August 2020
Overview
As a manufacturer of Internet of Things (IoT) devices, you are responsible for the personal information under your control and have obligations under Canadian privacy legislation to implement effective privacy protection.
This guidance focuses on adherence to Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). We have based this guidance on the results of several Office of the Privacy Commissioner of Canada (OPC) investigations and have had it validated by experts in the field.
Introduction
As a manufacturer of IoT devices, you are part of a complex IoT ecosystem in which many components and actors, such as social media platforms, third-party applications and service providers, can potentially collect, use and disclose personal information.
This guidance is meant to provide you with practical information to help ensure that your business practices and the devices you make are privacy protective and compliant with PIPEDA. While this guidance will focus on the privacy principles as laid out in Schedule 1 of PIPEDA, the whole Act applies. For more guidance on general adherence to PIPEDA, please refer to our Privacy Guide for Businesses.
This guidance will also provide you with examples of best practices that will further strengthen your privacy management program.
While this guidance considers an IoT manufacturer’s responsibilities in the context of PIPEDA, manufacturers will also want to keep themselves apprised of other legal obligations relevant to their business, including but not limited to the Canada Consumer Product Safety Act.
Who should read this guidance?
If you produce, design or are tasked with ensuring legal compliance for devices with embedded sensors that collect personal information—such as lights, doorbells, locks, smoke detectors, alarms, TVs, cameras, speakers, appliances, connected cars, toys, clothing, watches or health trackers—then this guidance is for you. This guidance is also relevant to those in the business of developing smart cities, where IoT devices are increasingly becoming part of the infrastructure within urban centres and on roads.
Does PIPEDA apply to you?
As a manufacturer of IoT devices, your device will probably be collecting, using and/or disclosing personal information in the course of commercial activity. If so, you are subject to PIPEDA or to provincial laws that may apply instead of PIPEDA. Note that you may be subject to more than one Canadian private-sector privacy law if your company has locations in various provinces. In addition, if your business handles the personal information of Canadians but you are not based in Canada, PIPEDA may still apply if a real and substantial connection to Canada exists.
Personal information is broadly defined in PIPEDA as “information about an identifiable individual.” The types of personal information IoT devices collect may vary in sensitivity and could include:
- heart rate, body temperature and movement
- temperature or energy usage in a home
- voice and facial recordings
- geolocation data
- behavioural patterns
For greater certainty, the Federal Court decided in Gordon v. Canada that information is about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or combined with other available information.
Our technical and legal overview of privacy and metadata further explains how combining seemingly innocuous “information about information” (metadata) may reveal detailed information about an individual and become personal information.
For more information:
- Gordon v. Canada (Health), 2008 FC 258
- Metadata and privacy: A technical and legal overview
- Personal Information
- Questions and Answers regarding the application of PIPEDA, Alberta and British Columbia’s Personal Information Protection Acts
- OPC PIPEDA Report of Findings (September 2014), “After a significant Adobe data breach, customer questions company’s security safeguards and the response it provided about impacts on his personal information”
How information gathered by IoT devices may reveal personal information
PIPEDA’s privacy principles and how to apply them…
Read The Full Article at the Office of the Privacy Commissioner (OPC)