The fourth annual Global Privacy Enforcement Network (GPEN) sweep, which focused on Internet of Things (IoT) devices, found that privacy communications in relation to such devices were generally poor and companies demonstrating good practice were in the minority. Here, we summarize and explore the key findings of the fourth annual GPEN sweep .

The fourth annual GPEN sweep study was conducted by 25 data protection authorities around the world who examined the privacy communications of more than 300 devices. The main findings were as follows:

  • 59 per cent of devices failed to adequately explain how personal information is collected, used and disclosed;
  • 68 per cent of devices failed to inform users about how personal information collected by the device is stored and safeguarded;
  • 69 per cent of devices failed to provide device-specific guidance; and
  • 72 per cent of devices failed to explain how a user can delete their information.

In particular, many data protection authorities focused their sweep on fitness wearables and connected medical/health devices, such as blood pressure monitors or sleep monitors. It was found that although such devices collected sensitive personal data, this was not given special mention in their privacy policies. In addition, it was noted that sometimes unexpected personal information (such as location or date of birth), which are seemingly irrelevant to the services provided, were collected.

Concerns were also raised that some companies interpreted “personal data” narrowly and failed to recognise that other information such as steps taken, calories burned, trends/timings of appliances in use, shopping path, etc. could also be personal data if it were attributed to an identified individual.

It was also noted that there were many devices on the market that link multiple users (e.g. to compete in challenges or link family members accounts) and some devices and apps had functionality for sending data to other people (such as doctors) using common unencrypted email.

However, sweepers were encouraged that some companies used a privacy-by-design approach and provided device-specific privacy policies in addition to their generic privacy policies. In particular, sweepers were impressed by some companies that included “just-in-time” privacy communications to users at the time they input their personal information, informing them of why the information was required.

Steve Eckersley, ICO Head of Enforcement, said of the sweep that: “By looking at this internationally, we’ve been able to get an excellent overview on this topic. We’ll now be building on that, working with the industry and looking specifically at companies who might not have done enough to comply with the law.”

Authorities will now consider actions against any companies thought to be in breach of data protection laws.