ICO Publishes New Guidance for IoT Device Manufacturers

SBD Community
Maintainer

On 16 June 2025, the UK's Information Commissioner's Office (ICO) published new draft guidance aimed directly at the manufacturers and developers of Internet of Things (IoT) products. This is a significant development for any company placing connected devices on the UK market, providing much-needed regulatory clarity on how data protection law applies to the IoT ecosystem.

The press release accompanying the guidance calls on the industry to prioritise user privacy and design products with data protection in mind from the outset. This move directly supports the core principles of secure-by-design that we champion in this handbook.

Why This Matters for Device Makers

The ICO's guidance addresses public concern that smart products often collect excessive amounts of personal information without being transparent about how that data is used. For manufacturers, this guidance isn't just a recommendation; it's a clear signal of the ICO's enforcement priorities.

Stephen Almond, Executive Director for Regulatory Risk at the ICO, stated:

"People rightly have a greater expectation of privacy in their own homes so they must be able to trust that smart products are using their personal information responsibly and only in ways they would expect... We want to help organisations get it right from the start – but we are closely monitoring compliance and ready to act where we believe corners are being cut or personal information is being collected recklessly."

This reinforces the need for a proactive, design-led approach to compliance.

What the Guidance Covers

The guidance clarifies the ICO's expectations on key privacy topics, including:

  • How to obtain valid, informed consent for accessing a user's device.
  • The need for transparency in privacy information.
  • What tools must be available for users to exercise their rights over their data.

These points are directly relevant to the design of device setup processes, companion apps, and cloud services.

Our Analysis

This new guidance from the ICO provides a clear framework for applying the Privacy and Electronic Communications Regulations (PECR) and UK GDPR to the unique challenges of IoT.

We have updated our own documentation to reflect this. For a detailed breakdown of how these rules affect device and cloud architecture, see our updated PECR & IoT Overview page.


The ICO's draft guidance is open for consultation for twelve weeks from the date of publication. You can read the official announcement here and the full draft guidance here.