Consider a smart thermostat. Its owner installs it on a Saturday afternoon, downloads the companion app, and agrees to a privacy notice that, if printed, would be dense enough to fell an entire forest.
Within a few days, the device has assembled a detailed portrait of the household's daily rhythms and begun transmitting it to a constellation of third parties. Consent was obtained, but transparency came as an afterthought.
The Information Commissioner's Office wants to close this gap.
On 11 June 2026, it published finalised guidance on consumer Internet of Things (IoT) products and services. The language within it is pointed. In the press release accompanying the guidance, "Setting out our expectations for the smart device industry", it notes that "genuine transparency is more than a privacy notice" – a rebuke to businesses that bury data collection disclosures in legalese and label the result 'compliance'.
The guidance spans the full lifecycle of connected consumer products, from smart speakers to fitness trackers, and sets out what the ICO expects. It's the most granular statement yet on how the UK GDPR and the Privacy and Electronic Communications Regulations apply to the IoT sector.
In particular, the guidance notes:
- privacy should be by design, not as an afterthought. Protective settings should be the default and data collection should go no further than what's strictly necessary for the product to function;
- consent needs to mean something, which means a clear, specific opt-in (and not a pre-ticked box buried in the terms). And withdrawing consent should be just as straightforward as giving it;
- transparency goes well beyond a privacy notice. Users need to understand how their data is used, explained in plain language and surfaced at the moments that matter and not hidden in a document nobody reads;
- most organisations will need to do a data protection impact assessment (DPIA). As the guidance notes, "most processing involving IoT products is likely to result in a high risk". Where children might use the product, the bar rises sharply: high privacy by default, age-appropriate design, child-friendly explanations, and a DPIA that addresses children's rights and risks rather than just those of adult account holders; and
- security is a continuous legal obligation. This means measures such as regular security updates, encryption and multifactor authentication, maintained throughout the product's lifetime.
None of this is entirely new law. But the detail matters. Several aspects of the guidance stood out to us, and we think they deserve closer attention.
Built-in friction
The guidance endorses 'positive friction': deliberately slowing users down when they are making consent choices. This runs directly against mainstream UX thinking, which treats friction as the enemy. The ICO is saying the opposite: sometimes making a process slightly harder produces better outcomes, because people have to stop and think about what they are doing (and so actually give consent) rather than click through without considering the consequences.
Shared spaces
The guidance's most candid moment comes when it admits that "gathering consent from multiple users where not everyone has an account for your IoT product may be difficult". This is the ICO acknowledging a structural limitation. A smart speaker in a flat share, for example, processes data from everyone who talks near it, but only account holders have real control. The underlying problem is that the UK GDPR's individual-rights model is harder to operationalise when a single device processes data about multiple people who may not all have accounts or equivalent controls. IoT puts multiple people inside the same data relationship without clear individual mechanisms for each of them. The guidance tries to patch this with multiple accounts, but holes still remain. What if someone declines to set up an account?
Data changing character
Data can change its character depending on the context. The step count example in the guidance is the clearest illustration of this contextual reasoning. A step count on its own is "unlikely to be health data." But use that same step count to generate a wellness score, or feed it to an insurance company calculating premiums, and it becomes special category health data. It is the same number, but with a different legal treatment.
Inferences matter
Inferences are within the scope of the guidance, i.e. data that organisations "infer about someone, for example, by combining and analysing information you collect". And it goes further for special category data: "this also covers cases where you intend to infer or guess details about someone that fall within these categories". Put simply, the ICO isn't just concerned with what you gather. It's concerned with the conclusions you draw from what you've gathered.
In effect, the guidance represents a shift in what a data protection authority does. The ICO isn't just enforcing abstract principles here; it's also telling companies how to build things.
The EU's approach?
The EU may eventually produce dedicated IoT privacy guidance, particularly if regulators see inconsistent approaches in this area. But for now, the EU approach is a patchwork rather than a single playbook.
The GDPR and the ePrivacy Directive provide the privacy base. The Data Act gives users of connected products greater control over the data those products generate and requires that devices on the EU market be designed to allow data sharing. The Cyber Resilience Act introduces mandatory cybersecurity requirements for manufacturers covering planning, design, development, maintenance and vulnerability handling over the product lifecycle. And where IoT products include AI features, the AI Act may add further obligations, particularly where the product involves biometric categorisation, emotion recognition, AI safety components in regulated products, medical-device functionality, or risk assessment and pricing in life and health insurance.
That's a lot of legislation, all with different dates when provisions apply. But there is, as yet, no EU equivalent of the ICO's practical, consolidated consumer IoT privacy guidance. The closest predecessor is the Article 29 Working Party's Opinion 8/2014 on the Internet of Things, which pre-dates the GDPR and is showing its age.
What to do now
IoT compliance is now a product architecture issue. Legal teams need to sit with product, design, engineering and security before the device ships. If privacy review starts when the packaging is already printed, it's too late!
For multinationals that operate in the UK and the EU, the sensible move is not to wait. We'd look to build a single EU and UK IoT compliance framework now, using the ICO guidance for practical design detail and the EU materials for the GDPR, ePrivacy, Data Act, cybersecurity and AI overlays.
Please get in touch with the team if you'd like to discuss how we could help your organisation comply with this new guidance.