Internet-enabled sex toy maker falls foul of data privacy laws to the tune of $10,000 per customer
A $3.75m fine has been handed down to the Canadian parent company, Standard Innovation, for secretly gathering personal information from users of the We-Vibe smart vibrator. This case highlights the risks for businesses and customers associated with big data and the increasing inter-connectivity of our devices, known as the 'Internet of Things'.
Interestingly, the issues in this case were first exposed at the Def Con 24 hacking conference in Las Vegas, at which hackers demonstrated the ability both to intercept data and to remotely control Standard Innovation's products.
Customers responded with a lawsuit, alleging that they were unaware that, whilst they were using the product, it was recording intimate details of their usage through a connected smartphone linked to their email account. The company stated that data was being gathered for diagnostic purposes; however, the settlement in this case should serve as a warning to businesses that the protection afforded by the laws applies regardless of the channel through which they obtain data.
The ease with which data can be captured, stored and analysed makes it a commodity and gives it an intrinsic value as a unique business asset. The growth in wearable technology, diet and activity-logging apps, and connected devices enables businesses to capture data, often without the user having to actively record it. Businesses can often find a market to sell this data on to other related companies without the real knowledge or consent of the original user. But where data relates to identifiable individuals, it must only be used in accordance with data protection legislation.
What we can learn from this headline-grabbing example is the need for sufficient controls to be put in place to ensure that data is appropriately and sensitively collected, in a manner that enables users to understand what they are signing up to.
Under the UK Data Protection Act, the collection and use of personal data needs to be fair and lawful; the Act sets out specific grounds for collecting data, and requires that data uses are limited to those the user would reasonably expect from the information that has been given. The existing rules will be significantly tightened from May 2018, when the long-awaited European-wide General Data Protection Regulation comes into effect – promoting greater transparency for individuals about how organisations are using their personal data. Under the new GDPR the financial consequences of exercising poor data management and control will be much more severe than under the current regime.
For guidance on applying the new General Data Protection Regulation to the data collection processes in your business, please contact Liz Bell.