
Connected products: What retailers need to know about ICO and data protection compliance

01 July 2026
Philip James and Anne Gascoigne

The Information Commissioner’s Office (ICO) has recently published guidance on consumer 'Internet of Things' (IoT) products.

IoT is a term used to describe products which have the ability to process information by way of sensors, software and connectivity to networks (including the internet).

Common IoT products, such as smart speakers, smart TVs and fitness trackers, collect and process information, connect to networks and communicate with each other.

Processing of personal data

By their very nature, IoT products usually process personal data as they are designed to interact with users. They often require an account for setup, which requires the user to provide personal data to operate them. The personal data captured by these products is therefore subject to UK Data Protection legislation, including the General Data Protection Regulation (GDPR).

The ICO is clear that, whilst many IoT products are used purely in the course of a user’s private life, the 'domestic purposes' exemption under GDPR (which sets out that the legislation does not apply to purely personal or household use) is not applicable. This is because the data itself is processed by manufacturers or developers of the product, who must ensure that they are treating it as they would any other data collected as part of their day-to-day business operations. Quite the opposite is true, in fact – since the data collected from IoT devices is often highly sensitive, higher protections will be required such as Data Protection Impact Assessments (DPIAs) to identify any risk to the user’s data protection rights.

Special category data

Many IoT products are capable of processing special category data – that is, data of a particularly sensitive nature, such as personal data revealing racial or ethnic origin, biometric data used for identification purposes, or data concerning health (a full list can be found under Article 9 of GDPR).

It is worth noting that the ICO guidance makes clear that special category data can be inferred from the information provided, meaning that users do not need to have explicitly provided this information themselves. In most cases, subject to certain limited derogations or exceptions, this data can only be processed by IoT products where explicit consent has been provided by the user.

Whilst many IoT devices will rely on consent as their lawful basis for processing personal data more generally, where a different basis or exception is relied upon it will be important to be wary of purpose limitation: a secondary, subsequent processing purpose may arise which is not directly linked to the specific, original exception or condition used (and the same principle applies to consent).

Only in limited circumstances, such as, for instance, scientific research, may a wider interpretation of the original purpose be applied (dependent upon the specific facts and circumstances prevailing at the time). Always remember that an Article 6 lawful basis must also apply in addition to Article 9 (special category data).

Privacy and Electronic Communications Regulations (PECR)

The guidelines also address Regulation 6 of PECR, which covers a range of technologies commonly used in IoT products, including:

  1. cookies;
  2. tracking pixels;
  3. local storage;
  4. device fingerprinting;
  5. scripts and tags;
  6. application programming interfaces;
  7. automatic content recognition; and
  8. software development kits.

These technologies can be used to store data which tracks user behaviour which can be used to build a detailed profile for the purposes of targeted advertising. Many IoT products, particularly those which enable content streaming, collect data on the browsing and viewing habits of their users, bringing them within the scope of Regulation 6 of PECR.

Where Regulation 6 applies, manufacturers and developers must provide users with "clear and comprehensive information” about the purposes of any storage or access of information taking place on the device, and must obtain the user’s consent before doing so. Crucially, this is a separate obligation to the requirement to provide information and obtain consent for the processing of personal data more broadly – the two cannot be conflated, and separate information and consent must be provided in respect of each.

The ICO guidance also makes clear that, if children are likely to be using an IoT product, or if the product itself is targeted at children, then targeted advertising should be turned off by default.

Other issues and regulatory trends

PECR

Equally, note that PECR also contains restrictions around location-based information: certain criteria must be met before location data can be processed (other than in limited exceptional circumstances).

EU Data Act

Finally, whilst outside the scope of this article, the EU Data Act (and in due course secondary legislation issued under the UK Data (Use and Access) Act), governs the sharing of data, whether or not personal; and users may require data holders (i.e. businesses) to disclose data to either them as consumer users or third parties on their behalf (again, subject to certain limitations e.g. relating to trade secrets and commercially sensitive information). Understanding the risks and opportunities this presents should be on compliance teams’ radars for retailers.

UK Product Security and Telecommunications Infrastructure Act (PSTI)

It should also be noted that the PSTI came into force in April 2024 and is enforceable by the Office for Product Safety and Standards (OPSS), with penalties of up to £10m. PSTI applies to internet-connectable products and network-connectable products (products that connect to other devices or networks, such as via Bluetooth) that are supplied to consumers in the UK in the course of commercial activity, regardless of where the manufacturer is based. The Act has three baseline security requirements:

  1. Each product must have a unique password, and generic default passwords are prohibited.
  2. Manufacturers must publish a clear and accessible policy explaining how security issues can be reported. This must include a point of contact and timescales for response.
  3. Information on minimum security update periods must be published and made transparently available to the consumer.

