The ICO's consultation on draft guidance on consumer Internet of Things (IoT) products and services - Which? response
Executive Summary
Which? welcomes this opportunity to respond to the ICO’s proposal to introduce clear guidance to Consumer IoT vendors on how to adhere to data protection regulation, requirements and best practices and the ICO’s draft impact assessment.
Our research has consistently demonstrated a repeated and wholesale absence of good data protection processes and privacy-enhancing approaches in consumer IoT, with most products we tested scoring less than 50% on our privacy framework.
Overall, we welcome the ICO’s draft guidance for Consumer IoT products and services. We have called for the introduction of such a regulatory initiative for many years, and we feel that it will be a vital step towards improving the inconsistent and often diluted privacy protection measures currently experienced across the Consumer IoT market, such as smart washing machines that request a user’s date of birth and access to the user’s phone contact list.
Over the past two and a half years our Consumer Insight Tracker (a monthly poll weighted to be demographically representative of the national population) has consistently shown that the majority of consumers (between 60% and 65%) are worried about how data about them is collected and used by businesses.
In our response to the ICO’s draft guidance, we argue that in several areas further detail or further commitments are needed to ensure that organisations that process data through consumer IoT have clarity on how to comply with their data protection responsibilities. In particular:
- The draft guidance must be clarified to address the definition of harms (including psychological harm).
- The draft guidance must be strengthened to address inadequacies in the following areas: exemptions of tablets, smartphones, and consumer connected vehicles; permissions and excessive requests for data not essential for functionality; consent journeys from the app download stage onwards (including the experiences of vulnerable users); consumer agency and the ongoing need for ICO enforcement; and data portability.
- The draft guidance must be joined-up for coherence across the legislative and regulatory landscape, in particular: privacy and the consumer rights legislation; online advertising and legitimate interests; location data and UK GDPR; and PSTI and PECR regulations.
- The draft guidance must be expanded to consider ICO engagement with standards development; and to include plans for market investigations, monitoring and robust enforcement by the ICO.
If the ICO expects the Consumer IoT industry to improve its practices to align with the guidance, then there must be a clear statement of what will happen if this expectation is not met.
We recommend that the ICO commits to a review of the impact of the guidance to check how manufacturers are adhering to their responsibilities under data protection legislation. This could involve setting a strong threshold for harm reduction within a 1-year timeframe, otherwise the regulator would consider deeper market intervention measures.
Without this, companies may continue to underinvest in data protection and privacy measures, and so consumers will continue to be exposed to harms.
The ICO’s draft impact assessment notes a focus on growth in digital industries. We argue that consumer protection is vital for economic growth and supports innovation and investment. If trust and consumer confidence increase as a result of data privacy compliance, so does the use of Consumer IoT products.