Robust conversations about IoT, smart technology, and product safety continue across the federal government. On May 16, 2018, the Consumer Product Safety Commission (CPSC) held a public hearing on the Internet of Things (IoT) and consumer product hazards. (See previous related blog posts here and here about the hearing.)
On June 13, the House Energy and Commerce Committee’s Subcommittee on Digital Commerce and Consumer Protection (SDCCP) voted to send H.R. 6032, the State of Modern Application, Research, and Trends of IoT Act (SMART IoT Act), to the full committee for consideration. The SMART IoT Act directs the Secretary of Commerce to conduct a study on the state of the internet-connected devices industry and is authored by SDCCP Chairman Latta and Rep. Peter Welch. It will be interesting to see whether or how quickly the SMART IoT Act actually becomes a law. Smart IoT technology is one of the hottest topics these days other than blockchain and bitcoin. Many different stakeholders have vested interests in how the government chooses to engage on this issue. The SMART IoT Act is a first step for Congress to actively engage and survey the federal government on this issue.
Just two days later, FTC filed a public comment with the CPSC on the same issue as a follow-up to CPSC’s hearing on May 16th referenced above and its Federal Register notice seeking written comments on smart IoT technology and product hazards. The FTC voted 5-0 to authorize staff to file the comment. FTC’s Bureau of Consumer Protection (BCP) authored the comment, which
- “warned that poorly secured Internet of Things (IoT) devices could pose a consumer safety hazard … outlined ways to mitigate such risks”;
- “outlined the FTC’s education and enforcement work related to device and information security particularly as it relates to IoT”;
- “recommend[ed] that the CPSC consider how companies might provide consumers with the opportunity to sign up for communications about safety notifications and recalls for IoT devices”;
- “suggest[ed] that the CPSC use a technology-neutral approach that is sufficiently flexible so that it does not become obsolete as technology changes”; and
- “recommend[ed] that the CPSC should consider requiring manufacturers to publicly set forth the standards to which they adhere … as well as allow the FTC to exercise its authority under the FTC Act against companies that misrepresent their security practices in their certifications.”
Clearly safety, privacy and security issues related to smart IoT technology are not going away anytime soon. Stakeholders, including but not limited to product manufacturers and software designers, should be alerted to the issues associated with the IoT, keeping in mind the apparent desire by some government agencies to quickly intervene to regulate. A first step is to consult previous FTC guidance, which provides sound advice about getting ahead of these issues. Consulting with experts, effectively communicating with pertinent internal divisions, updating security procedures, engaging with consumers, and monitoring national and international IoT voluntary standards and discussions are all good points of advice pending definitive consensus about how to address the risks associated with emerging technologies.
Additionally, stakeholders will need to start evaluating their certification requirements for IoT devices, and consider potential product label changes that either describe these standards and/or the IoT risks in more detail.
With new and emerging technology such as IoT, it only makes sense that FTC, FDA, NHTSA, NIST and others coordinate approaches to streamline the compliance process. But stakeholders should not wait until a final consensus is reached, as IoT risks are upon us now, and it is now clear that they’re not going away anytime soon.