
Privacy guidance for manufacturers of Internet of Things devices


Overview

As a manufacturer of Internet of Things (IoT) devices, you are responsible for the personal information under your control and have obligations under Canadian privacy legislation to implement effective privacy protection.

This guidance focuses on adherence with Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). We have based this guidance on the results of several Office of the Privacy Commissioner of Canada (OPC) investigations and have had it validated by experts in the field.

Introduction

As a manufacturer of IoT devices, you are part of a complex IoT ecosystem in which many components and actors, such as social media platforms, third-party applications and service providers, can potentially collect, use and disclose personal information.

This guidance is meant to provide you with practical information to help ensure that your business practices and the devices you make are privacy protective and compliant with PIPEDA. While this guidance will focus on the privacy principles as laid out in Schedule 1 of PIPEDA, the whole Act applies. For more guidance on general adherence to PIPEDA, please refer to our Privacy Guide for Businesses.

This guidance will also provide you with examples of best practices that will further strengthen your privacy management program.

While this guidance considers an IoT manufacturer’s responsibilities in the context of PIPEDA, manufacturers will also want to keep themselves apprised of other legal obligations relevant to their business, including but not limited to the Canada Consumer Product Safety Act.

Who should read this guidance?

If you produce, design or are tasked with ensuring legal compliance for devices with embedded sensors that collect personal information—such as lights, doorbells, locks, smoke detectors, alarms, TVs, cameras, speakers, appliances, connected cars, toys, clothing, watches or health trackers—then this guidance is for you. This guidance is also relevant to those in the business of developing smart cities, where IoT devices are increasingly becoming part of the infrastructure within urban centres and on roads.

Does PIPEDA apply to you?

As a manufacturer of IoT devices, your device will probably be collecting, using and/or disclosing personal information in the course of commercial activity. If so, you are subject to PIPEDA or to provincial laws that may apply instead of PIPEDA. Note that you may be subject to more than one Canadian private-sector privacy law if your company has locations in various provinces. In addition, if your business handles the personal information of Canadians but you are not based in Canada, PIPEDA may still apply if a real and substantial connection to Canada exists.

Personal information is broadly defined in PIPEDA as “information about an identifiable individual.” The types of personal information IoT devices collect may vary in sensitivity and could include:

  • heart rate, body temperature and movement
  • temperature or energy usage in a home
  • voice and facial recordings
  • geolocation data
  • behavioural patterns

For greater certainty, the Federal Court decided in Gordon v. Canada that information is about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or combined with other available information.

Our technical and legal overview of privacy and metadata further explains how combining seemingly innocuous “information about information” (metadata) may reveal detailed information about an individual and become personal information.

How information gathered by IoT devices may reveal personal information

PIPEDA’s privacy principles and how to apply them

If your IoT device is collecting, using or disclosing personal data in the course of commercial activity, then you are subject to PIPEDA and must follow the principles set out in Schedule 1 of PIPEDA. These principles, detailed below, are rooted in international data protection standards and reflect the Canadian Standards Association’s Model Privacy Code for the Protection of Personal Information.

Accountability

You must demonstrate accountability by developing and committing to an ongoing privacy management program for the information that you collect and control. The outcome of such a program is a demonstrable capacity to comply, at a minimum, with applicable privacy laws.

In building a privacy program, you need to appoint someone to be responsible for your organization’s privacy compliance, and implement privacy policies and practices to ensure you are adhering to the principles in PIPEDA. These must include procedures to protect personal information and receive and respond to complaints among other requirements.

An effective privacy management program ensures that your overall data management practices are aligned with evolving legal obligations, such as mandatory reporting of breaches of security safeguards.

It is important to keep in mind that your responsibility as an IoT device manufacturer may extend well after consumers have purchased the device if you continue to collect, use, disclose or otherwise retain personal information. Our guidance document, Getting accountability right with a privacy management program, explains how to develop a comprehensive privacy program.

