Internet of Things: FTC staff report and a new publication for businesses

We’ve all been talking about the Internet of Things – the ability of everyday objects to connect to the Internet to send and receive data. (We wouldn’t be surprised if our devices are talking about it, too.) A just-released FTC Staff Report recaps what we learned at our November 2013 workshop on the subject and discusses four ongoing initiatives to address the consumer protection implications. There’s also a new nuts-and-bolts publication, Careful Connections: Building Security in the Internet of Things, for businesses developing the next generation of connected devices.

What kind of products are part of the Internet of Things? It’s the bracelet that shares with friends how far you walked in a day, the home automation system that switches the lights on as you turn onto your street, and maybe that under-wraps innovation your company is working on right now.

The scope of the industry is vast. Six years ago, the number of connected devices surpassed the number of people and the total now tops 25 billion worldwide. Experts estimate that by the end of the decade, that figure will bump to 50 billion. And it’s no wonder, given the potential benefits to consumers.

But businesses should think about the potential for risk, too. Protecting against unauthorized access to consumers’ personal information – something companies have been dealing with for decades now – is just one consideration. The Internet of Things poses new challenges, too. For example, if a consumer can use a device to lock the front door remotely, could a weak spot in the system let a burglar unlock it? The success of the industry depends, in part, on whether it can earn consumer confidence.

You’ll want to read the Report for an in-depth analysis of discussions at the 2013 workshop. The Report offers staff’s insights into how the principles of security, data minimization, notice, and choice apply in the developing Internet of Things marketplace.

Here’s just one example. Some people at the workshop suggested that offering notice and choice is challenging in the Internet of Things since many products don’t feature a traditional user interface – a screen, let’s say. Even so, FTC staff believes that providing consumers with easy-to-find information remains important. Building on recommendations in the 2012 Privacy Report, the staff called on industry members to consider creative options – for example, video tutorials, QR codes on devices, and choices at point of sale, within set-up wizards, or in a privacy dashboard. There’s no one-size-fits-all approach, of course, but well-settled principles about clear and prominent disclosures still apply.

The Report also highlights the Commission’s bipartisan recommendation for federal data security and data breach notification legislation that would strengthen the existing tools.

Where do we go from here?  The Report describes four ongoing initiatives:

  • Law enforcement:  The FTC enforces – among other statutes – the FTC Act, the Fair Credit Reporting Act, COPPA, and the health breach notification provisions of the HI-TECH Act. When it’s appropriate, the staff will recommend that the Commission take action when there’s reason to believe the law is being violated.
  • Consumer and business education.  We’re continuing our effort to provide advice for businesses with the publication of Careful Connections: Building Security in the Internet of Things.  And there will be more where that came from both for companies and for consumers.
  • Participation in multi-stakeholder groups.  We’re already working with groups considering guidelines and best practices – and those efforts will continue.
  • Advocacy.  We’ll look for opportunities to share our perspectives with other government agencies, state legislatures, and courts to promote protections in this area.


The message mentions Consumers but no advice is provided for consumers. The only advice you provide is for business education. You should provide a booklet to assist consumers using language that consumers can understand.

You're right that the publication is meant for a business audience. Plans are underway to offer more information for consumers soon. In the meantime, here's a post about the Internet of Things from the FTC's Consumer Blog.

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.