mark thristan

You should note that the FTC is not the only regulatory body / body of practice in play, and that specific vectors of data use or context may also apply. HIPAA/HITECH, for instance, has very specific security and privacy controls. The banking sector equally has other controls which apply. You should also note that the IoT is often boundary-free, and therefore that other jurisdictions may apply where the concepts of privacy are not akin to those of the US (for instance, the EU).

Roy Murdock

Hello Mark,

Great observations. That the FTC is not the be-all-end-all of IoT regulation is an important point and definitely deserves attention. We tried to qualify our discussion of the FTC guidance with this disclaimer: "Responsibilities for data privacy and security vary by industry and by country. In the US, when companies are not regulated by another agency (e.g. the Department of Health and Human Services for HIPAA rules on medical patient data), this responsibility usually falls under the jurisdiction of the Federal Trade Commission (FTC)."

Your comment also highlights just how fragmented (both by government oversight vertical and geographical vertical) the nascent regulation of the IoT market really is. We may cover the broader regulatory landscape in another post.

Thank you for reading.

