Smart Homes and Policy: Privacy, Data Use, and the Privacy Paradox

With the rapid rise of internet-connected smart devices, the data that these devices produce on their users has grown at an unprecedented scale. Providing valuable insights into the way that people live, work, and behave, questions also surround the collection, storage, and sharing of smart home data. Previous blogs in this series discussed the current state of the smart home industry, interoperability, and cybersecurity. This final blog will explore privacy and data use issues with consideration of current and potential privacy legislation and its potential impacts on the smart home industry.

Data Collection and Sharing

Today, many smart device manufacturers collect and store massive amounts of user data with little government oversight, and users lack clarity about what information is being collected and stored. Companies often accumulate these extensive collections of any data they can get, regardless of relevance, under the defense that the user data is necessary for making improvements to technologies used in the devices, like voice recognition. For example, there are many instances in which smart speakers actively recorded users’ conversations in their homes without the users’ unawareness or consent.

The data produced from smart homes is powerful not only because of its direct uses but also in the ways that it can interact with the other information gathered about users online. Tech companies have been creating increasingly comprehensive and detailed profiles for their users, spanning data from a multitude of different sources and often referred to as a form of “big data.” This is particularly relevant given the trend of tech companies expanding to offer multiple, wide-ranging products and services, which each produce their own unique forms of data. For example, when paired with movement patterns from a mapping app, purchase data from a shopping app, and search data from a search engine, smart home data could grant companies immense knowledge and power to predict and profit off users’ lives. Each of these additional sources increases the predictive power and accuracy of these profiles and the models that they power. While this data can be used in familiar cases like targeted advertising, recent years have also seen companies laying the groundwork for more sophisticated applications. A 2018 report described recent efforts by insurance companies to gather immense amounts of wide-ranging data on subjects like TV viewing habits, timeliness of rent payments, and online purchase histories to further optimize insurance rates and risk assessment. With an ever-growing amount of information being collected and analyzed, these applications seem poised to grow more common.

User Knowledge and the Privacy Paradox

For policymakers weighing regulation of the smart home industry, considerations over data collection are particularly relevant because of the privacy paradox or the dichotomy between people’s claimed interest in privacy and their actual actions to provide personal information. The term, coined in a 2007 research paper, states the privacy paradox is “the relationship between individuals’ intentions to disclose personal information and their actual personal information disclosure behaviors.” A more recent 2019 study found this dichotomy exists for smart devices in our own homes – among consumers who expressed they were “very concerned” about privacy issues on smart devices were only 16% less likely to own one than a member of the general public.

The gap between concern about smart device privacy and ownership may be due in part to the lack of knowledge that consumers have about the types of data and methods of data collection that companies perform. Many users lack information about or understanding of the way that smart devices work, leading to speculation about data use. Companies like Amazon and Google have worked to refute persistent rumors that their devices are listening to analyzing users’ conversations in order to target ads – this is a myth that has spread widely in recent years despite being largely disproven. For consumers who do want to learn more about the ways that smart home data is used, such information is frequently buried in lengthy and complex terms of service documents that require considerable technical expertise to fully grasp. Some companies allow consumers to request information collected about them, but this could take up to 12 months as regulated under the California Consumer Privacy Act (CCPA). In the absence of easily accessible information on the subject, potential buyers are often forced to depend on anecdotes, rumors, and marketing materials to make purchasing decisions that involve privacy.

Policy Considerations

Though Congress’s legislative actions on smart home privacy specifically have been limited to date, several other general privacy bills could have wide-ranging impacts on the industry. The most widely discussed privacy bill in recent years, the American Data Privacy and Protection Act (ADPPA), would establish several key privacy rights for Americans, including controls that allow for accessing, correcting, and deleting data, as well as requirements that firms only collect and transfer data that is “reasonably necessary and proportionate.” While not designed to target the smart home industry, many of the industry’s largest companies would likely be subject to the bill’s definition of covered entities. Other major privacy bills, like the Children and Teens’ Online Privacy Protection Act, impose limitations on the retention of data and require easy access to a privacy dashboard detailing how personal information is collected and used.

Despite industry led efforts to standardize privacy practices through the Matter standard, federal privacy law could supersede these standards and reshape the way that the smart home industry approaches data privacy and data usage. Requirements to make available and delete stored data could require significant investment and change the way that data is stored. Rather than collecting any available data, regardless of relevance, companies may be forced to reconsider whether the compliance costs associated with handling the data would make it worthwhile. As is the case with many policies introducing new compliance costs, the regulations could improve consumer privacy and knowledge but may also negatively impact innovation or the costs for new entrants.

Conclusion

As this and other blogs in the series have explored, the internet of things and smart homes provide exciting new opportunities and conveniences to users, but they also come with new risks and concerns. The data that smart homes produce is highly powerful and valuable, but the industry faces little regulation in the way of collection and use. As policymakers weigh privacy regulations – specific to smart devices and the digital world more broadly – they should keep in mind the impacts that such decisions can have on innovation and user privacy, particularly as these devices grow ever more common. Striking a proper balance between user protection and transparency while allowing for experimentation and innovation will be crucial for the long-term success of the market and allowing it to reach its full potential.