The internet of things (or IoT) is transforming our home and work lives with technological developments that are changing our approach to everyday tasks and functions.   

IoT is all about connectivity and communication between physical “connected devices” that are linked together via the internet to complete everyday tasks more efficiently, to allow monitoring and to enable data collection. 

There is currently a huge consumer demand for “things”/connected devices, evidenced by the dedicated “Smart Home” department that John Lewis opened in its Oxford Street store in April 2016 after the retailer saw an 81% increase in sales of “smart” home products. The John Lewis flagship store now has four interactive areas (kitchen, entertainment, sleep, and home monitoring) to showcase how IoT can transform consumers’ homes with useful gadgets. 

Cyberhacking and security

With the increased use of “things”/connected devices comes increased variation in the type, quality and amount of data that is available to retailers and suppliers.

Each “thing”/connected device will harvest and collect a vast amount of data. This data can be extremely useful to retailers and suppliers undertaking data analytics. The data can be used to enable innovation, to understand which products consumers want or need and to increase revenues through targeted advertising.

With increased volumes of data comes the need for greater data security. There has been a fair amount of press attention on data security weaknesses. For example, cyberhacking concerns were uncovered in connection with an £11bn nationwide system of smart energy meters. GCHQ found that loopholes in meter designs in use abroad meant that if a hacker was able to crack the encryption key, it could potentially gain control of every meter. This could then allow it to attempt to crash the country’s power grids.  GCHQ is now helping the Department of Energy and Climate Change design the new metering system to ensure it is secure against such hacking attempts. 

Too much of a good thing?

Change is happening quickly in the world of IoT. With this change comes the issue of technology being rapidly surpassed by new innovations and also consumers having to keep pace.

It was recently reported that sales of the iPhone are falling leading to a decline in revenue for Apple for the first time in nearly 13 years. This could be for a number of reasons (primarily blamed on the struggling Chinese economy) but the possibility that the pace of change for consumers is too fast cannot be ruled out.

The Revolv smart hub in the US (a product used to manage connected devices in the home such as lighting, heating and alarm systems via a smartphone app) has also been a victim to pace of change regarding research and development and getting the latest “thing”/connected device out to market. Revolv was acquired by Nest (Google’s home automation company) in 2014 and the hub stopped being sold shortly after the acquisition. The decision has now been made to turn off the cloud platform that allows smartphones to interface with the Revolv hub, as Google wish to focus its efforts on the Works with Nest platform.

The legal issues

Data protection

The key legal issue to consider in respect of “things”/connected devices when supplying to consumers is compliance with the data protection regulatory framework.

Data protection law in the EU is set to change in the next two years with the new General Data Protection Regulation (GDPR) applying in all member states from 25 May 2018. The GDPR comes into force on 24 May 2016 with a 2 year transition period.

The GDPR will introduce new obligations for organisations. For example, the GDPR will require data controllers to obtain clear consent from data subjects to process personal data and separate consents will need to be obtained for different processing activities. Data subjects should also be informed of the right to withdraw their consent at any time.  Many “things”/connected devices will collect a vast amount of personal data about individuals and therefore retailers will need to put in place procedures to demonstrate that the appropriate consent has been obtained.

Consumers also need to be made aware of the purposes for which their data is being processed, which although a requirement under current legislation, more extensive information will need to be provided under the GDPR. Even where this is the case, if not managed properly this can cause reputational damage of the retailer. Samsung’s Smart TV is a good example of this when it was revealed that Samsung’s privacy policy permitted its Smart TV’s to “listen” to the conversations of viewers and to share the content with third parties. 


When “switching off” support for “things”/connected devices, retailers should ensure that they are not in breach of their terms and conditions issued to consumers and in particular, any warranties that may have been given in respect of the “thing”/connected device and the support and maintenance terms.

Development of “things”/connected devices

IoT is a highly competitive market and companies need to act quickly in getting new “things”/connected devices with the latest technology, interface and design out to market.  Companies are therefore only too aware of the critical importance of getting their “things”/connected devices to market on time and also on budget. A delay is the difference between success and failure (only demonstrated too clearly by the hugely successful British Gas “Hive” product and the lagging Google “Nest” product). The contracts for manufacture and delivery therefore need to include clear timescales and/or milestones for deliverables with appropriate incentivisation mechanisms on the developer to ensure timely delivery.

However, contractual rights and remedies are not the panacea to a timely delivery. Governance and project management has a significant role to play. Regular review meetings should be held, risk and issues logs should be maintained and there should be clear and open lines of communication with swift escalation and resolution routes where required.

Another important issue to consider when a new “thing”/connected device is being developed is which party will own the intellectual property rights in the new “thing”/connected device.  Is it the retailer (who will ultimately sell the “thing”/connected device on to consumers) or the developer?  Registration of patents and trademarks and protection of copyright should be key considerations as should gain share provisions in respect of revenue generated from the exploitation of the relevant intellectual property rights.

The next big thing?

This article is just a brief overview of the internet of things in a consumer environment and the related legal issues.

It will be interesting to see how this area develops as we start to see standardisation and the introduction of common platforms. Entry and growth of IoT in smart cities is also something that we are watching with interest.