Commodifying Consumer Data in the Era of the Internet of Things Stacy-Ann Elvy New York Law School, [email protected]
Total Page:16
File Type:pdf, Size:1020Kb
digitalcommons.nyls.edu Faculty Scholarship Articles & Chapters 2018 Commodifying Consumer Data in the Era of the Internet of Things Stacy-Ann Elvy New York Law School, [email protected] Follow this and additional works at: https://digitalcommons.nyls.edu/fac_articles_chapters Part of the Bankruptcy Law Commons, Consumer Protection Law Commons, Internet Law Commons, and the Privacy Law Commons Recommended Citation Boston College Law Review, Vol. 59, Issue 2 (February 2018), pp. 423-522 This Article is brought to you for free and open access by the Faculty Scholarship at DigitalCommons@NYLS. It has been accepted for inclusion in Articles & Chapters by an authorized administrator of DigitalCommons@NYLS. COMMODIFYING CONSUMER DATA IN THE ERA OF THE INTERNET OF THINGS STACY-ANN ELVY INTRODUCTION ........................................................... 424 I. THE IOT DATA GOLD RUSH ...................................................... 435 A. Biometric, Health, andHighly Sensitive Data.............. ......................... 435 B. IoTPrivacy Policies................ ....................... ........... 439 C. Consumer Harms & Risks.... ............................................... 448 1. Consensual Disclosures and Data Analytics ..................... ....... 449 2. Non-Consensual Disclosures and Data Breaches. ........................ 452 3. Non-Consensual Disclosures and Initial Data Collectors .............. ...... 455 II. DATA TRANSFERS & CoMMERCIAL REGIMES ................................... 456 A. Article 9 of the UCC ...................... 457 B. Data Ownership vs. Rights in the Data......................... ............ 463 C. Bankruptcy Implications ..................................................... 472 III. PRIVACY FRAMEWORKS .................................................. 475 A. BAPCPA ........................................................... 475 B. The FTCA & FTC Intervention .....................................................483 C. Biometric Data Statutes .................................................... 488 D. HIPAA .... ......................................................... 496 IV. PATHS FORWARD....................................................... 500 A. Transfer & Assignment Restrictions........................................50 1. Separate State Statutes........................ .................. 504 2. Article 9 Amendments..........................................505 3. Bankruptcy Code Amendments....................................511 4. Criticisms of Transfer & Assignment Restrictions........................512 B. Require CPOs in Article 9 Foreclosures.....................................518 C. Require CPOs in All Bankruptcy Transfers...................................520 CONCLUSION ............................................................. 522 423 COMMODIFYING CONSUMER DATA IN THE ERA OF THE INTERNET OF THINGS STACY-ANN ELVY* Abstract: Internet of Things ("loT") products generate a wealth of data about consumers that was never before widely and easily accessible to companies. Examples include biometric and health-related data, such as fingerprint pat- terns, heart rates, and calories burned. This Article explores the connection be- tween the types of data generated by the JoT and the financial frameworks of Article 9 of the Uniform Commercial Code and the Bankruptcy Code. It cri- tiques these regimes, which enable the commodification of consumer data, as well as laws aimed at protecting consumer data, such as the Bankruptcy Abuse Prevention and Consumer Protection Act, various state biometric data statutes, and the Health Insurance Portability and Accountability Act. This Article con- tends that in addition to privacy policies, financial frameworks can also play a critical role in facilitating the transfer and disclosure of consumer data in a manner that is opaque and potentially harmful to consumers. Furthermore, ex- isting privacy frameworks that rely heavily on a notice and choice model and the provisions of a company's privacy policy to determine the level of protec- tion given to consumers, and which may not always apply to JoT companies, do not effectively safeguard consumers in the JoT setting. This Article propos- es several solutions to engender movement away from an overreliance on the notice and choice model and the terms of privacy policies, and to reduce the various moments of data disclosure authorized by financial frameworks. It al- so offers ways to preserve the value of JoT data as a source of financing for companies while simultaneously protecting the privacy of consumers. INTRODUCTION The Internet of Things ("loT") has been described as "the next evolu- tion of the Internet" and it is expected to usher in a new economic age with "changes rivaling the industrial revolution."' However, the rapid "digitali- © 2018, Stacy-Ann Elvy. All rights reserved. * Professor of Law, New York Law School (J.D., Harvard Law School; B.S., Cornell Univer- sity). For helpful feedback, comments or insights, I am grateful to Paul Schwartz, Xuan-Thao Nguyen, Pamela Foohey, Edward Janger, Sharona Hoffman, Stephen Sepinuck, Heather Hughes, Juliet Moringiello, Jim Hawkins, Lucy Thomson, Cedric Powell, Sudha Setty, Audrey McFarlane, Nordia Elvy, Euklyn Elvy, Richard Chused, Gerald Korngold, Robert Blecker, and participants at the 2017 Property Implications of the Sharing Economy Conference at Penn State Law School. 