How the Internet of Things Is Grappling With Protecting Consumers as Privacy Laws Evolve

The world of IoT is now facing real business consequences if it mishandles personal information

With GDPR and looming privacy laws in America, the Internet of Things must rapidly adapt.

Mark Sorsa-Leslie feels fortunate that the internet-connected device he started designing in 2016 was built to comply with stringent privacy requirements set by the U.K.’s National Health Service. Two years later, as privacy rules tighten, he says his Internet of Things (IoT) device is well-positioned to comply with the European Union’s General Data Protection Regulation (GDPR).

Whether for consumer use or for commercial or government applications, interest in obtaining and installing connected devices has exploded. By 2019, about 14.2 billion connected devices are expected to be in use around the world, according to the research and insights company Gartner; nearly double that—about 25 billion—are expected to be plugged in by 2021. While some IoT devices have in the past faced scrutiny over lax security protocols, privacy regulations like GDPR or similar rules being drafted in the U.S. mean that the massive and largely unregulated world of IoT is now facing real business consequences if it mishandles personal data.

Sorsa-Leslie is the co-founder of Beringar, a smart building sensor that helps companies and organizations use space by calculating information like occupancy levels and foot-traffic patterns. Beringar sensors, which the NHS is using in its buildings, capture information about the movement of people and objects in and out of rooms, data that is processed remotely on their devices before being transmitted over a wireless connection for further analysis. Being able to transmit information while respecting a private and sensitive setting like a doctor’s office is crucial, Sorsa-Leslie said.

Beringar says it doesn’t collect any personal data through its system, but the same can’t be said for all of the billions of connected devices around the world that are growing in popularity each year.

“A lot of companies who thought they were coming up with these groundbreaking whiz-bang devices are running into all of these challenges they never really imagined,” said Tim Panagos, CTO of Microshare, a data leveraging platform for IoT companies. “They spent their time worrying about power consumption and radio selection, which is all important, but it’s very far removed from whether somebody would have a right to be forgotten, and how that applies to the data they’re collecting.”

And connected devices create data—loads of it.

“Tracking a [connected] vehicle implicitly tracks its driver, and monitoring equipment behavior and usage may implicitly collect data about the equipment operator,” Gartner analyst Nick Jones explained. “… Even relatively simple devices like smart lightbulbs and the apps that control them may collect personally identifiable data.”

While the types of data vary, they’re a key part of some IoT companies’ business models. More than a third of IoT companies surveyed by Gartner in 2017 said they were selling or planned to sell data collected from the devices and services. This adds another layer of complexity when it comes to tracking and deleting data originating from IoT devices.

Some IoT companies, like Beringar, have dodged the issue of obtaining consent to use personal data—a key component of GDPR—by nixing personal data collection altogether. Other IoT devices are designed explicitly to collect personal information—think wearable fitness devices—and are getting consumers’ permission to collect their data. Companies that don’t have a simple consumer-facing interface but do collect personal information may find themselves in a bind, Jones said.

Under GDPR, individuals own the data that they create, not the companies that collect it. While those same constraints don’t apply to companies doing business in the U.S., that could soon change if stateside federal privacy regulations take cues about data ownership from GDPR. Obtaining consent, too, can be easier said than done. How does a device recognize when different people are providing the data it is collecting? Or how does a device gain consent from everyone in a room? Companies are still grappling with those problems.

“In IoT, the world changes around the devices in a way that makes it dynamic in terms of determining whose behavior are you sensing at any point in time,” Panagos said.

Like it or not, IoT suppliers need to adjust to a new way of thinking about who owns data streaming in from connected devices, Sorsa-Leslie said.

“Be prepared for a lot more scrutiny on what you do with the data, what the data looks like and where you’re keeping it,” Sorsa-Leslie said. “Be prepared to think about how you treat data that you may have previously considered your property, because ultimately, the custodianship of data is changing.”

This story first appeared in the Jan. 7, 2019, issue of Adweek magazine.

@kelseymsutton Kelsey Sutton is the streaming editor at Adweek, where she covers the business of streaming television.
Publish date: January 8, 2019