Bad Vibes: sex toy maker breaches data privacy laws

A $3.5m fine has been handed down to Canadian parent company, Standard Innovation, for secretly gathering personal information from users of the We-Vibe 4 Plus smart vibrator. This case highlights the risks for business and customers associated with big data and the increasing inter-connectivity of our devices, known as the ‘Internet of Things’.

Interestingly, the issues in this case were first exposed at the Def Con 24 hacking conference in Las Vegas, at which hackers demonstrated the ability both to intercept data and to remotely control Standard Innovation’s products.

Customers responded with a lawsuit, alleging that they were unaware that, whilst they were using the product, it was recording intimate details of their usage through a connected smartphone device, linked to their email account. The company stated that data was being gathered for diagnostic purposes; however, the settlement in this case should serve as a warning to businesses that the protection afforded by the laws applies regardless of the channel through which a business obtains data.

The ease with which data can be captured, stored and analysed makes it a commodity and gives it intrinsic value as a unique business asset. The growth in wearable technology, diet and activity-logging apps and connected devices enables businesses to capture data, often without the user having to actively record it. Businesses can often find a market to sell on this data to other related companies without the real knowledge or consent of the original user. However, where data relates to identifiable individuals, it must only be used in accordance with data protection legislation.

What can we learn?

This headline-grabbing case study illustrates the need for sufficient controls to be put in place to ensure that data is appropriately and sensitively collected, in a manner that enables users to understand what they are signing up to.

Under current UK data protection laws, the collection and use of personal data needs to be fair and lawful; the legislation sets out specific grounds for collecting data, and requires that data uses are limited to those the user would reasonably expect from the information that has been given. The existing rules will be significantly tightened from May 2018, when the long-awaited European-wide General Data Protection Regulation (“GDPR”) comes into effect, promoting greater transparency for individuals about how organisations are using their personal data. Under the new GDPR, the financial consequences of poor data management and control will be much more severe than under the current regime.

For further guidance or advice on applying the new General Data Protection Regulation to the data collection processes in your business, please contact us.

Tidman Legal is a firm of business and intellectual property law specialists based in Edinburgh.