GET IN TOUCH
Please contact us for more information. Our email is monitored seven days a week and we will get back to you shortly.
Hello, and welcome to this week’s blog on the law. This week we are taking a peek between the sheets of BC’s privacy laws as they pertain to the ever growing array of internet connected consumer devices that may be collecting your personal information.
Last week, a Canadian company that manufactures a Bluetooth and Wi-Fi connectable personal massage device, also known as a vibrator, was sued for breaching privacy laws. Although the lawsuit was commenced in the United States, the defendant company is Canadian, relating to a vibrator commonly sold in BC, and involves privacy laws that are similar to those in force in BC.
In this recent case the We-Vibe Rave vibrator, which uses Bluetooth or Wi-Fi to connect with a smart phone app and allows users to control various settings on the vibrator remotely over the internet, is alleged to have collected data about the patterns of use of the device, including times and frequency of use. This lawsuit is reflective of a growing industry of internet connected devices, ranging from vehicles and home thermostats, to refrigerators and washing machines, to other more, shall we say, personal devices. The evolving industry of connected consumer devices, commonly referred to as the “internet of things” (IOT), poses interesting challenges for privacy laws.
Importantly, the recent vibrator case alleges that the software used to connect users to the device collects and transmits enough information, including an email address, to enable the person using the device to be identified in the data collected. None of these allegations have been proven in court. However, in a world where small and large scale data breaches are common place, the idea that the pattern of use of someone’s vibrator has been collected, and therefore might be disclosed, could be terrifying. For some, this data might not only be personally embarrassing, but imagine your employer learning the device was in use at 3pm on a weekday when you were at work. The problems this type of data breach could raise are only limited by your imagination.
So, what does BC law do to protect people from their personal information being collected by others?
BC’s Personal Information Protection Act provides that a business cannot collect “personal information” without a person’s consent. But what is “personal information”?
This is answered by a two-part test.
Regarding the first part of the test, data that is collected along with the person’s name or email address, is obviously information reasonably capable of identifying that person. But what about the second part of the test, whether the purpose of collecting the information is related to the individual?
In the case of an internet connected vibrator, the manufacturer might say they are collecting data about the frequency and duration of use of the vibrator, along with its resulting battery life, as a means of improving future versions of the product or monitoring for defects, and therefore the data collected relates to the device, and not the individual using it. Sounds logical, right?
Unfortunately, no. Although the law is less than clear in this area, when the nature of the data makes it easier to determine the identity of an individual using the device, the more likely the collection of the data is a privacy breach. For example, data being collected about the mere number of passengers getting on and off a public bus is not a privacy breach because that data does not tell us anything about a particular individual. However, in the case of consumer items that are typically only used by one individual, such as an internet connected toothbrush, or a vibrator, collecting data from these devices where that person can reasonably be identified, is likely illegal, even if the intended purpose is not to collect data about the individual.
That said, the exception to this rule against collecting data is where the person has consented to the collection of personal information. This consent can be express (such as verbally or in writing), or it can be implied.
The BC Personal Information Protection Act states that a person is deemed (that is, implied) to have consented to the collection and use of their personal information if the purpose of collecting the information would be obvious to a reasonable person, and the person voluntarily provides the information for the purpose. In other words, if it is not reasonably obvious what the data would be used for, and you did not give up the information for that purpose, the other party cannot collect and use the data.
On the other hand, a business can only collect and use personal information if (and there are four to parts to this test):
Importantly, the notice of the collection and use of the data must be clear and understandable (in other words, it cannot be legal mumbo-jumbo), and must be given far enough in advance of the information being collected that the person can refuse if they want. Also, if the business collecting the information uses it for a purpose that is different from what they told the person, or they simply didn’t tell the person what the purpose was, its collection is illegal.
While it would be premature to comment on how this law might play out in the case of a spying vibrator, consumers of internet connected devices should read the fine print that comes with the devices, and ensure they are not buying more than they bargain for. We hope you enjoyed this peek between the sheets of BC’s privacy laws and have learned something by reading this blog.
Please feel free to like us on Facebook, follow us on Twitter and subscribe to our YouTube channel to receive notice of our future weekly video blogs on the law. League and Williams is a Victoria, BC based law firm with expertise in injury law, estate disputes and marine law and may be reached via email at firstname.lastname@example.org or phone at 250-888-0002.