
Thought Leaders: The Future of Consumer IoT

Guest Contributor, Thought Leaders

Presenting the first article in our Thought Leadership series. For each article, we ask an expert or thinker to share his or her thoughts on a specific aspect of the Internet of Things. Thus, we’re overjoyed to kick off the whole series with a piece by Roy Smith, CEO of PrivacyCheq.


The Future of Consumer IoT: Transparency of Privacy

IoT devices capture all sorts of information as they increasingly track and control more personal details about consumers’ lives. If it became public, this data could be benign or embarrassing. How much someone weighs or how well they sleep might not be too concerning. On the other hand, the loss of personal financial data or disclosure of a child’s exact location could potentially lead to disaster.

How is one to know what happens to all that personal information that is captured by these devices? Manufacturers are not in the business of doing malicious things with their consumers’ information. They very much want consumers to continue to put their trust in the proper stewardship of their personal information.

But how is a consumer to trust a manufacturer? Traditional privacy policies are multi-page legal documents that were designed to protect the interests of the manufacturer, not to instill trust in the consumer.

In order to build “digital trust” with consumers, IoT manufacturers need to explain their efforts to protect consumer privacy and security in a way that consumers can easily understand. The way to do that is to create a new form of notice that is designed for consumers. These easy-to-understand condensed privacy disclosures are called “privacy notices”.

What is the difference between a privacy policy and a privacy notice?

A privacy policy is a comprehensive description of an organization’s policies and procedures for dealing with personal information, typically written in highly technical legal language by a legal professional. Its purpose is to protect the company against legal challenges.

A privacy notice is a brief document that describes how an organization treats personal information. It is written in plain language, and often uses graphics to help explain the details. It tells users what types of personal information will be captured, how it is stored, if it is shared, and what will happen in the event of a breach. The privacy notice should be available “just in time” as the consumer is asked to provide their personal information.

Privacy notices do not replace privacy policies. These documents have different purposes, despite containing information about the same subject.

In the U.S., before the passage of the Nutrition Labeling and Education Act in 1990, food packages only needed to contain a list of the net quantity of their contents. Making healthy choices about products from a grocery store was very much a “buyer beware” situation. Manufacturers who could cut corners or mislead consumers about their nutrition choices would do so. Since the passage of the act, consumers have had a way to make informed decisions on their own about their food.

Simpler “plain language” privacy notices that condense and simplify the details covered in the legal privacy policies will allow IoT consumers to easily make choices about the products they trust to wear or bring into their home or car.

What are the benefits of adding a consumer-friendly privacy notice?

For consumers, the benefits are simple to see. Communicating how personal information is used in plain language rather than through a multi-page legal document just makes the policy easier and quicker to digest. Attractive graphical iconography and associative colours can also go a long way toward communicating with consumers. A lightweight privacy notice can be viewed “just in time” as the personal information is being requested. That way, consumers don’t have to go searching for the policy as well. Finally, simpler privacy notices give consumers the capability to compare brands’ privacy and security in a real “apples to apples” way.

These changes add value for manufacturers as well. Concise “just in time” privacy notices build consumers’ trust in a brand in several real ways. Privacy notices can contain subtle marketing cues by discussing a service’s benefits and features as they reveal to consumers the reason for asking for personal information. Just the fact that the brand offers a privacy notice is reassuring for consumers. In the future, when all IoT products utilize standard privacy notices, consumers will be able to make purchasing decisions that are informed by privacy, a great competitive advantage… if the manufacturer handles privacy properly.

Privacy is a competitive advantage

With all of the consumer interest in digital privacy spurred on by Edward Snowden, near-daily privacy breaches from big retailers and brands, and sensationalist news media coverage, there is a window of opportunity for forward-thinking manufacturers to use privacy as a competitive advantage. “First movers” who take the lead in promoting consumer understanding of their good privacy practices will have an advantage over companies that continue to hide behind multi-page privacy policies.

A poll of 3,543 business and technology decision-makers located in Australia, Brazil, Canada, China, France, Germany, India, New Zealand, the UK, and US over a three-month period in 2015 revealed that 26% of these global security decision makers consider privacy a competitive differentiator for their organization. Apple is already leading by example in the marketplace, but some organizations are skeptical. They question what they have to gain by making policies that could be viewed poorly more visible.

Don’t simple privacy notices create more outrage?

AVG published a new “plain language” privacy policy in the form of a video, and caught some criticism. More people were able to see and understand what AVG did, and that is what caused some concern. One might make the case that since their business model isn’t different from their competitors, the fact that AVG made their privacy procedures easily digestible by the average person gave them a black eye. Why feature something that could cause stress and force a consumer to second-guess using a service?

On the other hand, changes to a privacy policy written by a lawyer to completely protect a company from any sort of litigation might cause a similar uproar. Spotify’s recent change to their privacy policy caused a similar problem, but rather than earning points for being transparent the company got a reputation for being creepy. Since that debacle, Spotify has also created a new “plain language” privacy policy. In the long run, it is in the best interest of industry to lead with a simple privacy notice, and keep the multi-page privacy policy in reserve for legal purposes only. At the very least, the industry should embrace it before government forces them to do it.

Why should the IoT industry standardize and self-govern through ‘best practices’ for privacy notice?

If we truly think that the IoT industry can’t honestly tell users what it is doing with their data, how can the industry move forward? As the industry lurches from its current state of obfuscated privacy toward transparency, there will certainly be more cases of surprised outrage when consumers actually find out what is happening with their sensitive data. But the risk to IoT of continuing to hide privacy issues behind inscrutable privacy policies is much higher.

Today, consumers are thinking about their privacy differently. Privacy-concerned Internet citizens have already taken steps to inform the public about services that they feel prey on users by invading their privacy unnecessarily for financial gain. For example, many are joining a movement to quit using Facebook because of what they view as a loss of control over their privacy.

According to a recent Pew Research Center poll, 91% of adults “agree” or “strongly agree” that consumers have lost control over how personal information is collected and used by companies.

At an October 2015 IoT conference in Lund, Sweden, Ericsson and Philips executives openly supported a standardized way to present privacy and security information to consumers (not unlike the “Nutrition Facts” labels on food). The industry should embrace several “best practices” for communicating privacy concerns with their consumers. These practices should form the backbone of self-regulation and make sure that any “bad actors” within the industry who don’t follow these practices are marked with shame.

If the IoT industry does not do something about its privacy problem, eventually it could find itself handcuffed by complex and arbitrary rules created by academics and politicians. In her keynote speech at the 2015 Consumer Electronics Show, the FTC’s Chairwoman essentially told the IoT industry to regulate itself or face government intervention.

Threats of data breaches are always a concern for consumers as well as industry. However, regulation often favors a “one size fits all” approach to handling security rather than a thoughtful comparison of risk. Why should developers spend the same amount of resources to protect their “high score” list as they do their consumers’ financial information? It just doesn’t make very much sense.

In summary, I think it’s clear that privacy is a growing concern that’s not going to go away any time soon. Consumer IoT devices definitely capture a lot of data that the industry must properly protect and manage. But history shows that consumers want transparency and trust, and the IoT industry must do a better job of communicating its privacy and security activities in order to build and maintain that trust.