Data Privacy in the Era of Smart Devices and Wearables
For several years now, business leaders far and wide have acknowledged the primacy of data as the 21st-century currency of the global economy. However, the concept of data ownership still presents a thorny legal and ethical quandary that has no easy answer. This is especially true as it pertains to the voluminous data produced by consumer-owned wearables and other smart devices. For the businesses behind those devices, user data is a commodity that, once properly de-identified and anonymized, may be worth many times the value of the sales revenue generated by the devices themselves. The users, on the other hand, must contend with the very real threats to their privacy created by that data collection. They must also do adequate due diligence to try and make sure their data remains protected by the entity in possession of it.
The problem is the average wearable or smart device end-user may not know anywhere near enough about the topic of data privacy to protect themselves. To do it, they must understand the various types of data collected by such devices, who might have access to it, and how the data gets stored. Plus, they need to contextualize that information with an understanding of the privacy risks involved, the current and future regulatory environment pertaining to it, and what, if any, control they presently have over their data. It is a broad topic that requires hours of careful study to fully comprehend. This article discusses data privacy in the era of smart devices and wearables and offers concise answers to some of those questions.
Is Data Privacy a Concern for the Average User?
There is no easy way to fully summarize all the reasons that an average user should worry about the privacy of their data. The reason is that the privacy threats which apply to individual users are nebulous and sometimes a few steps removed from them. However, those threats are both real and persistent.
Consider, for example, a recent incident where cybersecurity researchers found and accessed a database containing over 60 million records belonging to users of various fitness tracker wearables. The records had various data points about each user, including their location, names, dates of birth, and other biometric data.
The most troubling aspect of the incident, however, is that the database belonged to a company called GetHealth—and not the wearable companies that originally collected the data. That illustrates how far custody of such user data may spread beyond where consumers believed it would. It also highlights the mistaken belief on the part of consumers that data collected by a health-oriented wearable would fall under the protection of regulations like PIPEDA and equivalent legislation around the world.
What Kinds of Data Do Wearables and Smart Devices Collect?
The sheer number and variety of wearables and smart devices on the market defies a simple answer as to the types of user data getting collected. However, broadly speaking, most such devices collect data that falls into the following categories:
- Location data
- Personally identifiable data like names, birthdates, and addresses
- Biometric information
- Personal preferences and habit data
- Sleep and daily activity patterns
- Purchase patterns
- Financial data
The scope of the data that people hand over to the technology firms behind wearables and smart devices is massive. In most cases, the data contains enough detail to construct a comprehensive lifestyle profile of a given user. In the hands of advertisers and marketers, the data could inform a slew of highly targeted ads and other offers aimed at end users. In the hands of a cybercriminal—it is often enough to facilitate identity theft and other types of fraud.
How Users Can Protect Their Data
Fortunately, end users do have some control over the data collected by the vast majority of wearables and smart devices. Although the level of control does vary from device to device, there are a set of best practices that broadly serve to help users protect their data.
1. Explore and Activate Privacy Controls
On most data-collecting connected devices, there are user-customizable privacy settings. Depending on the device, users may have the option of altering how much data their device collects and whom it gets shared with. For example, most wearables allow users to disable social sharing features, and many even provide some level of third-party data sharing limitations.
2. Read and Understand Privacy Policies
Although end users may not have complete control of the personal data collected by their wearables and smart devices, the law generally requires manufacturers to disclose what types of data they collect and who they might share it with. That information is always contained within the company’s privacy policy—albeit couched in a thick layer of legalese. End users need to take the time to read and comprehend the privacy policies that apply to their devices. Additionally, they should contact device manufacturers for clarification of details in the policies that are not immediately clear.
3. Physically Secure All Devices
It is also a good idea to set strong passwords and enable two-factor authentication on all wearables and other smart devices. That can prevent data theft in case of loss or theft. It is also a good idea to enable automatic security updates, where available, on all devices. Doing so reduces the odds of the device experiencing a security breach that may put user data at risk. Users should also take care to wipe all disused devices to prevent subsequent owners from gaining access to stored data.
The Future of Data Privacy Regulations
At the time of this writing, the regulatory authority that encompasses data collected by wearables and smart devices remains in flux. Current laws broadly require that businesses obtain informed consent from end users before any significant data collection. However, the rules that impose those requirements stem largely from legacy privacy legislation that never contemplated the widespread data collection we now see today.
There is an effort underway throughout Canada and elsewhere in the world to modernize data privacy laws to reflect today’s digital data realities. Here, multiple legislative efforts are moving forward at both the federal and provincial levels that aim to enhance both the security of users’ data as well as their rights regarding it. Collectively, such legislation should end up giving users various new rights, including the right to be forgotten—meaning total removal from search indexes—and the right to demand the deletion of their stored data at will, among other things. Together, the new data privacy laws should bring regulations much more in line with the needs of citizens and give businesses a solid framework within which to operate.
A Complex and Ever-Changing Subject
Currently, businesses have somewhat free rein concerning how and where they use some user data they collect. Users do, however, have some control over their data, though those controls are not uniform. As a result, legislators are pursuing various regulatory solutions aimed at standardizing user data rights and business responsibilities on the subject. For now, the topic remains complex and very much in flux from one jurisdiction to the next.
Fortunately, Outsource IT can help businesses make sense of their obligations and technical requirements with respect to user data. Our experts understand the intricacies of multiple data compliance schemes and know how to assist businesses in meeting them. For help, they need only contact one of our expert account managers to discuss their business needs.
