The Internet of Things has revolutionized the way we live and work. 13.2 billion IoT devices were connected via the Internet by the end of 2022, a number expected to grow to 34.7 billion by 2028. The rising prevalence of industrial IoT, consumer IoT, and artificial IoT has been met with warning calls from security and privacy professionals to stay alert to the risks that these systems encompass, recently illustrated by private pictures captured by robot vacuums ending up on social media.

Embrace New Regulations for IoT

The increasing ubiquity of IoT—coupled with the large amounts of personal data IoT devices can collect—is spurring efforts to regulate and standardize the field.

In June 2022, ISO/IEC published its new Guidelines ISO/IEC 27400 for IoT security and privacy, providing guidance on risks, principles, and controls to IoT service providers, developers, and users. Several of the 45 controls in ISO/IEC 27400 aim uniquely at protecting privacy. These include IoT privacy by default, providing a privacy notice, management of IoT privacy controls, minimization of indirect data collection, clear communication of privacy preferences, and privacy controls for IoT users.

In the EU, the updated EU Radio Equipment Directive will come into force on August 1, 2024, and cover most Wi-Fi-enabled devices imported and sold in the EU. One explicit goal of this Directive is to protect consumers’ privacy. For all equipment that processes personal data, traffic data, or location data, device manufacturers will have to implement measures to prevent unauthorized access or transmission of consumers’ personal data. This will add requirements to the current legal regime of legislation that already governs IoT, including privacy legislation, such as the GDPR, consumer protection, or product safety and liability rules.

With the proposed EU Cyber Resilience Act, another highly impactful legislation is on the horizon. This Act intends to cover most network-connected devices sold in the EU. It will require manufacturers to ensure that for the expected product lifetime or for a period of five years, security vulnerabilities are “handled effectively.” The Act also foresees notification obligations of actively exploited vulnerabilities to Europe’s cybersecurity authority ENISA within 24 hours.

Other examples of regulators around the world stepping up efforts to ensure security and privacy in IoT include guidelines by the Infocomm Media Development Authority in Singapore, the Office of the Privacy Commissioner in Canada, the UK Government, or the US Federal Trade Commission, as well as California spearheading with its IoT Law.

Get Ahead of the Curve: How to Prepare

With new regulations coming up and a long list of privacy threats that IoT devices can be vulnerable to, it is critical to be aware that data protection principles apply in all stages of the development of IoT systems and products processing personal data and include privacy considerations in the development of IoT applications. Privacy principles that need to be considered include ensuring collection limitation, data quality, purpose specification, use limitation, accountability, and individual participation.

It can be helpful to start with some questions around the use of personal data in IoT: What personal data are we collecting? How are we using this personal data? Do we have a legal basis for the collection? Are we informing users about the use of their data in a clear and concise manner? What are the threats to users if this data gets lost or stolen? What is the least privacy-invasive way to build this system or product? Are we collecting and keeping the minimum amount of data necessary?

By better understanding the potential privacy risks associated with IoT devices, IoT developers and manufacturers can safeguard privacy in a complex IoT environment and apply appropriate privacy by design considerations from the beginning.

This can include solid data anonymization processes, reducing the likelihood of identification in IoT and Big Data environments. Applicable techniques must be context-specific and may include k-anonymity, differential privacy, or detection and removal of personal information in images or videos.

Another priority can be to focus on transparency, choice, and control in IoT. For example, the Privacy in IoT framework Peekaboo provides a platform to support the secure sharing of only essential pieces of data with developers in response to their requests.