Manufacturers of Internet of Things (IoT) devices (e.g., lights, doorbells, locks, cameras, watches, health trackers, etc.) are responsible for ensuring compliance with Canadian privacy legislation. The Office of the Privacy Commissioner of Canada (OPC) released the Privacy Law Guidance for Manufacturers of Internet of Things Devices (the “guidance”) to assist such organizations with their compliance efforts and to provide practical information to help facilitate general compliance with Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). The guidance is based on the results of several OPC investigations. While this guidance is focused on PIPEDA, manufacturers of IoT devices must consider whether they are also subject to provincial private-sector privacy legislation.

Manufacturers of IoT devices are subject to PIPEDA if their device is collecting, using, or disclosing personal information in the course of commercial activity. Personal information can be any information about an identifiable individual, particularly when there is a serious possibility that an individual could be identified through the use of that information, alone or combined with other available information. The types of personal information IoT devices collect may vary in sensitivity and could include heart rate, body temperature and movement; temperature or energy usage in a home; voice and facial recordings; geolocation data and behavioural patterns.

Application of PIPEDA’s privacy principles

The guidance includes details on PIPEDA’s privacy principles and how to apply them. The accountability principle requires organizations to appoint someone to be responsible for the organization’s privacy compliance and to implement internal privacy policies and practices. As a best practice, organizations should perform a privacy impact assessment (PIA) before establishing any new or substantially modified product or service that involves personal information. Organizations are generally required to obtain meaningful consent for the collection, use and disclosure of personal information, meaning individuals must understand what they are consenting to. Obtaining express consent is required in certain situations, such as when the information being collected, used or disclosed is sensitive. It is important for manufacturers of devices that are targeted at children (e.g., smart toys, educational devices and e-learning platforms) to remember that children under the age of thirteen are unable to provide meaningful consent and, therefore, at a minimum, the organization must obtain consent from parents or guardians. The guidance strongly recommends that the device is designed to limit collection of personal information, especially in devices targeted at children, and that the privacy policy is clear about how the device is activated. For example, when collecting audio data, tell individuals what activation method is used as part of your privacy policy. Is activation:

  • manual, which requires pushing a button?
  • always ready, activated by a “wake phrase,” like “Hey, Siri”? or
  • always on, where data is continuously transmitted without users taking any action?

Checklists – What organizations must do and what is a best practice

The guidance includes a helpful checklist of what manufacturers must do to fulfill their responsibilities under PIPEDA. Key items include:

  • Be accountable by instituting practices that protect the personal information under the control of your organization. Use appropriate technological safeguards like encryption and password protection.
  • Before collecting personal information, identify the purposes for its collection, and use and disclose personal information only for such purposes.
  • Obtain informed and meaningful consent from the individual whose personal information is collected, used or disclosed.
  • Design your devices to limit collection to that which is necessary to fulfil their stated purposes, explain to consumers any and all collection over and above what is needed for device functioning.

The guidance also includes a checklist of what manufacturers should do as a best practice. For example, create device specific privacy policies to improve the transparency of your information practices, consider periodically notifying users when the device is collecting data and give consumers greater control to limit the collection and perform privacy and security risk assessments that help identify and mitigate risks associated with the device and your personal information handling practices.

Consumer guidance for protecting privacy

The guidance for manufacturers complements the OPC guidance document for Canadian consumers, called “Smart Devices and Your Privacy”, which is meant to help consumers protect their privacy while enjoying the benefits of smart devices. The OPC advises consumers to get in the habit of reading privacy information (provided by IoT device manufacturers), to take control of their personal information (for example, by using device privacy features provided by IoT device manufacturers) and to take care of security (for example, using a strong password and enabling automatic firmware updates provided by IoT device manufacturers).

Conclusion

With connected devices increasing in popularity, it is important for manufacturers of these devices to be aware of their obligations relating to the collection, use, disclosure and safeguarding of personal information. The guidance sets out practical information to assist organizations in their compliance efforts. In particular, organizations must consider how to obtain meaningful consent from users and must establish appropriate internal practices to safeguard personal information under its control.