About this guidance

Why have you produced this guidance?

This guidance explains how data protection law and the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR) apply when you process personal information in consumer Internet of Things (IoT) products. 

Read it to understand the law and our recommendations for good practice.

It is not a comprehensive guide to compliance. We link to relevant further reading about any principles we’ve already covered in our other guidance. 

Who is it for?

This guidance is aimed at organisations who process personal information in IoT products. Such organisations are likely to include manufacturers, developers of operating systems, mobile app developers, web app developers, software developers, AI service providers, providers of biometric technologies, providers of sensors and telemetry, cloud providers, and cybersecurity and IT providers. 

These organisations are likely to be responsible for processing by IoT products. In this guidance, ‘processing by IoT products’ refers to processing by those organisations who have relevant data protection responsibilities.

In these organisations, two main audiences will find this guidance useful. 

First, those with a compliance focus, including:

  • data protection officers (DPOs);
  • general counsel;
  • risk managers; and
  • senior management. 

Second, technology specialists, including:

  • product and UX designers;
  • cybersecurity and IT risk managers.

If you are a product or UX designer interested in practical recommendations and illustrations on how to implement data protection, see the sections on: 

  • data protection by design and default;
  • lawfulness;
  • transparency;
  • individual rights; and
  • children.

If you are a cybersecurity or IT specialist wanting to understand what security measures you should consider, see the sections on:

  • data protection by design and default; and
  • security.

What is the Internet of Things?

IoT is a broad term that applies to a network of physical products incorporating sensors, software, processing ability and different types of connectivity (including the internet), which enable these products to process information. IoT products can often connect to one or more other IoT products.

What does this guidance cover?

This guidance covers the processing of personal information by organisations providing IoT products on the consumer market. 

Consumer IoT products include:

  • home entertainment products (smart speakers, connected TVs, connected toys);
  • home automation products (smart lights and lightbulbs, smart thermostats, smart home hubs);
  • domestic appliances (smart fridges, smart ovens);
  • wellbeing products (fitness trackers, smart watches, smart scales, sleep monitors);
  • security and safety products (smart security cameras, smart doorbells, smart baby monitors); 
  • over-the-counter medical devices (smart fertility trackers with a device, smart blood pressure monitors, smart pulse oximeters); and
  • peripheral products (smart keyboards, smart mice, smart headphones).

What doesn’t this guidance cover?

This guidance doesn’t cover: 

  • connected and autonomous vehicles; 
  • smart meters;
  • smart cities; or
  • the use of IoT products in enterprise and industrial settings. 

Also, this guidance specifically doesn’t cover:

  • mobile phones;
  • tablets; and
  • computers. 

Where this guidance refers to principles addressed in other guidance, we provide links to the relevant further reading.

How should we use this guidance?

To help you understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.

Legislative or legal requirements

  • Must refers to legislative requirements.

Good practice

  • Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.
  • Could refers to an option or example you could consider to help you comply effectively. There are likely to be various other ways you could comply.