How should we tell people what we’re doing?

Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.

Contents

In detail

How do we ensure our processing by IoT products is transparent?
How do we decide the right methods for providing privacy information?
How do we make our privacy information easy to follow?
What are the right moments for us to provide privacy information?
How do we provide privacy information on different product interfaces?
How do we provide privacy information if there are multiple users?

You must inform people that you intend to process their personal information.

Being transparent about your use of people’s personal information is closely linked to fairness. Your processing is unlikely to be fair if you do not give people information about it.

Regardless of the type of IoT product you use in your processing, you must tell users:

why you are using their personal information;
what lawful basis you are using for processing;
what types of personal information you are using;
what decisions you are making with the information and how it affects their use of your service;
whether you keep personal information used or generated by your systems and for how long;
whether and in what circumstances you share their personal information with other organisations; and
how they can exercise their data protection rights.

You must provide privacy information to people at the time you collect their personal information from them. You could also give people privacy information ahead of time when you start your processing.

If your IoT product is aimed at children or likely to be accessed by them, you must ensure that the privacy information you give them – and other published terms, policies and community standards – is concise, prominent and in clear language suited to their age. You should provide additional specific ‘bite-sized’ explanations about how you use personal information at the point that use is activated.

How do we ensure our processing by IoT products is transparent?

When deciding how to comply with the transparency principle, you should consider:

the most appropriate formats to deliver privacy information;
the accessibility of your language;
appropriate moments in a person’s user journey;
different interfaces where people could receive privacy information; and
who are the product users (eg a single user vs multiple users, adults or children).

You must separate privacy information from terms and conditions, as well as any requests for consent to process personal information. You must not include a tick box to indicate consent with your privacy information.

You should make sure that privacy information is specific and relevant to an IoT product and the processing it does. You must provide privacy information for all its processing.

Example

A digital company manufactures and sells IoT products as well as operating an online video streaming service and email service.

The transparency information it provides for its IoT products is different to that of its two other services because the personal information it processes is different. Its IoT products process information from the product sensors that includes, for example, health and biometric information. Therefore, the company has three different sets of transparency information for its users, specific to each service.

You should make it easy for people to find privacy information again once they have set up the device.

For example, you could provide access to privacy information in the product’s settings or in a privacy dashboard – a dedicated section where people can manage what’s happening to their personal information.

How do we decide the right methods for providing our privacy information?

When deciding how to provide privacy information, you should consider how people will interact with your IoT product and the wider context of its use. This will help you work out the most effective way of informing them.

Privacy notices are a useful way to communicate privacy information but may not be the most appropriate for all instances in the context of IoT. Where appropriate, you should consider other techniques alongside a notice. This will help you demonstrate you’ve taken steps to communicate privacy information in ways that people are likely to notice and use.

You should use various techniques such as ‘just-in-time’ (JIT) notices or a layered approach, where appropriate.

You could provide a dedicated privacy and security hub where people can find privacy information.

But you should be careful not to overload them with information. You should consider if people are likely to read what you provide and the circumstances in which they do so. You could have a concise transparency information resource, for example as part of the JIT notice, and refer users to the privacy hub if they want more information.

How do we make our privacy information easy to follow?

You should design your privacy information in a way that enables people to understand what happens to their personal information. This helps you demonstrate your compliance with the UK GDPR’s transparency principle and people’s right to be informed.

Privacy information should be easy to read and understand. You must make it concise, transparent, intelligible and easily accessible, using clear and plain language.

Where appropriate, you should use navigation panels, collapsible lists, bullet points, large text, pictures, diagrams and videos to deliver your privacy information.

Example

A graphic shows a smart TV displaying a privacy policy and terms and conditions. It bundles them in a large block of text without headings or navigational aids.

Example

Two examples of smart TVs show on-screen privacy information. The first shows privacy information with a navigation panel for different sections of the document and a clear heading for each section. It provides a short summary at the top.

The second shows privacy information with a navigation panel for different sections of the document and a clear heading for each section. Each section contains a text box with key points for users to take away.

Both examples contain a QR code so users can scan and view the privacy information on their mobile if preferred.

What are the right moments for us to provide privacy information?

Timing is important. You should identify the moments when people might expect to make decisions about their personal information, and when they might be ready to make reasonable, informed choices.

Consider when in the user journey you should discuss privacy. You must provide privacy information at the time of collecting personal information from the person it relates to, but you should consider other moments too.

