While those of us who follow the growth of the Internet of Things have become somewhat inured to the privacy and security concerns associated with smart meters, networked entertainment systems, refrigerators and autonomous cars, a recent U.S. class action has presented something entirely new to stress about: “smart” sex toys.
On Sept. 2, Illinois counsel for the plaintiff identified as “N.P.” brought a fascinating class action complaint and demand for a jury trial against Standard Innovation (U.S.) Corp., a Canadian company, for allegedly selling products that surreptitiously collected and transmitted highly sensitive personal information about the customers using them. Standard sells a high-end vibrator called the We-Vibe that permits users to download the “We-Connect” application from the Apple App store or the Google Play store and connect their smartphone via Bluetooth to the We-Vibe, allowing them — and their partners —remote control over the vibrator’s customizable settings and features. Using the “connect lover” feature, partners can exchange text messages, engage in video chats and control a paired We-Vibe device.
When partners initiated a “connect lover” session, Standard programmed We-Connect to show the following security promise: “Connect and share control of your We-Vibe from anywhere. Create a secure connection between your smartphones.” Marketing for the product also emphasized the We-Connect app functionality as a key selling point.
However, the action claims that Standard failed to notify or warn customers that (i) We-Connect monitors and records, in real time, how they use the device including the date and time of each use, the vibration intensity level selected by the user, the vibration mode or pattern selected by the user (collectively, the “usage information”) and, incredibly, the email address of We-Vibe customers who had registered with the app, allowing Standard to link the usage information to specific customer accounts; or (ii) that all this data was being transmitted and stored in Standard’s servers located in Canada. All We-Connect information was routed from the “connect lover” feature to its servers, including personal communications, We-Vibe temperatures and battery life — despite promising secure connections between smartphones. No consent was ever obtained from any customers before intercepting, monitoring, collecting and transmitting their usage information or any other data.
The claim alleged that Standard concealed its actual data collection policies from its customers knowing (i) that a personal vibrator that monitors, collects and transmits highly sensitive and intimate usage data back to the manufacturer is worth significantly less than a personal vibrator that does not, and (ii) most, if not all, of its customers would not have purchased a We-Vibe in the first place had they known that it would monitor, collect and transmit their usage information. Not surprising, the action asserts that N.P. would never have purchased a We-Vibe had she known that, in order to use its full functionality, Standard would be monitoring, collecting and transmitting her usage information through We-Connect.
The suit alleges that Standard violated myriad U.S. federal and state laws in its practices, including the Federal Wiretap Act, the Illinois Eavesdropping Statute, the Illinois Consumer Fraud and Deceptive Business Practice Act and constitutes “intrusion upon seclusion” (a privacy tort) as well as unjust enrichment. N.P., on her own behalf and on behalf of other Illinois purchasers, is requesting that Standard cease its unfair practices as well as seeking awards of actual, statutory and punitive damages and reasonable attorneys’ fees and costs.
Since the claim was filed, Standard has been taking steps to mitigate its reputational harm. As noted in its “We-Connect and Privacy Update” posted on Oct. 3, the company has vowed to “clearly communicate our privacy and data practices and to continue to enhance our app security measures.”
As a service to my loyal readers, I reviewed Standard’s updated privacy notice dated Sept. 26. It now states: “You can use We-Vibe products without the We-Connect app. No information related to your use of We-Vibe products is collected from you if you don’t install and use the app.” While Standard is still collecting certain information, it promises this does not include “your name, address or other personally identifying information as part of the We-Connect app installation process or otherwise.” Instead, an anonymous token will be provided the first time a user launches the app to “facilitate connections and share control of the We-Vibe with your partner using the Connect Lover feature.”
While the updated privacy notice repeatedly reassures that “data is collected in a way that does not personally identify individual We-Connect app users,” questions remain. The company still collects certain “limited data” for the app to function, including device hardware and operating system, unique device identifier, IP address, language setting and data and at what time the We-Connect app accesses its servers. Information is also still collected to “facilitate the exchange of messages between you and your partner and to enable you to adjust vibration controls.” In Canada, the Federal Privacy Commissioner has held IP addresses to be “personal information” so I am not sure how Standard insists that no personal information is being collected, at least from a Canadian perspective.
Also, the company is still collecting analytical information to help “improve our products and the quality of the We-Connect app” — namely, the app features used and the time spent on the app. However, users are now able to “opt out” of sharing this “aggregate anonymous data” through the We-Connect app settings under privacy rather than opt-in to proactively share the information, again contrary to Canadian privacy best practices and recommendations. Moreover, as the OPC is in the process of reviewing submissions on its call for input on the issue of consent under the Personal Information and Electronic Documents Act, a more fundamental question remains: Assuming the allegations in the class action complaint are true, given the nature of the product in question, how could any company ever think it would be reasonable to assume that the average consumer would actually consent to having sensitive personal information, such as vibrator settings, collected, used and stored by a third party, even with a more robust privacy notice? Canadian We-Vibe users, please take note!