LONDON, 16 June 2025 – The Information Commissioner’s Office (ICO) has today opened a vital public consultation on new draft guidance for consumer Internet of Things (IoT) products and services. The move signals a significant step towards clarifying data protection law for the rapidly growing market of smart devices, from connected speakers and fitness trackers to smart home security systems.
The UK’s data protection regulator is calling on manufacturers, developers, small businesses, and the public to provide feedback on the proposed rules, which aim to ensure personal information is used responsibly and that privacy is built into smart products from the ground up.
The consultation will run for twelve weeks, closing on Sunday, 7 September 2025.
The draft guidance addresses widespread public concern that many smart products collect excessive amounts of personal data, often without users having meaningful control or understanding of how their information is used. A previous investigation by the consumer group Which? found that some smart devices were collecting data, such as audio recordings, for no functional reason.
Stephen Almond, Executive Director for Regulatory Risk at the ICO, emphasised the need for trust and transparency. “People rightly have a greater expectation of privacy in their own homes so they must be able to trust that smart products are using their personal information responsibly and only in ways they would expect,” he said.
“This is not just about compliance – it’s about building a fair and transparent online world where people are given meaningful control over how their data is used.”
Key Focus Areas of the Draft Guidance
The ICO’s proposals provide, for the first time, regulatory certainty for the IoT industry by outlining clear expectations for complying with the UK General Data Protection Regulation (UK GDPR). The core principles addressed include:
- Data Protection by Design: Ensuring that privacy and security are fundamental components of a product’s development, not an afterthought.
- Transparency and Fairness: Mandating that information about data collection is clear, honest, and easily accessible to users before they purchase or set up a device.
- Data Minimisation: A strict requirement that devices should only collect the personal data absolutely necessary for their stated function.
- Security: Building on the UK’s ‘Secure by Design’ approach, the guidance insists on measures like banning universal default passwords and ensuring software can be securely updated.
- User Rights: Clarifying the tools and processes that must be available for people to exercise their data protection rights, such as the right to access or delete their data.
Mr Almond added, “Our guidance provides clear recommendations and examples to support manufacturers and developers to understand their legal responsibilities and provide their customers with trusted smart products that respect their privacy. We want to help organisations get it right from the start – but we are closely monitoring compliance and ready to act where we believe corners are being cut or personal information is being collected recklessly.”
Call for Input from Businesses and the Public
The ICO is inviting feedback from all stakeholders, including UK-based small businesses, freelancers, marketers, and website operators who develop, sell, or integrate with IoT technologies. The regulator is seeking views on its proposed approach and the practical application of the guidance.
Responses can be submitted via a survey on the Citizen Space platform, which is accessible through the ICO’s official website. The survey is structured into sections covering the respondent’s background, views on the regulatory approach, and current industry practices.
This consultation offers a critical opportunity for businesses to help shape a practical and effective regulatory framework, and for the public to voice their expectations for privacy in an increasingly connected world.
For more information or to respond to the consultation, please visit the consultations section on the ICO website.