Coincident with International Data Privacy Day, Lares Institute hosted an event on the future of the Internet of Things and privacy. With an audience full of privacy lawyers and Chief Privacy Officers, the event kicked off with a panel on the IoT in 2025. The discussion was fascinating – everything from an inventory of things our smart phones know about us to what potential buyers of that data want to do with it. One panelist showed us a B2B driver-safety system that, based on telemetry in the vehicle, records 12-second video snippets of both the driver and the view in front of the vehicle. It’s designed for employers to provide feedback to the drivers to improve safety. One video snippet showed a driver texting as he almost rear-ended the car in front of him. Obviously, this creates teachable moments for the drivers, but it’s also quite provocative with regard to privacy – and raises questions about how the video can be used in legal disputes after an accident.

Another fascinating example of IoT and data privacy was described by the privacy attorney for a company that delivers perishable food and flowers. He talked about how their service – and customer satisfaction – could be improved if they had information on when people were home (using their electricity-use data, for example) or the temperature and humidity characteristics of their homes so they could make product recommendations. (Smart sensors could communicate this.) If consumers wanted to share this information, it would be for a specific point in time, not indefinitely.

The broader issue here centers on the strong need for identity in IoT solutions so that trust can be established in a machine-to-machine context, and how Enhanced Privacy ID (EPID) technology can provide that while also protecting privacy. EPID allows for strong, hardware-based identity but can be used to identify the device or user associated with it as a member of a group instead of as an individual. For example, the smart driver’s license of the future could identify you as being of legal drinking age without sharing your name, birthdate, or address.

Another interesting topic at the event was data-use controls, or DUCS (has to be a favorite for a University of Oregon alumnus!). This work is really interesting in the context of the data-driven economy. This assumes that there is an understanding of data’s value by society as a whole, and that this understanding places value on individuals, businesses, and society. The idea is that people will increasingly make new types of personal data available in exchange for value. And personal data will be well protected, similar to financial data. Data-use controls could improve how our data is revealed and distributed, allowing it to be transacted. We could choose how services, businesses, and other individuals work with our data.

This event was a fascinating way to spend International Data Privacy Day – probably with the people who care the most.