Consumer IoT data protection and the connected-product stack

In short: Consumer IoT data protection has two layers: the UK GDPR sets the lawful basis for the personal data a product processes, and PECR regulation 6 adds a separate layer, consent by default, wherever a connected product is “terminal equipment”. The ICO’s final IoT guidance, published 11 June 2026, confirms the test. Product security and market-access rules add a third and a fourth layer.
If you want to deploy a consumer IoT product in the UK, two sets of data protection rules govern the data it handles: the UK GDPR and PECR. The UK GDPR governs the personal data the product processes. PECR governs access to the device itself, and applies whether or not you have a lawful basis for processing the data. Two more regimes also apply: the product must be secure, and it must be lawful to sell.
The Information Commissioner published its final guidance for consumer Internet of Things products and services on 11 June 2026, alongside a summary of consultation responses. It replaces the draft consulted on between 16 June and 7 September 2025. For connected-product businesses the guidance sets out how two regimes, the UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR), apply together to a single device.
The two layers of consumer IoT data protection
The UK GDPR layer asks whether you have a lawful basis under Article 6 for the personal data your product processes, a valid Article 9 condition for any special category data, and whether your processing is fair, transparent and secure. Most consumer IoT products process personal data, and often a wide range of it: identifiers, telemetry, location, audio, video and inferences drawn from sensor readings. Voice ID in a smart speaker is special category biometric data because it is used to identify the user, and the ICO confirms that even a one-off voice query is processed to match against stored voice IDs and so is treated the same way.
Regulation 6 of PECR prohibits storing information on, or gaining access to information stored in, the terminal equipment of a user unless a Schedule A1 basis applies. It is not a lawful-basis question: it bites on the act of reaching into the device at all. Where it is engaged and no other Schedule A1 basis fits, you need consent to the UK GDPR standard before you store or access anything, and a legitimate interest under the UK GDPR does not substitute for that consent.
When does PECR regulation 6 also apply?
Not every IoT product is terminal equipment. PECR does not define the term; it derives from the wider communications framework, where terminal equipment is equipment connected, directly or indirectly, to a public communications network to send, process or receive information. Connectivity triggers PECR; a product’s intelligence is irrelevant. The ICO puts it plainly: if an IoT product is connected to a public communications network, directly or indirectly, it is terminal equipment and PECR applies.
The assessment runs connection by connection, not once for the whole product. A smart lightbulb that reaches the internet only through a paired phone app over Bluetooth is, for that local link, outside PECR; regulation 6 instead applies when the manufacturer stores or accesses information through the network-connected device. So a product can sit partly inside and partly outside the regime depending on which component is holding the connection.
| Connectivity scenario | Terminal equipment? | Does PECR regulation 6 apply? |
|---|---|---|
| Product connects directly to a public network (eg a smart TV or speaker on the internet) | Yes | Yes. Storing or accessing information on the device needs a Schedule A1 basis. |
| Product reaches the network only through a hub or phone that holds the connection | The network-connected device is terminal equipment; the local link is not | The local transmission is outside PECR. Regulation 6 applies when you store or access information via the network-connected device. |
| Companion app on a phone or tablet that enables, configures or controls the product | Yes. The phone or tablet is terminal equipment | Yes. Storage or access through the app engages regulation 6. |
| Product with no direct or indirect connection to a public network | No | No. Regulation 6 is not engaged. |
If PECR applies: the Schedule A1 choices
Where regulation 6 is engaged, consent is not automatic. The Data (Use and Access) Act 2025, section 112, substituted regulation 6 and moved the permitted bases into a new Schedule A1 (the Schedule itself inserted by Schedule 12 to the Act, in force from 5 February 2026). Six paragraphs now sit there: consent and five exceptions to it. The two that decide most IoT cases are consent and strict necessity. Storage or access for online advertising, including automatic content recognition on a smart TV, is never strictly necessary and always needs consent. By contrast, the ICO has added detail on when telemetry and diagnostic data fall within the strictly-necessary exception.
| Schedule A1 basis | When it is available | What it means for your product |
|---|---|---|
| Consent (paragraph 2) | The default route for any non-essential storage or access | Valid, UK GDPR-standard consent before you process. Advertising, content recognition and personalisation always sit here. |
| Transmission (paragraph 3) | Storage or access solely to carry the communication | No consent for the technical transmission itself. |
| Strictly necessary (paragraph 4) | Strictly necessary to provide the service the user asked for | No consent. Covers security, fraud prevention, fault detection and authentication. The ICO has clarified when telemetry and diagnostic data qualify. |
| Statistics (paragraph 5) | First-party analytics to improve the service, with clear information and a free objection | No consent if the conditions are met. Does not cover information automatically emitted by the device. |
| Appearance or functionality (paragraph 6) | Storage or access solely to adapt the product to the user’s preferences | No consent, subject to information and a free means to object. |
| Emergency assistance (paragraph 7) | The device signals a need for emergency help | No consent, to establish location for the emergency response. |
New regulation 6A gives the Secretary of State a power to add, omit or vary the Schedule A1 exceptions by statutory instrument, after consulting the ICO. The exception list is now adjustable without primary legislation, so the boundary between consent and strict necessity may move as the technology does.
