How to Respect and Protect Your Users’ Privacy in the Internet of Things

A tech executive I know has his vacation home totally wired. Using his mobile phone, he can find out who’s arrived at the house, whether the boat’s at the dock, and even whether there are enough eggs in the refrigerator. He’s a guy who loves to play with gadgets and to be on the cutting edge of technology. Soon, with more connected products available off-the-shelf and simpler ways to connect them, this ability to draw information from a variety of internet-connected sensors, cameras and devices will be everyone’s expectation.

The so-called internet of things, or IoT, could have as great an impact on business and society as the original internet did, and we’re just beginning to get a glimpse of some of the surprising ways we’ll use it.

With these new opportunities comes the responsibility to protect consumer data and also to reassure customers. I may be willing to let my auto insurance company monitor my driving, for example, to make sure I’m not speeding or slamming on the brakes. But I want to be sure that it’s not also maintaining a database of all the places I’ve driven.

While government regulators and trade associations are still trying to keep up with privacy and security on the commercial internet, regulators are already taking a look at the internet of things. A presidential panel on big data and consumer privacy considered whether the current notice-and-consent data collection model works in today’s environment, where consumer data is shared among many entities.

In a recent talk, Federal Trade Commission Chairwoman Edith Ramirez said, “As an increasingly large number of things become ‘smart’ – our TVs, cars, and household appliances, to name just a few – even companies that seek to provide meaningful notice and choice may find it challenging to do so.”

Companies that don’t take steps now to ensure security and privacy of consumer data could face regulation and sanctions. Those that do will have a head start on delivering the personalized experiences all of us increasingly demand. Cisco says the IoT is a $14 trillion opportunity.

Here are the practices we recommend for maintaining consumer privacy and trust in an internet of things:

1. Implement a Seamless Sign-In Process

Enabling social sign-in allows your customers to log in with an already-trusted identity provider, making it more likely that they will register and connect your app, service or device with their existing identity. Most consumers actively manage their social identities — although they might not call it that — every day. By posting photos and messages about things that are relevant to them, as well as simply by liking or sharing, they’re building up what they feel are authentic personal profiles. They know that they can also reshape their profiles by deleting things from their timelines. They feel a high degree of confidence in their social media profiles, as they should. So they can feel confident that with social login, your company will see who they truly are.

2. Give Customers Options

Offer several options for connecting your product with a customer’s total identity, instead of limiting them to a single social network. We’re already seeing a rapid proliferation of new social networks and we’ll likely see many more that are more directly related to the IoT. As an example, we took a look at the registration and login process for Nest, the internet-connected thermostat. Nest has excellent brand recognition thanks to a strong advertising campaign and many positive mentions in the press. The company has chosen to only enable social logins through Facebook. While it’s likely that the early adopters of Nest’s technology have Facebook accounts, its new owner, Google, will want to offer more options, including, of course, its own Google+.

3. Communicate Your Commitment to Data Privacy

Notify your customers that you will protect their data privacy by stating clearly what you will do with the data collected by a device connected to the internet of things and how you will secure their data. For example, Preventice, maker of the BodyGuardian wearable device for people at risk of heart attack, clearly states its security strategies on its website.

A best practice is to display a pop-up or dialog box on the registration form that lists which data points you’ll collect. Do this whenever you ask for more information.

4. Offer Opportunities to Opt Out

Provide opportunities for opting out and for fine-tuning data collection, so that your customers can decide how closely your device or service embraces the internet of things. For example, consumer electronics manufacturer LG got dinged by a privacy expert last year for not making it clear enough that its smart TVs would track and transmit viewing information to company servers in order to make content recommendations. While the company did explain this and allow users to opt out from its Settings screen, it could have avoided the bad press and an investigation by a UK privacy commission by providing a link to this information at the bottom of its main screen.

The Rise of Customer Identities in the IoT

We saw one expansion of identity with the rise of the first social networks. Suddenly, everyone was findable in the digital realm. Consumer identities will expand even more as the products we use join our social circles. Smart companies that are ready to embrace these wider identities will get a warmer embrace from customers.

By Susan Kuchinskas
