Earlier this week, the Online Trust Alliance released a draft framework of best practices for Internet of Things device manufacturers and developers, such as connected home devices and wearable fitness and health technologies.  The OTA is seeking comments on its draft framework by September 14.

The framework acknowledges that not all requirements may be applicable to every product due to technical limitations and firmware issues.  However, it generally proposes a number of specific security requirements, including encryption of personally identifiable data at rest and in transit, password protection protocols, and penetration testing.  In addition, it proposes the following requirements:

  • A privacy policy that is readily available to review prior to product purchase, download or activation, and that discloses the consequences of declining to opt-in or opt-out of policies on key product functionality and features.
  • A privacy policy display that is optimized for the user interface to maximize readability.  The working group recommends layered privacy policies for this purpose.
  • Conspicuous disclosure of all personally identifiable data collected.
  • Data sharing is limited to service providers that agree to limit usage of data for specified purposes and maintain data as confidential or to other third parties as clearly disclosed to users.
  • Disclosure of the term and duration of the data retention policy.  In addition, the framework goes on to state that data generally should be retained only for as long as the user is using the device or to meet legal requirements.
  • Disclosure of whether the user has the ability to remove or anonymize personal and sensitive data other than purchase history by discontinuing device use.
  • Disclosure of what functions will work if “smart” functions are disabled or stopped.
  • For products and services designed to be used by multiple family members, the ability to create individual profiles and/or have parental or administrative controls and passwords.
  • Mechanisms for users to contact the company regarding various issues, transfer ownership, manage privacy and security preference.

In addition, the draft framework makes various other recommendations that go above and beyond the proposed baseline requirements, although acknowledging that the recommendations may not be applicable to every device or service.

Tags: health and fitness, mHealth, smart devices
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Read more about Libbie CanterEmail
Show more Show less