Design for Privacy: Conduct a Privacy Impact Assessment

As a best practice, you should perform a privacy impact assessment (PIA) before operationalizing your product. PIAs are a tool to ensure compliance with legal requirements, and promote best practices to identify and mitigate other privacy risks.

Identifying purposes, limiting collection, consent and openness

Before you collect any personal information, you must:

  • identify and document why you need the information before or at the time of collection
  • ensure that the collection of personal information is limited to that which is necessary for the purposes identified
  • ensure that any purpose(s) for which you are collecting the information are limited to what a reasonable person would expect under the circumstances
    • be aware that some purposes may not be permitted, even with a consumer’s consent (see below section on consent for more information)

You must also be open about your personal information handling practices. This means you have an obligation to inform individuals about:

  • what personal information is collected
  • with which parties personal information is shared
  • for what purposes personal information is collected, used, or disclosed
  • risk of harm and other consequences
  • whom to contact if an individual has questions, wants to access their information, or make a complaint

If you intend to use personal information for a new purpose that wasn’t previously identified, you must identify the new purpose and obtain the individual’s consent before use (see section below on consent for more information). While it may be reasonable that some purposes are necessary for the functioning of the underlying product or service (for example, to protect network systems and security of devices), consumers must still be notified.

How to improve your communications with consumers

Consent

Under PIPEDA, organizations are required to obtain meaningful consent for the collection, use and disclosure of personal information (unless an exception to the general consent requirement applies). To make consent meaningful, people must understand what they are consenting to. Consent is only considered valid if it is reasonable to expect that individuals would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting.

It is important to be aware that, even with an individual’s consent, an organization may only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. Examples of inappropriate purposes include collection, use or disclosure that would otherwise be unlawful, or known or likely to cause significant harm to the individual, among others.

In some instances, meaningful consent can be implied, as opposed to obtained directly. However, if you are collecting, using or disclosing personal information that is considered sensitive, you need to obtain direct (“express”) consent. Organizations must generally obtain express consent when:

  • the information being collected, used or disclosed is sensitive
  • the collection, use or disclosure is outside of the reasonable expectations of the individual
  • the collection, use or disclosure creates a meaningful residual risk of significant harm

In instances where the collection, use or disclosure of their personal information is not an essential condition of service, the options for consumers to say “yes” or “no” must be explained clearly and made easily accessible.

Under the law, individuals can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. You also have a legal duty to inform individuals of the implications of withdrawing consent.

We have drafted guidelines to provide clarity about how to obtain meaningful consent as well as guidance on what would generally be considered inappropriate data practices (see links provided below).

Should I obtain consent to use children’s personal information?

Children under the age of thirteen are not likely to fully understand the consequences of their privacy choices. For this reason, in all but exceptional circumstances, they are unable to meaningfully consent to the collection, use and disclosure of personal information.

The OPC takes the position that at a minimum, you must obtain consent to collect, use and disclose children’s personal information from their parents or guardians. We also highly recommend that you limit the collection, use, disclosure or retention of personal information about children. This issue often arises in the context of smart toys and educational products as well as e-learning platforms.

Limiting collection, use, disclosure and retention

If you collect personal information, PIPEDA requires you to limit its collection to what is necessary for the identified purpose(s). You must also be able to justify why each piece of information is collected. Document these decisions and inform individuals of these practices.

As previously noted, metadata can reveal personal information so you must also limit its collection. For example, data about the times of day, and lengths or location of audio recordings can be revealing on their own or when combined with other data, exposing sensitive and detailed information about individuals.

Use or disclosure of personal information must be limited to the purposes for which it was collected, unless the individual consents or it is required by law.

You must also know how long you need users’ personal information for the identified purpose, and what to do when you no longer need to retain it. PIPEDA requires that personal information shall be retained only as long as necessary for the fulfilment of the purposes for which it was collected. A specifically identified purpose is therefore a clear indicator of how long information needs to be retained and should be the basis for developing an appropriate retention policy. There is no “one size fits all” retention period, and a clear rationale for retaining information should be developed to reflect each particular set of circumstances.