Manufacturers must ensure products meet these requirements, issuing a statement of compliance, before placing them on the market. Importers must check that manufacturers have complied before they import the products. Import documentation should also be reviewed to ensure the importer has conducted the relevant checks. Lastly, distributors must verify compliance before selling products. Retailers should have a process to withdraw products that do not meet these requirements.

Examples of in-scope products include smart TVs, connected speakers, smartphones and tablets, and baby monitors. Desktop and laptop computers (without mobile connectivity), smart meters, medical devices, EV charging points and motor vehicles are excluded from the scope as they are covered by other regulation. However, standalone products used within a motor vehicle, such as GPS trackers, are not excluded.

An international case study: California’s enforcement action against General Motors (GM)

On 8 May 2026, a settlement was announced with GM for violations of the California Consumer Privacy Act (CCPA) and unfair competition law. GM had collected its subscribers’ personal data, including names and driving behaviour, and sold this data to two insurance brokers, who used it to raise premiums. The violations included misleading customers by stating that their data would not be sold, as well as holding covered driving data beyond the necessary period. As a result, GM had to pay $12.75m in penalties. California regulators now treat data minimisation as an enforceable requirement: collecting more data than is strictly necessary for a defined purpose will have regulatory consequences.

The UK GDPR also has a binding data minimisation principle. Under Article 5(1)(c) of the UK GDPR, personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed".

This case has important implications for connected product retailers in all jurisdictions. They may be selling products that collect data by design, for example where the data is transferred to the manufacturer as part of normal operation. To maintain compliance with data minimisation requirements, retailers should take the following measures:

  1. Review what existing policies they have in place regarding data minimisation and flag whether changes need to be made.
  2. Ensure that their existing privacy policies match their data collection practices, so that consumers are not being misled. This means understanding exactly what data your product collects and whether it is shared with third parties.
  3. When selling data to third parties, ensure that consumers have given fully informed consent and that they understand what this data may be used for. Ensure that there is no ambiguous wording in privacy notices. Alternatively, identify a lawful basis other than consent (where applicable) and carry out a privacy risk assessment.
  4. Conduct a DPIA. Under Article 35 of the UK GDPR, this is likely to be compulsory for retailers of connected products that process vast amounts of personal data.
  5. Establish a data retention and deletion policy to ensure that personal data stored in connected products is deleted before they are re-sold.

ICO expectations

The ICO has set out its expectations for IoT manufacturers and developers, the key points of which are:

  • Privacy must be built in from the start, not bolted on afterwards: Developers and manufacturers must ensure that data privacy is inherent in the device. This includes ensuring that default device settings are privacy-protective and that data collection is limited to what is strictly necessary.
  • Consent must be “real, specific and freely given via a clear opt-in”: When providing their consent to data processing, IoT users must give their explicit consent, and be informed of:
    • why their personal information is being used;
    • what lawful basis is being used for processing;
    • what types of personal information are being used;
    • what decisions are being made with the information and how it affects their use of the service;
    • whether personal information used or generated by the systems is being kept and for how long;
    • whether and in what circumstances their personal information is shared with other organisations; and
    • how they can exercise their data protection rights.
  • Genuine transparency is more than a privacy notice: Information must be communicated to users in clear, accessible language and at relevant points throughout the product experience, including at the point of data collection. This means thinking carefully about how privacy information is delivered, the language used, when it's provided, and which interfaces it's delivered through. Developers and manufacturers should also bear in mind that multiple people may be using the same product.
  • Most firms will have to carry out a Data Protection Impact Assessment: As touched on previously, in light of the sensitive nature of the data typically collected by IoT devices, most organisations will be required to carry out a DPIA.
  • Security is a continuing obligation: Developers and manufacturers must maintain robust security practices, including multi-factor authentication, and ensure that systems are regularly updated to safeguard personal data on an ongoing basis.
  • Consider the implications of broader smart data legislation: This includes the EU Data Act and the Data (Use and Access) Act, and the broader data disclosure and open data obligations that retailers will need to comply with (as well as the inclusion of appropriate open data notices).

Summary

It's worth noting that the ICO's guidance on IoT products does not introduce any new requirements; rather, it sets out how existing UK data protection legislation applies to IoT products in practice. That said, it offers clear and practical advice that manufacturers and developers of IoT products would do well to take on board, particularly as their use becomes ever more common in our daily lives. If you have any questions about how this guidance may affect your business, Browne Jacobson has data law specialists who would be happy to provide support.

Contact


Philip James

Partner

philip.james@brownejacobson.com

+44 (0)330 045 1022


Anne Gascoigne

Trainee Solicitor

anne.gascoigne@brownejacobson.com

+44 (0)330 045 1011
