
Privacy guidance for manufacturers of Internet of Things devices

August 2020

Overview

As a manufacturer of Internet of Things (IoT) devices, you are responsible for the personal information under your control and have obligations under Canadian privacy legislation to implement effective privacy protection.

This guidance focuses on compliance with Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). We have based this guidance on the results of several Office of the Privacy Commissioner of Canada (OPC) investigations and have had it validated by experts in the field.

Introduction

As a manufacturer of IoT devices, you are part of a complex IoT ecosystem in which many components and actors, such as social media platforms, third-party applications and service providers, can potentially collect, use and disclose personal information.

This guidance is meant to provide you with practical information to help ensure that your business practices and the devices you make are privacy protective and compliant with PIPEDA. While this guidance will focus on the privacy principles as laid out in Schedule 1 of PIPEDA, the whole Act applies. For more guidance on general adherence to PIPEDA, please refer to our Privacy Guide for Businesses.

This guidance will also provide you with examples of best practices that will further strengthen your privacy management program.

While this guidance considers an IoT manufacturer’s responsibilities in the context of PIPEDA, manufacturers will also want to keep themselves apprised of other legal obligations relevant to their business, including but not limited to the Canada Consumer Product Safety Act.

Who should read this guidance?

If you produce, design or are tasked with ensuring legal compliance for devices with embedded sensors that collect personal information—such as lights, doorbells, locks, smoke detectors, alarms, TVs, cameras, speakers, appliances, connected cars, toys, clothing, watches or health trackers—then this guidance is for you. This guidance is also relevant to those in the business of developing smart cities, where IoT devices are increasingly becoming part of the infrastructure within urban centres and on roads.

Does PIPEDA apply to you?

As a manufacturer of IoT devices, your device will probably be collecting, using and/or disclosing personal information in the course of commercial activity. If so, you are subject to PIPEDA or to provincial laws that may apply instead of PIPEDA. Note that you may be subject to more than one Canadian private-sector privacy law if your company has locations in various provinces. In addition, if your business handles the personal information of Canadians but you are not based in Canada, PIPEDA may still apply if a real and substantial connection to Canada exists.

Personal information is broadly defined in PIPEDA as “information about an identifiable individual.” The types of personal information IoT devices collect may vary in sensitivity and could include:

  • heart rate, body temperature and movement
  • temperature or energy usage in a home
  • voice and facial recordings
  • geolocation data
  • behavioural patterns

For greater certainty, the Federal Court decided in Gordon v. Canada that information is about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or combined with other available information.

Our technical and legal overview of privacy and metadata further explains how combining seemingly innocuous “information about information” (metadata) may reveal detailed information about an individual and become personal information.

How information gathered by IoT devices may reveal personal information

In many cases, the data gathered by an individual IoT device may not seem to be personal information. The challenge is that the data may be combined with data from other IoT devices that can then reveal personal information.

We can, for example, imagine many useful circumstances where combining data from multiple IoT devices is needed to provide an enhanced service. It could be the smart thermostats in your house communicating with other sensors nearby to help regulate the inside temperature. This interconnectedness and the opportunity to learn and function as a whole is in fact one of the main features many tout when it comes to IoT.

However, these interconnected devices can also expose intimate details about the lives of individuals through the sensors they contain. What becomes of critical importance is to determine whether the data collected from a sensor is, by itself or in combination with other data from IoT devices or other sources, personal information.

PIPEDA’s privacy principles and how to apply them

If your IoT device is collecting, using or disclosing personal data in the course of commercial activity, then you are subject to PIPEDA and must follow the principles set out in Schedule 1 of PIPEDA. These principles, detailed below, are rooted in international data protection standards and reflect the Canadian Standards Association's Model Privacy Code for the Protection of Personal Information.

Accountability

You must demonstrate accountability by developing and committing to an ongoing privacy management program for the information that you collect and control. The outcome of such a program is a demonstrable capacity to comply, at a minimum, with applicable privacy laws.

In building a privacy program, you need to appoint someone to be responsible for your organization's privacy compliance, and implement privacy policies and practices to ensure you are adhering to the principles in PIPEDA. These must include, among other requirements, procedures to protect personal information and to receive and respond to complaints.

An effective privacy management program ensures that your overall data management practices are aligned with evolving legal obligations, such as mandatory reporting of breaches of security safeguards.

It is important to keep in mind that your responsibility as an IoT device manufacturer may extend well after consumers have purchased the device if you continue to collect, use, disclose or otherwise retain personal information. Our guidance document, Getting accountability right with a privacy management program, explains how to develop a comprehensive privacy program.

Design for Privacy: Conduct a Privacy Impact Assessment

As a best practice, you should perform a privacy impact assessment (PIA) before operationalizing your product. PIAs are a tool to ensure compliance with legal requirements, and promote best practices to identify and mitigate other privacy risks.

Identifying purposes, limiting collection, consent and openness

Before you collect any personal information, you must:

  • identify and document why you need the information before or at the time of collection
  • ensure that the collection of personal information is limited to that which is necessary for the purposes identified
  • ensure that any purpose(s) for which you are collecting the information are limited to what a reasonable person would expect under the circumstances
    • be aware that some purposes may not be permitted, even with a consumer’s consent (see below section on consent for more information)

You must also be open about your personal information handling practices. This means you have an obligation to inform individuals about:

  • what personal information is collected
  • with which parties personal information is shared
  • for what purposes personal information is collected, used, or disclosed
  • risk of harm and other consequences
  • whom to contact if an individual has questions, wants to access their information, or make a complaint

If you intend to use personal information for a new purpose that wasn’t previously identified, you must identify the new purpose and obtain the individual’s consent before use (see section below on consent for more information). While it may be reasonable that some purposes are necessary for the functioning of the underlying product or service (for example, to protect network systems and security of devices), consumers must still be notified.

How to improve your communications with consumers

Use plain language and be clear about your information handling practices. There is evidence to suggest that there are significant gaps between how consumers believe devices handle their personal information and how those devices actually interact with the broader IoT ecosystem. Clear, plain-language communication is especially important given that, generally, these devices are designed to blend in with their surroundings.

For more information:

  • Global Internet of Things Sweep finds connected devices fall short on privacy (2016)

Create a noticeable and device-specific privacy policy. Our guidance to mobile app developers provides some recommendations on ways to improve communication with consumers despite the challenge of a small screen. The IoT environment takes this challenge even further because sometimes there are no screens at all where information can be communicated. In this case, you should think about finding creative solutions to fulfil the legal requirement to notify the user of your privacy practices, such as by including your privacy policy within the packaging of your device and making sure the policy is prominently featured on your website.

If part of the device’s setup is done on a phone, tablet or computer, you should actively notify the user about the device’s privacy policy and give links to easily locate it. We encourage creating a device-specific privacy policy to improve the transparency of your information handling practices, such as including a list of device sensors in your policy’s section on disclosures. The policy should also explicitly state the length of time these devices will receive security updates and should inform the consumer whether there will be ongoing updates to continuously protect their information.

Make it known when the device is collecting data. As a manufacturer of IoT devices, you are encouraged to develop creative solutions to communicate information regarding data management practices. For example, for IoT devices with microphones, you could use distinctive and non-software-modifiable lights to show when the mic is on and when the device is recording. A do not collect “switch” (for example, a mute button or a software toggle) can also help consumers control the data being collected about them. Manufacturers may also wish to consider periodically notifying users (for example, on the device’s smartphone app) that a device is collecting data in the background.

Consent

Under PIPEDA, organizations are required to obtain meaningful consent for the collection, use and disclosure of personal information (unless an exception to the general consent requirement applies). To make consent meaningful, people must understand what they are consenting to. Consent is only considered valid if it is reasonable to expect that individuals would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting.

It is important to be aware that, even with an individual’s consent, an organization may only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. Examples of inappropriate purposes include collection, use or disclosure that would otherwise be unlawful, or known or likely to cause significant harm to the individual, among others.

In some instances, meaningful consent can be implied, as opposed to obtained directly. However, if you are collecting, using or disclosing personal information that is considered sensitive, you need to obtain direct (“express”) consent. Organizations must generally obtain express consent when:

  • the information being collected, used or disclosed is sensitive
  • the collection, use or disclosure is outside of the reasonable expectations of the individual
  • the collection, use or disclosure creates a meaningful residual risk of significant harm

In instances where the collection, use or disclosure of their personal information is not an essential condition of service, the options for consumers to say “yes” or “no” must be explained clearly and made easily accessible.

Under the law, individuals can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. You also have a legal duty to inform individuals of the implications of withdrawing consent.

We have drafted guidelines to provide clarity about how to obtain meaningful consent as well as guidance on what would generally be considered inappropriate data practices (see links provided below).

Should I obtain consent to use children’s personal information? Children under the age of thirteen are not likely to fully understand the consequences of their privacy choices. For this reason, in all but exceptional circumstances, they are unable to meaningfully consent to the collection, use and disclosure of personal information.

The OPC takes the position that at a minimum, you must obtain consent to collect, use and disclose children’s personal information from their parents or guardians. We also highly recommend that you limit the collection, use, disclosure or retention of personal information about children. This issue often arises in the context of smart toys and educational products as well as e-learning platforms.

Limiting collection, use, disclosure and retention

If you collect personal information, PIPEDA requires you to limit its collection to what is necessary for the identified purpose(s). You must also be able to justify why each piece of information is collected. Document these decisions and inform individuals of these practices.

As previously noted, metadata can reveal personal information so you must also limit its collection. For example, data about the times of day, and lengths or location of audio recordings can be revealing on their own or when combined with other data, exposing sensitive and detailed information about individuals.

Use or disclosure of personal information must be limited to the purposes for which it was collected, unless the individual consents or it is required by law.

You must also know how long you need users’ personal information for the identified purpose, and what to do when you no longer need to retain it. PIPEDA requires that personal information shall be retained only as long as necessary for the fulfilment of the purposes for which it was collected. A specifically identified purpose is therefore a clear indicator of how long information needs to be retained and should be the basis for developing an appropriate retention policy. There is no “one size fits all” retention period, and a clear rationale for retaining information should be developed to reflect each particular set of circumstances.

Note that personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made.

It is strongly recommended that you design your device to limit collection. For example, when collecting audio data, how you design the method of activation matters. Is activation:

  • manual, which requires pushing a button?
  • always ready, activated by a “wake phrase,” like “Hey, Siri”? or
  • always on, where data is continuously transmitted without users taking any action?

Individuals should be told what activation method is used as part of your privacy policy. Any and all collection over and above what is needed for device functioning should be explained to consumers and their consent obtained before collection, assuming that the purposes are reasonable as per our guidance on section 5(3) of PIPEDA.

In addition, we encourage you to provide consumers with user-friendly options to permanently delete information you hold about them, and inform them of how to proceed with doing so. For example, instruct individuals that they can delete their information by going online and/or by calling customer support.

Individual access, accuracy of information and challenging compliance

Consumers have a right to access their personal information, including any inferences the organization has made about the individual based on personal information previously collected or ongoing collection, such as patterns of use or consumer behavior. They also have a right to ensure that their information is accurate and to correct or amend the information. As previously discussed, you must let your customers know about these rights and provide them with a means of challenging the accuracy of the information you hold about them and correcting it if required.

Safeguards

PIPEDA requires that all personal information be protected by security safeguards appropriate to the sensitivity of the information. This applies to the information that an IoT manufacturer or its partners collect and store on behalf of users. It also applies to information in transit.

Potential security risks associated with IoT devices are significant and you are required to take the physical, organizational and technological measures needed to ensure that your devices are safe to use and not easily compromised.

In other jurisdictions we have begun to see IoT-specific legislation requiring privacy and security safeguards for IoT devices, such as in the state of California. It is becoming increasingly evident just how high the stakes can be in the case of a security breach like hacking or misuse. For example, hacking an insulin pump can compromise the safety and well-being of an individual. Smart home devices such as thermostats, locks and lights can and have been used as digital tools of domestic abuse.

In Canada, the Canada Consumer Product Safety Act recognizes that suppliers of consumer products, including manufacturers, have an essential role to play in addressing any dangers to human health or safety that may be posed by consumer products in today's global marketplace.

Technical overview: Tips for safeguarding personal information

Complete a security risk assessment. Each smart device has different threats and vulnerabilities, and organizations should tailor the safeguards for their devices to the nature of their product, the type of data being collected and other factors. It is good practice to undertake a security risk assessment that will help you identify threats and mitigate risks. The Communications Security Establishment (CSE) and the Royal Canadian Mounted Police (RCMP) have jointly developed guidance on threat and risk assessments.

Design devices to minimize risk of breach. Design elements can play an important role in improving device security and in reducing the amount of personal information exposed if a device is compromised. These include:

  • limiting microphone sensitivity and range
  • enabling a hardware-linked on/off mute control
  • filtering out unnecessary audio data at the point of collection
  • being able to temporarily or permanently disable a camera to prevent it from being activated accidentally

Whenever possible, give the user the option of turning an IoT device into a “dumb” device by completely disconnecting it from the internet and from IoT networks. Users should be given an easy way to disassociate themselves from a device—for example, “this family member is no longer living at home and using the smart TV”—and to easily remove her or his personal data from it.

Encrypt personal information. Protect personal information through encryption. For example, encrypt data on devices that store personal information, configuration settings or information relating to controlling access to the device (such as passwords and cryptographic keys). Incorporate both hardware and software encryption into the device. Using only software-based encryption is less secure: a key that exists only in software can be read out of the device’s flash or memory by anyone with physical access, so the keys that protect stored data should be held in hardware-backed storage (for example, a secure element or trusted platform module) where the platform offers one.

Regularly assess for security risks. Security risks evolve over time, particularly in the IoT environment, where the lifespan of a device greatly exceeds the typical lifespan of the software and firmware within it. Regularly assessing the potential risks posed by technological developments, new malicious threats and so on is necessary to understand and then mitigate the risks of your device.

For more information:

  • What’s the security shelf-life of IoT?

Passwords and pairing keys. Design your products to require that the factory password be changed before the device is connected to the Internet, and enforce that requirement in the device itself rather than relying on a prompt in the manual: a shared default that survives setup is a credential an attacker can simply look up. Like passwords, Bluetooth connections should not use default pairing codes (such as a fixed PIN that is the same on every unit). Finally, instruct consumers to set long passwords and pairing keys, which are far more difficult to crack or guess.
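The following is an added example of how the gate described above could be enforced in device software; it is not code from the OPC guidance or from any particular product. It assumes a hypothetical device with a single shared factory password (`admin`, constructed for the demo), a minimum password length of 12 characters, and a PBKDF2 work factor of 100,000 rounds; all names, values and the salt string are assumptions chosen for illustration. The device refuses to bring up its network interface until the factory password has been replaced, rejects the default and short passwords in code, stores only a salted PBKDF2-HMAC-SHA256 hash, and hands out a fresh random Bluetooth pairing code per session instead of a fixed one.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"unicode/utf8"
)

// Constructed stand-in for the credential baked into a factory image. Every
// unit in the batch shares it, so the device must not join a network until
// it has been replaced.
const factoryPassword = "admin"

const minPasswordLen, pbkdf2Rounds = 12, 100000 // policy and work factor assumed for this example

// Device models the provisioning state of one unit.
type Device struct {
	salt, pwHash []byte // PBKDF2-HMAC-SHA256 of the current password
	provisioned  bool   // true once the factory password has been replaced
}

// NewDevice returns a unit in factory state: the default password works for
// local setup, but the network gate is closed.
func NewDevice() *Device {
	salt := []byte("factory-salt-example") // constructed fixed salt in the factory image
	return &Device{salt: salt, pwHash: pbkdf2SHA256([]byte(factoryPassword), salt)}
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 for a 32-byte key,
// written out so the example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): one block suffices for 32 bytes
	u := mac.Sum(nil)             // U1
	t := append([]byte(nil), u...)
	for i := 1; i < pbkdf2Rounds; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil) // Ui = PRF(P, Ui-1)
		for j := range t {
			t[j] ^= u[j] // T = U1 xor ... xor Uc
		}
	}
	return t
}

// SetPassword enforces the policy in the device itself (a minimum length, and
// never the shared factory default) and stores a freshly salted hash. It is
// the only path out of factory state.
func (d *Device) SetPassword(pw string) error {
	if utf8.RuneCountInString(pw) < minPasswordLen {
		return fmt.Errorf("password must be at least %d characters", minPasswordLen)
	}
	if pw == factoryPassword {
		return errors.New("the factory default password is not allowed")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	d.salt, d.pwHash, d.provisioned = salt, pbkdf2SHA256([]byte(pw), salt), true
	return nil
}

// CheckPassword verifies a login attempt with a constant-time comparison.
func (d *Device) CheckPassword(pw string) bool {
	return subtle.ConstantTimeCompare(pbkdf2SHA256([]byte(pw), d.salt), d.pwHash) == 1
}

// EnableNetwork is the gate: the Internet-facing interface stays down while the factory password is in use.
func (d *Device) EnableNetwork() error {
	if !d.provisioned {
		return errors.New("refusing to bring up network: factory password still in use")
	}
	return nil
}

// NewPairingCode returns a random six-digit Bluetooth pairing code for one session, not a fixed default.
func NewPairingCode() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

func main() {
	d := NewDevice()
	fmt.Println("before setup:", d.EnableNetwork())
	fmt.Println("reuse default:", d.SetPassword(factoryPassword), "| too short:", d.SetPassword("short"))
	fmt.Println("set strong:", d.SetPassword("correct horse battery staple"), "| login:", d.CheckPassword("correct horse battery staple"))
	fmt.Println("after setup:", d.EnableNetwork())
	code, _ := NewPairingCode()
	fmt.Println("pairing code:", code)
}
```

The design point is that the policy lives in `SetPassword` and `EnableNetwork`, not in the setup app or the manual: a user cannot skip past the prompt and still reach the Internet with the shared default. A production device would also store the salt and hash in protected storage and rate-limit `CheckPassword`.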

Wiping data off the device. The software or firmware should have a provision to wipe the file system or reset the device back to factory defaults should the user decide they want to dispose of or sell the device. Leaving data on the device could increase the risk of a security breach.

Patching and updating the firmware. In almost all software, security issues are found after the testing phase. Ensure that the end user can patch or update the firmware on the device, and ensure that the device verifies the authenticity and integrity of an update (for example, by checking a vendor signature over the firmware image) before installing it; an update channel that accepts any image is itself a way into the device. Provide a means to inform the user that an update is available. If the device has a display, show a message that updates are available and let the user initiate the update; if it has no display, a blinking LED can serve as the notification. It may also be possible for the device to connect to a URL that lists firmware files, or for the user to subscribe to an update service that emails a notice to them.
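As an added example (not code from the OPC guidance or any vendor's update system) of the verification a device should perform before applying an update, the block below uses a hypothetical signed manifest format: the vendor signs the firmware version and the SHA-256 digest of the image with an Ed25519 key, and the device, holding only the public key, checks the signature, rejects downgrades to a version not newer than the one installed, and confirms the image matches the signed digest. The manifest layout, the `Updater` type, the error names and the firmware bytes are all assumptions constructed for the demo; the key pair is generated on the fly only so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata the vendor signs. Because the signature covers the
// version and the image digest, the device can check both before flashing.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte // Ed25519 over encode()
}

// encode serialises the signed fields deterministically (assumed layout: 4-byte version, 32-byte digest).
func (m Manifest) encode() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// SignManifest runs on the vendor's build system. The private key never
// leaves it; the device only ever holds the public half.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.encode())
	return m
}

var (
	ErrBadSignature  = errors.New("manifest signature invalid")
	ErrRollback      = errors.New("update version not newer than installed version")
	ErrImageMismatch = errors.New("image digest does not match signed manifest")
)

// Updater is the device side: the vendor public key (in ROM or a secure
// element on a real product) and the installed version for anti-rollback.
type Updater struct {
	VendorPub ed25519.PublicKey
	Installed uint32
}

// VerifyUpdate is the check to run before any byte of the new image is written.
// Order matters: authenticate the manifest first, then trust what it says.
func (u *Updater) VerifyUpdate(m Manifest, image []byte) error {
	if !ed25519.Verify(u.VendorPub, m.encode(), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= u.Installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageMismatch
	}
	return nil
}

// ApplyUpdate commits the new version only after every check passes.
func (u *Updater) ApplyUpdate(m Manifest, image []byte) error {
	if err := u.VerifyUpdate(m, image); err != nil {
		return err
	}
	u.Installed = m.Version // a real device would flash the verified image here
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair for the demo
	if err != nil {
		panic(err)
	}
	dev := &Updater{VendorPub: pub, Installed: 2}
	img := []byte("constructed firmware image v3")

	fmt.Println("genuine v3:", dev.ApplyUpdate(SignManifest(priv, 3, img), img), "| installed:", dev.Installed)
	fmt.Println("rollback to v2:", dev.VerifyUpdate(SignManifest(priv, 2, img), img))
	fmt.Println("tampered image:", dev.VerifyUpdate(SignManifest(priv, 4, img), append([]byte("x"), img...)))
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("not signed by vendor:", dev.VerifyUpdate(SignManifest(rogue, 5, img), img))
}
```

Two choices are worth noting. The version sits inside the signed data, so an attacker who captures an old, genuinely signed but vulnerable image cannot re-label it as newer; and the digest check runs against the bytes actually received, so a download that was swapped or truncated in transit is rejected even when the manifest itself is authentic.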

Selecting secure device components. Component selection can play a big part in the security of a device. It is always prudent to make sure that the source is reputable and has a proven track record for secure components. If you select a new or less experienced supplier, we recommend the manufacturer obtain the source code for the device. This will allow you to vet the software and firmware on the device for risks to personal information before it is used. Keep in mind that if you subcontract the manufacturing of components, you remain accountable for information transferred to any third party for processing.

Further information about PIPEDA compliance

We have a number of resources detailing information about PIPEDA compliance, including the following:

A checklist of what you must do under the law and should do as a best practice

What you must do to fulfill your responsibilities under PIPEDA:

  • Be accountable by instituting practices that protect the personal information under the control of your organization
  • Before collecting personal information, identify the purposes for its collection
  • Obtain informed and meaningful consent from the individual whose personal information is collected, used or disclosed
  • Design your devices to limit collection to that which is necessary to fulfil their stated purposes
  • Use and disclose personal information only for the purpose for which it was collected
  • Ensure that personal information is as accurate, up-to-date and complete as is necessary for the purposes for which it is to be used, especially when making a decision about individuals or when sharing it with others
  • Ensure the personal information you are accountable for is appropriately safeguarded
  • Inform individuals about your policies and practices for information management
  • Give individuals the ability to access and correct their information
  • Provide recourse to individuals by developing complaint procedures
  • Limit what you collect, use, share and retain about your customers, including children
  • Protect personal information through technological safeguards such as encryption and password protection

What you should do to supplement your responsibilities under the law:

  • Create device specific privacy policies to improve the transparency of your information practices. For example, include a list of every sensor a device possesses in your policy’s section on disclosures and state the minimum length of time these devices will receive security updates
  • Consider periodically notifying users when the device is collecting data and give consumers greater control to limit the collection.
  • Perform privacy and security risk assessments that help identify and mitigate risks associated with the device and your personal information handling practices
  • Design your devices to require that consumers use strong and unique passwords
  • Provide consumers with user-friendly options to permanently delete information you hold about them and inform them of how to do so
  • Ensure that the end user can patch or update the firmware on the device
