As a manufacturer of Internet of Things (IoT) devices, you are responsible for the personal information under your control and have obligations under Canadian privacy legislation to implement effective privacy protection.
This guidance focuses on adherence with Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). We have based this guidance on the results of several Office of the Privacy Commissioner of Canada (OPC) investigations and have had it validated by experts in the field.
As a manufacturer of IoT devices, you are part of a complex IoT ecosystem in which many components and actors, such as social media platforms, third-party applications and service providers, can potentially collect, use and disclose personal information.
This guidance is meant to provide you with practical information to help ensure that your business practices and the devices you make are privacy protective and compliant with PIPEDA. While this guidance will focus on the privacy principles as laid out in Schedule 1 of PIPEDA, the whole Act applies. For more guidance on general adherence to PIPEDA, please refer to our Privacy Guide for Businesses.
This guidance will also provide you with examples of best practices that will further strengthen your privacy management program.
While this guidance considers an IoT manufacturer’s responsibilities in the context of PIPEDA, manufacturers will also want to keep themselves apprised of other legal obligations relevant to their business, including but not limited to the Canada Consumer Product Safety Act.
Who should read this guidance?
If you produce, design or are tasked with ensuring legal compliance for devices with embedded sensors that collect personal information—such as lights, doorbells, locks, smoke detectors, alarms, TVs, cameras, speakers, appliances, connected cars, toys, clothing, watches or health trackers—then this guidance is for you. This guidance is also relevant to those in the business of developing smart cities, where IoT devices are increasingly becoming part of the infrastructure within urban centres and on roads.
Does PIPEDA apply to you?
As a manufacturer of IoT devices, your device will probably be collecting, using and/or disclosing personal information in the course of commercial activity. If so, you are subject to PIPEDA or to provincial laws that may apply instead of PIPEDA. Note that you may be subject to more than one Canadian private-sector privacy law if your company has locations in various provinces. In addition, if your business handles the personal information of Canadians but you are not based in Canada, PIPEDA may still apply if a real and substantial connection to Canada exists.
Personal information is broadly defined in PIPEDA as “information about an identifiable individual.” The types of personal information IoT devices collect may vary in sensitivity and could include:
- heart rate, body temperature and movement
- temperature or energy usage in a home
- voice and facial recordings
- geolocation data
- behavioural patterns
For greater certainty, the Federal Court decided in Gordon v. Canada that information is about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or combined with other available information.
Our technical and legal overview of privacy and metadata further explains how combining seemingly innocuous “information about information” (metadata) may reveal detailed information about an individual and become personal information.
For more information:
- Gordon v. Canada (Health), 2008 FC 258
- Metadata and privacy: A technical and legal overview
- Personal Information
- Questions and Answers regarding the application of PIPEDA, Alberta and British Columbia’s Personal Information Protection Acts
- OPC PIPEDA Report of Findings (September 2014), “After a significant Adobe data breach, customer questions company’s security safeguards and the response it provided about impacts on his personal information”
How information gathered by IoT devices may reveal personal information
PIPEDA’s privacy principles and how to apply them
If your IoT device is collecting, using or disclosing personal data in the course of commercial activity, then you are subject to PIPEDA and must follow the principles set out in Schedule 1 of PIPEDA. These principles, detailed below, are rooted in international data protection standards and reflect the Canadian Standards Association’s Model Privacy Code for the Protection of Personal Information.
You must demonstrate accountability by developing and committing to an ongoing privacy management program for the information that you collect and control. The outcome of such a program is a demonstrable capacity to comply, at a minimum, with applicable privacy laws.
In building a privacy program, you need to appoint someone to be responsible for your organization’s privacy compliance, and implement privacy policies and practices to ensure you are adhering to the principles in PIPEDA. Among other requirements, these must include procedures to protect personal information and to receive and respond to complaints.
An effective privacy management program ensures that your overall data management practices are aligned with evolving legal obligations, such as mandatory reporting of breaches of security safeguards.
It is important to keep in mind that your responsibility as an IoT device manufacturer may extend well after consumers have purchased the device if you continue to collect, use, disclose or otherwise retain personal information. Our guidance document, Getting accountability right with a privacy management program, explains how to develop a comprehensive privacy program.
Design for Privacy: Conduct a Privacy Impact Assessment
As a best practice, you should perform a privacy impact assessment (PIA) before operationalizing your product. PIAs are a tool to ensure compliance with legal requirements, and promote best practices to identify and mitigate other privacy risks.
Identifying purposes, limiting collection, consent and openness
Before you collect any personal information, you must:
- identify and document why you need the information before or at the time of collection
- ensure that the collection of personal information is limited to that which is necessary for the purposes identified
- ensure that any purpose(s) for which you are collecting the information are limited to what a reasonable person would expect under the circumstances
- be aware that some purposes may not be permitted, even with a consumer’s consent (see below section on consent for more information)
You must also be open about your personal information handling practices. This means you have an obligation to inform individuals about:
- what personal information is collected
- with which parties personal information is shared
- for what purposes personal information is collected, used, or disclosed
- risk of harm and other consequences
- whom to contact if an individual has questions, wants to access their information, or make a complaint
If you intend to use personal information for a new purpose that wasn’t previously identified, you must identify the new purpose and obtain the individual’s consent before use (see section below on consent for more information). While it may be reasonable that some purposes are necessary for the functioning of the underlying product or service (for example, to protect network systems and security of devices), consumers must still be notified.
How to improve your communications with consumers
Under PIPEDA, organizations are required to obtain meaningful consent for the collection, use and disclosure of personal information (unless an exception to the general consent requirement applies). To make consent meaningful, people must understand what they are consenting to. Consent is only considered valid if it is reasonable to expect that individuals would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting.
It is important to be aware that, even with an individual’s consent, an organization may only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. Examples of inappropriate purposes include collection, use or disclosure that would otherwise be unlawful, or known or likely to cause significant harm to the individual, among others.
In some instances, meaningful consent can be implied, as opposed to obtained directly. However, if you are collecting, using or disclosing personal information that is considered sensitive, you need to obtain direct (“express”) consent. Organizations must generally obtain express consent when:
- the information being collected, used or disclosed is sensitive
- the collection, use or disclosure is outside of the reasonable expectations of the individual
- the collection, use or disclosure creates a meaningful residual risk of significant harm
In instances where the collection, use or disclosure of their personal information is not an essential condition of service, the options for consumers to say “yes” or “no” must be explained clearly and made easily accessible.
Under the law, individuals can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. You also have a legal duty to inform individuals of the implications of withdrawing consent.
We have drafted guidelines to provide clarity about how to obtain meaningful consent as well as guidance on what would generally be considered inappropriate data practices (see links provided below).
Should I obtain consent to use children’s personal information?
Children under the age of thirteen are not likely to fully understand the consequences of their privacy choices. For this reason, in all but exceptional circumstances, they are unable to meaningfully consent to the collection, use and disclosure of personal information.
The OPC takes the position that at a minimum, you must obtain consent to collect, use and disclose children’s personal information from their parents or guardians. We also highly recommend that you limit the collection, use, disclosure or retention of personal information about children. This issue often arises in the context of smart toys and educational products as well as e-learning platforms.
For more information:
- See section on consent and children in Guidelines for obtaining meaningful consent
- Collecting from kids? Ten tips for services aimed at children and youth
- Connected toy manufacturer improves safeguards to adequately protect children’s information
- Investigation into the personal information handling practices of Ganz Inc.
Limiting collection, use, disclosure and retention
If you collect personal information, PIPEDA requires you to limit its collection to what is necessary for the identified purpose(s). You must also be able to justify why each piece of information is collected. Document these decisions and inform individuals of these practices.
As previously noted, metadata can reveal personal information so you must also limit its collection. For example, data about the times of day, and lengths or location of audio recordings can be revealing on their own or when combined with other data, exposing sensitive and detailed information about individuals.
Use or disclosure of personal information must be limited to the purposes for which it was collected, unless the individual consents or it is required by law.
You must also know how long you need users’ personal information for the identified purpose, and what to do when you no longer need to retain it. PIPEDA requires that personal information shall be retained only as long as necessary for the fulfilment of the purposes for which it was collected. A specifically identified purpose is therefore a clear indicator of how long information needs to be retained and should be the basis for developing an appropriate retention policy. There is no “one size fits all” retention period, and a clear rationale for retaining information should be developed to reflect each particular set of circumstances.
Note that personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made.
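The following is an added illustration of a purpose-bound retention rule, written for this page and not taken from OPC guidance or from any manufacturer’s system. It shows the two points made above in running code: the retention period is derived from the documented purpose rather than from a single global setting, and a record that was used to make a decision about a person is held for an extra access window even after its purpose is fulfilled. A record whose purpose was never documented is flagged for review rather than silently kept or deleted, since the missing justification is itself the problem. The purposes, periods and records are constructed sample values.

```python
"""Purpose-bound retention evaluator (added illustration, not OPC code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str                         # documented purpose it was collected for
    collected_at: datetime
    decision_at: Optional[datetime] = None   # when it was used to decide something about the person


@dataclass(frozen=True)
class RetentionPolicy:
    periods: Dict[str, timedelta]        # purpose -> how long that purpose needs the data
    decision_access_window: timedelta    # hold after a decision so the person can still request access

    def disposition(self, rec: Record, now: datetime) -> str:
        """Return 'retain', 'dispose' or 'review' for one record."""
        period = self.periods.get(rec.purpose)
        if period is None:
            # No documented purpose: keeping it cannot be justified, but do not
            # auto-delete either; the gap in documentation needs a human look.
            return "review"
        if now < rec.collected_at + period:
            return "retain"
        # Purpose fulfilled; only a recent decision justifies holding on longer.
        if rec.decision_at is not None and now < rec.decision_at + self.decision_access_window:
            return "retain"
        return "dispose"


def run_disposal(records: List[Record], policy: RetentionPolicy, now: datetime) -> Dict[str, List[str]]:
    """Group record ids by disposition, as a scheduled purge job would."""
    out: Dict[str, List[str]] = {"retain": [], "dispose": [], "review": []}
    for rec in records:
        out[policy.disposition(rec, now)].append(rec.record_id)
    return out


# Constructed sample data: hypothetical purposes, periods and timings.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
POLICY = RetentionPolicy(
    periods={
        "device_diagnostics": timedelta(days=30),
        "warranty_claim": timedelta(days=365),
    },
    decision_access_window=timedelta(days=90),
)
SAMPLE = [
    Record("r1", "device_diagnostics", NOW - timedelta(days=10)),
    Record("r2", "device_diagnostics", NOW - timedelta(days=45)),
    Record("r3", "device_diagnostics", NOW - timedelta(days=45), decision_at=NOW - timedelta(days=20)),
    Record("r4", "device_diagnostics", NOW - timedelta(days=200), decision_at=NOW - timedelta(days=150)),
    Record("r5", "marketing_profile", NOW - timedelta(days=1)),   # purpose never documented
]

if __name__ == "__main__":
    for kind, ids in run_disposal(SAMPLE, POLICY, NOW).items():
        print(f"{kind}: {ids}")
```

Run as a script it prints three buckets: r1 and r3 retained (r3 only because of its recent decision), r2 and r4 disposed, r5 sent for review. In practice the purpose table is the same document you produced when identifying purposes before collection, which is what ties the retention schedule back to that earlier step.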
It is strongly recommended that you design your device to limit collection. For example, when collecting audio data, how you design the method of activation matters. Is activation:
- manual, which requires pushing a button?
- always ready, activated by a “wake phrase,” like “Hey, Siri”? or
- always on, where data is continuously transmitted without users taking any action?
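As an added illustration of why the activation method matters, the following simulation (written for this page; it is not code from the guidance or from any device vendor) pushes the same stream of one-second audio frames through the three activation models and counts how many frames leave the device and how many of those were incidental household sound the user never addressed to it. The frame labels and the twelve-second stream are constructed; the capture window after a trigger is an assumed two seconds.

```python
"""Activation-mode comparison for a voice-enabled device (added illustration)."""

# Constructed input stream (hypothetical household, 12 one-second frames).
# "wake" = locally detected wake phrase, "button" = physical press,
# "query" = the user's request, "chat"/"tv" = sound not meant for the device.
FRAMES = ["silence", "tv", "wake", "query", "query", "silence",
          "chat", "chat", "silence", "button", "query", "silence"]

INCIDENTAL = {"tv", "chat"}   # sound that was never addressed to the device


def always_on(frames):
    """Continuous transmission: every frame leaves the device."""
    return list(frames)


def _capture_after(frames, trigger, capture_len):
    """Forward only the capture_len frames that follow each trigger frame."""
    sent, i = [], 0
    while i < len(frames):
        if frames[i] == trigger:
            sent.extend(frames[i + 1:i + 1 + capture_len])
            i += 1 + capture_len
        else:
            i += 1           # dropped on-device, never queued for upload
    return sent


def manual(frames, capture_len=2):
    """Push-to-talk: capture a fixed window after a physical button press."""
    return _capture_after(frames, "button", capture_len)


def wake_phrase(frames, capture_len=2):
    """Always-ready: wake detection runs locally; only post-wake audio is sent."""
    return _capture_after(frames, "wake", capture_len)


def compare(frames):
    """Per mode: frames sent, and how many of them were incidental sound."""
    result = {}
    for name, mode in (("manual", manual), ("wake_phrase", wake_phrase), ("always_on", always_on)):
        sent = mode(frames)
        result[name] = {"sent": len(sent),
                        "incidental": sum(1 for f in sent if f in INCIDENTAL)}
    return result


if __name__ == "__main__":
    for name, stats in compare(FRAMES).items():
        print(f"{name:12s} sent={stats['sent']:2d}/{len(FRAMES)} incidental={stats['incidental']}")
```

On this stream the manual and wake-phrase modes each transmit two frames and no incidental sound, while always-on transmits all twelve, including the television and the household conversation. The simulation assumes wake detection happens on the device; a design that streams audio to a server to detect the wake phrase behaves like always-on regardless of what the product page says, and a pre-roll buffer sent along with each wake shifts the numbers back toward always-on in proportion to its length.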
In addition, we encourage you to provide consumers with user-friendly options to permanently delete information you hold about them, and inform them of how to proceed with doing so. For example, instruct individuals that they can delete their information by going online and/or by calling customer support.
Individual access, accuracy of information and challenging compliance
Consumers have a right to access their personal information, including any inferences the organization has made about the individual based on personal information previously collected or ongoing collection, such as patterns of use or consumer behaviour. They also have a right to ensure that their information is accurate and to correct or amend the information. As previously discussed, you must let your customers know about these rights and provide them with a means of challenging the accuracy of the information you hold about them and correcting it if required.
PIPEDA requires that all personal information be protected by security safeguards appropriate to the sensitivity of the information. This applies to the information that an IoT manufacturer or its partners collect and store on behalf of users. It also applies to information in transit.
Potential security risks associated with IoT devices are significant and you are required to take the physical, organizational and technological measures needed to ensure that your devices are safe to use and not easily compromised.
In other jurisdictions we have begun to see IoT-specific legislation requiring privacy and security safeguards for IoT devices, such as in the state of California. It is becoming increasingly evident just how high the stakes can be in the case of a security breach like hacking or misuse. For example, hacking an insulin pump can compromise the safety and well-being of an individual. Smart home devices such as thermostats, locks and lights can and have been used as digital tools of domestic abuse.
In Canada, the Canada Consumer Product Safety Act recognizes that suppliers of consumer products, including manufacturers, have an essential role to play in addressing any dangers to human health or safety that may be posed by consumer products in today’s global marketplace.
For more information:
- California Senate Bill No. 327 – SB-327 Information Privacy: Connected Devices (2018)
- Canada Consumer Product Safety Act Quick Reference Guide
- Meeting Canada Consumer Product Safety Act requirements
- Canada Consumer Product Safety Act (S.C. 2010, c. 21)
Technical overview: Tips for safeguarding personal information
Further information about PIPEDA compliance
We have a number of resources detailing information about PIPEDA compliance, including the following:
- Enforcement of PIPEDA
- Declined to investigate and discontinued complaint dispositions
- What you need to know about mandatory reporting of breaches of security safeguards
A checklist of what you must do under the law and should do as a best practice
What you must do to fulfill your responsibilities under PIPEDA:
- Be accountable by instituting practices that protect the personal information under the control of your organization
- Before collecting personal information, identify the purposes for its collection
- Obtain informed and meaningful consent from the individual whose personal information is collected, used or disclosed
- Design your devices to limit collection to that which is necessary to fulfil their stated purposes
- Use and disclose personal information only for the purpose for which it was collected
- Ensure that personal information is as accurate, up-to-date and complete as is necessary for the purposes for which it is to be used, especially when making a decision about individuals or when sharing it with others
- Ensure the personal information you are accountable for is appropriately safeguarded
- Inform individuals about your policies and practices for information management
- Give individuals the ability to access and correct their information
- Provide recourse to individuals by developing complaint procedures
- Limit what you collect, use, share and retain about your customers, including children
- Protect personal information through technological safeguards such as encryption and password protection
What you should do to supplement your responsibilities under the law:
- Create device specific privacy policies to improve the transparency of your information practices. For example, include a list of every sensor a device possesses in your policy’s section on disclosures and state the minimum length of time these devices will receive security updates
- Consider periodically notifying users when the device is collecting data and give consumers greater control to limit the collection
- Perform privacy and security risk assessments that help identify and mitigate risks associated with the device and your personal information handling practices
- Design your devices to require consumers to use strong and unique passwords
- Provide consumers with user-friendly options to permanently delete information you hold about them and inform them of how to do so
- Ensure that the end user can patch or update the firmware on the device
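As an added illustration of the checklist items on password protection and strong, unique passwords (example code written for this page; it is not OPC code or any vendor’s firmware), the following models how a device can avoid a shared factory default: each unit is provisioned with its own random credential, the credential is stored only as a salted PBKDF2 hash, and the device refuses normal operation until the owner replaces it with a password that passes a minimum policy. The serial numbers, the short denylist and the policy thresholds are constructed assumptions.

```python
"""Per-device credential provisioning and first-use password change (added illustration)."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERS = 200_000
# Tiny constructed denylist; a real device would carry a much larger one.
COMMON_PASSWORDS = {"password", "123456", "admin", "qwerty", "letmein"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def verify_password(password, salt, digest):
    """Constant-time comparison so the check does not leak where the mismatch is."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def password_policy_errors(password, device_serial):
    """Return a list of policy violations (empty list means acceptable)."""
    errors = []
    if len(password) < 12:
        errors.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("common password")
    if device_serial.lower() in password.lower():
        errors.append("contains device serial")
    return errors


class DeviceAuth:
    """Credential state for one unit; must_change gates normal operation."""

    def __init__(self, serial, salt, digest):
        self.serial = serial
        self.salt = salt
        self.digest = digest
        self.must_change = True      # cleared only after the owner sets their own password

    def login(self, password):
        if not verify_password(password, self.salt, self.digest):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def change_password(self, current, new):
        """Replace the credential; returns policy errors, or [] on success."""
        if not verify_password(current, self.salt, self.digest):
            return ["current password incorrect"]
        errors = password_policy_errors(new, self.serial)
        if errors:
            return errors
        self.salt, self.digest = hash_password(new)
        self.must_change = False
        return []


def provision(serial):
    """Factory step: mint a unique credential for this unit and return it once,
    for the label printer; only the hash stays on the device."""
    factory_credential = secrets.token_urlsafe(12)
    salt, digest = hash_password(factory_credential)
    return DeviceAuth(serial, salt, digest), factory_credential


if __name__ == "__main__":
    device, label = provision("SN-0001")          # constructed serial
    print("login with label credential:", device.login(label))
    print("weak replacement:", device.change_password(label, "admin"))
    print("good replacement:", device.change_password(label, "correct horse battery"))
    print("login afterwards:", device.login("correct horse battery"))
```

Two units provisioned this way never share a credential, so compromising one label does not open the rest of the fleet, and the login path returns a distinct state for “valid but still the factory credential” so the firmware can force the change before exposing any other function. The same pattern applies to any service credential the device holds for its backend.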
- Research paper, The Internet of Things (2016)
- Report of Findings, Investigation into the personal information handling practices of Ganz Inc. (2014)
- Report of Findings, Connected toy manufacturer improves safeguards to adequately protect children’s information (2018)
- Getting accountability right with a privacy management program (2012) and a PIPEDA self-assessment tool (2008)
- Seizing Opportunity: Good Privacy for Developing Mobile Apps (2012) and Ten Tips for Communicating Privacy Practices to your App’s Users (2014)
- Guidelines for obtaining meaningful consent (2018)
- Guidance on inappropriate data practices: Interpretation and application of subsection 5(3) (2018)
- PIPEDA fair information principles (2018)
- Wearable Computing – Challenges and opportunities for privacy protection (2014)
- Collecting from kids? Ten tips for services aimed at children and youth (2015)
Governments and Data Protection Authorities
- The Information Commissioner’s Office, United Kingdom, and The Office of the Privacy Commissioner of Canada’s joint letter to 10 webcam manufacturers in Canada and the United States (2015)
- The UK Government, Department for Digital, Culture, Media & Sport, Code of Practice for Consumer IoT Security (2018)
- The UK Government, Department for Digital, Culture, Media & Sport, Mapping of IoT Security Recommendations, Guidance and Standards to the UK’s Code of Practice for Consumer IoT Security (2018)
- The US Federal Trade Commission Staff Report, Internet of Things: Privacy and Security in a Connected World (2015)
- The US Federal Trade Commission, What’s the Security Shelf-life of IoT? (2015)
- U.S. Department of Commerce, National Institute of Standards and Technology (NIST), Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (2018)
- U.S. Department of Commerce, National Institute of Standards and Technology (NIST), De-Identification of Personal Information (2015)
- France Commission Nationale de l’Informatique et des Libertés, Objets connectés : n’oubliez pas de les sécuriser ! [French only]
- International Conference on Data Protection and Privacy Commissioners, Mauritius Declaration on the Internet of Things (2014)
- Results of the 2016 Global Privacy Enforcement Network Sweep (2016); Global Internet of Things Sweep finds connected devices fall short on privacy (2016); and, 2016 GPEN Privacy Sweep, Internet of Things: Participating Authorities’ Press Releases.
- Article 29 Data Protection Working Party, Opinion 8/2014 on the Recent Developments on the Internet of Things, European Commission (2014)
- International Organization for Standardization (ISO), International Standard on Information technology—Security techniques—Privacy framework, ISO 29100 (2011) (see page 14, Table 2)
- Internet of Things Privacy Forum, Clearly Opaque: Privacy Risks of the Internet of Things (2018)
- Future of Privacy Forum, Microphones and the IoT (2017)
- Ian Kerr, The Devil is in the Defaults (2017) (see pages 98-99)
- Vishal Salvi, 6 Steps to a More Secure IoT (2019)
- Broadband Internet Technical Advisory Group (BITAG), Internet of Things Security and Privacy Recommendations (2016)
- Scott Peppet, Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security & Consent (2014)
- Center for Democracy & Technology, Toward Privacy-Aware Research and Development in Wearable Health (2016)
- Center for Digital Democracy, Health Wearable Devices in the Big Data Era: Ensuring Privacy, Security, and Consumer Protection (2017)
- Florian Schaub, et al., A Design Space for Effective Privacy Notices (2015)
- ACLU, Jay Stanley, The Privacy Threat from Always-on Microphones like the Amazon Echo (2017)