provide to individuals, families, and kids. We also know that privacy issues can make or break adoption of connected home tech – particularly questions about whether kids’ privacy and security are sufficiently safeguarded. Families are using voice controlled devices to search the web, play games, and order products. Kids are playing with dolls that listen and talk, interactive animals, and apps that link toys to digital services. Parents are using smart home technology to keep their families safe – connected tech can warn of fires or alert parents when a child falls into a backyard pool.
These technologies and many others are generating opportunities for interactive play and education, but also creating new challenges. Toys that can become a child’s closest friend, collect intimate information, and provide advice are raising questions about how to ensure families can make appropriate choices about how data is collected and used.
I think there are 5 key questions we need to answer about kids, connected homes, and privacy.
First: does COPPA apply to connected toys? Yes. Nearly all connected toys connect to online services or interact with apps that do. This means that they are subject to COPPA protections.
Second: Do connected toys require a legislative update to COPPA because toys often lack screens and keyboards for parents to use to grant parental consent? No. COPPA requires companies to provide notices and obtain consent from parents when online technologies collect personal data from kids. Although many connected toys do not have built-in screens, toymakers are able to interact with parents through app-based or web-based interfaces. And the COPPA rule allows for a range of alternative ways to verify parental permission and gives the FTC leeway to assess new methods as they become technically feasible.
Third: Are general home devices that serve families covered by COPPA? They are not and should not be. General purpose home devices like alarm systems, security cameras, smart TVs and home assistants are not targeted at children and don’t have actual knowledge of personal information about children. Today, connected devices aren’t able to distinguish between an adult and a child. This is similar to general purpose websites, search engines and other services that serve families – COPPA was designed to avoid placing its burdens on all users interacting with a service, simply because some children are using it. The services that can understand speech are relying on speech recognition, not unique voice recognition, as we explain in a recent FPF whitepaper.
Fourth: Do parents have appropriate controls in light of kids’ interactions with the connected home? Sometimes they do, sometimes they do not. Law is a blunt tool, offering binary choices, on or off, legal or illegal. But, as connected devices are becoming more integrated in our lives, parents must be able to have nuanced options to aid in their decision making. More sophisticated and more usable design is going to be needed to help us manage the increasing number of options. Carnegie Mellon’s Norman Sadeh and his team point the way to what is possible, with an app that uses artificial intelligence to learn what a user wants and then makes the hundreds of choices needed to fully configure the privacy options on a typical smartphone.
We will need technology and policy that allows parents to make choices consistent with their goals and values and that recognizes that not every household looks the same. In some households, the child is the only English speaker, an elderly grandparent is the primary caregiver, no one has a credit card needed for age verification and the service needed is increasingly essential for school, work or play.
Finally: Are all connected home products sufficiently secure? No. Many digital devices have security vulnerabilities, and connected home systems are no different. Does COPPA’s security requirement provide an adequate incentive for companies to work hard to provide reasonable security? Starting August 1, 2016, the maximum civil penalty for violating COPPA will more than double from $16,000 to $40,000 per violation. A violation is defined as each child an operator collects personal information from in violation of COPPA. A connected toy directed at children under 13 with only 1000 users would face a potential civil penalty of as much as $40,000,000. The FTC has super hero powers here – but it will take more than penalties. Getting home security right requires education of device makers, software providers, home routers, and consumers who end up configuring these items. Too hard to set up or use, the consumer turns the security off. Too easy, the hacker gets in. The research needed to ensure useable security must be a priority.
We aren’t just thinking about toys and entertainment when we talk smart home. We are talking about inclusion of people with disabilities, the elderly, the underprivileged. We are talking safety and education and health.
Some examples:
Seal SwimSafe, a wristband alerting parents if a user is submerged in the water for too long, if the band has been removed, or if the user is out of range.
The Starling is a wearable word counter that helps you maximize your child’s language development. Starling shows how much stimulation your child is getting every day, suggesting activities, story time, and more in order to increase word count and engagement crucial for development. Studies show babies who hear more words talk earlier, process language faster, and end up with larger vocabularies.