You could consider providing privacy information at the different moments in the user journey. For example, when a user:

visits a product website;
downloads an accompanying app from an app store;
sets up a product for the first time;
creates or adds user accounts;
receives a security update that changes how you process their personal information;
receives a product update that changes how you process their personal information (eg launching a new feature);
enables a product feature themselves; and
has their personal information collected by the product.

Often, your IoT product may start processing people’s personal information:

during set-up (eg if the user gives you personal information as part of this process); or
once set-up is complete and the product starts working.

You should provide privacy information at least at these moments in the user journey.

However, in some instances, users will not turn on all the features of the product at this time or you add new features that are not covered by the transparency information they’ve already interacted with. This means you might only start certain types of processing later.

You should consider how to provide transparency information then. For example, you could use a just-in-time notice or refer people to your privacy policy.

Example

A design team at a smart security camera manufacturer must ensure they explain what happens to people’s information. They are considering at what moments during the user journey they start processing users’ information. They identify that the smart security camera can start processing different personal information at different times.

For example, the smart camera processes some information as soon as the product is set up, but it would only start processing biometric information from facial recognition if the user turned it on. Users can turn on this feature any time, not just at the product set-up.

The design team decide to provide transparency information in the step-by-step instructions during initial account sign-up, and to deploy ‘just in time’ notice when users turn on additional features, including facial recognition.

Example

A graphic shows the set-up of a smart baby monitor. The users were shown a link to more information about the product’s privacy and security measures, which they could choose to interact with. A few weeks later, the baby monitor is due a security update that will change how some of the users’ personal information is processed. The users receive a notification on their mobile phone about the security update. They can navigate to a page that explains the changes.

The right moments may vary for different people with different needs.

Whatever moments you choose, you should ensure people have enough time and knowledge to consider the information fully.

How do we provide privacy information on different product interfaces?

When you think about how to provide privacy information, you should consider how your users interact with your IoT product.

This is particularly relevant for IoT products that have different types of interface. For example:

Will your users interact with your product through a display?
Does your product involve the use of an associated mobile app?

IoT products can have different types of interface. They include small and large screens, voice and sound interface, light controls, mobile or app interface, or a web browser interface.

You should plan for what privacy information you can make directly available on the IoT product and what information you will make available on a mobile app (if there is one) or through an account accessed through a web browser.

Some devices have a prominent voice interface and a far less prominent display interface. You could consider making privacy information available through the voice interface.

Example

A graphic shows a smart speaker answering users’ questions about how their personal information is processed via its voice interface.

Example

Two graphics show smart TVs using a smart assistant’s voice interface to provide privacy information about how users’ personal information is processed.

Example

A graphic shows a smart oximeter and its accompanying app displaying privacy information about the cloud back-up setting being on. After users click on the cloud setting, they are presented with more information about what data is collected and stored on the cloud. The oximeter doesn’t have an on-device screen that would allow it to show information in this way.

Some IoT products have prominent light controls and sound interfaces. You could use these methods to signal to your users when IoT products are on and processing personal information.

Example

A graphic shows a smart speaker making a sound when it starts ‘listening’ after being prompted by a user.

Example

A graphic shows a smart security camera indicating a camera light being on when recording video footage.

How do we provide privacy information if there are multiple users?

An IoT product can often be used by multiple people. Whether you intentionally design your product for use by multiple users or not, you must ensure all potential users whose information you will process are given privacy information.

This may be difficult if users don’t have their own account. You should consider giving people the option of having multiple accounts for a product if this is likely to improve their experience and access to transparency information.

If you are giving users multiple accounts, you should make sure transparency information is easy to find for everyone that has an account, not just the primary account holder.

In situations where users don’t have their own account or don’t want to create one, you should find other ways of giving them transparency information.

This could include providing privacy information:

on the accompanying app’s app store page;
directly through the product’s interface, such as screen or a speaker; or
on any product listing, prominently next to the product description.

Example

A graphic of a smart home hub shows a dashboard with privacy settings allowing any user, registered or unregistered, to manage controls for sharing certain personal information, including location and whether the home hub’s voice assistant is listening. Any user can access transparency information about how the home hub uses personal information.

Example

A graphic shows a smart speaker’s accompanying app indicating what product controls are available to an additional user. The additional user is made aware they have limited access to change device settings or to make decisions about what connected services they can control. They can manage their voice ID and view their usage history. They can also view information about how the smart speakers use personal information and privacy.

Further reading

Principle (a): Lawfulness, fairness and transparency
Accountability framework – transparency
Children’s code – see standard 4 for how to provide information in an accessible and easy-to-understand way
Right to be informed