Member Article

Smart buildings offer individuals, businesses and even cities better and more efficient ambient experiences. However, the connected technologies that make buildings “smart” tend to require processing massive amounts of data inputs, often including personal information. The collection and use of personal information requires consideration of the data privacy and security risks to individuals, as well as the possible associated legal and compliance obligations of developers, managers and operators of smart buildings.

Smart technologies enable interoperability across networked devices to produce a desired or defined output. For smart buildings, these outputs span a broad range of capabilities, such as automatically adjusting the temperature of a room based on the number of occupants detected, or even designating individual work spaces based on daily calendars or ambient conditions. Generation of an output requires an input, and in the case of smart buildings the inputs tend to be data collected from sensors placed in and around the buildings, as well as from connected systems and devices.

Inputs that include data collected from or about individuals inherently implicate data privacy considerations. In recent years there has been a global privacy law push that has seen the enactment of comprehensive data privacy laws, such as the General Data Protection Regulation in the European Union, and the California Consumer Privacy Act domestically.

Historically in the U.S., privacy law is treated as a form of property right – i.e., a right to exclude, with privacy rights extending from the Fourth Amendment right against unreasonable searches and seizure where persons have a reasonable expectation of privacy. Accordingly, individual privacy rights typically do not exist where individuals do not have a reasonable expectation of privacy, such as in public spaces where individuals cannot exclude others – e.g., a commercial space.

Most modern privacy laws rest upon a foundation of transparency and control principles. Their distinguishing characteristic from historical approaches to privacy is that they grant individuals limited property rights over their personal information – i.e., rights to exclude certain uses of their personal data. Such laws intersect tenuously with smart technologies that perform better as their data inputs increase. The parallel development tracks of smart technologies entering the marketplace and evolving consumer privacy laws require careful consideration by developers and operators of smart buildings.

On one hand, smart technologies typically aim to improve routine tasks, activities and processes. For example, artificial intelligence/machine learning technologies can recognize patterns from data sets and enable highly efficient process automation. Common applications in smart buildings may include the use of facial recognition technology for building access and security controls, or improving energy efficiency by adjusting lighting or temperature settings based on room occupancy. The more smart technologies there are across a network – i.e., the more data inputs that are processed – the more personalized and streamlined the outputs will be.

On the other hand, smart technologies are still relatively new, and are far from perfect. Despite best intentions, the output of smart systems can have a detrimental impact across the fields they aim to improve. Facial recognition technology provides a good example of this. Deploying facial recognition in a commercial space is desirable for many reasons, such as to improve security by limiting access to restricted spaces or accounts. In retail settings it can be used to create personalized shopping experiences for customers, or improve service by providing real-time feedback based on inferences drawn from facial cues as customers move about the space.

Yet studies have shown some facial recognition deployments to be less accurate for people of color and women. For example, a 2019 study published by the National Institute of Standards and Technology (NIST) found that certain facial recognition algorithms underperformed on Black, Asian and Native American faces, and showed bias against women, the elderly, and children. Used in commercial or retail settings, these types of inaccuracies could result in poor customer experiences, or even worse, false allegations of shoplifting. Where relied upon as a security control, this type of inaccuracy could result in mistakenly prohibiting access by authorized individuals, or granting access to unauthorized individuals.

In response to the findings by NIST as well as other studies, some jurisdictions have enacted laws banning certain uses of facial recognition technologies. For example, last fall in Portland the City Council passed two ordinances prohibiting or limiting certain uses of facial recognition technologies by both city bureaus as well as private entities. Accordingly, any contemplated use of facial recognition technologies in smart buildings must be analyzed against the applicable local laws or ordinances in effect where the building is located.

Facial recognition is an easy example to point to where the use of smart technology intersects with privacy legal considerations, but it is hardly an outlier. Any jurisdiction with a comprehensive consumer privacy law in effect is going to have legal requirements related to the collection and use of personal information, a term that is broadly defined under such laws to generally encompass any information that relates to an identifiable individual.

These laws typically require entities that collect or process personal information to make detailed disclosures about their data processing activities, as well as grant certain rights to individuals related to the personal information collected about them. While not absolute, these rights tend to include, among others, the right to know and access what information an entity has collected about an individual, as well as certain other rights conferring some form of control to the individual over their personal information.

Smart buildings provide exciting and innovative capabilities, but also raise the potential for increased data privacy risks. Performing diligent steps to understand how, why, and by, from, or with which parties data will be collected, used and shared by a smart technology can highlight and mitigate these risks, and inform as to any legal or compliance obligations. Before incorporating a smart technology into a space, developers should consult their attorneys and advisors about the legal, compliance and risk considerations that the technology may present.

This article summarizes aspects of the law; it does not constitute legal advice. For legal advice for your situation, you should contact an attorney.

Column first appeared in the Oregon Daily Journal of Commerce on August 5, 2021.