UK Information Commissioner releases guidance on Internet of Things used in products and services
July 13, 2026 |
The internet of things has long been recognised as a significant weakness in cyber security and privacy. The Information Commissioner has published its final guidance on consumer Internet of Things products and services.
It is a very comprehensive guideline, running to 90 pages, but is laid out in a very user friendly manner.
The media release provides:
We have today published our finalised guidance on consumer Internet of Things (IoT) products and services, setting out clear expectations for manufacturers and developers on how to use people’s personal information responsibly.
The guidance reflects feedback from both the public and industry following a 12-week consultation last year. It provides regulatory certainty on areas such as how to ask for informed consent, how to provide transparent privacy information and what tools need to be available for people to exercise their rights over their data.
William Malcolm, ICO Executive Director for Regulatory Risk and Innovation, said:
“Connected devices process some of the most sensitive data about people’s lives, from data about health to daily routines and family life. Product and device innovation holds huge potential to make a positive impact in so many areas of people’s lives, but that innovation must work for everyone. It is vital that product developers put privacy at the centre of product design and use data fairly and transparently.
“We’ve welcomed the constructive engagement from industry during the consultation process and now we are calling for action – data protection by design is a legal requirement, not a suggestion. We encourage organisations making and developing smart products to review the guidance and ensure they are meeting the standards the public expect.”
We are now turning our attention to connected TVs and how they use people’s personal information. Found in 70% of UK households, smart TVs can collect a large amount of data and use this information to serve targeted advertising – but this must be done transparently and with genuine consent.
We will be engaging with connected TV manufacturers this year to assess whether they are complying with the law and offering consumers meaningful choice over how their data is used.
Andrew Laughlin, Which? Tech Expert, said:
“For years, Which? investigations have shown that many connected products collect far more personal data than is needed to provide their service, so it’s good that the ICO has incorporated some of our recommendations into its final guidance, helping to set clearer expectations for manufacturers and developers.
“The guidance should mark a turning point for the sector. Businesses need to be upfront about the data they collect, explain why they need it and give consumers meaningful control over how it’s used. The challenge now is ensuring the guidance is backed by effective regulation and meaningful industry action.”
Our expectations for IoT manufacturers and developers
-
- Privacy must be built in from the start, not bolted on afterwards – with protective settings on by default and data collection limited to what is strictly necessary.
- Consent must be real, specific and freely given via a clear opt-in – and it must be just as easy to withdraw.
- Genuine transparency is more than a privacy notice – users must be clearly informed about how their data is used, in plain language and at relevant points across the whole product.
- Most firms will have to do a Data Protection Impact Assessment – due to the sensitive nature of the data they collect, with an even higher bar if children may use the product.
- Security is an ongoing legal obligation, not a one-time consideration – it requires regular updates, encryption, and multifactor authentication throughout the product’s lifetime.
The guidance forms part of our wider online tracking strategy, which aims to give people meaningful choice and confidence in how their information is used, while enabling businesses to innovate responsibly.
The guidance is drafted for UK users and applies UK law and GDPR regulations. That said it is useful to have regard to it for good practice. Such as:
Regarding transparency
When deciding how to comply with the transparency principle, you should consider:
-
- the most appropriate formats to deliver privacy information;
- the accessibility of your language;
- appropriate moments in a person’s user journey;
- different interfaces where people could receive privacy information; and
- who are the product users are (eg a single user vs multiple users, adults or children).
You must separate privacy information from terms and conditions, as well as any requests for consent to process personal information. You must not include a tick box to indicate consent with your privacy information.
You should make sure that privacy information is specific and relevant to an IoT product and the processing it does. You must provide privacy information for all its processing.
and
When deciding how to provide privacy information, you should consider how people will interact with your IoT product and the wider context of its use. This will help you work out the most effective way of informing them.
Privacy notices are a useful way to communicate privacy information but may not be the most appropriate for all instances in the context of IoT. Where appropriate, you should consider other techniques alongside a notice. This will help you demonstrate you’ve taken steps to communicate privacy information in ways that people are likely to notice and use.
You should use various techniques such as ‘just-in-time’ (JIT) notices or a layered approach, where appropriate.
