What information do IoT products use?

Do IoT products process personal information?

Personal information is information that relates to an identified or identifiable person.

In most cases, IoT products process personal information. This is because they are designed for people to interact with them, and many require a user account to operate.

Remember, if you cannot identify someone directly from the information you hold, it may still be possible to identify them indirectly. 

You must consider the information you process through IoT products and all the means that you or anyone else are reasonably likely to use to identify someone. 

The range of personal information you collect may be extensive. For example, the lifecycle of a single IoT product may involve processing personal information that you:

  • obtain directly from the user, such as when they give personal information like their name, date of birth, email address, user account information;
  • obtain from another source, like a third party (eg a social media company or other mobile apps for purposes such as account linking);
  • observe about how the user interacts with the product and any associated services (eg an app);
  • collect from the product’s hardware and software, such as sensors, device identifiers, voice and video recordings, images, movements, temperature, location; and
  • infer about someone, for example, by combining and analysing information you collect from the user, the product or other sources, and by making inferences about their behaviours, characteristics or preferences.

It is important to be aware that information you hold may indirectly identify a person, so it could constitute personal information. This may be the case even if you need additional information to be able to identify someone, because they may still be identifiable. You may already hold that additional information or may need to get it from another source. 

Further reading – ICO guidance

What is personal information: a guide

Do IoT products process special category information?

Special category information is personal information about a person’s:

  • race;
  • ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data (where this is used for identification purposes);
  • health data;
  • sex life; or
  • sexual orientation.

Special category information includes anything that reveals or concerns these categories of personal information. This also covers cases where you intend to infer or guess details about someone that fall within these categories.

IoT products and services may use special category information, whether directly or by inference; for example, where:

  • the core functionality of your product requires this data; or
  • you intentionally infer it, for example to provide your users with a ‘health score’ reflecting your assessment of their physical health.

You must process special category information only if you can identify both a lawful basis under Article 6 and a valid condition under Article 9 of the UK GDPR.

Most of these conditions mean you must be able to demonstrate that using special category information:

  • is necessary and proportionate; and
  • complies with the data minimisation principle. 

Further reading - ICO guidance

IoT and health data

The UK GDPR defines health data in Article 4(15) as:

“personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.

Health data can be about someone’s past, current or future health status.

It not only covers specific details of medical conditions, tests or treatment, but also any related information that reveals anything about the state of their health.

Some types of IoT products are designed to process health data, whether directly or by inference (or inherently involve its processing).

Example

Fitness trackers and smart watches can track a user’s step count. The step count information is transmitted from the product to the IoT manufacturer’s servers that process the information. Step count does not automatically reveal the user’s health status. For example, low step counts may occur for several reasons, such as: 

  • the user not wearing the device often;
  • hardware or software errors; or
  • engaging in other types of non-step based activity (eg cycling).  

So, step count on its own is unlikely to be health data. 

However, when a person uses a fitness tracker as part of their insurance policy and the insurance company uses step count to predict their health when calculating their insurance premium, then step count is likely to be health data. 

Example 

A fitness tracker asks the user to input their height and weight to calculate their body mass index (BMI). The user’s height, weight and BMI are transmitted from the product over a network to the IoT manufacturer’s servers that process the information. Based on whether the BMI score is low, high or normal, the fitness tracker makes recommendations for a training regime. 

Height and weight are not necessarily health data on their own, but the user’s BMI score is more likely to be. This is because BMI scores may reveal something about the user’s health status. 

Example

A woman uses a smart fertility tracker to record the dates of her periods and body temperature. This information is transmitted from the product over a network to the IoT manufacturer’s servers where it is further processed. The tracker makes an inference about fertile days based on this information. 

Not only is the information about the user’s period and body temperature special category data, the inference about fertile days also falls into this category because it can reveal something about the woman’s reproductive health. 

Further reading

Health data

IoT and biometric data

Biometric data is a type of personal information that:

  • relates to someone’s physical, physiological or behavioural characteristics (eg voice, fingerprints, face);
  • has been processed using specific technologies (eg a voice recording is analysed to detect qualities like tone, pitch, accent or inflection); and
  • can uniquely identify (recognise) the person it relates to.

Biometric data only becomes special category information when you use it for the purpose of uniquely identifying someone. We call this ‘special category biometric data’.

This means that if you are using biometric data but not for the purpose of uniquely identifying someone, it is not special category biometric data. 

Your purpose for processing biometric data therefore defines whether you’re processing special category biometric data.

Example

A smart speaker with an embedded voice assistant allows people to create a voice ID. The voice ID is a digital representation of a user’s voice, which is used to match their spoken voice and identify the particular user asking a query to the voice assistant. The accompanying app for the smart speaker records the query and the name of the user who asked it. 

Voice ID is biometric special category data because it is used to uniquely identify that user. 

If a user asked a voice assistant a query without having voice ID set up for their voice, their voice query is also biometric special category data. This is because the voice query is still processed by the voice assistant to match against any existing voice IDs. So it is at least partly processed for the purpose of uniquely identifying someone. 

IoT and location data

Some IoT products may process information about their geographical location. Location data is not special category information. But people may consider it to have a level of sensitivity because it can reveal a lot about their lives.  

This means it can be personal information, so if you process it you must comply with the UK GDPR. In this context, you should consider: 

  • the level of location granularity you need to deliver certain features of your IoT products and services;
  • only collecting location information that is essential to provide the service your users request;
  • offering different location options for individual product features;
  • identifying potential risks to people from processing their location, and the measures or safety features you can implement to mitigate these risks; and
  • where appropriate, providing a clear and easy-to-find setting for users to turn location data on and off. 
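The first three points above come down to a design decision on the device: how coarse a fix each feature can work with, and whether the user has switched that feature’s location off. The following is an added illustration written for this page, not code from the ICO or from any manufacturer; the feature names and the granularity each one is given are assumptions chosen to show the pattern. It snaps a GPS fix to a grid cell no finer than the feature needs, lets the user make it coarser or turn it off (never finer), and defaults everything to off for a service likely to be accessed by children.

```python
"""Per-feature location granularity on an IoT device (added example).

Coarsens a GPS fix to the precision each feature actually needs and honours
a per-feature user setting before the fix leaves the device. The feature
table and the granularity levels are illustrative assumptions.
"""
import math
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Granularity(Enum):
    # Grid cell edge in metres; OFF means no location is transmitted at all.
    OFF = None
    CITY = 10_000
    NEIGHBOURHOOD = 1_000
    STREET = 100
    PRECISE = 1


# Assumed feature table: the least precise level that still delivers the feature.
FEATURE_NEED = {
    "weather_forecast": Granularity.CITY,
    "local_sunrise_schedule": Granularity.NEIGHBOURHOOD,
    "geofence_arrive_home": Granularity.STREET,
    "find_my_device": Granularity.PRECISE,
}


@dataclass(frozen=True)
class Fix:
    lat: float
    lon: float


METRES_PER_DEG_LAT = 111_320.0  # approximate, near-constant


def coarsen(fix: Fix, cell_m: int) -> Fix:
    """Snap a fix to the centre of a cell_m x cell_m grid cell.

    Latitude is snapped first; the longitude cell width is then derived from
    the snapped latitude so every fix in the same latitude band shares one
    longitude grid (two fixes in the same cell always coarsen identically).
    """
    deg_lat = cell_m / METRES_PER_DEG_LAT
    lat = (math.floor(fix.lat / deg_lat) + 0.5) * deg_lat
    # Longitude degrees shrink with latitude; clamp near the poles.
    cos_lat = max(math.cos(math.radians(lat)), 1e-6)
    deg_lon = cell_m / (METRES_PER_DEG_LAT * cos_lat)
    lon = (math.floor(fix.lon / deg_lon) + 0.5) * deg_lon
    return Fix(round(lat, 6), round(lon, 6))


def default_settings(child_service: bool) -> dict:
    """Assumed defaults: a service likely accessed by children starts with
    every location feature off until the user turns it on."""
    if child_service:
        return {feature: Granularity.OFF for feature in FEATURE_NEED}
    return {}


def location_for_feature(fix: Fix, feature: str, user_settings: dict) -> Optional[Fix]:
    """Return the fix to transmit for `feature`, or None if nothing should be sent.

    The user setting can only make the result coarser or switch it off; it
    can never make it finer than the feature needs.
    """
    need = FEATURE_NEED.get(feature)
    if need is None:
        raise KeyError(f"unknown feature {feature!r}")
    user = user_settings.get(feature, need)
    if need is Granularity.OFF or user is Granularity.OFF:
        return None
    cell_m = max(need.value, user.value)
    return coarsen(fix, cell_m)


if __name__ == "__main__":
    # Constructed sample fix (central London), not captured from a real device.
    sample = Fix(51.5014, -0.1419)
    for feature in FEATURE_NEED:
        print(feature, location_for_feature(sample, feature, {}))
    print("child default:", location_for_feature(sample, "find_my_device", default_settings(True)))
```

Because the coarsening happens before transmission, the server never receives a finer fix than the feature is entitled to, which is the property that makes the granularity setting meaningful rather than cosmetic.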

If your IoT product includes a service likely to be accessed by children, you should conform to the requirements of the geolocation standard in our Children’s code. This may affect your overall design choices. For example, the Children’s code says any geolocation setting you provide should be switched off by default unless you can demonstrate a compelling reason for it to be enabled.

Other specific rules may apply depending on the type of location information that your IoT product (or its associated app) processes. This is because PECR contains provisions about both location data and device information. See the section on PECR for more information.

People might use IoT products in the home – does the UK GDPR still apply?

People often use IoT products as part of their daily lives, which may make it unclear whether data protection law applies to the processing.

This is because the UK GDPR does not cover processing by a person in the course of a purely personal or household activity. We call this ‘domestic purposes’.

But it’s important to note that this doesn’t make any processing by an IoT product exempt from the law. While many consumer IoT products are designed to be used in the home, this doesn’t mean your use of any personal information they collect is also out of scope. As this is processing you undertake for your own purposes, you must comply with the law when doing so – for example, when providing an IoT service or collecting information from IoT products as part of that service. 

And the UK GDPR is clear that if you provide the means by which people process personal information for domestic purposes, the law applies to you.

These are important considerations you must take into account when you design any IoT product or service that intends to collect personal information.

Example

A driver is using a smart dash camera in their car. The dashcam records the road and surroundings when the car is on the move. The driver can view the footage from the dashcam in the accompanying app. 

Although the dashcam’s recordings capture public spaces as the driver uses the car, the product is not being used to continually monitor a specific public space but is instead capturing images related to the movements of the car when used by the driver. Capturing the images is part of the driver’s personal activity when using the car. 

However, if the driver posts dashcam recordings online, the processing of any personal information captured by the dashcam will no longer be in the course of the driver’s personal activity. This processing is within scope of the UK GDPR and the driver will need to identify an appropriate lawful basis. 

The manufacturer’s processing of personal information in the dashcam falls within scope of the UK GDPR because it is processing carried out by a legal entity rather than by a person. It is a commercial, rather than a personal or household, activity.

Example

A person owns a smart speaker with an embedded virtual assistant. They use it for different purposes, including to play music, use a search engine or make calendar appointments. 

Other people in the household use the smart speaker, including family members and visiting friends. Processing of other people’s information when they use the smart speaker is a purely personal or household activity by the person who owns the smart speaker. 

However, processing the personal information by the smart speaker manufacturer falls within scope of the UK GDPR because it is processing carried out by a legal entity for its own purposes, rather than by someone in the context of a personal or household activity.

The smart speaker manufacturer should design their product in a way that provides controls for users to configure product settings to minimise the personal information it collects. 

Does PECR apply to IoT products?

What PECR rules are relevant for IoT products?

Most of the PECR rules concern things like direct marketing or security of communications providers. But a specific one applies when you use technologies that store information (or access information stored) on a user’s terminal equipment. 

This is regulation 6, and it applies to the use of technologies like:

  • cookies;
  • tracking pixels;
  • local storage;
  • device fingerprinting;
  • scripts and tags;
  • application programming interfaces (APIs);
  • automatic content recognition (ACR); and
  • software development kits (SDKs). 

Are IoT products ‘terminal equipment’?

If an IoT product is connected to a public communications network (eg the internet), it is ‘terminal equipment’ so PECR rules apply. This is true whether the IoT product is connected directly or indirectly (eg through another device that has a network connection).

It’s also true whether the information that the product processes is streamed or cached for intermittent reporting. This is because information on the IoT product is stored or accessed, or both – for example, where you send or receive data from the device. 

If your IoT product connects to the network through another network-connected device, any transmission of data to that device falls outside the scope of PECR.

However, if you store or access information that the network-connected device collects from the IoT product, PECR does apply to these processing activities. 

Example

A smart lightbulb does not automatically connect to a network. The lightbulb needs to connect to its accompanying app on a mobile phone via Bluetooth to transmit information over the internet to the lightbulb manufacturer. The transmission of information between the smart lightbulb and the mobile phone falls outside the scope of PECR. 

When information from the accompanying app on the mobile phone paired with the smart lightbulb is stored or accessed by the manufacturer, PECR rules apply. 

How do PECR rules interact with UK GDPR?

Unless an exemption applies, PECR says you must: 

  • provide “clear and comprehensive information” to your users about the purposes of any storage or access in the IoT product; and
  • obtain the user’s prior consent (to the UK GDPR standard).

PECR does not define ‘clear and comprehensive information’. However, in practice it refers to the UK GDPR’s transparency requirements, the right to be informed and the conditions for consent.  

So, if you design your IoT product to use storage and access technologies, to comply with PECR you must provide the same information to subscribers and users as you would when you process their personal information. 

If you have to obtain consent for your use of storage and access technologies, and the information is personal information, then you should use consent as your lawful basis under the UK GDPR for subsequent processing.

Example

A smart TV company is using automatic content recognition (ACR) technology on their smart TVs to serve their users personalised ads. 

The ACR technology periodically captures content displayed on the TV and matches it against a content library to identify what the user is watching. Based on content matches, the smart TV users are served personalised ads.

The company needs to access information on each user’s TV to match against the content library. Because the ACR technology is storing and accessing information on the user’s TV (ie terminal equipment), the company needs to obtain valid consent under PECR to use it for advertising. 

When users start setting up their smart TV, the ACR is off by default. The smart TV asks them during the TV set-up process whether they would like to switch on this feature. Users are shown a short explanation of the technology. On the TV screen, users are presented with options to accept or reject the use of the ACR technology with equal prominence. Users can revisit their choice about ACR in the settings.

Read the sections of this guidance on consent and transparency for more details about the relevant requirements. 

Do we need consent for online advertising purposes?

You must get consent if you use storage and access technologies for online advertising purposes in your IoT products. 

This applies both to the technical processes involved in ad selection and delivery, as well as any associated tracking and profiling.

This is because use of storage and access technologies for the purposes of online advertising is not strictly necessary to provide an online service via your IoT product. You might consider generating income through advertising necessary for your business, but on a technical level you can provide the service without any advertising. 

Remember, you must also have an appropriate lawful basis for any processing of personal information for the purposes of profiling and targeted advertising (eg a person’s viewing habits on a smart TV). If you need consent for your use of storage and access technologies, and the information is personal data, you should use consent as your lawful basis under the UK GDPR for subsequent processing.

If your product is aimed at children or is likely to be accessed by them, you should ensure that online behavioural advertising is off by default. 

Example

A company wants to serve digital advertising on the screen of their home hub product. The company integrates a software development kit (SDK) into the home hub that collects information about users’ behaviour, users’ interactions with the home hub and their preferences. It uses the information to enable the display of targeted ads to users when they engage with the home hub.

The company gets valid consent from their home hub users before starting this processing. It offers users options of equal prominence to make a choice about whether or not they want their advertising to be personalised. It also provides settings for users to withdraw their consent at any time after they set up their product.

How do the PECR rules on location data apply?

PECR contains a specific definition of ‘location data’. For PECR, this is information that a network or service collects about where the user’s device is or was located. 

The rules on location data are in regulation 14 and are strict. You can only process this data if you are a public communications provider, a provider of a value-added service, or a person acting on the authority of such a provider, and only if:

  • the data is anonymous; or
  • you have the user’s consent to use it for a value-added service, and the processing is necessary for that purpose.

For most organisations that make IoT products, the processing of location data under regulation 14 isn’t possible. This is because they are not public communications providers or value-added service providers.

How are the PECR rules on terminal equipment relevant to location data?

IoT product providers may process other information about a person’s location, even if it doesn’t meet PECR’s definition of location data. For example, the rules on location data don’t apply to GPS-based location information or data about connections with local wifi equipment. 

This is because these types of data are created and collected independently of the communications provider. 

However, a different part of PECR may apply to the processing of this data. If you obtain information about a person’s location by storing or accessing information on their IoT product, you must comply with regulation 6.