The Information Commissioner’s Office (ICO) has published draft Guidance for consumer Internet of Things products and services (the Guidance). The Guidance aims to help organisations that process personal information in Internet of Things (IoT) products comply with data protection law and the Privacy and Electronic Communications Regulations. Such organisations are likely to include manufacturers, developers of operating systems, mobile app developers, web app developers, software developers, AI service providers, providers of biometric technologies, providers of sensors and telemetry, cloud providers, and cybersecurity and IT providers.
What is IoT?
This is a broad term that applies to a network of physical products incorporating sensors, software, processing ability and different types of connectivity (including the internet), which enable these products to process information. IoT products can often connect to one or more other IoT products. Examples of IoT products include: home entertainment products (smart speakers, connected TVs, connected toys); home automation products (smart lights and lightbulbs, smart thermostats, smart home hubs); wellbeing products (fitness trackers, smart watches, smart scales, sleep monitors); and security and safety products (smart security cameras, smart doorbells, smart baby monitors). By their very nature, these products require an input of personal data in the first instance, and that information is likely to be shared across different connected products.
Addressing privacy concerns
The Guidance provides regulatory certainty by outlining clear expectations for organisations to comply with data protection law and use people’s personal information responsibly; the ICO is seeking to ensure that smart products are designed with privacy in mind from the outset.
Stephen Almond, Executive Director for Regulatory Risk at the ICO, said: “People rightly have a greater expectation of privacy in their own homes so they must be able to trust that smart products are using their personal information responsibly and only in ways they would expect… this is not just about compliance – it’s about building a fair and transparent online world where people are given meaningful control over how their data is used.”
Areas of focus
The Guidance sets out the following principles, which reflect the need for IoT products and services to comply with UK data protection law:
- Accountability: Manufacturers and developers are responsible for complying with the data protection principles. Accountability is considered in the context of IoT products and services, covering the controller and processor relationship (proper allocation of roles), privacy by design, and the use of IoT products and services by children.
- Transparency and fairness: The Guidance includes examples for manufacturers and developers on how to inform consumers of how they collect, use and share personal data. Manufacturers and developers are encouraged to consider how personal data is processed, focusing on key issues such as necessity, proportionality and purpose limitation.
- Data minimisation and accuracy: A strict requirement that devices should only collect the personal data absolutely necessary for their stated function, and that the data is accurate so as to ensure system integrity. Data obtained from IoT products should not be held for any longer than is needed.
- Security: The Guidance proposes measures such as passwords, multi-factor authentication methods, monitoring, software security updates and encryption methods.
- Data subject rights: Clarifying the tools and processes that must be available for people to exercise their data protection rights, such as the right to access or erase their data.
This consultation offers an opportunity for businesses and consumers to help shape a practical and effective regulatory framework and protect personal data in an increasingly connected world. The consultation period closes on 7 September 2025.