Many Internet of Things (IoT) devices, such as smart speakers, lightbulbs, hubs and fridges, collect personal data. These devices are increasingly popular, which brings them into more frequent interaction with General Data Protection Regulation (GDPR) provisions. How much control people have over the data about them depends, to a large extent, on how well manufacturers inform users about what data the devices collect, what the data is used for, and what the likely consequences for users are.
As a case study of this, Open Rights Group recently worked with researchers at the London School of Economics to produce an unboxing video exploring one specific IoT product, “Sammy Screamer”. Sammy Screamer is a connected motion alarm made by a company called BleepBleeps. You attach the device to a door, pushchair or bag, for example. Then, if the device moves, it sends a signal via Bluetooth to your phone. Your phone then notifies you that the device has moved – useful, for example, to know if your sleeping child has stirred or if someone has entered your home or taken your bag without permission.
This is only one short case study illustrating how people are expected to interact with an IoT device and where the shortfalls are in terms of GDPR. IoT device manufacturers should be making it easy for users to understand what data about them will be collected and how it will be used. They should also ensure that users are giving “freely given, specific, informed and unambiguous” consent rather than relying on silent, implied consent.
By Ed Johnson-Williams, Policy and Research Officer, Open Rights Group