Global Internet of Things Sweep finds connected devices fall short on privacy
GATINEAU, Que., September 22, 2016 — The privacy communications of Internet-connected devices are generally poor and fail to inform users about exactly what personal information is being collected and how it will be used, a global Sweep has found.
Results of the fourth annual Global Privacy Enforcement Network (GPEN) Privacy Sweep released today show that many companies neglect to explain how information is stored and safeguarded or how a user can delete their personal information.
While a number of the devices swept can collect a great deal of often sensitive data, including health and financial information, privacy communications tended to be generic and those companies demonstrating good communication practices were in the minority.
“Overall there was significant room for improvement with respect to the privacy communications of the Internet-connected devices swept,” Commissioner Daniel Therrien said.
“With the proliferation of the Internet of Things, the activities, movements, behaviours and preferences of individuals are being measured, recorded and analyzed on an increasingly regular basis. As this technology expands, it is imperative that companies do a better job of explaining their personal information handling practices.”
Twenty-five privacy enforcement authorities participated in this year’s Sweep, which took place April 11-15, 2016. Over the course of the week, participants looked at the privacy communications and practices of 314 Internet-connected devices, focusing largely on how organizations communicate their personal information handling practices.
Each authority had the flexibility to choose a different category of products and different sweep method. While some opted to sweep connected toys, health devices and household aids, others looked at very specific areas like smart meters, connected cars and smart TVs. Authorities also had the flexibility to examine the privacy communications that came in the box with the devices and/or those provided by the companies online. They could also choose to interact with the devices to assess how well privacy communications matched their experience using the product, and/or contact the relevant companies directly with follow-up privacy questions.
The Office of the Privacy Commissioner of Canada’s Sweep strategy involved a combination of all the above methods. In total, OPC Sweepers assessed 21 health and wellness devices considered to be popular among Canadians, according to our research. This included fitness trackers, smart watches, smart scales, blood pressure monitors and an array of other Internet-connected devices that could track everything from sleep habits to one’s blood-alcohol level.
The goals of the Sweep initiative included: increasing public and business awareness of privacy rights, responsibilities and best practices; encouraging compliance with privacy legislation; and enhancing cooperation among privacy enforcement authorities.
The Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or possible violations of privacy legislation. The Sweep was also not a review of organizations’ privacy practices in general, nor was it meant to provide an in-depth analysis of the design and development of the devices examined.
By briefly interacting with the devices, the exercise was meant to recreate the consumer experience. Sweepers ultimately sought to assess privacy communications by spending time checking performance against a set of common indicators.
“The Sweep demonstrates the ongoing commitment of privacy enforcement authorities to work together to promote privacy protection around the world,” Commissioner Therrien said. “Past Sweeps have shown us that education and outreach alone can often go a long way towards effecting positive change for privacy.”
GPEN Privacy Sweep efforts are ongoing. As was the case in previous years, concerns identified during the Sweep could result in follow-up work such as outreach to organizations and/or enforcement action.
About the Global Privacy Enforcement Network
The Global Privacy Enforcement Network was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity rely on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context.
About the Office of the Privacy Commissioner of Canada
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.
- 30 -
For more information, please contact:
Daphne Guerrero, Office of the Privacy Commissioner of Canada
NOTE: To help us to respond more quickly, journalists are asked to please send requests for interviews or further information via e-mail.