Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Privacy shortcomings of Internet of Things businesses revealed

In April 2016, 25 privacy enforcement authorities from around the world looked into the way over 300 Internet of Things (IoT) devices communicate with their customers about privacy. In Australia we examined 45 different devices, including fitness and health monitors, ‘smart’ travel locks and thermostats, from both multinational and start-up businesses.

Our results revealed that overall, 71 per cent of devices did not provide a privacy policy that adequately explains how personal information is managed.

This review was a part of the Global Privacy Enforcement Network’s (GPEN) annual privacy sweep, which looks at how businesses communicate privacy information, how personal information is collected, stored, distributed and the controls businesses provide to users to help them manage their personal information.

We encourage all businesses, including start-ups, to adopt a privacy-by-design approach. This approach creates a strong framework for protecting customer’s personal information and is key to building people’s trust. Start-up business owners should also keep in mind that they may be subject to the Privacy Act if they trade in personal information or deal with health information, and will definitely be covered once they reach an annual turnover of more than $3 million, and will then be required to build in privacy procedures.

Businesses offering IoT devices to Australians can create stronger privacy frameworks by:

  • creating privacy policies that address IoT privacy issues
  • making privacy notices easy to read, including by layering notices
  • outlining to customers how personal information is collected, used, disclosed and stored
  • telling customers how they can control their information, including how to access, amend or delete their information if they wish
  • providing timely advice to customers seeking information about privacy practices.

We are currently developing a number of resources for start-up businesses to assist them in implementing best privacy practices, these will be available shortly.