Canadian manufactures of internet-connected devices — including smart toys, educational products and e-learning platforms –should limit the collection of personal information about children, says the federal privacy commissioner.
In new guidance from the Office of the Privacy Commissioner, manufacturers are reminded that unless they fall under provincial privacy law, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to them if they collect personal information. As such, they, like other organizations, are required to obtain meaningful consent for the collection, use and disclosure of personal information.
But, it adds, “children under the age of 13 are not likely to fully understand the consequences of their privacy choices. For this reason, in all but exceptional circumstances, they are unable to meaningfully consent to the collection, use and disclosure of personal information.
“The OPC takes the position that at a minimum, you must obtain consent to collect, use and disclose children’s personal information from their parents or guardians,” the guideline reads.
To make consent meaningful, customers must understand what they are consenting to, according to the guide. Consent is only considered valid if it is reasonable to expect that individuals would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting.
“It is strongly recommended that you design your device to limit collection,” the guidance says, starting with whether collection begins with the device booting up. “Any and all collection over and above what is needed for device functioning should be explained to consumers and their consent obtained before collection.”
IoT devices include everything from smart lights, doorbells, locks, smoke detectors, alarms, TVs, cameras, speakers, appliances, connected cars, toys, clothing, watches and health trackers.
The document notes personal information collected by IoT devices could include:
- heart rate, body temperature and movement;
- temperature or energy usage in a home;
- voice and facial recordings;
- geolocation data;
- and behavioural patterns.
The report notes there can be serious implications of an IoT hack, referring to news reports of hacking an insulin pump, and the abuse of smart home devices thermostats, locks and lights as digital tools of domestic abuse.
“IoT is going to be one of the most important technological innovations that significantly impacts privacy,” noted lawyer Barry Sookman of the Toronto law firm McCarthy Tetrault in an email. “The challenge is that traditional privacy principles are an uneasy fit for IoT as it is for artificial intelligence and other big data innovations.”
He also pointed out that the guidance doesn’t offer a real analysis of the challenges of applying PIPEDA to IoT. Nor, he added, does it address the real challenges of getting meaningful consents for uses of data by entire ecosystems.
Ultimately, Sookman says, PIPEDA is outdated and needs to be modernized to facilitate the adoption of new technologies, while still respecting people’s reasonable expectations of privacy.
The guidance includes a list of things IoT makers that capture personal information must do and things they should do.
“IoT makers that capture personal information have to demonstrate accountability by developing and committing to an ongoing privacy management program for the information that you collect and control,” the guide instructs. “The outcome of such a program is a demonstrable capacity to comply, at a minimum, with applicable privacy laws.
“In building a privacy program, you need to appoint someone to be responsible for your organization’s privacy compliance and implement privacy policies and practices to ensure you are adhering to the principles in PIPEDA. These must include procedures to protect personal information and receive and respond to complaints among other requirements.”
An effective privacy management program ensures that your overall data management practices are aligned with evolving legal obligations, such as mandatory reporting of breaches of security safeguards, the document adds.