Sextech: Sticky Legal Issues?

February 20, 2017

This is the first time that I have thought it prudent to put a
warning before a legal article: while this is an article on the legal issues of
sextech, it does, inevitably, talk about sex and sex toys. If this is not for
you, please look away now.

FinTech. HealthTech. LegalTech. EdTech. Stick
anything before ‘Tech’, it seems, and you have a new product category. SexTech
is no different: sex and the Internet are long-standing bedfellows, so it
should come as no surprise that companies are looking to combine technology
with sex toys, to form the growing trend of ‘sextech’.

Of course, the combination of sex and technology
is far from new — many of the devices you might find in Ann Summers, for
example, contain an electric motor — and so one may question whether there is
anything particularly deserving of attention here. However, while there is no
common definition of ‘sextech’, the incorporation into sex toys of more
cutting-edge technology, including an Internet connection and data gathering
potential, presents a number of issues worthy of consideration, even if only in
terms of applying existing legal constructs to this particular product category.

So what are we talking about?

At one end of the spectrum is the ‘device plus
app’ approach. Consider the male sex toy ‘The Piu … which syncs with an app
that sells a selection of adult films designed to play in time with the app’. (See
https://www.theguardian.com/lifeandstyle/2016/jan/23/sex-tech-dildo-sexual-health-expo-los-angeles.) The constituent parts are not, in themselves, new, but their
combination is relatively innovative.

Moving up a stage, see the female-friendly ‘HUM’,
which is described as ‘the world’s first robotic, artificially intelligent
vibrator’, which uses ‘body response technology’ and ‘literally has a computer
that interprets many things for your pleasure’. Is it possible that your sex
toy knows more about what you like than you do? (See https://www.indiegogo.com/projects/hum-the-first-artificially-intelligent-vibrator#/
and https://meethum.com/faq/.)

Towards the other end of the spectrum, there is
a webpage for a $10,000 bespoke sex robot ‘Roxxxy’, which can be customised
with the buyer’s preferred eye colour, lipstick, skin tone and other physical
characteristics (see http://www.truecompanion.com/shop/roxxxy-truecompanion-sex-robot/roxxxy/).

Data and privacy considerations

‘Smart’ is often synonymous with ‘more data’. The
combination of hardware with apps enables device manufacturers to build
considerable databases of their users’ activities.

Data may be collated and processed for many
reasons, both valid and questionable. Perhaps this may be to use server-side
processing to analyse an individual user’s preferences, and to tailor the
functionality of the device to that user, to provide the best possible
experience. Perhaps to inform product design and development. Perhaps to permit
remote control of a device over the Internet, by a third party. Perhaps, of course,
to flog the data to third-party data brokers, to be used for whatever purposes
they want.

Given the sensitivity of the information which
may be collected from sex toys, considerable attention will need to be given to
privacy.

You may recall a story from last year, where a
US purchaser of a ‘smart’ sex toy sued the manufacturer, on the basis of their
data collecting.

The lawsuit claimed that ‘[u]nbeknownst to its
customers … [the defendant] designed We-Connect to collect and record highly
intimate and sensitive data regarding consumers’ personal We-Vibe use,
including the date and time of each use and the selected vibration settings,
and [to] transmit such usage data — along with the user’s personal email
address — to its servers in Canada’
(https://cdn.arstechnica.net/wp-content/uploads/2016/09/vibratorsuit.pdf).

In November 2016, the parties filed a brief
stating that there had been a ‘successful conclusion of their settlement
discussions’: a happy ending to this particular case, but most probably it is an
issue which we will see again (see
https://arstechnica.co.uk/wp-content/uploads/2016/12/vibsettlement1.pdf).

I set out below some of the key legal issues
relating to personal data and sextech. However, while a company would be ill-advised
not to do something which it was required to do, it is likely that, in this
context, the law is viewed as a baseline: to build trust among users,
manufacturers may need to go far beyond the bare legal minimum.

Do you really need personal data?

As a starting point, a manufacturer will need to
ask itself if it needs to process personal data at all. Particularly in the
context of data as sensitive as that relating to sex life, a manufacturer
should — and, under the General Data Protection Regulation, must — follow ‘privacy
by design’ principles, including the principle of data minimisation.

To the extent that the processing of personal
data is necessary for the device’s functionality, manufacturers must think
about how they fulfil their obligations towards their users, including a clear
identification of the purposes of processing, using the minimum amount of data
necessary and being clear and transparent about what data are being used and
for what purpose.

Consensual processing

From a European point of view, data about a
natural person’s sex life falls squarely in the ‘special categories of data’,
both under the current data protection framework and under the GDPR.

The impact of this is that any processing of
those data must either be done anonymously, or else after obtaining the data
subject’s explicit consent. And, as with consent to sexual activity, the
absence of a ‘no’ does not mean ‘yes’: consent must, among other things, be an ‘unambiguous
indication of the data subject’s wishes’, and Recital 32 of the GDPR provides
that ‘[s]ilence, pre-ticked boxes or inactivity should not … constitute consent’.

In this context, the requirement is one not just
of ‘consent’ but of ‘explicit consent’, and so the standard is higher still.

In practice, to ensure that this standard is
met, manufacturers will need to communicate very clearly to users about
what data they will be processing and for what purpose, and obtain a clear
record of that user’s consent. To ensure that consent is valid, each
purpose should be covered separately; users must not be required to accept non-essential
processing (eg for product development purposes) to be able to make use of the
product which they have bought.

Security, storage and pseudonymisation

Under both the current regime and the GDPR,
where personal data are processed, the controller is required to take
appropriate technical and organisational measures to protect those data. What
is ‘appropriate’ will depend on the particular circumstances, and will require
a careful case-by-case analysis.

Measures which a manufacturer might consider
include the location of the data, and the degree of identifiability. For
example, while there may be more processing power or analytical capability
available if the data are extracted and processed outside the device — for example,
on a manufacturer’s server or even ‘in the cloud’ — the data may be safer if
left on the individual devices or apps, ideally in encrypted containers. If the
data are to be stored centrally, a robust set of information security
procedures, along with non-technical controls, will be essential, and usual
considerations around the use of platforms outside the EEA, if applicable, will
be required.

Pseudonymisation is also likely to be an important
factor. Unless there is a compelling reason to retain records which use a
user’s name or other real-world identifier (and so which could readily identify
users if the records were compromised), pseudonymising the records can be a
valuable part of a system’s security. (Pseudonymous data are still personal
data, both under the current directive and the GDPR, and so must still be
protected appropriately.)
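
As an added illustration, not code from the original article or from any manufacturer, the following Python example combines the per-purpose explicit consent described under ‘Consensual processing’ with the pseudonymisation and data minimisation described above. The purpose names, the record fields and the use of HMAC-SHA256 as the pseudonymisation function are assumptions made for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Hypothetical processing purposes; each one needs its own explicit opt-in.
PURPOSES = ("device_personalisation", "product_development")


class ConsentLedger:
    """Append-only record of explicit, per-purpose consent decisions."""

    def __init__(self):
        self._events = []  # (pseudonym, purpose, granted, recorded_at)

    def record(self, pseudonym, purpose, granted):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if not isinstance(granted, bool):
            # None or a missing answer is silence, and silence is not consent.
            raise TypeError("consent must be an explicit True or False")
        self._events.append(
            (pseudonym, purpose, granted, datetime.now(timezone.utc)))

    def allows(self, pseudonym, purpose):
        # The most recent decision wins, so withdrawal takes effect at once.
        for who, what, granted, _ in reversed(self._events):
            if who == pseudonym and what == purpose:
                return granted
        return False  # no decision recorded: default is no processing


def pseudonymise(email, key):
    """Keyed pseudonym: stable for one key, not reproducible without it."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def to_central_record(event, key, ledger, purpose):
    """Return the minimised record to store centrally, or None without consent."""
    user = pseudonymise(event["email"], key)
    if not ledger.allows(user, purpose):
        return None
    # Minimisation: no email address, and the date rather than the exact time.
    return {"user": user, "day": event["timestamp"][:10],
            "setting": event["setting"]}


# Constructed sample data, not taken from any real device or service.
KEY = b"constructed-demo-key-held-apart-from-the-records"
EVENT = {"email": "Alex@example.com", "timestamp": "2017-02-20T21:14:03Z",
         "setting": "pattern-3"}


def demo():
    ledger = ConsentLedger()
    user = pseudonymise(EVENT["email"], KEY)
    ledger.record(user, "device_personalisation", True)
    stored = to_central_record(EVENT, KEY, ledger, "device_personalisation")
    refused = to_central_record(EVENT, KEY, ledger, "product_development")
    return stored, refused


if __name__ == "__main__":
    print(demo())
```

Whoever holds the key can recompute the pseudonym from an email address and re-link the records, which is why records of this kind remain personal data.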

AI and sextech

The smarter sex toys become, the more
interesting the legal issues. Take the ‘HUM’, for example, which is described
as an ‘artificially intelligent vibrator’. The incorporation of AI, or other
learning technologies, into a device may mean that, through assessment of your
reactions to particular stimuli, the software on the device knows more about
your preferences than you do. If these data are communicated back to the device
manufacturer or any other party, a very rich and hugely personal dataset is
created.

Looking beyond issues of consent and data
gathering, data subjects have, for many years, had the right of access to data
processed about them: device manufacturers must ensure that they have
mechanisms of communicating these data to their customers and, where the data
are generated through machine-learning or other forms of automated decision
making, they must also provide ‘knowledge of the logic’ (Article 12(a),
95/46/EC) or ‘meaningful information about the logic involved’ (Article
15(1)(h) GDPR).

Building on this, the GDPR introduces the right
of data portability, at Article 20. Under this, a data subject has the right to
receive the personal data ‘in a structured, commonly used and machine-readable
format’, so that they can give the data to another data processor: a data
subject might transfer a device’s knowledge about them to another device
manufacturer which offers an appropriate import function.

To be clear, neither of these rights is limited
to AI-derived data, but they may pose particular compliance challenges to more
sophisticated data sets, and so would need to be considered early on in the
design process, to avoid breach or costly re-engineering.

Additional considerations under the GDPR

Once the GDPR takes effect in May 2018, device
manufacturers and other sextech data controllers will have more compliance
obligations.

Where a controller is processing personal data
about sex life on a ‘large scale’, it will need to appoint a data protection
officer to oversee its processing operations. The GDPR does not define what ‘large
scale’ means, and the Article 29 Working Party’s Guidelines on Data
Protection Officers (‘DPOs’) is equally vague, recognising that
this is a ‘large grey zone’. It provides examples (at para 2.1.3) which it
considers will constitute ‘large scale’ but none are particularly helpful here,
and it recommends that controllers consider a number of factors in making their
determination, including number of data subjects, volume of data, duration or
permanence of processing activity, and the activity’s geographical extent.
Unfortunately, it will require a judgment call on a case-by-case basis and,
until we have seen how regulators and courts will interpret this provision,
there is very little to go on.

Whether or not they require a data protection
officer, data-using sextech companies are likely to be required to conduct data
protection impact assessments (although, frankly, they should probably be doing
so irrespective of a legal mandate). They will also be required to consult the
relevant data protection supervisory authority before beginning the processing,
if the processing activities would ‘result in a high risk’ to the rights and
freedoms of natural persons, leaving aside any controls which the controller
might have in place to prevent this.

The less data used, or the more restricted the
purposes for which it is used, the lighter the compliance burden will be.

S&M agreements

No, not what you ‘Fifty Shades of Grey’ readers
are thinking. Support and maintenance.

The more advanced systems become, the more
likely they are to need care and attention, be that hardware upkeep or ongoing
software maintenance activity.

A manufacturer may build this into the sale
price of its device, offering to deliver software updates without further
charge for a defined period of time. Given the new consumer protection
framework, they would want to consider whether they were obliged to ensure that
their updates did not remove functionality that had been promised to users: the
Consumer Rights Act 2015, s 40(2) requires that ‘digital content [must
continue] to match the description of it given by the trader to the consumer’.

If the device is Internet-connected (why, God,
why?), I suspect that it is only a matter of time before users will find themselves
needing to apply security patches, or else we will read about sextech being
hacked. Could we see device manufacturers attempting to thwart malware which
tries to stop a device from working at a critical point, or else which attempts
to blackmail the user if personal data is successfully exfiltrated?

And what if your system requires more extensive
maintenance than you might be willing to provide on a pre-paid basis? In the
commercial context, support and maintenance agreements are commonplace — but
for sextech?

Taking the example of the robot ‘Roxxxy’, the
manufacturer’s website provides that ‘[e]very sex robot will need to have a
current monthly subscription for updates and general support’. You may be
paying $10,000 or more for the device, but it looks as if there is a
requirement for an ongoing subscription service too. Softbank’s ‘Pepper’,
discussed below, appears to require a services agreement too.

Virtual reality

The Piu, described above, touted the
synchronisation of device movement with on-screen pornography as one of its key
features. In this case, it appears that the display mechanism is reasonably
traditional: a screen of some sort. But it is inevitable that sextech
manufacturers and pornography retailers will attempt to make use of more immersive
technologies, including virtual reality. Indeed, in early 2016, an ‘adult VR
game controller’, named ‘VirtuaDolls’, was launched on crowdfunding website
Indiegogo and was subsequently relaunched — and successfully funded — as ‘Girls
of Arcadia – A VR Game’.

Rights licensing

For content producers, things are likely to be
pretty similar to content production today, albeit with an eye to ensuring that
the rights which they obtain are sufficient to cover their intended use: making
sure that licences expressly cover use in virtual reality content may be
worthwhile.

Platform rules

However, unless content producers control the
virtual reality devices and marketplaces, they are likely to be at the whim of
those who do. Will companies want their app stores to be full of apps for the
display of pornography? As with application stores for devices today, different
operators may apply different rules, but it is highly likely that they will
remain gatekeepers of their environments, particularly if they are trying to ensure
a high quality experience.

Before committing to a substantial investment in
VR content linked to a sextech device, a VR content developer will need to get
comfortable that it will be permitted to distribute its work, or run it on its
chosen platform. And, even if a platform’s rules permit the distribution of
such material today, there may be very little to stop the rules changing in the
future, perhaps in the event of acquisition by a company with a different
perspective, leaving a developer unable to make use of its investment.

Personalised robots and image rights

In April 2016, various sources reported that a
man in Hong Kong had made a robot at home which looked at least passingly
similar to Scarlett Johansson. Although there is nothing to suggest that this
was a sex robot, such a development would not be a quantum leap.

Companies engaging in this type of manufacturing
on a commercial basis are likely to face challenges if they proceed without a
celebrity’s consent — and, let’s face it, outside a relatively limited number
of actors and actresses appearing in pornography, consent is unlikely to be
forthcoming.

As protection of image rights is weak in the UK,
a claim in passing off — that the manufacturer’s use of the person’s image
amounts to a misrepresentation of endorsement — is a likely cause of action,
along with a potential argument that the processing of a celebrity’s
photographs for the purpose of creating the model was an unlawful processing of
personal data. Although the manufacturer might attempt to claim that the
processing was necessary for its legitimate interests, the assessment of ‘unwarranted
harm’ would make for interesting reading.

In other parts of the world, courts may take a
firmer stance around image rights — a ‘right of publicity’ may give a celebrity
sufficient basis to take action before a US court, for example.

Robots, laws and ethics

If you, like me, were fortunate enough to hear
Roger Bickerstaff’s contribution to the British Academy’s event ‘Do We Need
Robot Law?’, you’ll probably already be thinking about both the legal and
ethical frameworks for the development, operation and control of robots. (For
those who were not so lucky, an audio recording is available at:
http://www.britac.ac.uk/audio/do-we-need-robot-law.)

Perhaps unsurprisingly, given the general timbre
of the ‘robot law’ discourse so far, killer robots and robots which cause
injury formed the mainstay of the debate, but issues of robots and sex have
been debated for quite some time. For example, David Levy, an expert in AI,
wrote ‘Love and Sex with Robots’ in 2009, and discussion of ‘virtual rape’ in
the virtual worlds predates that.

Fascinating issues around sentience or capacity
remain to be explored. Could a sex robot commit rape, for example? Or be raped?
Is a sex robot capable of giving consent, or is consent something which needs
to be contemplated?

In contrast to ‘Roxxxy’, and its male
counterpart, ‘Rocky’, both designed exclusively as sex robots, not all robot
manufacturers welcome the idea of their products being used for sexual
gratification. For example, Softbank’s ‘Pepper’ robot is described as a ‘robot
who understands your emotions’ and ‘is able to adapt his attitude to suit your
own as closely as possible’. (Note the interesting use of language: ‘his’, and ‘who’,
rather than ‘which’: not only does the robot have a humanoid form, it is
marketed in personal, rather than object, terms.)

Softbank has published a list of rules for use
of Pepper, one of which prohibits ‘[a]cts aimed at sexual acts or obscene acts’.
(Put http://cdn.softbank.jp/mobile/set/data/static/robot/legal/pepper_notes.pdf
through Google translate, and see point 4 under ‘Prohibited items’.) Although I
cannot be sure, given the translated nature of the text, it would appear that
attempting to have sex with Pepper would be a breach of contract.

Others are less willing to leave prohibitions as
a matter between buyer and seller. The Campaign Against Sex Robots was
launched in 2015, and argues that ‘these kinds of robots are potentially
harmful and will contribute to inequalities in society’, on the basis that
development ‘further sexually objectifies women and children’. It appears —
although I may be wrong — that the mainstay of the campaign relates to humanoid
robots, and the risk that human users will be ‘manipulated into thinking a
robot is able to reciprocate or care about their feelings’.

And even if you are comfortable with the idea of
a humanoid sex robot, how would you feel — and how should society handle — sex
robots built to emulate children, or animals? Would such a robot fall within
the scope of obscenity law, criminalising its sale? If not, and if no other
rule exists, should there be a law specifically prohibiting the creation or
sale of such a device? Uncomfortable things to contemplate, but perhaps areas
which will need to be addressed.

There is clearly considerable work to be done on
the topic of robots and their roles in society. Should robots be capable of
forming (simulating?) emotional attachment, for example? Should it always be
possible for a human to identify whether they are interacting with a robot or a
person? Perhaps — sextech or not — there is an opportunity for members of the
SCL to engage in this dialogue, building on a debate which so often focusses
solely on liability.

Concluding thoughts

The combination of digital technologies and sex
toys represents a growing trend, and it brings with it a number of interesting legal
issues. In most cases, these are limited to the application of existing
principles and rules to the new products but, in the case of robots and
artificial intelligence, it is more than possible that the frameworks which we
have today are insufficient for the task at hand.

Neil Brown is a solicitor and the managing director of law firm
decoded:Legal, and enjoys advising on the interaction of law with new
technologies.