Kathryn Wynn

The UK’s Information Commissioner’s Office (ICO) confirmed it is developing guidance on data protection and the “internet of things” as it responded to concerns raised by consumer watchdog Which? over “data harvesting” by smart home devices.

Which? said it had assessed the data collection practices of major brands across smart speakers, washing machines, TVs, video doorbells and security cameras, and alleged that businesses behind such devices may be collecting more data than they need.

Rocio Concha, director of policy and advocacy at Which?, said: “Consumers have already paid for smart products, in some cases thousands of pounds, so it is excessive that they have to continue to ‘pay’ with their personal information.”

The UK General Data Protection Regulation requires organisations to ensure personal data they collect is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

“People should be able to enjoy the benefits of using their connected devices without having excessive amounts of their personal data gathered. This simply isn’t a price we expected to pay,” said Stephen Almond, ICO’s executive director of regulatory risk.

“To maintain trust in these products companies must be transparent about the data they collect and how they use it, and ensure that the data is not used or shared in ways that people would not expect.” Arnold said businesses behind connected devices can expect the ICO to “act where we don’t see the rules being followed”.

The promise of action comes at a time when the ICO has opened a separate review into how period and fertility tracking apps process users’ personal data. The move comes after a poll commissioned by the authority found that more than half of women have concerns over data security. Among the findings, more than half of people who use the apps believed they had noticed an increase in baby or fertility-related adverts since signing up.

The regulator has urged users to share their experiences through a survey in a call for evidence. A focus of its work is to identify whether there is the potential for harm and negative impact on users because of how the apps process users’ personal data.

Potential harms, as cited by the ICO, include unnecessarily complicated and confusing privacy policies, leaving users in the dark as to what they have consented to, apps requesting or storing unnecessary volumes of data, or users receiving upsetting targeted advertising that they did not sign up to.

Emily Keaney, deputy commissioner of regulatory policy of the ICO, said the authority expects organisations operating health apps to safeguard their users’ privacy and have transparent policies in place.

“This review is intended to establish both the good and bad of how the apps are working currently. Once we have more information, we will explore next steps, but we will not hesitate to take regulatory action to protect the public if necessary,” said Keaney.

Kathryn Wynn is a partner at Pinsent Masons