A staggering 71 percent of Australian IoT suppliers did not provide a privacy policy and notices to adequately explain how personal information is collected, used and disclosed, according to a review by global privacy regulators including the Office of the Australian Information Commissioner (OAIC).

Furthermore, 69 percent of Australian IoT providers did not adequately explain how customers could delete their information from the device, and 38 percent failed to include easily identifiable contact details for customers with privacy concerns, according to the review.

In addition, a whopping 91 percent of the providers failed to advise their customers how to customise their privacy configurations.

The OAIC participated in the review by the Global Privacy Enforcement Network (GPEN), a consortium of privacy regulators under the umbrella of the OECD. The review was part of GPEN’s annual privacy sweep, which this year was conducted between 11 and 15 April. The review surveyed the privacy policies and notices of 314 IoT providers across the globe, 45 of which were operating in Australia.

Comparisons between the Australian figures and global averages were mixed. For example, 60 percent of global providers failed to adequately explain the details of collection, usage and disclosure of personal information, compared to 71 percent of those surveyed in Australia.

On the other hand, Australian suppliers were better at disclosing information about how consumer data was protected, with 44 percent failing to do so, compared to 68 percent of global businesses.

How IoT providers can improve

The report identified a number of practices that often were not up to scratch, suggesting that IoT providers needed to:

  • Gain an understanding of and comply with Australian privacy legislation
  • Improve their generic privacy policies
  • Provide specific details in privacy policies about the data that may be collected
  • Recognise that in some instances ‘personal information’ may include health information
  • Advise users that they can customise the default settings of the device
  • Cease collecting personal information that is not required by the device or provider
  • Clearly explain how personal information is stored and safeguarded
  • Clearly explain how users can delete personal information from the device.

What consumers need to watch for

Australian Privacy Commissioner Timothy Pilgrim urged consumers to be cautious when adopting IoT devices.

“The Internet of Things allows for some great products and entertainment, but many of us have adopted this technology into our everyday lives without considering how much of our personal information is being captured or what happens to that information,” he said.

“Remember, for an Internet of Things device to work for you it needs to know about you, so you should know what information is being collected and where it is going.

“I encourage all Australians to look for privacy policies before you decide to use a device, and ensure you are comfortable with what information is being collected and how it is being managed.”