Georgetown Law
Technology Review

The Internet of Things (IoT) is a concept dating back to the 1920s, when Nikola Tesla first described a wireless world “converted into a huge brain.”1E.g., Internet of Things (IoT) History, POSTSCAPES, https://www.postscapes.com/internet-of-things-history/ (last updated Feb. 1, 2016); Mark van Rijmenam, Where Does the Internet of Things Come From?, DATAFLOQ, https://datafloq.com/read/where-does-the-internet-of-things-come-from/524 (last visited Oct. 15, 2017). Now, almost a century later, we are experiencing the real possibility that we have created this “brain” through the Internet of Things. This begs the question: does the average consumer really know what information they have consented to contribute to this brain? As the IoT appears to be the next big wave of technological change, the importance of consent is already evolving.2Eve Maler, We Need a Totally New Approach to Consent and Privacy for the IoT Era, IOT AGENDA (Feb. 16, 2017), http://internetofthingsagenda.techtarget.com/blog/IoT-Agenda/We-need-a-totally-new-approach-to-consent-and-privacy-for-the-IoT-era.

The extent of the amount and type of information collected can be demonstrated by a few simple examples. One such example is how a Roomba, and other internet-connected vacuums, gather data that essentially map the layout of your home; they also track run times which may indicate lifestyle patterns such as when consumers are at home and or not.3Maggie Astor, Your Roomba May Be Mapping Your Home, Collecting Data That Could Be Shared, N.Y. TIMES (July 25, 2017), https://www.nytimes.com/2017/07/25/technology/roomba-irobot-data-privacy.html. Although Roomba does not currently sell this information, it has been reported that they at least have considered plans to enter the market of selling this information.4See Rhett Jones, Roomba’s Next Big Step Is Selling Maps of Your Home to the Highest Bidder, GIZMODO (July 24, 2017), https://gizmodo.com/roombas-next-big-step-is-selling-maps-of-your-home-to-t-1797187829; but see Jacob Kastrenakes, Roomba Creator Says It ‘Will Never Sell Your Data’ After Talking About Selling Your Data, VERGE (July 28, 2017), https://www.theverge.com/2017/7/28/16055590/roomba-wont-sell-data-irobot.

Smart cars are another example. Gartner consultancy estimates that by 2020, approximately 250 million cars will be connected to the internet.5Chris Neiger, What the Internet of Things Means for Car Companies, MOTLEY FOOL (Apr. 26, 2017, 4:07 PM), https://www.fool.com/investing/general/2016/04/29/what-the-internet-of-things-means-for-car-companie.aspx. Autonomous cars will not only require an immense amount of data to operate, but will also collect an extraordinary amount of data during the operation of the vehicle—such as mappings of roads, routes, time spent in the car, and how often a given location is visited—raising privacy concerns.6E.g., Jim Bronskill, Smart Cars Share Revealing Personal Data, Raise Privacy Concerns, STAR (Jan. 24, 2016), https://www.thestar.com/news/canada/2016/01/24/smart-cars-share-revealing-personal-data-raise-privacy-concerns.html.

Consent and the amount of information consumers have agreed to expose seem to have evolved through a slippery slope of consumer complacency; first, by consumers agreeing to small amounts of information in exchange for the use of a website or product, and then evolving into today’s technological world which largely could not operate without the collection of this data. Historically, emphasis has been placed on implied consent and privacy policies that attempt to limit a business’s liability.7See Maler, supra note 2. However, even now, given the amount of information that is shared over the internet through the use of cookies and other similar technologies, consumers seem unaware or unconcerned with the depth of information tracked.

A social experiment highlighted this casual attitude of sharing personal data when a New York artist offered to trade actual cookies in exchange for an individual’s maiden name, fingerprints, or partial social security numbers.8Lois Beckett, How Much of Your Data Would You Trade for a Free Cookie, PROPUBLICA (Oct. 1, 2014, 12:00 PM), https://www.propublica.org/article/how-much-of-your-data-would-you-trade-for-a-free-cookie. Nearly 400 individuals accepted this offer despite the artist refusing to say what she would do with the information she collected.9Id.

As early as the 1970s, the Fair Information Privacy Principles (FIPPs) were developed by the U.S. Secretary of Health, Education, and Welfare Secretary’s Advisory Committee on Automated Personal Data Systems10See SEC’Y’S ADVISORY COMM. ON AUTOMATED PERS. DATA SYS., RECORDS, COMPUTERS AND THE RIGHTS OF AMERICAN CITIZENS REPORT (1973). to provide guidance in the collection, maintenance, and dissemination of information. However, although widely referenced, the FIPPs have little binding effect except where they have been codified into a statute; in the United States, where privacy statutes are limited and largely industry dependent, the FIPPs remain more of a recommendation than an enforcement mechanism.11See, e.g., Privacy Act of 1974, 5 U.S.C. § 552a (2014); Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat 1848 (codified as amended in scattered sections of 18 U.S.C.).

Across the Atlantic, the European Union has recently taken a more rigorous stance on consumer consent. Its policy not only requires “unambiguous” consent, but also questions whether consent was “freely given” where consent is a condition to the terms of service, except where data processing is necessary for the service itself.12Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), art. 7, 2016 O.J. (L119) 32, 37. The new EU General Data Protection Regulation (GDPR) is garnering a lot of attention, indicating society may be beginning to shift the ways in which consumers, businesses, and regulations interact and enforce consent of data collection and dissemination.13 Sean Michael Kerner, HPE Explains What European GDPR Privacy Regulations Mean to US Firms, EWEEK (May 1, 2017), http://www.eweek.com/security/hpe-explains-what-european-gdpr-privacy-regulations-mean-to-u.s.-firms.

Today, most consumers have a general sense that data pertaining to them is collected but likely have little insight into the degree of information collected nor its uses and potential for abuse.14See ORC International, The Internet of Things: Lack of Consumers Knowledge May Impact Bottom Line, PR NEWSWIRE (Apr. 23, 2015, 10:43 AM) https://www.prnewswire.com/news-releases/the-internet-of-things-lack-of-consumer-knowledge-may-impact-bottom-line-300071286.html. As the IoT becomes more pervasive, regulators have an opportunity to consider placing more controls on data. However, these controls must consider the chilling effects that may stem from limiting the information a business can collect and the ways it can be used, or waiting for consumers to reach the limit at which they no longer impliedly consent to the collection of data and abstain from products that require too much exposure. Because consumers may be unaware of the types and depth of information collected, the duty likely falls on regulators to balance these tensions by placing stricter limits on the types and uses of information or to at least provide mechanisms that aid consumer awareness of the collection, use, and dissemination of data.