Federal Trade Commission (FTC) chairwoman Edith Ramirez’s remarks at the International Consumer Electronics Show on Tuesday signal that FTC may be paying increased attention to privacy and security issues in the mobile health industry.

The speech focused on how “the introduction of sensors and devices into currently intimate spaces – like our homes, cars, and even our bodies” results in increased data sensitivity and heightened challenges for consumer protection.  Those challenges, according to Ramirez, stem from three overarching issues: (1) ubiquitous data collection; (2) using data in ways consumers don’t expect (and the adverse consequences of such use); and (3) heightened security risks.

While FTC has been focused on consumer issues raised by the “Internet of Things” (IoT) era for quite some time, the examples cited by Ramirez suggest that e-health products are among the IoT applications of greatest salience when it comes to consumer protection.  She specifically called out smart glucose meters, heart monitors and health monitoring wearables in the speech.

Ramirez’s speech also offered a set of prescriptions for IoT product makers:

  • Security by design.  Mirroring FTC’s focus on “privacy by design”, Ramirez stressed that “security by design” must be given priority and incorporated into devices at the outset of product development.  She also cited the need to continue to monitor, test, troubleshoot and improve security features and to build in high-level security customer defaults.
  • Data minimization.  Companies were urged to minimize the data they collect, or delete it after its initial purpose has been served.  Rebuffing some of the claimed promises of big data, Ramirez “question[ed] the notion that we must put sensitive consumer data at risk on the off-chance a company might someday discover a valuable use for the information.”  Companies were further urged to de-identify the data that they do collect to the extent possible.
  • Notice and Choice for Unexpected Uses.  Ramirez cautioned against collecting types of data that consumers may not expect.  She advised that when unexpected kinds of data are collected, or when data is used for unexpected purposes, companies should give consumers (1) “clear and simple notice” and (2) a chance to opt out.  She also stressed that such notifications and opt-out functionalities should be separate from (and additional to) “lengthy” or complex privacy policies and terms of use.

FTC has indicated that Ramirez’s speech is meant to preview the guidance that will likely emerge from FTC’s forthcoming report on IoT.  The report follows from a workshop that FTC held to gather comment on IoT in November of 2013.  Read Covington’s takeaways from that workshop on our InsidePrivacy blog, and stay tuned: we will post an update on the contents of the IoT report when it is released.