In one of the first Internet of Things (IoT) class action settlements, the maker of a Bluetooth-enabled personal vibrator agreed to settle privacy class claims for $3.75 million.

The We-Vibe product allows a user to connect the product to a smartphone. The user can then control the device from the phone via Bluetooth connection. The We-Vibe also allows different users to communicate with each other through video chats and text messages, and by remotely controlling their partner’s We-Vibe device in real-time. However, consumers must download the company’s mobile application, or “app,” to access these features. The class plaintiffs alleged that the company, through its app, collected a substantial amount of information about its customers and their usage habits without customer knowledge or consent. Such information purported to include (1) the date and time of each use, (2) the vibration intensity level selected by the user, (3) the vibration mode or pattern selected by the user, and (4) where available, the email address of customers who registered with the app.

The plaintiffs also alleged that the company assured users that the app was “secure” and could initiate “a secure connection between . . . smartphones.” However, in late 2016, two hackers at the Def Con hacking conference demonstrated that the device could be hacked and controlled by unauthorized users, revealing that the vibrator might not be as secure as the company indicated.

On March 14, 2017, a Northern District of Illinois federal judge preliminarily approved the class action settlement. In addition to a monetary payment, the settlement included prospective relief. The company agreed to stop requiring registration through its app and to not collect email addresses other than for normal newsletter or optional product registration purposes. The company also agreed to update its privacy policies to specifically disclose its data protection practices, including whether it discloses any data to a third-party processor for analytics purposes. The company further agreed to enable users to opt out of having their information shared with a third party for analytics purposes. Finally, the company agreed to purge certain email addresses it collected as well as the time and date of each device’s use, the vibration intensity level selected by the user, the vibration mode or pattern selected by the user, the temperature of the device, and the battery life.

As the IoT market continues to expand and more devices become interconnected, privacy concerns over the data collection practices of IoT device makers as well as the security of those devices may lead to more class actions and increased regulatory scrutiny. Although the We-Vibe maker maintains that users consented to the conduct alleged in the complaint and that it disclosed the collection of data in its privacy policy, this settlement highlights the importance of drafting company- and product-specific privacy policy disclosures as opposed to pro forma policies that use generalized statements.