In Brief
A report by the OPC has shown that companies don't sufficiently explain to users how their personal information is collected, used, and disclosed to third parties.

Privacy watchdog takes on IoT

The Office of the Privacy Commissioner of Canada (OPC), the country’s privacy watchdog, is taking part in a global privacy initiative that’s raising concerns about connected devices, often referred to collectively as the “Internet of Things.” And it’s not looking good.

The “Internet of Things” (IoT) refers to an extremely broad range of devices connected to the Internet that have technologically enhanced functionality. Smart home thermostats and security systems, self-driving cars, fitness and sleep trackers, and Internet TV systems are examples of IoT.

Canada and the OPC took part in April’s global “privacy sweep” and released its results. Although Canada was one of 25 privacy authorities involved, only a handful of countries (including Canada) have released results from the sweeps. Specifically, the initiative is red-flagging the failure of smart devices to allow users to control the personal data they collect.

The OPC’s sweep focused on connected health and wellness devices like blood pressure monitors, fitness trackers, smart scales, and smart watches.

The OPC revealed that connected devices “fail to inform users about exactly what personal information is being collected and how it will be used.” The findings cover sensitive data like financial and health information.

You Have a Connection Problem

“Overall there was significant room for improvement with respect to the privacy communications of the Internet-connected devices swept,” Commissioner Daniel Therrien said.

“With the proliferation of the Internet of Things, the activities, movements, behaviours and preferences of individuals are being measured, recorded and analyzed on an increasingly regular basis. As this technology expands, it is imperative that companies do a better job of explaining their personal information handling practices.”

As part of the process, “sweepers” – OPC staff tasked with testing devices – analyzed what information connected products asked for and what privacy protection and collection information they offered to users. Almost half of sweepers on the Canadian team and more than three-quarters of international sweepers could not locate basic instructions on how to delete their data. Multiple devices asked to track locations without explaining why this was needed, and the privacy policies of many devices and companies were too vague.

Brent Homan, director-general of PIPEDA investigations for the OPC, stressed that information about what data is being collected should not be buried in privacy policies and should instead be openly provided at key points like purchase or device registration. Homan also emphasized that, where gathering data is not essential to a device’s function, the default should not be to gather the information and user consent should be explicit.

The Global Privacy Enforcement Network (GPEN) is a collaboration between the privacy organizations of various countries including the United States, Canada, Britain, various EU member states, and China. Founded in 2012, GPEN has conducted these kinds of sweeps before. The group is hoping to add weight to its advocacy by making these sweeps global.

According to Cisco Systems, by 2020 there will be 50 billion connected devices worldwide. International Data Corporation (IDC) research predicts that the IoT global market will grow to $1.7 trillion by 2020.

Data gathered by connected devices is extremely valuable to marketers, and in some instances to law enforcement agencies.