A four-step consumer IoT data protection assessment
- Map the connectivity of every component: the device, any hub and the companion app. Mark each point that connects, directly or indirectly, to a public communications network.
- At each connected point, ask whether you store or access information on it. If you do, regulation 6 is engaged for that point.
- Where regulation 6 is engaged, find the Schedule A1 basis. If no exception fits, consent to the UK GDPR standard is the only remaining basis and must be obtained before you store or access anything; advertising and content recognition always need it.
- Then, separately, confirm your UK GDPR position: a lawful basis under Article 6, an Article 9 condition for any special category data such as voice ID or health data, and your transparency and security obligations. The PECR step does not discharge these; it sits in front of them.
What the final ICO guidance changed
The ICO made several substantive changes after consultation. It widened the controllership examples to address embedded third-party services: a vendor can be a processor for one purpose and a controller for another within the same device. It hardened its treatment of manipulative consent, naming confirmshaming and biased framing, warning against consent requests stacked in quick succession, and endorsing positive friction that makes a user pause. It held its reading of terminal equipment against industry pressure for a case-by-case test, and added detail on telemetry and diagnostic data under the strictly-necessary exception.
The guidance also absorbs the post-Data (Use and Access) Act 2025 reforms. The children’s section now reflects the higher protection matters for children under Article 25, and the automated decision-making section is aligned with the ICO’s revised ADM guidance, a theme that runs through its wider 2026 priorities. The guidance addresses generative AI throughout, the scope is clarified so that companion apps on phones and tablets are in scope where they enable, configure or control the product, and the harms discussion now acknowledges that connected products can be used to facilitate domestic abuse and coercive control.
What manufacturers, importers, distributors and sellers must do
The duties do not all apply to the same party. The data protection duties apply to the controller, usually the manufacturer or the service operator that decides why and how personal data is processed, while embedded service vendors take processor obligations by contract under Article 28. The product-security duties under PSTI run across manufacturers, importers, distributors and retailers. So an importer or reseller can be subject to both a security and market-access duty on a product whose data protection compliance is the manufacturer’s to own.
The controller should build data protection in from the start of the product lifecycle, not at launch. The lawful basis is determined before processing starts and documented. Where consent is the basis, it has to be a clear opt-in, granular by purpose, separated from terms and conditions, and as easy to withdraw as to give. Consent obtained as a precondition of a service that does not need it is invalid, so a children’s GPS tracker that cannot work without location relies on contract, not consent, for the location data.
Transparency operates in layers across the device, the companion app and the website, because a product with a small screen or none cannot carry the full picture. Consent requests sit at the right moments in the user journey rather than all at once during set-up, and provision for multiple household users, not all of whom hold accounts, becomes part of the design. Where a product is likely to be accessed by children the Children’s code applies, with geolocation and behavioural advertising off by default. A DPIA is required for systematic monitoring, large-scale special category data, products aimed at children and biometric identification, and the Article 32 security standard is met through secure-by-design measures and a defined end-of-support position.
Beyond privacy: product security and market access
Data protection is not the whole stack. A connected product must also be secure and lawful to sell, and each is a separate regime. The Product Security and Telecommunications Infrastructure Act 2022 has two parts: Part 1 on product security and Part 2 on telecommunications infrastructure. Part 1, with the Security Requirements for Relevant Connectable Products Regulations 2023, has applied since 29 April 2024. It places duties on manufacturers, importers and distributors (retailers included) of relevant connectable products: the three baseline security requirements bind the manufacturer, and importers and distributors must not make a non-compliant product available in the UK. The three requirements are:
- no universal default passwords;
- a published point of contact for reporting security vulnerabilities; and
- a stated minimum period for security updates.
The requirements draw on the 2018 Code of Practice for Consumer IoT Security and the ETSI EN 303 645 standard. The Office for Product Safety and Standards enforces the regime, with a penalty ceiling of the greater of £10 million or 4 per cent of qualifying worldwide revenue. This is product security, not data protection, so it runs in parallel with the UK GDPR and PECR rather than discharging either.
