On Monday the Federal Trade Commission announced a $2.2 million settlement with VIZIO, one of the world’s leading providers of smart TVs.  The deal settles charges by the FTC and New Jersey’s Attorney General that VIZIO collected data from 11 million consumer TVs, without consumers’ knowledge or consent.  According to the complaint, the secretly collected data included second-by-second viewing data and IP addresses, to which data aggregators added demographic information, including age, sex, income, marital status, household size, education, home ownership, and household value – a covert data cornucopia, tailor-made for targeted advertising.

But in her concurring opinion, Acting Chair Maureen Ohlhausen (recently appointed by President Trump to lead the FTC) signaled a retreat from FTC enforcement based on unfair practices.

So, while we’re watching our TVs, and our TVs are “watching” us, who’s watching out for our privacy & security interests with the Internet of Things?

The FTC filed suit against VIZIO under Section 5 of the FTC Act, which forbids unfair or deceptive practices in commerce.  According to the FTC’s complaint:

  • Since 2014, VIZIO’s smart TVs were loaded with Inscape Service’s proprietary ACR data collection software. The software was turned on by default, and consumers received no notice at purchase about the data collection.
  • Beginning in early February 2014, VIZIO also remotely installed this data-collecting software on previously sold TVs that did not originally have it.  On these TVs, a pop-up appeared for up to one minute, with no mention of the data collection, instead merely stating “The VIZIO Privacy Policy has changed. Smart Interactivity has been enabled on your TV, but you may disable it in the settings menu. See for more details.”
  • It was not until March 2016, after the FTC investigation was underway, that VIZIO enabled a second pop-up notice, with a 30-second timeout.  This pop-up mentioned collection of viewing data and referred consumers to the Settings Menu, which under “Smart Interactivity” simply stated “Enables program offers and suggestions.”

Under the settlement, VIZIO (including its data collection subsidiary Inscape) also agreed to (1) prominently disclose its data collection practices and obtain affirmative consumer consent, (2) destroy the previously collected data (absent consumer consent), and (3) establish a comprehensive privacy program.

So … problem solved, right?  Not so fast.

Monetizing the data collected from Internet of Things consumer goods remains big business, especially in consumer product segments like TV sales.  Data collection offers the allure of revived profit margins, increasingly squeezed out of the commoditized manufacturing business for consumer products.  Just last year, California-based VIZIO agreed to be acquired by Chinese electronics company LeEco for $2 billion.  That deal is still pending.  Notably, VIZIO’s founder William Wang is to become Chairman and CEO of the spin-off company Inscape, to “focus on the continued expansion and growth of the brand’s data business.”  It’s only natural that the providers of IoT consumer devices, from TVs to toasters, will continue to be motivated to collect our data and make their money.

In her concurring opinion to the FTC’s approval of the VIZIO settlement, newly designated Acting Chair Ohlhausen agreed on “deception” but put the brakes on “unfairness.”  The FTC Act requires a showing of “substantial injury” to support a charge of unfair practices forbidden by FTC Act Section 5. Expressing doubt that “granular (household or individual) television viewing activity is sensitive information”, Acting Chair Ohlhausen stated that “[t]his case demonstrates the need for the FTC to examine more rigorously what constitutes ‘substantial injury’ in the context of information about consumers.”  She added “in the coming weeks I will launch an effort to examine this important issue further.”

This portends a retreat from the FTC’s efforts in recent years to enforce consumer privacy and security under the unfairness prong of FTC Act Section 5.  At a policy level, this would mean that the focus will be on requiring adequate notice to consumers, without deception, and then the consumer decides.

Choice is a beautiful thing, and focusing privacy and security enforcement on deception rather than unfairness certainly can be seen as fostering consumer choice.  There’s just one small problem – we, as consumers, have to wake up, pay attention, and actually make those choices.

Because under this approach, the answer to the question of who’s watching out for our privacy and security interests is simple.  It’s us.