ARTICLE
5 August 2025

ICO Launches Consultation On Draft Guidance For Consumer IoT Products And Services

Lewis Silkin



The Information Commissioner's Office (ICO) has launched a public consultation on its draft guidance for consumer Internet of Things (IoT) products and services, alongside a draft impact assessment. The consultation opened on 16 June 2025 and runs until 7 September 2025.

The draft guidance aims to clarify how UK data protection law applies to the design, development, and deployment of consumer IoT products and services. These include smart home devices, wearables, and connected appliances that collect and process personal data. The ICO emphasises the importance of transparency, data minimisation, and user control, particularly in environments where users may not be fully aware of the data being collected or how it is used.

What is the Internet of Things (IoT)?

The Internet of Things (IoT) refers to a digitally connected network of physical devices embedded with sensors, software, and connectivity that enables them to collect and exchange data over the internet. The "smart home" is a good example of IoT: smart doorbells, security alarms, home appliances and entertainment systems, among other things, can create a network where data is shared between the different devices, which users can control remotely from an app or website. In the consumer context, IoT products are designed to enhance convenience, efficiency, and personalisation in everyday life. However, their data-driven nature also introduces significant privacy and security challenges: rather than users actively inputting data into an app or device, data is now constantly collected from and about us in a way we may not be conscious of or informed about. It also represents a large increase in the volume of data being collected about us, as these devices run almost constantly and consistently collect data while they do.

Scope of the Draft Guidance

The guidance provides practical advice on complying with the UK GDPR and the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR) for organisations that process personal data via IoT products. Such organisations are likely to include manufacturers, app developers, AI service providers, software developers, and cloud providers, among others. Key areas covered include:

  • Transparency and fairness: Ensuring users are clearly informed about data collection and processing.
  • Lawful basis for processing: Identifying appropriate legal grounds for data use.
  • Children's data: Applying heightened protections where children are likely to use the device.
  • Security: Implementing appropriate technical and organisational measures to safeguard personal data.
  • Data sharing and third parties: Managing risks associated with integrations and data transfers.

The guidance also addresses the use of tracking technologies, such as cookies and similar identifiers, in IoT ecosystems, reinforcing the need for valid consent and clear user interfaces. For example, the ICO describes a company using automatic content recognition (ACR) technology on its smart TVs to serve users personalised ads. This technology periodically captures what is shown on the TV and matches it against a content library to serve the user ads they will be interested in; because the technology stores and accesses information on the user's TV, the company needs to obtain valid consent under PECR to use it for advertising.

As in its other recent guidance, the ICO splits the obligations under this advice into must, should, and could categories, to help organisations in scope plan their compliance matrix according to risk appetite.

Draft Impact Assessment

The accompanying draft impact assessment evaluates the potential effects of the guidance on organisations and individuals. It outlines anticipated benefits such as improved consumer trust, reduced risk of data breaches, and enhanced compliance clarity. The ICO acknowledges potential costs for businesses, particularly SMEs, in adapting to the new expectations, but argues these are proportionate to the privacy risks posed by IoT technologies.

The assessment is not yet finalised; the ICO will provide a more holistic assessment based on the finalised guidance and the feedback received from the consultation.

Further, as the guidance is based on the UK GDPR, the DPA 2018 and PECR, the draft guidance and draft impact assessment are likely to be updated as the Data (Use and Access) Act 2025 provisions amending this legislation are brought into force. This will ensure the final guidance is in line with the updated obligations under the new Act.

Next Steps

Stakeholders are encouraged to respond to the consultation via the ICO's Citizen Space platform. Feedback will inform the final version of the guidance, which is expected to play a pivotal role in shaping the UK's regulatory landscape for consumer IoT.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
