Skip to main content

Commitment to Protection of User Data Essential To Consumer Adoption of IoT Devices – Three Things to Know about the New Hampshire Amazon Echo Case

Recently, Amazon refused (registration required) to provide data from an Amazon Echo device in a case involving the a double homicide in response to an order issued by a New Hampshire state judge.  Prosecutors believe that the Echo may have recorded data relevant to the crime; a potential perpetrator has already been charged.  Per a statement released November 20th, Amazon has stated that it “it “will not release customer information without a valid and binding legal demand properly served on us.”   New Hampshire does not provide electronic access to court records, so it is not known as of this post whether Amazon has been served with the court order and complied.  The order was signed by Justice Steven Houran on November 5. 

As we have discussed, CA recently passed legislation requiring manufacturers of connected devices, often referred to as Internet of Things (“IoT”) devices, to equip these devices with reasonable security feature(s) that are “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, [and] designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”  California’s legislature has apparently recognized that providing security for these devices needs to be a priority to protect consumers. 

Companies such as Amazon depend on consumers being willing to purchase and allow IoT devices such as Amazon’s Echo into their homes and their lives.  Consumers, in the aggregate, will likely only be willing to allow these devices into their homes if they trust that the company behind the device will provide protection their data that they feel comfortable with. 

Companies that wish to build and maintain this trust with consumers will need to ensure that they go beyond the barebones legal requirements and convince consumers through their corporate actions that they take privacy and data protection seriously.  This will involve implementing a comprehensive privacy and data security program that includes at least the three parts below.   

  1. Posting and Complying with Their Own Privacy Policy the IoT Device

Privacy policies are required in many cases where devices collect personally identifiable information, including under California law.  However, beyond the obvious legal implications of posting and complying with your own privacy policy, consumers may be less likely to use IoT devices from companies that have a demonstrable record of not living up to their own privacy commitments. 

  1. Provide Appropriate Security for the IoT Device

As outlined above, appropriate security for the IoT Device will be a legal requirement under California law.  Even so, device companies that are serious about large-scale adoption need to think beyond just the risk of legal enforcement.  How likely are consumers to introduce an IoT device that has access to their sensitive data, and could, for example, record audio or video of their daily activities, if they feel company is not serious about providing security measures to prevent unauthorized access? 

  1. Protecting Data Collected by the IoT Device Against Improper Use Or Request By Third Parties

This requirement goes beyond complying with a posted privacy policy or providing reasonable technological security measures – when push comes to shove, is the company providing sensitive data collected by the IoT device to third parties in ways that would concern consumers?  Here, Amazon is objecting to an order that it does not consider to be a “valid and binding legal demand” to turn over user data.  Whether that is legally sound, is not a point of examination for this post.  Consumers will want the security of knowing that not only will an entity comply with its own policies and provide reasonable technical security – the entity will not just hand over their sensitive data to third parties when a request is made unless it is required to do so.  By being willing to object to this demand, Amazon is arguably demonstrating that it takes user privacy seriously. 

If you have any questions as to how your entity could build and implement an effective privacy and data security program, please do not hesitate to contact the team at Mintz

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.