The Ring, a connected doorbell and home security solution, allows deaf or hard of hearing consumers to remotely monitor their door.
Evermind helps with the issues of elderly living alone by alerting relatives when electrical appliances are switched on and off, signaling a possible change in routine which can be concerning.
Samsung’s Smart Sense Motion helps people remain connected to their elderly relatives by receiving immediate alerts if they failed to get out of bed, failed to open their medicine cabinet, if a caregiver hasn’t arrived, or other important situations.
And of course people are familiar with the Nest and its money saving, environmental and safety benefits. For people with mobility-related disabilities, smart home technology allows users to control things in the home that can be physically challenging to access such as lights, door locks, or security systems.
It is true that these services are collecting detailed information about our day-to-day activities within our most private places, our homes. But it is important not to lose sight of the fact that for adults and for kids, many of these smart devices are critical for health and wellness and security and sometimes just for fun.
Podcast: Lauren Smith Speaks with Bloomberg Law
Lauren Smith, Policy Counsel, spoke with Bloomberg Law today about connected cars and the legal implications of data collection. Lauren discussed the importance of privacy and highlighted many principles that are covered in our report, “The Connected Car and Privacy: Navigating New Data Issues.” You can listen to the interview beginning at 5:50.
Brenda Leong, FPF Senior Counsel and Director of Operations, contributed to a story in CSO about big data and elections. She explained:
Big data analytics offers “great new ways to engage with voters on the things that really matter to them, which results in more motivated, and hopefully better informed, participants in the electoral process, and likely higher turnouts on election day.”
“Every campaign needs to treat security and privacy needs seriously, and have meaningful training for workers. We strongly recommend that every campaign have a chief privacy officer to monitor just these issues,” she said.
Future of Privacy Forum Statement Regarding Finalization of the US-EU Privacy Shield Agreement
In response to today’s finalization of the US-EU Privacy Shield agreement, FPF CEO Jules Polonetsky issued the following statement:
“Today’s finalization of the US-EU Privacy Shield agreement preserves an important data transfer mechanism that is supported by robust privacy safeguards. But for the long term EU-US relationship, it is important to see Privacy Shield as the beginning of a process, not the end. Data flows between the US and EU economies and the services used by individuals across the Atlantic are too important to be strained by constant uncertainty. It will be essential for companies, policymakers, regulators and civil society to build on the legal documents by seeking ongoing efforts to build trust and support responsible data practices.”
EU Approves Privacy Shield: The Agreement Will Benefit Companies and Individuals in the US and Europe
Today, EU member states strongly supported finalization of the EU-US Privacy Shield, a renewed framework for transatlantic data flows that replaces the EU-US Safe Harbor arrangement. The Privacy Shield agreement enables member companies to transfer data between the EU and US, subject to privacy safeguards and commitments.
“Approving the Privacy Shield preserves a key legal mechanism for EU-US data flows,” stated FPF Vice President of Policy John Verdi. “There are, of course, challenges ahead. Surveillance reform must continue on both sides of the Atlantic. But today’s approval provides much needed certainty for American companies that rely on the EU-US framework to pay and manage their EU-based employees, as well as for the 150+ EU companies that use the framework to transfer data to US subsidiaries.”
The Safe Harbor agreement was struck down last year amid concerns regarding US government surveillance programs – concerns that were amplified by the 2013 Snowden revelations. The Privacy Shield approval comes in the wake of surveillance reforms and additional commitments by the US government. FPF and Professor Peter Swire previously detailed the more than two dozen significant reforms to US surveillance law and practice since 2013. A previous FPF study revealed that Safe Harbor included 152 companies who are headquartered or co-headquartered in European countries, which span across a wide range of industries and countries.
July 20th Event: Kids & The Connected Home
Join us for a discussion on kids, connected toys and devices, and privacy.
The debate over the relationship between children and technology has been heated and complex. Issues ranging from the right amount of screen time, online privacy, safety and security have occupied policymakers, parents, and advocates for quite some time. New technologies such as dolls that listen and talk, interactive teddy bears, smart home devices, virtual reality, and artificial intelligence have intensified the debate. As new types of data are collected, these technologies will generate both opportunities for interactive play and education, but also new challenges.
