Privacy Protection in IoT Household Products and “Smart Homes”
5 December 2023
Dear clients and friends,
On November 15, 2023, the Protection of Privacy Authority (the “PPA“) published a document on privacy in IoT (Internet of Things) household products and smart homes (the “Document“). The term IoT refers to the use of electronic devices with sensors that collect information from the environment, such as movement data, temperature, sound and location, and process it for various purposes and actions that have an impact on the physical world (“IoT Products“).
As part of the Document, the PPA reviews the challenges and risks imposed on privacy while using the IoT Products derived from the collection of personal information, specifies guidelines and recommendations for companies that provide home IoT Products and smart home services, and provides recommendations for the public with respect to the use of these products and services.
The PPA points out several key risks resulting from the operation and use of IoT Products:
- Concern regarding the use of the personal and sensitive information collected through IoT Products by the service providers for purposes other than those for which the user’s consent was given. The concern also arises when it comes to the use of artificial intelligence technologies that are designed to process information from a variety of sources independently.
- Information about the privacy policies of IoT Products is typically provided only after the products are purchased and installed. In some cases, the information is presented in lengthy and in legally complex language, making it difficult for users to understand.3. Data breaches resulting from unauthorized access to stored information may occur due to the connection of IoT Products to the network or cloud and the inadequate security measures of these products.
- Exploitation of security failures by malicious or unauthorized entities with the intention of remotely taking control of IoT Products and monitoring users within their home environment.
- Information about guests or service providers in the home environment may be collected without their knowledge or consent.
- Collection and retention of surplus information that is not necessary for the provision of the service.
In light of these risks, the PPA outlines a variety of recommendations for users of IoT Products, including:
- Informing all household members (verbally or by other means) about the use of IoT Products that may record or capture them.
- Avoiding installation of IoT Products with recording capabilities in sensitive home areas such as bedrooms, bathrooms and showers.
- Restricting the movement of mobile IoT Products (such as robotic vacuum cleaners) and prevent them from operating in sensitive home areas.
- Ensuring the change of default passwords of IoT Products to strong and unique passwords, updating them periodically. If the products are connected to the network via Wi-Fi, it should also be ensured that the home network password is strong and is not shared with unauthorized individuals.
- Avoiding the linkage of IoT Products to social networks during the registration and installation process.
- Preferring the purchase of home IoT Products from companies that emphasize the importance of privacy protection and information security as part of their products and offering advanced privacy and cybersecurity features. Additionally, examining the privacy policies of different products and preferring those that allow significant control over the collected data.
In addition, the PPA outlines in the Document guidelines and recommendations for companies that provide IoT Products and services, including:
- Data Security – The information must be secured as required under the Privacy Protection Regulations (Data Security) 2017. Additionally, it is recommended that these companies will work to reduce risks through the implementation of privacy engineering processes (Privacy By Design) and adopting a “Privacy By Default” approach. Starting from the early planning stages of products, these measures will simplify users control over their relevant information, inform users about privacy and security risks when using products (with a specific emphasis on “smart toys” and IoT Products intended for children), and conduct a privacy impact assessment early in the information systems planning phase.
- Duty of Informing – Emphasis should be placed on presenting users with information about the purpose of collecting data, to whom it will be disclosed, and specifying the purposes of such disclosure. This is especially crucial when dealing with IoT Products targeted towards children. It is advisable that this information would be provided prior to obtaining users’ consent for the service, or at the very least, as part of the consent acquisition process.
- Consent and Purpose Limitation Principle – When obtaining consent for the use of IoT Products, it is essential to present users with concise, understandable, and straightforward information regarding the collection of personal data by the product and the intended uses of the information (including details about the collection and processing using artificial intelligence technology), including the potential implications of such usage on their privacy. It must also be ensured that the use of the collected information through IoT Products is solely for the purposes for which consent was originally obtained. Additionally, users should be given the option to revoke their consent for the collection and use of information pertaining to them.
- Access, Minimization and Deletion of data –
- Data Access – Users should be provided with easy access to review their personal information whenever possible.
- Deletion of Data – It is important to positively consider requests from users for the deletion of information about themselves or their minor children.
- Excessive Data Minimization – Periodically, at least once a year, an evaluation should be conducted in order to determine if the collected information for providing the services does not exceed what is necessary.
To read the full Document (HE) >> Click here
We will be happy to be at your service for any questions or required clarifications.