Most wireless IoT is radio equipment under the Radio Equipment Regulations 2017, placed on the Great Britain market by conformity assessment and a CE or UKCA marking, usually by self-declaration. The old telecoms terminal type-approval regime is gone. CE marking is recognised for Great Britain on an open-ended basis, so UKCA is not mandatory and the two marks are interchangeable; the 31 December 2027 deadline governs only where the UKCA mark may be placed, not whether CE is accepted. The EU’s radio-equipment cyber security requirements under Delegated Regulation (EU) 2022/30 have been mandatory in the EU since 1 August 2025 and apply in Northern Ireland under the Windsor Framework, but Great Britain has not adopted them and relies on the PSTI regime instead. The Cyber Security and Resilience Bill, introduced on 12 November 2025 and carried into the 2026-27 session, will widen the network-security obligations that sit above all of this.
If you also sell into the EU, two further EU regimes reach UK businesses. The Cyber Resilience Act (Regulation (EU) 2024/2847) sets cyber security requirements for products with digital elements, applies to anyone placing them on the EU market wherever they are established, and applies in full from 11 December 2027. The Data Act (Regulation (EU) 2023/2854), in application since 12 September 2025, gives users of connected products a right to access and share the data those products generate, which the UK has not legislated for. A product sold on both sides of the Channel meets two regimes, not one.
| Layer | What it governs | Lead instrument and regulator |
|---|---|---|
| Data protection | The personal data the product processes | UK GDPR and DPA 2018; ICO |
| ePrivacy | Storing or accessing information on the device | PECR regulation 6 and Schedule A1; ICO |
| Product security | Baseline security of the connectable product | PSTI Act 2022 Part 1 and the 2023 Regulations; OPSS |
| Market access | Placing the product lawfully on the GB market | Radio Equipment Regulations 2017; CE or UKCA marking |
Viewpoint
In our experience advising connected-product businesses, the PECR question and the UK GDPR question sit apart. A lawful basis for the data is one question; consent to store or access information on the device is another. The two do not collapse into one. A legitimate interest under the UK GDPR does not cure a regulation 6 breach, and for advertising and content recognition there is no route but consent.
The discipline the final guidance rewards is a connection-by-connection map of the product, because terminal-equipment status follows the network connection and not the casing. That is also the harder analysis to retrofit, which is why it belongs in the design phase. The point to watch is the new regulation 6A power: the boundary between consent and strict necessity is now something the Secretary of State can move by statutory instrument after consulting the ICO, and the ICO has signalled further work on privacy-enhancing technologies and generative AI in the IoT context. The framework is now stable enough to build to, even though that power means its boundaries will keep moving.
Frequently asked questions
Are all IoT devices terminal equipment under PECR?
No. A product is terminal equipment only where it connects, directly or indirectly, to a public communications network. A device with no such connection is outside PECR regulation 6. Where a product reaches the network through a hub or phone, the local link is outside PECR and regulation 6 applies when you store or access information through the network-connected device. The assessment is made connection by connection, not once for the whole product.
Does an IoT product always need consent under PECR?
No. Consent is the default, but Schedule A1 provides exceptions, including strict necessity for the service the user requested. Security, fraud prevention, fault detection and authentication can fall within strict necessity, and the ICO has clarified when telemetry and diagnostic data qualify. Online advertising and automatic content recognition are never strictly necessary and always need consent.
Is voice ID special category data?
Yes, where it is used to identify a user. A voice ID is biometric data processed to recognise a particular person, so it is special category biometric data and needs an Article 9 condition, usually explicit consent. The ICO treats even a one-off voice query the same way, because it is processed to match against stored voice IDs.
How does the Data (Use and Access) Act 2025 affect IoT compliance?
It restructured PECR regulation 6, moving the exceptions into Schedule A1 and adding a power for the Secretary of State to vary them by statutory instrument. It also raised the bar on children’s protections under Article 25 and reshaped automated decision-making, both of which the final ICO guidance reflects.
Is the PSTI Act 2022 the same as the ICO IoT guidance?
No. They are different regimes for the same devices. The Product Security and Telecommunications Infrastructure Act 2022, Part 1, and the 2023 Regulations set baseline security duties for connectable products from 29 April 2024, enforced by the Office for Product Safety and Standards. The ICO guidance covers data protection under the UK GDPR and PECR. Meeting one does not discharge the other.
How we can help
If you are assessing where PECR and the UK GDPR apply across a connected product, or building data protection into a product lifecycle, Bratby Law advises manufacturers, importers, distributors and retailers on consumer IoT data protection and the wider connected-product rules. Our data protection compliance for products page sets out how we work. For a connection-by-connection review of your product, contact Rob Bratby at Bratby Law.