Security concerns around outsiders accessing children’s information or accessing a parent’s home are already in the news. The nature of dolls and toys that become a child’s best friend – that can discuss intimate information, provide advice, and be a buddy – are raising questions about the right balance. When artificial intelligence enters the mix, the debate will only be intensified.
This talk is free and open to the public though space is limited. Doors open at 9:30 am for networking.
FPF Advisory Board Member William McGeveran Publishes Privacy and Data Protection Law
We are pleased to share that FPF Advisory Board member William McGeveran published Privacy and Data Protection Law on June 24, 2016. The textbook covers statutory and regulatory structures including FTC enforcement, medical privacy, and the Patriot Act, as well as standard topics like Torts and the Fourth Amendment.
William teaches courses in Data Privacy Law, Internet Law, Trademark Law, Civil Procedure I and II, and Law in Practice at the University of Minnesota Law School. He is an affiliated professor at the School of Journalism and Mass Communications. Order your copy of Privacy and Data Protection Law today!
Protecting privacy and promoting inclusion with the 'Internet of Things'
To technologists and innovators, the “Internet of Things” (IoT) represents a world of exciting new benefits that will solve important technical and social problems. To critics, IoT represents a world of pervasive surveillance, with toys that spy on kids and microphone-enabled devices recording and retaining our most personal data. As a think tank focused on helping chief privacy officers of companies both large and small navigate privacy challenges, as well as advocating for ethical data practices in support of emerging technologies, we believe they are both right. From traffic management to healthcare improvements, there is a wide range of possible benefits that will be derived from information networks created by the IoT. There is the potential to improve personal safety, improve public safety, increase consumer convenience, provide environmental benefits and promote business innovation. However, if we do not have the right guiding principles or necessary privacy safeguards, consumers will lose trust in the evolving technologies. We need to address security and privacy issues to ensure that the IoT achieves its full potential.
Recognizing this need, Samsung recently hosted a conference bringing together leaders from both government and industry to discuss the future of IoT. In his opening remarks, Oh-Hyun Kwon, vice chairman and CEO at Samsung Electronics, emphasized that the conversation around the possibilities of IoT should shift from focusing on smart homes, offices and factories, to smart communities, smart nations and a smarter world with better living standards for everyone, everywhere. In comments we filed recently for input into a new Department of Commerce green paper on shaping the future of IoT, we discussed ways IoT technologies are improving the day-to-day quality of life for people with low income, people with disabilities and traditionally underserved populations, among others. For example:
The OrCam is a wearable video camera that is designed for the visually impaired, translating text to audio in real time;
The Dot, the world’s first braille smartwatch, features a series of dull pins that rise and fall at customizable speeds and allows users to read text messages and e-books;
The Ring, a connected doorbell and home security solution, alerts users to motion as soon as it is detected, so they can remotely monitor their door;
Some airports, like the Miami International Airport, have rolled out programs that use beacons to help users find the correct gate and send push notifications for restaurant and store deals when travelers are walking around; and
M2M technology, integrated with new payment platforms, is expanding access to credit by enabling two new payment methods: pay-as-you-go (PAYG) asset financing, which allows consumers to pay for products over time, and prepaid, where consumers pay for services on an as-needed basis.
It is important that we do not lose sight of the broad hope that IoT technology will not simply be more gadgets for the affluent, but also a platform for improving quality of life for the traditionally underserved. As government policymakers and regulators examine, understand and embrace emerging IoT technologies, they must encourage strategies that benefit everyone, while at the same time apply commonsense privacy protections that build trust in IoT technologies to help ensure that consumers enjoy the full benefits of IoT sensors and devices.
“According to the authors, companies increasingly conduct research in order to decide what products to build and to improve customers’ experience with those products. But they say that existing ethical guidelines for research do not always completely address the considerations that industry researchers face, and they argue that companies should develop principles and practices that take into account the values set out in law and ethics. In Facebook’s case, this means maintaining a standing committee of five employees, including experts in law, ethics, communications, and policy to vet research proposals and identify ethical concerns.”