Privacy and data security are key concerns in the Internet of Things (IoT). It is important to incorporate appropriate privacy and security controls into your IoT device at the development stage in order to effectively address privacy and security risks, and build user confidence. The following checklist can help you create a safer and more welcoming IoT environment.


  • Identify information that your device collects, where it comes from, what it is used for, with whom it is shared and for what purposes.
  • Conduct a privacy impact assessment to identify privacy risks and consider ways that the risks can be addressed or managed.
  • Familiarize yourself with data protection laws in place where the device will be offered.
  • Consider whether any other laws could apply to the device or the persons or industries that will be using the device.
  • Understand the device’s technical limitations that may impact security.
  • Understand the existing threat environment.


  • Limit collection and retention of information to what is reasonable and necessary to operate the device.
  • Describe personal information handling practices in a simple and clear manner and obtain consent.
  • Ensure that any collection, use or disclosure of personal information for “secondary” purposes (such as marketing or targeting) is optional.
  • Implement appropriate security controls, keeping in mind the nature of the device and the information collected, how information is stored and identified threats.
  • Engage experts in de-identification of personal information to ensure it is done effectively.


  • Regularly review existing security measures and update them in light of changes to the threat environment or industry standards.
  • Review privacy policies and consent language regularly and any time a change is made to the device or applicable data protection laws.