Commodifying Consumer Data in the Era of the Internet of Things

Abstract

Internet of Things (“IoT”) products generate a wealth of data about consumers that was never before widely and easily accessible to companies. Examples include biometric and health-related data, such as fingerprint patterns, heart rates, and calories burned. This Article explores the connection between the types of data generated by the IoT and the financial frameworks of Article 9 of the Uniform Commercial Code and the Bankruptcy Code. It critiques these regimes, which enable the commodification of consumer data, as well as laws aimed at protecting consumer data, such as the Bankruptcy Abuse Prevention and Consumer Protection Act, various state biometric data statutes, and the Health Insurance Portability and Accountability Act. This Article contends that in addition to privacy policies, financial frameworks can also play a critical role in facilitating the transfer and disclosure of consumer data in a manner that is opaque and potentially harmful to consumers. Furthermore, existing privacy frameworks that rely heavily on a notice and choice model and the provisions of a company’s privacy policy to determine the level of protection given to consumers, and which may not always apply to IoT companies, do not effectively safeguard consumers in the IoT setting. This Article proposes several solutions to engender movement away from an overreliance on the notice and choice model and the terms of privacy policies, and to reduce the various moments of data disclosure authorized by financial frameworks. It also offers ways to preserve the value of IoT data as a source of financing for companies while simultaneously protecting the privacy of consumers.