Yet Another Federal Agency Looks to Regulate the Internet of Things

According to a pre-publication version of tomorrow’s Federal Register, the Consumer Product Safety Commission (CPSC) will host a May 16 hearing to initiate a public analysis of the physical safety risks of internet-connected devices.  This hearing is likely the first public event in a larger, long-term regulatory effort.  The CPSC’s foray into the regulation of IoT devices, and the regulatory processes that appear likely to follow, could have critical impacts on IoT companies and their products.  Innovators should watch this and consider engaging.

The CPSC is concerned about the potential for IoT devices to bridge the Internet-physical divide to uniquely create a physical hazard over an Internet connection.  The CPSC is being careful to carve out data security and privacy risks from the scope of its hearing.  This may reflect attention already being paid to those topics by other agencies, but it is entirely possible that CPSC could have collateral effects on these issues. 

CPSC’s announcement identifies a list of physical hazards about which they are concerned, including “fire, burn, shock, tripping or falling, laceration, contusion, and chemical exposure.”  But, of that list, it appears the Commission’s primary focus is on the electrical or fire hazards that are unique to IoT devices which can be remotely activated, or which control non-IoT devices.  For example, the Commission states that an IoT stove could pose a fire hazard if a heating element or burner was turned on while nobody was home, presumably if a flammable object were inadvertently left on the stove.

The CPSC also appears concerned about the fact that IoT devices can be updated in the future, and is seeking public input on whether a future malfunction or future software update could introduce a hazard.  Secure updates and patching have received attention in several settings and present complexities and policy challenges.

To help commenters prepare for the hearing, CPSC has provided a litany of topics and questions on which it is requesting feedback.  Critically for industry, CPSC asks whether existing or future voluntary standards will effectively manage these potential risks and, if not, who should be responsible for drafting such standards.  This is a key topic for the future because CPSC’s opinion holds great sway with standards organizations.  The agency’s position and/or participation on standards development significantly influences the outcome of those standards, even if the CPSC itself does not draft the standards.

Other topics on which CPSC is seeking input include (among many others):  controls and systems which can mitigate physical hazards; best practices for predicting IoT-related hazards; whether incidents are already known to have occurred; whether to ban remote-activation for potentially hazardous devices; who should be liable for hazard incidents involving an IoT device; and how to conduct IoT recalls.

CPSC will be accepting written comment ahead of the hearing, and after the hearing through June 15.  Anyone who wants to make a presentation at the event must request a time slot no later than 5pm ET on May 2.

Companies and industries invested in IoT should pay close attention to CPSC’s effort, and should consider whether to comment, attend and/or make a presentation at the hearing.  This early hearing may well set the stage for many years of regulatory action.