Recently, Amazon refused (registration required) to provide data from an Amazon Echo device in a case involving the a double homicide in response to an order issued by a New Hampshire state judge. Prosecutors believe that the Echo may have recorded data relevant to the crime; a potential perpetrator has already been charged. Per a statement released November 20th, Amazon has stated that it “it “will not release customer information without a valid and binding legal demand properly served on us.” New Hampshire does not provide electronic access to court records, so it is not known as of this post whether Amazon has been served with the court order and complied. The order was signed by Justice Steven Houran on November 5.
As we have discussed, CA recently passed legislation requiring manufacturers of connected devices, often referred to as Internet of Things (“IoT”) devices, to equip these devices with reasonable security feature(s) that are “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, [and] designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” California’s legislature has apparently recognized that providing security for these devices needs to be a priority to protect consumers.
Companies such as Amazon depend on consumers being willing to purchase and allow IoT devices such as Amazon’s Echo into their homes and their lives. Consumers, in the aggregate, will likely only be willing to allow these devices into their homes if they trust that the company behind the device will provide protection their data that they feel comfortable with.
Companies that wish to build and maintain this trust with consumers will need to ensure that they go beyond the barebones legal requirements and convince consumers through their corporate actions that they take privacy and data protection seriously. This will involve implementing a comprehensive privacy and data security program that includes at least the three parts below.
- Posting and Complying with Their Own Privacy Policy the IoT Device
Privacy policies are required in many cases where devices collect personally identifiable information, including under California law. However, beyond the obvious legal implications of posting and complying with your own privacy policy, consumers may be less likely to use IoT devices from companies that have a demonstrable record of not living up to their own privacy commitments.
- Provide Appropriate Security for the IoT Device
As outlined above, appropriate security for the IoT Device will be a legal requirement under California law. Even so, device companies that are serious about large-scale adoption need to think beyond just the risk of legal enforcement. How likely are consumers to introduce an IoT device that has access to their sensitive data, and could, for example, record audio or video of their daily activities, if they feel company is not serious about providing security measures to prevent unauthorized access?
- Protecting Data Collected by the IoT Device Against Improper Use Or Request By Third Parties
This requirement goes beyond complying with a posted privacy policy or providing reasonable technological security measures – when push comes to shove, is the company providing sensitive data collected by the IoT device to third parties in ways that would concern consumers? Here, Amazon is objecting to an order that it does not consider to be a “valid and binding legal demand” to turn over user data. Whether that is legally sound, is not a point of examination for this post. Consumers will want the security of knowing that not only will an entity comply with its own policies and provide reasonable technical security – the entity will not just hand over their sensitive data to third parties when a request is made unless it is required to do so. By being willing to object to this demand, Amazon is arguably demonstrating that it takes user privacy seriously.