A recent open letter sent to the Federal Trade Commission (FTC) jointly by consumer advocacy groups, including Consumer Reports, US PIRG and fifteen other entities, may be an early signal of future FTC focus.1 The letter addresses software issues for connected devices or any other tangible products, whether embedded or separately accessed. More specifically, the letter urges the FTC to address three practices that allegedly hinder consumer’s expected use of the connected device: (1) placing software behind an additional or later subscription pay wall; (2) deprecating or failing to update software, effectively “bricking” the product; and (3) preventing software access from moving to a second-hand buyer.
How Have These Issues Been Addressed Historically?
The FTC has publicly investigated the issue of software deprecation for a connected device under its Section 5 powers in at least one instance in 2016, but declined to take enforcement action.2 Simultaneously with this 2016 closing letter, the FTC issued a blog post titled, What happens when the sun sets on a smart product?, which set out these specific issues for companies to consider when launching a connected device:
- Would consumers regard the brand’s offering as primarily a device or software?
- Are consumers getting a fixed-term rental or subscription, or are they getting something they will own and can rely on for the life of the device?
- Would reasonable consumers expect to be able to keep using the device – and have it be fully functional – even if the brand “rides off into the sunset”?
- Would consumers expect the device to have an “expiration date”?
- Could consumers keep using the device in the ways they would reasonably expect based on their experience with similar devices?
- What representations did the brand make to consumers – or what would consumers otherwise expect – about the time period for which security would be provided?
The FTC did not provide answers or any further discussion of these six points. The FTC did raise the related point that failure to maintain technical support and security updates could leave consumer devices more vulnerable to attack, an issue at the forefront of the FTC’s recent proposed settlement against Verkada, Inc. in connection with security failures and misrepresentations for its connected security cameras.3 Privacy and security concerns, specifically, have been the focus of prior FTC comments, including the subject of FTC comments to the Department of Commerce identifying concerns of Internet of Things products in 2016.4
The recent open letter mirrored many of the issues identified in 2016, providing specific recommendations around required disclosures of guaranteed minimum support, obligations related to maintaining unaffected core functionalities and protection of “adversarial interoperability” for products with inoperable original software.
How Does This Impact My Company?
While neither this open letter nor any specific FTC guidance currently requires any specific action,5 the open letter and past FTC commentary does suggest that this may be an area in which the FTC may initiate rulemaking, an inquiry, administrative proceeding, or court action.
What Should I Do Now?
It’s an opportune moment to review the breadth of current advertising claims and warranty commitments across relevant products, as well as other documentation and marketing materials to identify any commitments as to continued software use, access and updates.
What if the FTC Contacts Me?
If you receive a confidential inquiry letter or other communication from the FTC, consumer groups, or individual consumers, we can advise you as to next steps, including any potential response.
1 Open letter dated Sept. 5, 2024, available at https://advocacy.consumerreports.org/wp-content/uploads/2024/09/FTCLetter9.5.2024.pdf.
2 See Closing letter to Richard J. Lutton, Jr., Head of Legal and Regulatory Affairs, Nest Labs, Inc. FTC File No. 162-3119 (Jul. 7, 2016) available at https://www.ftc.gov/system/files/documents/closing_letters/nid/160707nestrevolvletter.pdf (“The FTC staff was concerned that reasonable consumers would not expect the Revolv hubs to become unusable due to Revolv Inc.'s actions, and that unilaterally rendering the devices inoperable would cause unjustified, substantial consumer injury that consumers themselves could not reasonably avoid.”).
3 US v. Verkada Inc., Case No.: 3:24-cv-06153 (N.D. Cal. Sept. 4, 2024) (Stipulated Order for Permanent
Injunction, Civil Penalty Judgment, And Other Equitable Relief).
4 In the Matter of The Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things, Docket No. 160331306-6306-01 (Comments of the Staff of the Federal Trade Commission’s Bureau of Consumer Protection and Office of Policy Planning, Jul. 2, 2016).
5 This Alert does not address any state or federal laws or certification programs generally relating to the cybersecurity of IoT devices. See, e.g., California Internet of Things Cybersecurity Improvement Act of 2017, Cal. Civ. Code § 1798.91.04 (Jan. 1, 2023); O. R. S. § 646A.813 (Nov. 15, 2019); FCC US Cyber Trust Mark Labelling Program, 88 Fed. Reg. 58211-01 (Aug. 25, 2023) and related rules adopted by Report and Order, FCC 24-26 (Mar. 15, 2024).
