On May 16, 2018, the Consumer Product Safety Commission (CPSC) will hold a public hearing on the Internet of Things (IoT) and consumer product hazards. The CPSC has previously voiced concern about (or, at least, the need to evaluate) the harms IoT technology and smart products may cause to consumers.

In 2016, former Chairman Kaye asked “CPSC technical, compliance, and information technology staff to research what new and potential consumer products may become available, or gain wider use, in the next 3 to 5 years, and to identify potentially new, increased, or decreased consumer hazards associated with these emerging technologies.” The result of that project was published in a January 2017 staff report, Potential Hazards Associated with Emerging and Future Technologies, which discussed the possible harms from IoT products. In the summer of 2017, Commissioner Robinson traveled to Israel to discuss with academic experts, business leaders, and industry stakeholders the “many possible consumer product safety consequences to new, innovative, and technologically advanced products” including smart technology. Her goal was to inspire Israeli scientists and technologists to find technical solutions for many of the emerging product safety hazards resulting from IoT and smart technology. In February 2018 at both the International Consumer Product Safety and Health Organization’s Annual Symposium and The New York Toy Fair, Acting Chairwoman Buerkle further reiterated the CPSC’s commitment to figuring out solutions to the potential hazards that connected products bring to the marketplace by working with CPSC stakeholders.

This upcoming hearing presents an opportunity for all stakeholders to help shape CPSC’s policy related to IoT and smart technology products. CPSC has broad jurisdiction over 15,000 product lines, including toys, cribs, power tools, ATVs, cigarette lighters, small appliances, furniture, electronics, and household products. For companies that sell, manufacture, or import consumer products connected to the Internet, the CPSC is requesting your direct input in this process. CPSC views concerns related to consumer products with IoT capability in two categories:

  1. prevention or elimination of hazardous conditions inherent in product design, such as high-risk remote operation or network-enabled control of a product; and
  2. prevention of incidents of hazardization, the situation created when a safely designed product becomes unsafe when connected to a network through exposure to potentially manipulated operational code.

Hazardization can result from remote operation of the product, unexpected operating conditions, loss of a safety function, or an intended product capability failure. CPSC has explicitly stated that it does not “consider personal data security and privacy issues related to IoT devices to be consumer product hazards” under the CPSC’s current framework. Stakeholders may, however, have information on how data security and privacy issues cross over into product safety issues in certain circumstances, such as when the absence of data security makes a device prone to hazardization. Such information will be critically important to the CPSC when it is formulating policy on IoT products.

The CPSC has identified the prevention of these concerns and has published an extensive list of questions addressing IoT and connected consumer product issues for which it would like stakeholder input. Questions include:

  • identifying the type and scope of potential safety hazards;
  • discussing the viability of voluntary standards and safety regulations; and
  • addressing whether controls or supervisory systems could mitigate potential hazards.

(For the full list of questions, please see the Federal Register notice.)

This IoT hearing will follow the CPSC’s Agenda and Priorities Hearing happening next week and underscores Acting Chairwoman Buerkle’s commitment to increasing CPSC’s engagement with the broad stakeholder community, particularly on the potential safety issues presented with IoT technology and connected devices. Because IoT technology involves many new stakeholders, input from all parties is important at this upcoming hearing. For example, IT hardware designers, software developers, application generators, network security experts, and third-party programmers are just as important to this conversation as more traditional CPSC stakeholders (e.g., government agencies, trade associations, manufacturers, retailers, importers, consumer activists, consumers, voluntary standards organizations, and academics).

Additionally, many organizations and government agencies (FTC, NIST, state agencies, and others) are discussing their own policies when it comes to connected devices and smart technology. It is, however, important to understand that when it comes to IoT technology, the CPSC is the only agency with the authority to recall a dangerous or defective connected consumer product.

So, if you are a company that has spent millions (and maybe billions) of dollars on designing and developing connected products, and creating systems of robust data privacy and security around these products, the network, and the performance of the products, this hearing is an opportunity to showcase best practices around safe IoT products to ensure you are setting the minimum bar for this marketplace. If your organization is developing IoT certification programs around product safety, this hearing is also an opportunity to provide the CPSC with insight into how such programs would work and lead to safer products. There are many other stakeholders that should also participate in this hearing to ensure that the wrong policy decisions, misguided approaches, or ill-informed CPSC guidance do not result from CPSC’s attempt to solve issues around IoT consumer products.

Venable has a team of attorneys dedicated to consumer protection issues, including those policy issues related to the data security and privacy of connected products. Companies will need to integrate their IoT product safety approach with their current data privacy and security policies to ensure consistent compliance with all potential requirements. If you have further questions, please contact Venable’s consumer product safety team.

The details for CPSC’s hearing are below:

What: The Internet of Things and Consumer Product Hazards – Public Hearing
When: May 16, 2018 at 10 a.m.
Where: CPSC Headquarters
Hearing Room, 4th Floor of the Bethesda Towers Building
4330 East-West Highway
Bethesda, MD 20814
Deadlines: Requests to make oral presentations and the written text of any oral presentations must be received by the Office of the Secretary not later than 5 p.m. on May 2, 2018.
The Commission will accept written comments, as well, through June 15, 2018.