Regulating the IoT: Discrimination, Privacy, and Cybersecurity in the Artificial Intelligence Age

The field of consumer Internet of Things (IoT) has exploded as business and researchers have sought to not only develop Internet-connected products but also define the common structure in which IoT devices will operate, including technological standards and responsive architectures. Yet, consumer IoT continues to present a host of potential risks to consumers, cascading from the multidimensional nature of IoT devices: IoT combines well-known consumer products with cutting-edge infrastructures including big data solutions, distributed data storage or “cloud,” and artificial intelligence (AI) utilities. The consumer device is no longer only the product, it is the product, the data, the algorithms, and the infrastructure. Consumer products have shifted from analog to connected technologies, introducing new risks for consumers related to personal privacy, safety issues, and potential for discriminatory data. Broad, ubiquitous data collection, internet connectivity, predictive algorithms, and overall device functionality opacity threaten to undermine IoT market benefits by causing potential consumer injury: broad unfairness and disparate impact, data breaches, physical safety issues, and property damage. Existing regulatory regimes have not anticipated these damages to effectively avoid injury, and it is yet unknown how existing products liability, common law civil recovery under contracts or torts schemes, and due process procedures will apply to these products and the data they process. This Article explores the technology and market of IoT, potential consumer impacts resulting from a lack of consistent and complete legal framework, whether IoT regulation is appropriate, and how the United States can balance market needs for innovation with consistent oversight for IoT manufacturers and distributors.