Guidance for consumer Internet of Things products and services
Click to toggle details
Latest updates - 11 June 2026
11 June 2026 - this updated guidance was published. We have also published a summary of the responses to the consultation.
16 June 2025 - the guidance was published.
We are consulting on this draft guidance - please give us your views.
How do we ensure accountability in IoT products?
- What is accountability?
- How should we understand controller and processor relationships in IoT?
- What do we need to do if children are likely to use our IoT products or services?
- What risks do we need to manage?
- How do we apply a data protection by design and default approach?
How do we ensure our IoT products process information lawfully?
How do we ensure our IoT products process personal information fairly?
How should we tell people what we’re doing?
- How do we ensure our processing by IoT products is transparent?
- How do we decide the right methods for providing our privacy information?
- How do we make our privacy information easy to understand?
- What are the right moments for us to provide privacy information?
- How do we provide privacy information on different product interfaces?
- How do we provide privacy information if there are multiple users?
How do we ensure accuracy in IoT?
How long should we keep personal information for?
How do we ensure security of personal information in IoT?
How do we help people exercise their rights?
- What is the right of access?
- What is the right to rectification?
- What is the right to erasure?
- What is the right to data portability?
- What is the right to object?
- What are automated decision-making and profiling?
Glossary