"How are you capturing the data? How is that data being shared? What was the customer told? What did the customer consent to? These are issues that have to be looked at. And if you go international, there's such a state of uncertainty now that you really have to pay attention to those things," said Daren Orzechowski, a partner at law firm White & Case, in an interview.
As more traditional products, such as refrigerators, take on the non-traditional roles of generating, collecting, and disseminating data, it may not be possible to anticipate all of the data ownership issues upfront, since data collected for one purpose at one point in time may be used for another purpose later when combined with other types of data.
"This is the Wild West right now when it comes to data ownership questions. It's a murky area, a very undefined area, and it's an area that we'll certainly see an uptick in litigation in the coming years," said Goodnow.
The data generated by devices, such as a user's heart rate, is currently treated as owned by the hosting company or device manufacturer, Goodnow said. Manufacturers are using that information to understand customers -- and they may also be selling the information to third parties.
"This information, including sensitive health information, is being widely disseminated and brokered. The question is, what legislation is there, and federally, it's essentially none," said Goodnow.
Not All Lawsuits Will Succeed
In the US, some class-action suits for privacy breaches are being dismissed. Either the members of the class are unable to demonstrate actual harm (specifically, a quantifiable amount of monetary damage) or they fail to share a common injury (e.g., one person suffers full-blown identity theft while another simply has credit card information stolen).
"The idea of a class action is there's one set of common facts," said Orzechowski. "There's a case right now with the Supreme Court involving Spokeo that's looking at what kind of [damages need to be shown] to go forward with these types of cases where there's an information that's been [disseminated] or a privacy breach."
Businesses sharing data internationally have to understand the rules of the various jurisdictions. For example, the EU is overhauling its data protection rules to make them more uniform among member countries, and the overhaul includes fines of up to four percent of a company's global revenue.
"Data is one of the main unsettled questions in American privacy law. There has been a push to say that I as an individual own information about myself," said Reed Smith's Bond. "The idea of individual ownership doesn't fit in with most ideas of what property is, so it's really more of a question of who controls it."
The level of legal uncertainty is symptomatic of early-stage, technology-fueled innovation that outpaces lawmaking ability -- which means we'll likely see some high-profile breaches and disputes in the near future. The dynamics will likely influence business practices, technology adoption, consumer expectations, and the legal landscape, although to what extent is not yet obvious.