How can manufacturers and providers of consumer Internet of Things (IoT) products and services best comply with data protection law? We summarise the new guidance of the ICO.
The ICO guidelines on IoT
The Information Commissioner’s Office (ICO) has published new guidance aimed at organisations that design, manufacture, or provide consumer Internet of Things (IoT) products and services. The main objective of the guidance for consumer IoT products and services is to help businesses understand how to handle personal data in compliance with the UK GDPR and privacy regulations, in a clear and practical way.
What is IoT and which products and services are covered by the guidance?
IoT is a broad term that applies to a network of physical products incorporating sensors, software, processing ability, and different types of connectivity (including the internet), which enable these products to process information. IoT products can often connect to one or more other IoT products.
The ICO guidance concerns consumer IoT products, such as home entertainment and automation devices, security products, over-the-counter medical products, peripherals, and domestic appliances. It does not cover, among others, connected and autonomous vehicles, smart cities, IoT products in business and industrial settings, or mobile phones.
Data protection issues with IoT
Such IoT products and services generate a large amount of data, which are provided by the user directly or indirectly during their use. These data reach the servers of the organisations that design, implement, or provide the products or services: hence the need for guidance on their proper processing, especially when personal data or special category (so-called sensitive) data are involved.
The ICO provides recommendations by distinguishing between what an organisation must do (by law), should do, or could do, depending on the level of risk to which the data are exposed. From a regulatory perspective, organisations must ensure compliance with the UK GDPR and the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR).
Key principles concerning IoT data processing
The guidance provides practical recommendations, examples, and explanatory graphics to help organisations design and manage consumer IoT products and services in a way that protects personal data, ensures compliance with the UK GDPR and PECR, and fosters trust with users.
The guidance highlights several key elements that organisations should consider:
Accountability and roles
It is essential to define clearly from the outset who acts as the data controller, who acts as the data processor, and whether a joint controllership relationship exists, so that obligations and responsibilities are properly assigned.
Where the processing is likely to result in a high risk to the rights and freedoms of individuals, it may also be necessary to conduct a Data Protection Impact Assessment as part of demonstrating accountability.
Last but not least, the data protection by design and default approach should be considered starting from the planning stage.
The right lawful basis
To process personal data lawfully, IoT manufacturers and service providers must establish a clear lawful basis under the UK GDPR before any data collection begins. In certain cases, such as the processing of special category data, explicit consent may need to be obtained under the UK GDPR or the PECR. The guidance also includes illustrative graphics demonstrating how explicit consent can be obtained and the appropriate timing for requesting it.
Protection of children
Particular care must be taken with children, who represent a vulnerable group and require enhanced safeguards in both device design and data management.
Transparency
Information provided to users must be clear, understandable, and easily accessible, enabling informed use of IoT products and services. A layered approach is recommended to present information in a clear and understandable way. Privacy information should be given when personal data is collected and, where relevant, at key stages of the user journey such as visiting the product website, downloading the app, setting up the device, creating accounts, or when updates or new features change how personal data is processed.
Fairness
Fairness in data protection means processing personal data in ways people would reasonably expect and that do not cause unjustified harm. It requires transparency, data minimisation, and regular reviews to ensure alignment between product design and data use. For IoT products using AI, fairness also involves preventing bias and discrimination by ensuring systems are accurate, tested, and regularly checked for fairness and equality.
Accuracy
The accuracy principle requires IoT products to process reliable, precise information. Inaccurate technology, such as faulty sensors, can breach this principle and undermine system integrity.
Retention
Personal data collected through IoT products should only be retained for as long as necessary for the intended purpose and must not be kept indefinitely “just in case.” Retention periods should be regularly reviewed, and data that is no longer needed should be deleted or anonymised. Users could be given options to remove their information.
Security
IoT products must ensure appropriate security to protect personal data against unauthorised or unlawful processing. Appropriate technical and organisational measures should be determined through risk assessment, considering threats, potential harm, and data sensitivity. According to the guidance, measures may include:
- Passwords and authentication: Use strong, unique passwords or alternatives such as passkeys, and apply multi-factor authentication where possible.
- Security updates: Provide regular updates, clearly inform users how to install them, and specify the period during which updates will be provided.
- Vulnerability management: Maintain a public vulnerability disclosure policy and verify software integrity with secure boot mechanisms.
- Monitoring: Detect and respond to security issues promptly while respecting data minimisation and purpose limitation.
- Encryption: Apply encryption to stored and transmitted data, especially sensitive or personal information.
User rights
IoT products must support users in exercising their UK GDPR data subject rights, whether they are registered or unregistered users. Interfaces such as mobile apps, product settings, or online accounts should make these rights easy to access and use, especially for children, who need clear and accessible options.
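As an added illustration of the retention and user-rights points above (example code written for this summary; it is not part of the ICO guidance nor of any manufacturer's product), the following Python sketch enforces a per-purpose retention schedule over constructed telemetry records and handles an erasure request. The purposes, retention periods, field names and sample records are all assumptions chosen for the example; a real deployment would take them from the organisation's documented purposes and its retention review.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical retention schedule, keyed by the documented purpose of processing.
# "keep_for" is how long the identifiable record is needed; "on_expiry" says
# whether the record is then deleted outright or anonymised and kept for
# aggregate statistics only. The periods are illustrative, not from the guidance.
RETENTION_POLICY = {
    "device_diagnostics": {"keep_for": timedelta(days=30), "on_expiry": "delete"},
    "usage_analytics": {"keep_for": timedelta(days=90), "on_expiry": "anonymise"},
    "account_management": {"keep_for": timedelta(days=365), "on_expiry": "delete"},
}

# Payload keys that directly identify a person or their device (assumed set).
DIRECT_IDENTIFIERS = {"user_id", "email", "device_serial", "ip_address"}


@dataclass
class Record:
    record_id: int
    user_id: Optional[str]  # None once the record has been anonymised
    purpose: str
    collected_at: datetime
    payload: dict = field(default_factory=dict)


def anonymise(record: Record) -> Record:
    """Return a copy with the user link and direct identifiers removed."""
    cleaned = {k: v for k, v in record.payload.items() if k not in DIRECT_IDENTIFIERS}
    return replace(record, user_id=None, payload=cleaned)


def apply_retention(records, now: datetime):
    """Enforce RETENTION_POLICY at time `now`.

    Returns (kept_records, deleted_record_ids). Records whose purpose is not
    documented in the policy are deleted: there is no stated reason to keep them.
    """
    kept, deleted = [], []
    for r in records:
        rule = RETENTION_POLICY.get(r.purpose)
        if rule is None:
            deleted.append(r.record_id)
        elif now - r.collected_at <= rule["keep_for"]:
            kept.append(r)
        elif rule["on_expiry"] == "anonymise":
            kept.append(anonymise(r))
        else:
            deleted.append(r.record_id)
    return kept, deleted


def erase_user(records, user_id: str):
    """Handle a data subject erasure request for `user_id`.

    Returns (remaining_records, removed_record_ids). Already-anonymised records
    carry no user link and are therefore untouched.
    """
    remaining = [r for r in records if r.user_id != user_id]
    removed = [r.record_id for r in records if r.user_id == user_id]
    return remaining, removed


# Constructed sample data for the example (not real telemetry).
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record(1, "u1", "device_diagnostics", NOW - timedelta(days=10), {"temp_c": 21.5, "ip_address": "192.0.2.10"}),
    Record(2, "u1", "device_diagnostics", NOW - timedelta(days=45), {"temp_c": 22.0, "ip_address": "192.0.2.10"}),
    Record(3, "u2", "usage_analytics", NOW - timedelta(days=120), {"hours_on": 4, "email": "u2@example.com"}),
    Record(4, "u2", "account_management", NOW - timedelta(days=5), {"plan": "basic"}),
    Record(5, "u3", "marketing", NOW - timedelta(days=1), {"email": "u3@example.com"}),  # purpose not documented
]


def demo():
    """Run the retention sweep, then an erasure request from user u1."""
    kept, deleted = apply_retention(SAMPLE_RECORDS, NOW)
    remaining, removed = erase_user(kept, "u1")
    return kept, deleted, remaining, removed


if __name__ == "__main__":
    kept, deleted, remaining, removed = demo()
    print("kept after retention:", [r.record_id for r in kept])
    print("deleted by retention:", deleted)
    print("remaining after erasure of u1:", [r.record_id for r in remaining])
    print("removed by erasure:", removed)
```

The sweep is written to run on a schedule against the stored records, with the policy table itself being the artefact that the periodic retention review updates; a record whose purpose has no entry is treated as unjustified and removed rather than kept by default.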
Conclusion
The ICO guidance is a valuable tool for businesses because it provides practical, concrete recommendations on how to properly manage personal data in consumer IoT products and services.
However, it should be noted that this is not the final version of the guidance. The consultation process has recently closed, and the Data Use and Access Act has entered into force, which may lead to updates or revisions in the ICO’s final guidance.
Nevertheless, the guidance currently provides valuable practical illustrations, especially regarding transparency obligations and obtaining consent, which can help manufacturers, service providers, and other market stakeholders design more privacy-compliant and user-centred IoT products.