Privacy policies for Internet of Things devices must comply with GDPR

No. 3, 25 March 2019 Issue

Many Internet of Things (IoT) devices, such as smart speakers, lightbulbs, hubs and fridges, collect personal data. As these devices become more popular, more of that processing falls within the scope of the General Data Protection Regulation (GDPR). How much control people actually have over the data about them depends, to a large extent, on how well manufacturers tell users what data the devices collect, what it is used for, and what the likely consequences for the users are.

As a case study of this, Open Rights Group recently worked with researchers at the London School of Economics to produce an unboxing video exploring one specific IoT product, “Sammy Screamer”. Sammy Screamer is a connected motion alarm made by a company called BleepBleeps. You attach the device to a door, pushchair or bag, for example. Then if the device moves it sends a signal via Bluetooth to your phone. Your phone then notifies you that the device has moved – useful, for example, to know if your sleeping child has stirred or if someone has entered your home or taken your bag without permission.

One of the areas the video examines is privacy, and particularly the device’s privacy policy documentation (this section starts at 2m 54s).

When you buy the device on the BleepBleeps website, there is a link to the company’s privacy policy in the footer of that webpage. It is unclear whether the contents of that privacy policy cover a) the BleepBleeps website, b) the device you are buying and its associated app, or c) both the website and the device/app.

If you received the device as a gift, you would never have seen the website link at all. The box the device comes in contains neither a printed privacy policy nor any link to a privacy policy online.

The only time a user sees a link to the BleepBleeps privacy policy is in the sign-up phase when setting up the app which links their phone with the motion alarm device.

You cannot use the device unless you sign up through the app. You cannot sign up without (silently) agreeing to the privacy policy. This is problematic: under GDPR, consent must be given by a statement or a clear affirmative action, and silence, pre-ticked boxes or inactivity do not count as consent (Recital 32).

The text linking to the privacy policy is incredibly small which means it is difficult to read and accurately tap on. It is also very easy to miss that text at the bottom of the screen.

This is only one short case study illustrating how people are expected to interact with an IoT device and where the shortfalls are in terms of GDPR. IoT device manufacturers should be making it easy for users to understand what data about them will be collected and how it will be used. They should also ensure that users are giving “freely given, specific, informed and unambiguous” consent, as GDPR Article 4(11) requires, rather than relying on silent, implied consent.


By Ed Johnson-Williams, Policy and Research Officer, Open Rights Group