Solution providers need to protect data and identities as more technology options become available in the connected home. Setting the right criteria for collecting, handling, treatment, and storage of consumers’ private information has to be adequately sanctioned in privacy regulations and frameworks. The most widely recognized of these regulations is the GDPR, which came into force in 2018. GDPR requires each EU member state to consistently protect consumer and personal data across EU nations. Any company that offers goods or services to EU residents, regardless of its location, is subject to the regulation. The major requirements of GDPR include consent from the consumer for data processing, anonymizing their personal information, and providing timely notifications about data breaches.

While strict regulations and policy frameworks cannot be easily enforced and do not safeguard vulnerable consumers, those frameworks that recommend that privacy needs be baked into connected-design concepts have found greater acceptance among advocates and vendor organizations alike.

Originally put forward by the Information and Privacy Commissioner of Ontario, in Canada, the structure of the privacy-by-design (PbD) framework was recognized as a global standard on privacy at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, Israel, in 2010. In its current iteration, PbD offers a much more robust framework that connected-home industry stakeholders, including several Internet service providers (ISPs), professional consulting firms, energy management and monitoring solutions providers, and IoT platform providers, are deploying to honor their consumer privacy protection commitments. PbD is also recognized as a precursor to the GDPR, which incorporates PbD within its core framework.

Privacy by Design – Core Principles

1. Proactive not reactive—preventive not remedial

Anticipate, identify, and prevent invasive events before they happen; this means taking action before the fact, not afterward.

2. Lead with privacy as the default setting

Ensure personal data is automatically protected in all IT systems or business practices, with no added action required by any individual.

3. Embed privacy into design

Privacy measures should not be add-ons, but fully integrated components of the system.

4. Retain full functionality (positive-sum, not zero-sum)

Privacy by Design employs a “win-win” approach to all legitimate system design goals; that is, both privacy and security are important, and no unnecessary trade-offs need to be made to achieve both.

5. Ensure end-to-end security

Data lifecycle security means all data should be securely retained as needed and destroyed when no longer needed.

6. Maintain visibility and transparency—keep it open

Assure stakeholders that business practices and technologies are operating according to objectives and subject to independent verification.

7. Respect user privacy—keep it user-centric

Keep things user-centric; individual privacy interests must be supported by strong privacy defaults, appropriate notice, and user-friendly options.

For organizations that have yet to develop their cybersecurity and consumer privacy approaches, PbD offers a blueprint to build upon and customize according to organizational needs. Given the comprehensive principles of its structure, PbD addresses both consumers’ and organizations’ privacy, in particular, elements such as a user-centric approach and a default setting for privacy. Several connected home vendors and service providers that were interviewed for the purpose of this research confirmed that they apply PbD principles in their initiatives, such as those directed at the secure system development life-cycle approach.

— Adapted from ASHB’s “Privacy and Cybersecurity in the Connected Home” Research Report (2021). For more on privacy and cybersecurity in the connected home, download the free executive summary, or purchase the full report in our store.