A review and an empirical analysis of privacy policy and notices for consumer Internet of things

Abstract

The privacy policies and practices of six consumer Internet of things (IoT) devices were reviewed and compared. In addition, an empirical verification of the compliance of privacy policies for data collection practices on two voice‐activated intelligent assistant devices, namely the Amazon Echo Dot and Google Home devices was performed. The review shows that IoT privacy policies may not be usable from the human‐computer interaction perspective because IoT policies are included as part of the manufacturers' general privacy policy (which may include policies unrelated to the device), or the IoT policy requires to read (in addition to the IoT policies) the manufacturers' general privacy policy which increase the cognitive load for the user. It was also found that future policy changes along with the approach to provide user consent to changes may adversely affect the privacy of the consumer because changes to policies may not provide choice to consumers to opt out from data collection practices if consumers are not aware of the changes. Finally, the empirical results for the Amazon Echo Dot and the Google Home devices demonstrate they adhere to their privacy policies when voice is collected through these devices.