The devices we checked allows you to monitor your blood pressure, blood sugar, pulse and the level of oxygen in your blood. The devices are easily available for Norwegian consumers and sends data to an app on the users' mobile phones.

The Norwegian DPA found major shortfalls in the privacy communication of the six devices it checked:

• Five of the six devices failed to adequately explain to customers how their personal data was collected, used and disclosed;
• Four of the six devices did not have a privacy policy;
• Whereas some devices did not offer any information on how personal data was processed, we also found that others provided at least some relevant information.
• None of the devices adequately explained to the users how their personal data was stored, and
• None of the devices adequately explained to the users how they could delete their data.

These findings led us to three main conclusions:

User friendly equipment, but not user friendly information. It is easy to get started, install apps, take the test and get the result. It is therefore disappointing to learn how difficult it is for the user to find information about how his or her personal data is processed.

Buy first, learn about privacy later? The ability to make informed decisions about what will happen to your personal data is a basic principle within privacy thinking. In our test, we found that it was close to impossible to acquire information about how a device would handle your personal data at the point of purchase. If a device does offer information on how personal data is processed, that information is only provided at a later point, often when installing the app on your phone. Furthermore, accessing privacy information often entails a considerable search effort by the user.

Information security. All the devices provided the users with the opportunity to share test results by e-mail. One of the devices enabled users to share results directly on Twitter and Facebook through the app. Several of the devices were designed so that the user could easily share results with health care professionals through e-mail. Sending sensitive personal data (including health related information) by e-mail to healthcare institutions is not permitted by Norwegian data protection law and is therefore problematic.

The Norwegian study is part of a GPEN (Global Privacy Enforcement Network) collaboration project in which 25 data protection regulators around the world looked at 314 devices that could be categorised as Internet of Things (IoT) devices. The project looked at devices such as smart electricity meters, Internet-connected thermostats and watches that monitor health, considering how well companies communicate privacy matters to their customers.

To sum up, the results for the different IoT devices in the international project showed that:

• 59 per cent of devices failed to adequately explain to customers how their personal data was collected, used and disclosed;
• 68 per cent failed to properly explain how personal data was stored;
• 72 per cent failed to explain how customers could delete their data from the device, and
• 38 per cent failed to include easily identifiable contact details if customers had privacy concerns.

More about the Norwegian study and download the full report (in Norwegian).