Manufacturers of Internet of Things (IoT) devices (e.g., lights, doorbells, locks, cameras, watches and health trackers) are responsible for ensuring compliance with Canadian privacy legislation. The Office of the Privacy Commissioner of Canada (OPC) released the Privacy Law Guidance for Manufacturers of Internet of Things Devices (the “guidance”) to assist such organizations with their compliance efforts and to provide practical information to help facilitate general compliance with Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). The guidance is based on the results of several OPC investigations. While this guidance is focused on PIPEDA, manufacturers of IoT devices must consider whether they are also subject to provincial private-sector privacy legislation.
Manufacturers of IoT devices are subject to PIPEDA if their device is collecting, using, or disclosing personal information in the course of commercial activity. Personal information can be any information about an identifiable individual, particularly when there is a serious possibility that an individual could be identified through the use of that information, alone or combined with other available information. The types of personal information IoT devices collect may vary in sensitivity and could include heart rate, body temperature and movement; temperature or energy usage in a home; voice and facial recordings; geolocation data and behavioural patterns.
Application of PIPEDA’s privacy principles
- manual, which requires pushing a button?
- always ready, activated by a “wake phrase,” like “Hey, Siri”? or
- always on, where data is continuously transmitted without users taking any action?
Checklists – What organizations must do and what is a best practice
The guidance includes a helpful checklist of what manufacturers must do to fulfill their responsibilities under PIPEDA. Key items include:
- Be accountable by instituting practices that protect the personal information under the control of your organization. Use appropriate technological safeguards like encryption and password protection.
- Before collecting personal information, identify the purposes for its collection, and use and disclose personal information only for such purposes.
- Obtain informed and meaningful consent from the individual whose personal information is collected, used or disclosed.
- Design your devices to limit collection to that which is necessary to fulfil their stated purposes, and explain to consumers any and all collection over and above what is needed for device functioning.
The guidance also includes a checklist of what manufacturers should do as a best practice. For example: create device-specific privacy policies to improve the transparency of your information practices; consider periodically notifying users when the device is collecting data, and give consumers greater control to limit the collection; and perform privacy and security risk assessments that help identify and mitigate risks associated with the device and your personal information handling practices.
Consumer guidance for protecting privacy
The guidance for manufacturers complements the OPC guidance document for Canadian consumers, called “Smart Devices and Your Privacy”, which is meant to help consumers protect their privacy while enjoying the benefits of smart devices. The OPC advises consumers to get in the habit of reading privacy information (provided by IoT device manufacturers), to take control of their personal information (for example, by using device privacy features provided by IoT device manufacturers) and to take care of security (for example, using a strong password and enabling automatic firmware updates provided by IoT device manufacturers).
With connected devices increasing in popularity, it is important for manufacturers of these devices to be aware of their obligations relating to the collection, use, disclosure and safeguarding of personal information. The guidance sets out practical information to assist organizations in their compliance efforts. In particular, organizations must consider how to obtain meaningful consent from users and must establish appropriate internal practices to safeguard personal information under their control.