Cybersecurity and data protection is front and center on the Federal Communications Commission’s (FCC) agenda. The latest manifestation of this is the FCC’s issuance of a Notice of Proposed Rulemaking (NPRM) on August 25, 2023, which seeks comments on a proposed voluntary cybersecurity labeling program for Internet of Things (IoT) devices or products.

Companies that volunteer to join the proposed program would have their qualifying products bear a new “U.S. Cyber Trust Mark,” which the agency believes would help consumers identify trustworthy products and make informed purchasing decisions, incentivizing better cybersecurity standards. There are a couple of aspects of the NPRM that are worth highlighting.

First, and perhaps most obvious, is the labeling program’s voluntary aspect. The onus is on the participant to ensure that their IoT products conform with the program’s standards. Those considering participation may therefore want to carefully assess whether the benefits of participating outweigh the risks.

For example, the NPRM contemplates that participants file for renewal each year to demonstrate that their products continue to meet the FCC’s IoT requirements. If a participant fails to comply with whatever renewal standard is adopted but continues to use the mark, that participant’s product packaging could be open to Lanham Act false advertising exposure.

Second, the NPRM seeks comment on the standard it would use to determine whether a product qualifies for the U.S. Cyber Trust Mark. The FCC seeks to deviate from the National Institute of Standards and Technology (NIST) cybersecurity requirements in several respects. This may make compliance with the program more difficult for industry.

In terms of what IoT device would be covered by the rule, the FCC contemplates adding that a covered device be “internet-connected” and “intentionally emitting RF energy” to NIST’s definition of an IoT device. Covered devices therefore would be: “(1) an Internet-connected device capable of intentionally emitting RF energy that has at least one transducer (sensor or actuator) for interacting directly with the physical world, coupled with (2) at least one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital world.”

The FCC also seeks comment on whether the rule should cover IoT “products” rather than “devices,” to include components such as backend, gateway, and mobile apps necessary to use an IoT device.

Finally, though the FCC proposes adopting NIST’s recommended baseline IoT cybersecurity criteria, the NPRM seeks comment as to how the FCC could develop its own IoT security standards based on feedback from industry and government stakeholders.

The ultimate question is whether the mark will actually inform consumers’ purchasing decisions. The NPRM does seek comment on the education of consumers. The notice also suggests the use of a QR code or URL to provide consumers with more detailed information about the specific device or product. Comments are due September 25, 2023.