Note that personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made.

It is strongly recommended that you design your device to limit collection. For example, when collecting audio data, how you design the method of activation matters. Is activation:

  • manual, which requires pushing a button?
  • always ready, activated by a “wake phrase,” like “Hey, Siri”? or
  • always on, where data is continuously transmitted without users taking any action?

Individuals should be told what activation method is used as part of your privacy policy. Any and all collection over and above what is needed for device functioning should be explained to consumers and their consent obtained before collection, assuming that the purposes are reasonable as per our guidance on section 5(3) of PIPEDA.

In addition, we encourage you to provide consumers with user-friendly options to permanently delete information you hold about them, and inform them of how to proceed with doing so. For example, instruct individuals that they can delete their information by going online and/or by calling customer support.

Individual access, accuracy of information and challenging compliance

Consumers have a right to access their personal information, including any inferences the organization has made about the individual based on personal information previously collected or ongoing collection, such as patterns of use or consumer behavior. They also have a right to ensure that their information is accurate and to correct or amend the information. As previously discussed, you must let your customers know about these rights and provide them with a means of challenging the accuracy of the information you hold about them and correcting it if required.

Safeguards

PIPEDA requires that all personal information be protected by security safeguards appropriate to the sensitivity of the information. This applies to the information that an IoT manufacturer or its partners collect and store on behalf of users. It also applies to information in transit.

Potential security risks associated with IoT devices are significant and you are required to take the physical, organizational and technological measures needed to ensure that your devices are safe to use and not easily compromised.

In other jurisdictions we have begun to see IoT-specific legislation requiring privacy and security safeguards for IoT devices, such as in the state of California. It is becoming increasingly evident just how high the stakes can be in the case of a security breach like hacking or misuse. For example, hacking an insulin pump can compromise the safety and well-being of an individual. Smart home devices such as thermostats, locks and lights can and have been used as digital tools of domestic abuse.

In Canada, the Canada Consumer Product Safety Act recognizes that suppliers of consumer products, including manufacturers, have an essential role to play in addressing any dangers to human health or safety that may be posed by consumer products in today’s global marketplace.

Technical overview: Tips for safeguarding personal information

Further information about PIPEDA compliance

We have a number of resources detailing information about PIPEDA compliance, including the following:

A checklist of what you must do under the law and should do as a best practice

What you must do to fulfill your responsibilities under PIPEDA:

  • Be accountable by instituting practices that protect the personal information under the control of your organization
  • Before collecting personal information, identify the purposes for its collection
  • Obtain informed and meaningful consent from the individual whose personal information is collected, used or disclosed
  • Design your devices to limit collection to that which is necessary to fulfil their stated purposes
  • Use and disclose personal information only for the purpose for which it was collected
  • Ensure that personal information is as accurate, up-to-date and complete as is necessary for the purposes for which it is to be used, especially when making a decision about individuals or when sharing it with others
  • Ensure the personal information you are accountable for is appropriately safeguarded
  • Inform individuals about your policies and practices for information management
  • Give individuals the ability to access and correct their information
  • Provide recourse to individuals by developing complaint procedures
  • Limit what you collect, use, share and retain about your customers, including children
  • Protect personal information through technological safeguards such as encryption and password protection

What you should do to supplement your responsibilities under the law:

  • Create device specific privacy policies to improve the transparency of your information practices. For example, include a list of every sensor a device possesses in your policy’s section on disclosures and state the minimum length of time these devices will receive security updates
  • Consider periodically notifying users when the device is collecting data and give consumers greater control to limit the collection
  • Perform privacy and security risk assessments that help identify and mitigate risks associated with the device and your personal information handling practices
  • Design your devices to require consumers to use strong and unique passwords
  • Provide consumers with user-friendly options to permanently delete information you hold about them and inform them of how to do so
  • Ensure that the end user can patch or update the firmware on the device