You could provide a dedicated privacy and security hub where people can find privacy information.
and
You should make your privacy information easy to read and understand. You must make it concise, transparent, intelligible and easily accessible, using clear and plain language.
You should think about the people you address the information to. Putting yourself in their position can help you understand their level of knowledge and whether they may also have particular needs. This can impact not just what you tell them but also how you do so.
Where appropriate, you should make your privacy information more effective by:
-
- using combinations of audio and visual aids, including navigation panels, collapsible lists, bullet points, large text, pictures, diagrams, videos and subtitles to deliver your privacy information; and
- accommodating people with particular needs (eg providing the information in ways that are compatible with assistive technologies like screen readers and using (or enabling the use of) easy-to-perceive colours to display the information).
If you offer more than one IoT product or service, you should provide privacy information across various products and services in a consistent way that is appropriate for the specific product or service.
The right moment to provide privacy information
You should identify the moments when people might expect to make decisions about their personal information, and when they might be ready to make reasonable, informed choices.
Consider when in the user journey you should discuss privacy. You must provide privacy information at the time of collecting personal information from the person it relates to, but you should consider other moments too.
You could consider providing privacy information at the different moments in the user journey. For example, when a user:
-
- visits a product website;
- downloads an accompanying app from an app store;
- sets up a product for the first time;
- creates or adds user accounts;
- receives a security update that changes how you process their personal information;
- receives a product update that changes how you process their personal information (eg launching a new feature);
- enables a product feature themselves; and
- has their personal information collected by the product.
Often, your IoT product may start processing people’s personal information:
-
- during set-up (eg if the user gives you personal information as part of this process); or
- once set-up is complete and the product starts working.
You should provide privacy information at least at these moments in the user journey.
Accuracy
The accuracy principle in data protection law means you must:
-
- take all reasonable steps to ensure the personal information you process through your IoT product is not incorrect or misleading about any matter of fact;
- keep the personal information up-to-date, if necessary; and
- consider how you will respond to any challenges from users about the accuracy of the information you’ve gathered through your IoT product.
In practice this means you must take reasonable steps to design your IoT product so that the information it processes is accurate. If the technology – such as sensors – that your IoT product relies on to process personal information is inaccurate, you will probably not be able to meet the requirements of the accuracy principle.
Security
You must apply appropriate security measures to your IoT products and services when you process personal information. This includes both technical measures for your product and ensuring you have appropriate organisational measures in place.
You should determine what these measures are by carrying out a risk analysis that considers:
-
- the circumstances of your processing and the likely security threats you may face;
- the harm that may arise if the personal information is compromised; and
- what forms of attack your product and its associated services may be vulnerable to.
What’s ‘appropriate’ is likely to differ depending on the type of IoT product, its functions, and the nature of the personal information you process.
Regarding passwords
While passwords are a common security measure, you should consider whether they are appropriate for your particular circumstances.
Passwords carry well-known risks. More complex passwords are known to be more secure – but only if they are unique. However, there is a risk that if you require over-complex passwords, people will bypass the security measure and write them down or repeatedly request to reset their password.
If you choose to use passwords for your IoT products, you must ensure you have a policy in place to govern how you set them up. You should also enforce an appropriate level of complexity and prevent the use of common, easily guessed passwords. This will help you avoid allowing your users to set weak or already compromised passwords.
Security updates
You must provide regular security updates for your IoT products. Where possible, you should enable your IoT product to operate during a security update. You should make clear how security updates can be installed – whether this is automatically over-the-air or manually.
If an IoT product can’t be automatically updated, you must give users the option to update it manually. If it’s not possible to update the product automatically or manually, you should inform users that they should remove the IoT product from the network.
and
When evaluating whether encryption can mitigate any risks you identify, you should consider:
-
- the sensitivity of the information you are processing – if your IoT product processes special category data or things like location data, your risk profile may be higher;
- the harms that may arise if personal information is subject to unlawful or unauthorised access;
- the data flows in your IoT product’s overall ecosystem; and
- where this personal information will be stored (eg on the IoT product or in the cloud).
You should ensure that your IoT product supports secure firmware updates to patch vulnerabilities and update encryption algorithms as needed.