The Information Commissioner’s Office (ICO) trailed the probe on Thursday as it published new guidance for consumer ‘internet of things’ products and services.
The term ‘internet of things’ (IoT) refers to the growing array of everyday products and services that are connected to online networks. Smart TVs are one example. Others include smart fridges and ovens, smart doorbells and baby monitors, fitness trackers and smart watches, as well as connected toys and smart speakers.
It is common for IoT products and services to collect data about their users and to use that information for a range of purposes, including creating personalised experiences, providing users with insights, and serving personalised adverts based on how users interact with those products and services and with other connected products and services. In its guidance, the ICO highlighted that this activity constitutes processing of personal data and is subject to data protection laws.
The ICO said there is potential for IoT products to collect information about people that is intrusive. It said manufacturers of IoT products and services therefore must consider whether they need to process personal information from those products at all and, if they do, how long it is necessary to retain that data. It said that most personal data processing involving IoT products “is likely to result in a high risk” and highlighted that where this is the case, manufacturers must undertake a data protection impact assessment, to identify and reduce associated data protection risks, before they undertake the processing.
Its guidance also addresses how the processing of data from IoT products and services can engage data protection principles under the UK General Data Protection Regulation (GDPR), including around fair and lawful processing, accuracy, data minimisation and data security, as well as requirements manufacturers face around accountability.
In addition to considering GDPR compliance, the ICO said manufacturers of IoT products and services need to consider their duties under the UK’s Privacy and Electronic Communications Regulations (PECR). In this regard, the ICO highlighted how manufacturers that use ‘cookies’ or similar tracking technologies to store information, or access information stored, on a user’s connected product will generally need users' prior consent to the use of those trackers and to provide users with information about how to manage and delete them.
Among other things, the ICO said the PECR requirements would apply where a network-connected device – for example, a mobile app linked to an IoT product – collects data from the product. The ICO further confirmed that where IoT products have been designed to use cookies or other tracking technologies and consent has been obtained to their use, manufacturers should ensure that they also obtain user consent for any subsequent processing of the personal data they gather about those users. It said consent must be obtained if the trackers are to be used for online advertising purposes.
“This applies both to the technical processes involved in ad selection and delivery, as well as any associated tracking and profiling,” the ICO said in its guidance. “This is because use of storage and access technologies for the purposes of online advertising is not strictly necessary to provide an online service via your IoT product. You might consider generating income through advertising necessary for your business but on a technical level, you can provide the service without any advertising.”
“Remember, you must also have an appropriate lawful basis for any processing of personal information for the purposes of profiling and targeted advertising (eg a person’s viewing habits on a smart TV). If you need consent for your use of storage and access technologies, and the information is personal data, you should use consent as your lawful basis under the UK GDPR for subsequent processing. If your product is aimed at children or is likely to be accessed by them, you should ensure that online behavioural advertising is off by default,” it added.
The ICO’s intended focus on the data protection compliance of smart TV manufacturers comes amidst research that found that the products are in 70% of UK households.
“Smart TVs can collect a large amount of data and use this information to serve targeted advertising – but this must be done transparently and with genuine consent,” the ICO said, adding that it will engage with manufacturers of the products this year “to assess whether they are complying with the law and offering consumers meaningful choice over how their data is used”.
Data protection law expert Malcolm Dowden of Pinsent Masons said: “This is not new law. However, it does signal a significant sharpening of the ICO’s enforcement focus as it prepares to move to its new corporate structure and as penalties under PECR have been increased to align with the UK GDPR maximum of £17.5 million or, if higher, 4% of global annual turnover.”