We welcome guest blogger Anastasia Gubanova! More about her below.
The Internet of Things (IoT) is a fast-growing network of Internet-connected sensors attached to billions of “things.” It allows collection of huge amounts of personally identifiable information (such as an individual’s precise location and social interactions) that can be used not only to personalize IoT products and services, but also to profile the customer and to serve new and different purposes. Most of the personal data are generated by smart devices in moments or circumstances where users do not expect the data to be collected, making it impossible for them to authorize or prohibit collection or processing of their personal data.
Personal data protection laws are currently inadequate to deal with unauthorized collection and use of data. For more than a decade, the most common approach to regulation of the IoT has been the “notice and consent” model. This model assumes that privacy policies give a consumer sufficient opportunity to control the use of his or her personal data by third parties. The predominance of this approach stemmed from the inconvenience of other options, such as expensive “privacy by design,” which requires that privacy be taken into account throughout the whole engineering process.
The existing laws regulating privacy issues through “notice and consent,” including the FTC Act and the EU Directive 95/46/EC, presume that people actively volunteer all personal information. They fail to address the situation where huge amounts of data are passively generated by IoT devices, making it difficult to apply notice and consent requirements. As an alternative, some scholars suggest shifting the focus from limiting the collection of data through consent requirements to controlling data at the moment when it is used. The use-based approach has recently been supported by the Obama administration in its 2015 Big Data report and by many large IoT players, such as AT&T, General Electric, Intel Corporation, and Oracle Corporation. It represents a reasonable solution in light of expanding IoT and wearable technologies, for which giving notice and obtaining consent to data collection is not feasible.
See Daniel J. Solove, “Privacy Self-Management and the Consent Dilemma,” 126 HARV. L. REV. (2013), p. 1880.
See M. Ryan Calo, “Code, Nudge, or Notice?” Legal Studies Research Paper No. 2013-04, 99 Iowa L. Rev. (2014), p. 788.
See 15 U.S.C. §§ 45(a)(1) and (2) (2012), available at https://www.law.cornell.edu/uscode/text/15/45
See World Economic Forum (WEF) prepared in collaboration with Kearney, A.T., “Rethinking Personal Data: A New Lens for Strengthening Trust” (May 2014), p. 16, available at http://www3.weforum.org/docs/WEF_RethinkingPersonalData_ANewLens_Report_2014.pdf
See Craig Mundie, “Privacy Pragmatism: Focus on Data Use, Not Data Collection,” Foreign Affairs (2014), p. 29, available at https://www.foreignaffairs.com/articles/2014-02-12/privacy-pragmatism
See Letter from Daniel W. Caprio, Jr., Senior Strategic Advisor, Transatlantic Computing Continuum Policy Alliance, to Donald S. Clark and FTC (January 10, 2014), available at https://www.ftc.gov/sites/default/files/documents/public_comments/2014/01/00017-88305.pdf
See Jill Valenstein, “Will Individual Notice and Consent Become a Relic of the Past? The White House Report on Big Data Suggests Privacy Regulation Should Focus on Data Use, Rather Than Data Collection,” Privacy & Security Law Blog (May 20, 2014), available at http://www.privsecblog.com/2014/05/articles/marketing-and-consumer-privacy/will-individual-notice-and-consent-become-a-relic-of-the-past-the-white-house-report-on-big-data-suggests-privacy-regulation-should-focus-on-data-use-rather-than-data-collection/