AI, IoT and Consumer Privacy

Lawson Richard headshotThe Internet of Things and artificial intelligence are developing at a rapid pace, opening up new pathways for retailers to engage with consumers. However, retailers must be mindful of how consumer privacy laws are enforced by the Federal Trade Commission and state attorneys general. By Richard Lawson, partner at Manatt, Phelps & Phillips LLP


It has been estimated that 80 percent of the world’s data has been created in the past two years, and by all reasonable measures, we are only just getting started. Already, 2.5 billion gigabytes of data are generated per day. To give some context, a review of one gigabyte of emails is estimated to take about 500 man hours. Accordingly, a review of 2.5 billion gigabytes of data would take countless lifetimes.

Further, this number is set to explode in the next few years as the Internet of Things (“IoT”) takes off, with estimates running from 20 billion connected devices on the low end to 50 billion on the high end, each generating yet more data. This deluge will be simply unintelligible without the addition of artificial intelligence (“AI”). The combination of AI and IoT will affect the consumer experience in degrees that make the past few decades of technological innovation pale by comparison.

Already in health care, AI has increased life expectancies beyond the ability of the best doctors acting just a few years ago. In transportation, AI is the heart of autonomous vehicles which promise to save lives and decrease commute times. In the home, AI and IoT provide consumers with seamless conveniences and efficiencies, from sensors detecting when you need more milk to reducing costs for heating and cooling.

New Technology, Old Regulations

For all the new opportunities present in these three areas of the consumer experience – and for all the opportunity this creates for retailers to engage with consumers – it is important to remember these ‘new vintages’ of data will be poured into the relatively old and established ‘bottle’ of consumer privacy law, enforced with equal vigilance by the Federal Trade Commission (“FTC”) and state attorneys general (“AGs”).

The FTC and AGs have been engaged in privacy matters in the digital space for roughly 20 years. Yet the structure of these enforcement efforts dates back even further, to the early 1970s, and the Fair Information Practice Principles (“FIPPS”). The FIPPS address core issues that will have a profound impact on the development of IoT and AI. For example, notice and choice to consumers as to what is collected, minimizing the amount of data collected to only what is needed to provide the service at issue, and data security all have their formal origins in the FIPPS.

Providing Notice and Choice

Notice and choice to what data is being collected and consent to the collection has long been a core issue to the enforcement of consumer privacy laws. For example, when consumers visit a retailer’s website, they often see a link to the privacy policy of the site, detailing what and how the data collected from their visit may be used. In the IoT context, this raises significant issues.  How, for example, does one include a privacy policy on a bottle of aspirin or a light bulb? When these items are connected, consumers can be offered tremendous benefits. However, detailed pictures of their health and lifestyle can also be assembled which a consumer might not want shared. 

Minimizing Data Collected

Data minimization – the practice of not obtaining any more data than necessary for the service provided and not retaining, which is collected for any longer than necessary – also has profound implications for IoT and AI. If collected data can be monetized, this necessarily reduces costs allowing for greater implementation of IoT devices. For example, instead of a GPS connected device on a wrist, imagine IoT devices imbedded in shoes, which in turn connect to devices on a sidewalk creating a highly detailed and accurate portrait of various speeds along a run. 

Under traditional FIPPS minimization practices, companies should avoid keeping this data any longer than necessary and to not collect any more data than needed. However, massive amounts of data regarding pedestrian traffic flows, when combined with AI, could allow for developments in urban planning, well beyond the initial purpose of the IoT device tracking a runner’s speed.

Data Security

Security has seen the most activity from government enforcement agencies. With the volume of data that IoT will be collecting, the sensitivities will be even more acute. Further, IoT data combined with AI processing power has the potential to turn massive amounts of innocuous data into something that can create a highly detailed portrait of an individual. And of course additional issues of malevolent actors arise with IoT, from DDoS attacks to the fear of the hacked autonomous car.

Expect Continued Government Enforcement

The FTC and AGs have a long track record of enforcement efforts in these areas of notice and choice, data minimization, and security. More recently, FTC Acting Chairwoman Maureen Ohlhausen has indicated that enforcement and regulation of these areas – in particular data minimization and the notice and choice regime – should be tempered by a focus on concrete harm to consumers.

While this argues that innovations from industry in the IoT and AI spheres will be measured by a cost / benefit analysis to consumers, there are other government actors beyond the FTC. The state AGs are very experienced in technology issues – the AG offices for the four biggest states (California, Texas, Florida and New York) each have their own dedicated privacy units. Further, AGs, while often guided by decisions of the FTC, are independent sovereigns, and fully capable and willing to act independently of the federal government. 

We are set to witness yet another revolution in how technology will affect our health, homes and transportation. Retailers looking to take advantage of IoT and AI must be mindful that these fantastic opportunities are taking place within the established context of consumer privacy law. It will be essential to take into consideration the notice and choice regime, data minimization and data security. Incorporating these concerns will earn consumer trust, while failure to do so could secure unwelcome government investigations.

Richard Lawson is a partner in the Consumer Protection and Advertising, Marketing & Media practices of law firm Manatt, Phelps & Phillips LLP. Mr. Lawson can be reached at

Contact Us

Retail Merchandiser Magazine
150 N. Michigan Ave., Suite 900
Chicago, IL 60601


Click here for a full list of contacts.

Latest Edition

Spread The Love

Back To Top