The FTC fined Visio for collecting and selling its smart TV owner data. As outlined in a recent IEEE IoT newsletter, good transparency principles aren’t exclusive to IoT, but require understanding that privacy threats in an IoT system are unique and require transparent disclosure related to three inputs:
- Personal data collected or generated.
- Data actions performed on that information.
- The context surrounding the collection, generation, processing, disclosure and retention of this personal data.
This isn’t just a question of a company doing right by its consumer base. For example, General Data Protection Regulation (GDPR) in Europe seeks verifiable consumer agreement to how each of these three inputs are managed via notice and consent. In general, it’s best to state your data collection practices, as well as privacy, security and support policies, in an easily discoverable location on your company website, which can be reviewed prior to purchase or service opt-in. Further, disclose what and how features will fail to function if users decline to consent.