Privacy Commissioner urges IoT creators to limit collection of personal data

The Federal Privacy Commissioner has issued new guidance for Canadian manufacturers of Internet-connected devices, including smart toys, educational products, and e-learning platforms.

In the guidance from the Office of the Privacy Commissioner (OPC), manufacturers are reminded that unless they are subject to regional privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to them if they collect personal information. As such, they, like other organizations, are required to obtain meaningful consent to collect, use, and disclose personal information.

But, the guidance adds, "Children under 13 are unlikely to fully understand the consequences of their privacy choice." For this reason, except in exceptional circumstances, they are unable to give meaningful consent to the collection, use and disclosure of personal information.

"The OPC takes the position that, at a minimum, you must obtain consent from their parents or guardians to collect, use and disclose children's personal information," the guideline reads. For consent to be meaningful, according to the guide, customers must understand what they are agreeing to. Consent is considered valid only if it is reasonable to expect that individuals will understand the nature, purpose and consequences of the collection to which they are consenting.

"It is strongly recommended that you design your device to limit storage," the guidance says, noting that it matters whether collection starts as soon as the device is powered on.

Individuals should be told, as part of your privacy policy, which activation method is used. Any collection beyond what is required for the device to function should be explained to consumers, and their consent obtained before collection, assuming the purposes are reasonable under the guidance.

IoT devices include everything from smart lights, doorbells, locks, smoke detectors, alarms, TVs, cameras, speakers, appliances, connected cars, toys, clothes and watches to health trackers.

The document notes personal information collected by IoT devices could include:
  • heart rate, body temperature and movement;
  • temperature or energy usage in a home;
  • voice and facial recordings;
  • geolocation data;
  • behavioural patterns.

The report notes there can be serious implications of an IoT hack, referring to news reports of the hacking of an insulin pump, and of the abuse of smart home devices such as thermostats, locks and lights as digital tools of domestic abuse.

"IoT is one of the most important technological innovations that significantly affects privacy," said Barry Sookman, a lawyer with Toronto law firm McCarthy Tétrault, in an email.

"The challenge is that traditional privacy principles are an uncomfortable fit for IoT, as they are for artificial intelligence and other big data innovations." He also pointed out that the guidance does not provide an actual analysis of the challenges of applying PIPEDA to IoT. Nor, he added, does it address the real challenges of obtaining meaningful consent for the use of data by entire ecosystems.

Ultimately, Sookman says, PIPEDA is outdated and needs modernization to facilitate the adoption of new technologies, while still respecting people's reasonable expectations of privacy.

The guidance includes a list of what IoT creators that capture personal information should do. "IoT manufacturers who capture personal information have to demonstrate accountability by developing and committing to an ongoing privacy management program for the information you collect and control," the guide instructs.

"The result of such a program is a demonstrated ability to comply, at least, with applicable privacy laws. In the creation of a privacy program, you need to appoint someone to be responsible for your organization's privacy compliance and implement privacy policies and practices to ensure that you are following the principles in PIPEDA. These should include procedures to protect personal information and to receive and respond to complaints, among other requirements."

An effective privacy management program ensures that your overall data management practices align with legal obligations, such as mandatory reporting of security safeguards, the document says.