The review was undertaken as part of the Global Privacy Enforcement Network’s (GPEN) fourth annual privacy sweep. GPEN’s 2016 sweep included results from 25 national agencies and reviewed 314 businesses and devices such as wearables, smart TVs and health monitors. The results showed significant numbers of those businesses failing to explain to consumers how their personal information is collected, used, disclosed and safeguarded. Many also did not offer assistance to consumers to help them manage default settings, delete data or wipe their data if the device was lost.
For the Australian section of the sweep, the OAIC reviewed 45 different devices from existing and start-up businesses. The devices reviewed ranged from fitness monitors to thermostats. Of these devices, over 30 were considered to have inadequate or non-existent privacy policies to explain to consumers how their personal information would be managed.
The OAIC has foreshadowed that it will publish resources for start-ups to assist them in developing appropriate policies.
Like other businesses, IoT businesses need to be aware of the thresholds for privacy compliance, and also the reputational need for compliant privacy procedures.