Information Commissioner's Office
Privacy regulators study finds Internet of Things shortfalls
Six in ten Internet of Things devices don’t properly tell customers how their personal information is being used, an international study has found.
The study, by 25 data protection regulators around the world, looked at devices like smart electricity meters, internet-connected thermostats and watches that monitor health, considering how well companies communicate privacy matters to their customers.
The report showed:
- 59 per cent of devices failed to adequately explain to customers how their personal information was collected, used and disclosed;
- 68 per cent failed to properly explain how information was stored;
- 72 per cent failed to explain how customers could delete their information off the device, and
- 38 per cent failed to include easily identifiable contact details if customers had privacy concerns.
Concerns were also raised around medical devices that sent reports back to GPs via unencrypted email.
The data protection authorities looked at more than 300 devices. Authorities will now consider action against any devices or services thought to have been breaking data protection laws.
The work was coordinated by the Global Privacy Enforcement Network, and follows previous reports on online services for children, website privacy policies and mobile phone apps.
The action is being led by the Information Commissioner’s Office (ICO) in the UK. Steve Eckersley, ICO Head of Enforcement, said:
“This technology can improve our homes, our health and our happiness. But that shouldn’t be at the cost of our privacy. Companies making these devices need to be clear how they’re protecting customers. We would encourage companies to properly consider the privacy impact on individuals before they go to market with their product and services. If consumers are nervous that devices aren’t using their data safely and sensibly, then they won’t use them.
“By looking at this internationally, we’ve been able to get an excellent overview on this topic. We’ll now be building on that, working with the industry and looking specifically at companies who might not have done enough to comply with the law.”
Notes to editors
- The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act (FOIA) 2000, Environmental Information Regulations (EIR) 2004 and Privacy and Electronic Communications Regulations 2003.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000.
- The Global Privacy Enforcement Network was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context. The informal network is comprised of 51 privacy enforcement authorities in 39 jurisdictions around the world.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go toico.org.uk/concerns.
Latest News from
Information Commissioner's Office
ICO takes action against Lewisham Council for failing to respond to hundreds of Freedom of Information requests22/03/2023 15:05:00
The Information Commissioner’s Office (ICO) has issued an enforcement notice to the London Borough of Lewisham Council for failing to respond to hundreds of overdue requests made under the Freedom of Information Act (FOIA) 2000.
ICO reaches agreement with Easylife Ltd17/03/2023 10:25:00
Update: This press release has been updated to reflect the fact that Easylife Ltd were fined for breaching the GDPR, as opposed to the Data Protection Act 2018
ICO issues reprimand to the Metropolitan Police Service for inadequate handling of files related to organised crime groups16/03/2023 16:10:00
ICO statement on Government response to Sir Patrick Vallance’s Pro-Innovation Regulation of Technologies Review16/03/2023 11:05:00
Yesterday, Wednesday 15 March, the Government has published its response to Sir Patrick Vallance’s Pro-Innovation Regulation of Technologies Review.
ICO shares resources to help designers embed data protection by default15/03/2023 09:10:00
The ICO has produced new guidance to help UX designers, product managers and software engineers embed data protection into their products and services from the start.
John Edwards, Information Commissioner, delivers a keynote speech at IAPP Data Protection Intensive UK.13/03/2023 15:10:00
The Commissioner recently (09 March 2023) opened the conference with an overview of our past year and how we've changed our approach to ensure we’re a more empathetic, open regulator.
ICO statement on re-introduction of Data Protection and Digital Information Bill08/03/2023 16:05:00
Today, Wednesday 8 March, the Data Protection and Digital Information (DPDI) Bill is due to be re-introduced to Parliament. The ICO has issued the following statement and a full press release from the Department of Science, Innovation and Technology can be viewed here.
The Lockdown Files will help us learn from the experience of Covid07/03/2023 16:20:00
A cold and increasingly unsettled weather pattern is now becoming established across the UK with cold air from the north having pushed south across the whole of the country, bringing snow, ice and low temperatures for many.
The Lockdown Files will help us learn from the experience of Covid07/03/2023 16:15:00
Following the Daily Telegraph's reporting of leaked WhatsApp messages sent by Ministers during the COVID-19 pandemic, Information Commissioner John Edwards set out his views on the importance of record keeping. This piece first appeared in print in the Daily Telegraph on Saturday 4 March.