Guidance for consumer Internet of Things products and services
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Latest updates - 16 06 2025
16 06 2025 - the guidance was published.
We are consulting on this draft guidance - please give us your views.
How do we ensure accountability in IoT products?
- What is accountability?
- How should we understand controller and processor relationships in IoT?
- What do we need to do if children are likely to use our IoT products or services?
- What risks do we need to manage?
- How do we apply a data protection by design and default approach?
How do we ensure our IoT products process information lawfully?
How do we ensure our IoT products process personal information fairly?
How should we tell people what we’re doing?
- How do we ensure our processing by IoT products is transparent?
- How do we decide the right methods for providing our privacy information?
- How do we make our privacy information easy to follow?
- What are the right moments for us to provide privacy information?
- How do we provide privacy information on different product interfaces?
- How do we provide privacy information if there are multiple users?
How do we ensure accuracy in IoT?
How long should we keep personal information for?
How do we ensure security of personal information in IoT?
How do we help people exercise their rights?
- What is the right of access?
- What is the right to rectification?
- What is the right to erasure?
- What is the right to data portability?
- What is the right to object?
- What is automated decision-making and profiling?
Glossary