The Office of the Australian Information Commissioner says 71 percent of all privacy policies offered by the makers of ‘internet of things’ devices used in Australia fail basic requirements demanded by privacy law.
The regulator has joined 26 other privacy authorities from the Global Privacy Enforcement Network to contribute to a worldwide sweep of privacy guidance made available by 314 IoT companies - 45 of which are operating in Australia.
The survey - which was conducted between 11 and 15 April this year - found that policies are overwhelmingly generic rather than device specific, are vague and unhelpful, and in some cases fail to recognise sensitive activity data like steps and calories burned as personal information.
The IoT industry has boomed in recent years, with the increasing popularity of sensor-driven wearables like fitness trackers, plus home devices and even children’s toys.
But Australian Privacy Commissioner Timothy Pilgrim has warned “many of us have adopted this technology into our everyday lives without considering how much of our personal information is being captured or what happens to that information”.
“Strong privacy protections and clear explanations for how personal information is managed help build consumer trust. It also avoids the costly exercise of building these privacy frameworks later on, most often after something has already gone wrong,” he said.
On the local front, the OAIC found:
- 71 percent of companies did not disclose how personal data would be stored, and some failed to even specify what they collected
- 27 percent did not say whether they shared personal information with third parties
- 44 percent did not detail how personal data would be safeguarded
- 38 percent didn’t supply contact details if customers had outstanding privacy concerns
- 93 percent did not tell users how to wipe devices remotely if they are lost or stolen
Globally, an average of 68 percent of vendor privacy policies failed the basic test of informing a customer how their personal information is collected, used and disclosed.
The Global Privacy Enforcement Network is an interjurisdictional consortium of privacy regulators formed under the umbrella of the OECD.