Six in ten Internet of Things devices do not properly tell customers how their personal information is being used, an international study has found.
The study was conducted by 25 data protection authorities around the world, including the Gibraltar Regulatory Authority (“GRA”) in its role as Data Protection Commissioner. The study looked at devices like smart sleep systems, internet-connected toothbrushes and watches that monitor health, considering how well companies communicate privacy matters to their customers.
The report showed that:
- 59 per cent of devices failed to adequately explain to customers how their personal information was collected, used and disclosed;
- 68 per cent failed to properly explain how information was stored;
- 72 per cent failed to explain how customers could delete their information off the device, and;
- 38 per cent failed to include easily identifiable contact details if customers had privacy concerns.
Concerns were also raised around medical devices that sent reports back to General Practitioners via unencrypted email.
The data protection authorities collectively looked at more than 300 devices. Locally, the GRA focused its attention on devices on sale in local shops or on international websites that delivered to Gibraltar. Authorities will now consider action against any devices or services thought to have been breaking data protection laws.
The work was coordinated by the Global Privacy Enforcement Network, and led by the Information Commissioner’s Office in the UK. It follows previous reports on online services for children, website privacy policies and mobile phone apps.
Steven Sanchez, Information Rights Manager at the GRA said:
“There are many Internet of Things devices that have the potential to revolutionise our lives, be it through a toothbrush that monitors how we brush our teeth, an alarm clock that ensures we get the perfect amount of sleep, or a watch that regulates our health as we walk down the street. Whilst the positive elements these devices bring to us are obvious, they will inevitably be collecting and using a constant stream of personal information. Consequently, it is important that companies making these devices are open and clear to their customers in respect of the personal information that they collect, and ensure an appropriate balance is achieved between the enjoyment of these devices and the privacy of those that interact with them.
By working together with other authorities from around the world, it is our hope that this report can raise awareness, and help ensure that Internet of Things devices are enjoyed by all in a responsible manner, with adequate consideration given to the privacy of individuals.”