Because the Furby responded to certain voice commands, it was thought that the Furby could listen to, store and even repeat conversations. To some, the Furby was a tool for espionage. While the toy’s manufacturer denied that the Furby had any such abilities, the possibility was certainly enough to garner the attention of the United States’ intelligence community. The Furby was perhaps the first popularized voice-controlled device. Today far more advanced, voice-activated devices are becoming popular and more common, and privacy concerns still exist in the popular consciousness.

 

Today’s voice-controlled devices come in many forms. Most smartphones can understand and respond to the human voice. Probably the most familiar example is iPhone’s Siri®. Many new automobiles include voice controls for phone calls, media and climate control. Smart appliances and many other internet-connected devices have also incorporated voice recognition abilities. Most, if not all, of these voice-controlled devices are internet enabled – they work by recording and then transmitting voice commands over the network to remote servers. The servers do the heavy processing and translate the voice commands into machine instructions.

 

More recent devices are not simply controlled by the human voice, but also are activated by the human voice – devices that are always on and always listening. The most popular examples are the Amazon Echo and Google Home. However, similar technology is finding its way into phones, smart televisions, toys, cars and other internet-connected devices. 

 

Both the Amazon Echo and the Google Home act upon a “wake word,” which is a specific word or phrase that will “awaken” the device and prepare it to respond to voice commands. Unlike more traditional voice-controlled devices that require manual activation of the voice-recognition feature, voice-activated devices are constantly listening to and analyzing the audible environment for the “wake word.” According to manufacturers, these devices are constantly streaming the audio environment searching for the locally coded "wake word.” The manufacturers assure that the devices do not record or transmit conversations or other audio until they hear that “wake word.” Despite manufacturers' denials, it is clear that many believe these devices record more information.

 

While denying that these devices are constantly recording, manufacturers admit that the voice interactions that follow the “wake word” are recorded, transmitted over the internet, and in many cases, archived. According to investigations performed by WIRED Magazine, different devices save past interactions in different ways with different details. The two most popular manufacturers, Amazon and Google, save past interactions with their devices, and allow the owner of the user account connected to the device to review past interactions.

 

 As these devices become more ubiquitous, we are seeing hotels and other hospitality companies incorporate these devices into their properties. As the technology matures, such devices will likely be found in more properties for more uses. The possibilities for voice-controlled devices are exciting – voice-controlled in-room entertainment, voice-controlled amenities, and voice-controlled electronic concierges are just a few possibilities. These devices give guests a novel and unexpected experience, but as these devices enter areas with a clear expectation of privacy, such as a guestroom, the privacy and legal implications must be considered.

 

Personally Identifiable Information

 

The most obvious privacy issue is whether these devices are collecting protected personal information. Regardless of the relevant definition of personally identifiable information (PII), it is likely that voice recordings, conversations, questions or other interactions will fall within the ambit of personal information privacy laws and regulations. Under many privacy laws, biometric data, such as voice prints, qualify as PII and is subject to protection regardless of its content.

  

What a hotel can do with such personally identifiable information may be limited by data privacy regulators, such as the United States Federal Trade Commission, state Attorneys General, and for European properties, the onerous requirements of the General Data Protection Regulation. Whether the hotel can store this information, share it, transmit it across borders, and how it can use the data may all be strictly limited.

 

When incorporating voice-activated devices, especially in private areas such as guestrooms, it is important to understand how the device works and consider the legal privacy implications. Important questions to ask include: What is recorded? Are voices stored? Are the interactions stored? Where is the information sent? Who has access to the information? Have the privacy implications been communicated to the guest? Once these questions are answered, applicable privacy regulations should be considered and the information communicated to customers in various manners, not the least of which is the company’s published privacy policies.

 

Anti-wiretapping Laws

 

A less obvious trap for the unwary is the possibility of violating anti-wiretapping laws. The United States Federal Government, most state governments, and many other countries throughout the world have laws prohibiting or greatly limiting the circumstances under which conversations can be recorded. The laws vary widely depending on the jurisdiction. Some laws permit recording if even one party to the conversation is aware, while other laws prohibit any surreptitious recording absent the consent of all parties.

 

Privacy advocates have asked the U.S. Federal Trade Commission to investigate whether voice-activated devices violate federal wiretapping laws. It is unlikely that any hotel is installing voice-activated devices with the intent to record private conversation, and their presence should be apparent to most hotel guests, but many anti-wiretapping laws were written before such devices existed and at a time when this technology seemed like science fiction. Depending on the language of applicable laws, placing voice-activated devices in private areas such as guestrooms could run afoul of anti-wiretapping laws. It is strongly recommended that the specific locality’s laws be referenced prior to introducing voice-activated devices into an area considered to be private.

 

Even if the hotel does not run afoul of wire-tapping laws, it could be opening the door for malicious third parties to do so. The Amazon Echo, Google Home, and the other common consumer devices all incorporate security features, and most encrypt the information sent over the network, but no device is perfectly secure. Installing these and similar network connected devices into guestrooms may be an invitation for hackers. 

 

Third-party Requests

 

Whether these devices actually do or do not record everything that goes on around them, many, including governmental authorities, believe that they may. This potential source of evidence means that civil litigants and criminal investigators will try and get at it. Such investigations are already making headlines. In one incident, authorities believed an Amazon Echo was a potential witness to an Arkansas murder. There, following a suspected murder, Arkansas police served a search warrant on Amazon seeking data from an Echo located in the home at the time of the death. According to reports, Amazon eventually complied with the requests and turned over the requested data.  

 

As law enforcement and litigants become more familiar with these devices such requests will increase. Hotels should expect to receive subpoenas and other legal requests for information captured, or believed to be captured, by these devices. In determining how to respond to such requests it is important to remember that the guest has a strong privacy interest in this data. It may be necessary to inform the guest whose voice or interactions may have been recorded about the request and give them an opportunity to weigh in. A uniform position for responding to such requests should be established in advance.

 

Another interesting caveat is how this information could be used in lawsuits involving the hotel itself. In cases alleging negligent security or premises liability, audio recordings could provide invaluable evidence. Any time an incident with the potential for litigation occurs, the hotel’s investigation should include identifying what evidence may be available from voice-activated devices, and if any potential evidence is available, it should be preserved if possible.

 

Voice-activated devices have the potential for enriching the guest experience. However, as the hospitality industry incorporates this technology it will need to address public (mis)conceptions about the devices and needs to consider what laws may apply. Before implementing any of these devices it is important to carefully consider how the devices are being used, how they could be used, how they function, what data they collect, and how that data is used and stored. Several potential pitfalls have been examined, but once the hotel understands how the devices work it is absolutely necessary to then understand all relevant privacy laws and clearly communicate with guests how the devices are being used and how they work.

 

Sean Cox, CIPP/US, is an attorney in the Atlanta office of Hall Booth Smith. His practice involves both domestic and global data privacy and security regulation. He is well-versed in data incident response, and provides the experience to guide clients through the regulatory, legal and business pitfalls of any data incident.