There has been a growing wave of concern from consumers about privacy with connected products. While the rise of Google, Facebook, and Twitter has shown that most people will sacrifice privacy in exchange for compelling value, the ongoing concerns about the privacy implications of smart home products have undoubtedly slowed the growth of connected products.
GDPR - the new EU regulations about consumer privacy - promises to transform the way consumers view privacy, and it could not have come at a better time. This is an opportunity for the leaders in the connected-product industry to strengthen consumer trust, to build brands that embody that trust, and to bring real value to consumers. GDPR will curtail some of the most concerning industry practices and can help give consumers confidence that they can buy connected products while maintaining control over their personal data.
With the disclaimer that you should check with your legal department, we see four areas of GDPR that are important for connected products. Below we outline some of the specific implications.
1. You must get consent
We have worked with dozens of companies making connected products and every single one of them is thinking about privacy and consent. With some of the most trusted brands getting into the internet of things, companies are being thoughtful about how they collect and share data collected from customers and how they inform customers of the data they collect.
Typically the terms and conditions for connected products have been difficult for people to understand, and the details are buried in legalese in the fine print. With GDPR, we are seeing companies provide clearer language around privacy. The opt-out rate for data collection is typically very low, so building trust through transparency and honesty is the best policy.
2. You must provide access to data
If a customer requests access to the data you have collected, you are obligated to provide the data to the customer. Many companies store data across different systems and even different vendors, so having the ability to quickly and efficiently aggregate that data to respond to customer requests can be difficult.
We don’t yet know the scale of the requests, but at a minimum, you should scope out what you will provide when you do receive a request and make sure that you have the ability to pull the data and deliver it. As time goes on, we’ll get a clearer sense of the volume of requests and how much to automate this process or make it self-service. Most companies we talk with intend to provide this capability to customers both inside and outside the EU, even where they are not required by law to do so, with the goal of building trust with consumers.
3. You must let people be forgotten
The right to be forgotten is especially tricky for connected products because the products may or may not be connected to the internet when the person makes the request. How can a customer be forgotten if their product is in a box somewhere with the history of that customer in non-volatile memory? How can a customer request to be forgotten?
Many of the companies we work with have not effectively addressed this issue. We recommend having a robust factory-reset procedure both on the device and in the cloud. Most companies have a device-driven factory reset process (“hold the power button for 10 seconds…”), and have a way to delete an account, but don’t effectively force the device to factory reset when it comes back online.
When a user makes the request to be forgotten, the connected-product company should create commands to factory reset the relevant devices. When the devices next connect to the cloud, those commands should be sent down to the devices. The company should then delete the user’s account. Also, make sure to clean up any logging-related data and data in third-party services. (Note: Cirrent provides this capability for our customers, so any customer-related data on Cirrent’s servers can be deleted.)
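The flow described above, as an added sketch that is not Cirrent's code or part of the original article: the erasure request queues a factory reset for each of the user's devices, deletes the cloud-side data right away, and delivers the reset when an offline device next checks in. All class, method and field names are hypothetical, the data stores are in-memory stand-ins, and clearing the command only after a device acknowledgement is an assumption of this example.

```python
from dataclasses import dataclass, field

@dataclass
class Cloud:
    # Hypothetical in-memory stand-ins for the real data stores.
    accounts: dict = field(default_factory=dict)      # user_id -> profile
    device_owner: dict = field(default_factory=dict)  # device_id -> user_id
    logs: list = field(default_factory=list)          # (user_id, device_id, msg)
    vendor_data: dict = field(default_factory=dict)   # vendor -> {user_id: data}
    pending_resets: set = field(default_factory=set)  # device_ids owed a reset

    def forget_user(self, user_id):
        devices = [d for d, u in self.device_owner.items() if u == user_id]
        # Queue by device id only, so the command outlives the deleted account.
        self.pending_resets.update(devices)
        self.accounts.pop(user_id, None)
        for d in devices:
            del self.device_owner[d]
        self.logs = [e for e in self.logs if e[0] != user_id]
        for records in self.vendor_data.values():
            records.pop(user_id, None)

    def on_device_connect(self, device_id):
        return ["factory_reset"] if device_id in self.pending_resets else []

    def on_reset_ack(self, device_id):
        # Drop the command only once the device confirms the wipe.
        self.pending_resets.discard(device_id)

@dataclass
class Device:
    device_id: str
    nvm: dict = field(default_factory=dict)  # stands in for non-volatile memory

    def connect(self, cloud):
        for cmd in cloud.on_device_connect(self.device_id):
            if cmd == "factory_reset":
                self.nvm.clear()
                cloud.on_reset_ack(self.device_id)

def demo():  # all sample data below is constructed
    cloud = Cloud(accounts={"u1": {}, "u2": {}},
                  device_owner={"dev-A": "u1", "dev-B": "u2"},
                  logs=[("u1", "dev-A", "paired"), ("u2", "dev-B", "paired")],
                  vendor_data={"analytics": {"u1": "x", "u2": "y"}})
    boxed = Device("dev-A", nvm={"wifi_ssid": "home", "history": ["evt"]})
    cloud.forget_user("u1")            # device is offline, in a box
    still_queued = "dev-A" in cloud.pending_resets and bool(boxed.nvm)
    boxed.connect(cloud)               # later it comes back online
    return cloud, boxed, still_queued
```

The pending-reset set holds device identifiers only, so it remains valid after the account and its logs are gone.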
4. You must provide notification of data breaches
Most people think about data breaches as being in the cloud, but the VPNFilter attack and the Mirai botnet attack have made it clear that there are a huge number of connected products that are vulnerable to hacking, and that breaches may happen in the field. Most companies regularly monitor their cloud infrastructure but don't have the same capability on the devices, which are subject to the notification requirements. Addressing on-device security to identify breaches is difficult for product companies. Most companies do not have sufficient monitoring of devices to be able to reliably provide notifications of device breaches. This is an active area of innovation, and if you’d like to learn more about how to identify device breaches you can contact us [firstname.lastname@example.org].
GDPR is coming at the right time for our industry. With increasing concerns from consumers around privacy, we as an industry can use this as an opportunity to build consumer trust and accelerate the adoption of connected products. Compliance with GDPR -- getting consent, providing access to data, giving people a way to be forgotten, and monitoring for data breaches -- is now mandatory for any company operating in Europe, and doing this in an efficient, scalable way will be critical for the success of individual products and for the broader connected-product industry.