1DAvE EVANS, THE INTERNET OF THINGS: HOW THE NEXT EVOLUTION OF THE INTERNET IS CHANGING EVERYTHING 2 (Apr. 2011), https://www.cisco.com/c/dam/enus/about/ac79/docs/in nov/IoT_IBSG_041 1FINAL.pdf [https://perma.cc/CMR6-5KS7]; Kenie Ho, Protecting the Revo- 424 2018] Commodifying Consumer Data in the JoTEra 425 zation of our physical world" raises significant concerns for consumers. 2 In 2016, researchers at the University of California, Berkeley Center for Long- Term Cybersecurity ("Berkeley Center") published a report that evaluated five cybersecurity scenarios that could potentially occur in 2020.3 Two of the most alarming scenarios involve: (1) a financial crisis in which compa- nies sell their customer "data assets" to third parties (including unwittingly selling to parties that would use consumer data for perverse purposes), while companies become increasingly vulnerable to cyberattacks, and (2) the ubiquitous use of wearable devices that collect and monitor "real-time" biometric and health-related data, including emotional state and hormone levels, and the widespread use of these data to control and manipulate con- sumers. Consumers are already experiencing the effects of the "new normal" of 2020 identified by the Berkeley Center, in which companies routinely suffer from cyberattacks. In 2016, Dyn, a business that "manages crucial parts of the [I]nternet's infrastructure," reported a serious attack on its systems that disrupted access to various websites, such as Twitter, Netflix, and the New York Times. 6 The hackers manipulated vulnerable loT devices to initiate the lution: Internet of Things Trade Secrets, LAW.COM: INSIDE COUNSEL (Oct. 6, 2016, 6:04 AM), http://www.law.com/insidecounsel/2016/10/06/protecting-the-revolution-intemet-of-things-trade/ [https://web.archive.org/web/20180103 172900/https://www.law.com/insidecounsel/2016/10/06/p rotecting-the-revolution-intemet-of-things-trade/?slreturn-20180003 122859]. The Internet of Things ("loT") has been described as a network of connected products that accumulate and transfer data over the Internet. AIG, THE INTERNET OF THINGS: EVOLUTION OR REVOLUTION? 6-7 (2015), http:// www.aig.com/content/dam/aig/america-canada/us/documents/business/casualty/aigiot-english- report.pdf [https://perna.cc/BA7X-Y9VV]. 2 JESSICA GROOPMAN & SUSAN ETLINGER, CONSUMER PERCEPTIONS OF PRIVACY IN THE INTERNET OF THINGS: WHAT BRANDS CAN LEARN FROM A CONCERNED CITIZENRY, ALTIMETER 2 (June 2015), http://www.altimetergroup.com/pdf/reports/Consumer-Perceptions-Privacy-loT- Altimeter-Group.pdf [https://perna.cc/KP7V-H9LF]. Business Insider reports that "[n]early $6 trillion will be spent on loT solutions over the next five years." John Greenough & Jonathan Cam- hi, Here Are loT Trends That Will Change the Way Businesses, Governments, and Consumers Interact with the World, BUS. INSIDER (Aug. 29, 2016, 10:18 AM), http://www.businessinsider. com/top-intemet-of-things-trends-2016-1 [https://penna.cc/73LE-LQY3]. U.C. BERKELEY CTR. FOR LONG-TERM CYBERSECURITY, CYBERSECURITY FUTURES 2020, at 1 (2016), https://cltc.berkeley.edu/wp-content/uploads/2016/04/cltcReport_04-27-04apages. pdf [https://perma.cc/M523-YEZE]. ' Id. at 6-7. As used in this Article, the term "health-related data" refers to data associated with the mental, emotional, or physical well-being and health of individuals, such as calories burned, sleep patterns, glucose levels, and the like. As used in this Article, the term "biometric data" refers to biometric identifiers, such as voice and face prints; scans and images of biometrics, such as fingerprint scans; other data related to and that can be transformed into biometric identifi- ers, such as a recording of an individual's voice or a photograph of an individual; and the authen- tication codes, templates, text, or mathematical representations associated with any such data. 5 Id. at 9-10. 6 Nicole Perlroth, Hackers Used New Weapons to DisruptMajor Websites Across U.S., N.Y. TIMES (Oct. 21, 2016), https://www.nytimes.com/2016/10/22/business/intemet-problems-attack. html [https://perma.cc/N95B-H2FX]. 426 Boston College Law Review [Vol. 59:423 attack.7