Even the White House is on it

Data privacy isn’t dead with the internet of things, just different

Stay on Top of Enterprise Technology Trends

Get updates impacting your industry from our GigaOm Research Community
Join the Community!

Even as websites, wearable computers and, increasingly, every piece of technology we touch gathers and analyzes our data, there’s still hope that privacy will survive. Making that case, however, might mean working from a different definition of privacy than we’re used to.

One cold, hard fact about data privacy is that the data-collection ship sailed long ago, never to return. With limited exceptions, consumers can’t really stop tech companies from collecting data about them. When we log into web services, make phone calls, play our favorite apps or buy the latest in connected jewelry, we’re giving those companies the right to collect just about whatever information they please about who we are and how we use their products.

The situation isn’t wholly good or bad — data analysis is behind lots of user experience improvements as well as targeted ads, for example —  but understanding it is critical to understanding what the future of data privacy might look like. There’s not much point in debating what companies can or should collect (because doing so is too easy and regulating it is so hard), but there is an opportunity to put some limits on what companies do with data once they have it.

This why the White House, as part of its new consumer privacy push unveiled on Monday morning, is talking about how student data is used and smart grid data is secured rather than what’s collected. It’s why Federal Trade Commission chairperson Edith Ramirez, speaking about the internet of things at last week’s Consumer Electronics Show, spoke about how long companies should store user data and not whether they should collect it.

The internet of things, in fact, is a prime example of why we’ll probably never be able to put a lid on data collection: because many people actually crave it. The whole point of connected devices is that they collect our data and do something with it, presumably something that users view as beneficial. If I love my fitness tracker or my smart thermostat, I can’t really be upset that it’s sucking up my data.

What I can be upset about, however, is when the company does something unethical or negligent with my data, or something I didn’t agree to (at least constructively) in the privacy policy. It seems this is where a lot of regulatory energy is now being spent, and that’s probably a good thing. (We’ll also delve into this topic at our Structure Data conference in March, with FTC Commissioner Julie Brill.)

Even if it’s forced on them, companies selling connected devices need a framework for thinking of user data not just as a valuable resource, but also as something over which they’re the stewards. Collect the data, analyze it, make your money — the whole industry is predicated on these things. But know there will be penalties in place if you do something bad, or even just stupid.

The August lock.
The August lock.

Of course, the devil here will be in the details. What constitutes an acceptable use, security protocol or retention period could vary widely based on industry, company, product, cost or any other of a number of variables. A connected car is not a fitness tracker. A smart door lock is not a connected toothbrush.

But hopefully, the attention the internet of things is getting early on means lawmakers and regulators will be able to come up with some workable, flexible and relatively future-proof rules sooner rather that later. The last thing we want — especially when dealing with data about our physical-world activity — is a repeat of the web, where it’s 25 years later and we still haven’t figured out what privacy means.

7 Responses to “Data privacy isn’t dead with the internet of things, just different”

  1. Peter Fretty

    Privacy and security should not be allowed slip as a result of a tech evolution. This is really where data governance needs to come into play. Obviously, privacy may need to evolve slightly, but that doesn’t need to mean it lessens. Customer data is one of the most valuable assets any organization can possess — that needs to become central in strategy development.

    Peter Fretty, IDG blogger working on behalf of SAS.

  2. Steve Dallas

    This article sounds like a love letter to Big Brother. Of course data collection should be regulated and restricted when prudent. Apathy is certainly not the answer.

    • Derrick Harris

      It’s very difficult to regulate data collection, especially in a free market with freedom of contract. What’s more, much of what companies collect is arguably necessary for business or product purposes. I think the biggest issue is when that stuff is used for other purposes, sold, retained for too long, etc.

  3. asharbaig

    Data privacy is one of the biggest concerns and obstacles to the wide adoption of IoT. Who has access to your data? What can they do with it, Who can they share it with? are the questions that we need to address before IoT becomes mainstream.

  4. MedicalQuack

    I’m a big privacy advocate and former developer and data base person so I watch and know the mechancis here and this is a big deal. I have campaign to where all data sellers should be licensed. Why? So we know who they are. Nothing wrong with transparency and as my data and yours is resold and repackaged with errors, you have no way to find sometimes where the source is to even correct.


    Granted, none of us minded too much when this was done just for better ads but it’s not that anymore at all, it’s all about selling data for money. I read recently the market, and this doesn’t even include banks at all was around $165 billion made a year, selling data. Now I just received a call from an offshore marketing business, you could tell the caller was from Asia by the accent, and they wanted to talk to me about a clinical trial.

    This was not a bolt out of the blue call as they had my name and said they were calling me about this trial as they saw I have been taking blood thinners. Houston, we have a problem, I have never taken blood thinners and before I could get more information the caller was off the phone quickly. This is the danger and it’s happening more and more. So where this pop up next? Where do I have to go to fix it? I don’t know. So it hangs around on data files, flawed as heck, and I’m stuck with this and it may deny me access to something too.

    This is why we need to license data sellers as who are they? What kind of data do they sell and to what kinds of clients. It’s a big secret and thinking as the White House did today asking companies to voluntarily be careful with consumer data is like asking stock brokers to self regulate. We need an index on who they all are and that’s why privacy doesn’t work as far as any progress. It’s a joke with the nutty lawyers that think their legal verbiage can have impact on the code and algorithms that do all of this. So far all lawyers have accomplished with privacy are complex privacy statements on web sites that even they can’t understand, much less us.

    Check out Argus selling your credit card transactions that are scored to health insurers, banks and yes even to the government at the CFPB…another lawyer at the helm there too, Richard Cordary.


    How about this software that insures use to evaluate your state of mind while you are on the phone with them at their call centers, and yes this gets scored and sold too.


    Consumers need a look up as the flawed data is growing and they don’t care as flawed data gets the same price as good data.

  5. The whole idea of companies being “stewards” of this sort of data is ludicrous.

    Companies collecting personal data, especially American companies, have shown over and over that they consider my personal data to be theirs to abuse.

    This “Internet of things”, much of it rather ridiculous, is a slippery slope into a hole from which we won’t be able to extract ourselves when it turns bad.

    But nobody cares, if one gets a bit of frivolous convenience.

    • The EU is so far ahead and proactive regarding this issue. Before they’ll let companies (and governments) collect and have access to, for example, smart thermostat or power-consumption data, they are carefully defining what information is relevant and necessary, and how long data controllers can retain it. (Violation of data-protection laws in most EU countries is a criminal, not a civil, issue.)

      The EU has outlined how careful analyses of home smart data can map out a household’s daily routine, the number of people in the house, when they are active and what they are doing at any particular time. This is possible because each electrical device has a device-specific signature. These can be compiled into scary diaries of what we do privately inside our homes.

      Like anything on the Internet, once that data is in the wild, regardless of who is the “steward”, it’s fair game for anyone to seek and capture.