Consultation on draft guidance on consumer Internet of Things products and services – summary of responses
Introduction
The Information Commissioner's Office (ICO) has consulted on draft guidance on consumer Internet of Things products and services and an accompanying draft impact assessment. The consultation, open from 16 June to 7 September 2025, sought views on the draft guidance and impact assessment to provide additional clarity to the final guidance.
This page summarises the key themes emerging from the consultation responses.
There were 13 consultation respondents in total. We thank everyone who took the time to comment and share their views.
Table 1 shows a breakdown of the survey responses by respondent type.
| Respondent type | Number |
|---|---|
| Organisation representing the interests of UK citizens | 1 |
| University | 4 |
| Private sector business | 1 |
| Other | 3 |
| Email responses | 4 |
| Total | 13 |
Source: Analysis of ICO’s consultation by ICO Economic Analysis
A plurality of survey responses received (four responses from a total of nine) were from universities, while three respondents responded as 'Other'. This included an individual who identified as a 'Personal' respondent, a response from a 'Social enterprise', and a response from a 'UK consumer's association'.
Two email respondents were private sector businesses, one was a trade association, and one was the representative of a professional industry.
About the consultation
Overall, the responses were positive. Most organisations said the guidance provides clarity on regulatory expectations for organisations developing and offering consumer IoT products and services and that it successfully translates legal obligations into practical requirements that reflect the realities of IoT ecosystems.
In analysing the responses, we identified several key themes. Below, we summarise the feedback we received and explain how we intend to respond.
Key themes
Consent
Respondents told us the guidance did not sufficiently address manipulative consent practices, particularly in relation to children and vulnerable users.
One respondent said it was unclear why organisations should avoid requesting consent in quick succession or repeatedly. They also suggested the guidance should explain how organisations can communicate the consequences of refusing consent.
In addition, one respondent requested an additional graphic depicting a request for consent to personalisation on a connected TV. Another respondent highlighted a minor inconsistency between the wording on withdrawal of consent in this guidance and our existing published guidance.
Our response
The guidance already addresses online choice architecture and highlights that organisations must not unfairly influence users' decisions. Organisations should also refer to the children's code for further information about appropriate consent practices for children.
We have added a short explanation clarifying why requesting consent repeatedly or in quick succession is unlikely to meet the requirements for valid consent. We have also included a graphic showing a request for consent to personalisation on a connected TV.
We aligned the wording on withdrawal of consent with our existing published guidance.
Transparency
Several respondents said the guidance did not provide enough detail on transparency requirements in multi-user scenarios, particularly where home hubs are used.
One respondent suggested incorporating "Safety-by-Design" controls for IoT products used by multiple users to support compliance with transparency requirements.
Another respondent said the guidance could be strengthened by explaining how organisations should provide privacy information in ways compatible with assistive technologies.
We also heard that the guidance did not sufficiently address the use of permissions in IoT products and associated apps.
Our response
We welcomed these suggestions and have reflected them in the guidance.
We added further graphics for multi-user scenarios to demonstrate the controls organisations should provide to comply with the transparency principle.
The guidance now also explicitly refers to assistive technologies and the need to accommodate people with accessibility requirements in the section on making privacy information more effective.
In addition, we updated the guidance to explain how organisations should request permissions in ways that comply with transparency requirements, including a practical example.
Controllership
We asked respondents what criteria organisations use to identify their roles as controllers, processors and joint controllers as well as what controllership scenarios would benefit from clarification.
Several respondents said the guidance should provide greater clarity on relationships involving embedded third-party services in IoT products.
Our response
We agree that additional clarification would be helpful and have updated the guidance accordingly.
We included further examples covering:
- controllers;
- joint controllers making converging decisions;
- joint controllers making common decisions;
- separate controllers processing the same personal information for their own purposes; and
- a processor for one purpose and a controller for another while processing the same personal information.
PECR
Some responses argued that the assessment of whether an IoT product is terminal equipment should be done on a case-by-case basis.
Other responses requested clarification on the application of PECR regulation 6 to telemetry and diagnostic data in IoT products.
Our response
The interpretation of ‘terminal equipment’ as written in the guidance reflects the intent and wording of the legislation and aligns with previous guidance issued by the ICO and other data protection bodies.
We have added further clarification about when storage and access of telemetry and diagnostic data may fall within the strictly necessary exception.
Harms and vulnerable users
Several respondents said the guidance did not fully reflect the range of harms users may experience when using IoT products.
Two respondents highlighted that IoT products may be used to facilitate domestic violence.
Our response
We agree that users may experience a broader range of harms than those originally described in the guidance, and we have updated the guidance to reflect this.
We have acknowledged that IoT products may be used to facilitate domestic violence and coercive behaviour. However, we do not consider it necessary for the guidance to provide a more detailed discussion of specific harms.
Security and PETs
One respondent suggested the guidance could introduce a security scoring system or tiering framework for categories of IoT products based on factors such as the type of data processed, the sensitivity of inferences drawn, and the likelihood of multi-user interactions.
Another respondent agreed that privacy-enhancing technologies (PETs), when used responsibly, can help create a safer ecosystem for users of consumer IoT products and services. One organisation suggested the ICO should develop guidance on PETs in an IoT context.
Our response
While we recognise there may be value in organisations using a scoring system to assess the sensitivity of personal information processed by different categories of IoT products, we consider this work may be better undertaken by organisations themselves or by external providers.
We agree that PETs have a role to play in improving people's online experiences, as well as helping organisations to comply with their legal obligations. We'll consider IoT products and services as part of our future work on PETs, building on our existing guidance.
Clarifications
We received several helpful suggestions for minor clarifications and additions throughout the guidance.
One respondent highlighted an inconsistency in how we described the scope of the guidance and how it would operate in practice. The draft guidance excluded mobile phones, computers and tablets from scope. However, the respondent noted this could imply that companion apps are also out of scope, despite often being accessed through mobile phones.
Another respondent disagreed with our assessment of when voice ID constitutes special category biometric data.
Some respondents also said the guidance did not sufficiently address generative AI.
Our response
We clarified the scope of the guidance to reflect that it applies to mobile phones, computers and tablets where they enable, configure or control the functionality of an IoT product.
We also added further detail explaining the circumstances in which voice ID constitutes special category biometric data.
In addition, we incorporated relevant points relating to generative AI throughout the guidance. These were drawn from our response to the consultation series on generative AI that we ran in 2024. The ICO plans to provide further regulatory clarity on generative AI foundation models and the emerging agentic AI systems that incorporate them.
DUA updates to ADM and children's sections
We amended the section on children's protections to reflect the higher protection matters relating to children in Article 25 following the publication of the Data (Use and Access) Act. These changes also take into account our updated guidance on data protection by design and on children and the UK GDPR.
We also revised the section on automated decision-making to align it with our revised guidance on ADM.