On May 1, 2019, the UK’s Department for Digital, Culture, Media and Sport (“DCMS”) launched a public consultation (“Consultation”) regarding plans to pursue new laws aimed at securing internet connected devices. The Consultation follows the UK’s publication of its final Code of Practice for Consumer IoT Security (“Code of Practice”) last October (the subject of another Covington blog available here) and is targeted at device manufacturers, IoT service providers, mobile application developers, retailers and those with a direct or indirect interest in the field of consumer IoT security.

Despite a stated preference for industry self-regulation to address IoT cybersecurity, DCMS noted “significant shortcomings in many products on the market.” As a result, DCMS seeks to ensure security by design through new laws, primarily through mandating the top three security requirements outlined in the Code of Practice: (i) that devices’ passwords are unique and are not resettable to any universal factory setting; (ii) the implementation of a vulnerability disclosure policy; and (iii) explicit statements regarding the minimum length of time (month and year) for which the device will receive security updates.

To this end, three key proposals are considered in the Consultation:

  • Option A: Mandate retailers to only sell consumer IoT products that have an IoT security label, with manufacturers to self-declare and implement a security label on their consumer IoT products.
  • Option B: Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines of the Code of Practice, with the burden on manufacturers to self-declare that their consumer IoT products adhere to guidelines as well as certain technical specifications.
  • Option C: Mandate that retailers only sell consumer IoT products with a label that proves compliance with all 13 guidelines of the Code of Practice, with manufacturers expected to self-declare and to ensure that a label is on the appropriate packaging.

Option A: The “Preferred Option”

Option A has been identified by DCMS as the “preferred option.” Consistent with this preference, DCMS has noted that it will implement voluntary labeling for IoT later this year. The voluntary labeling scheme will remain in effect until Parliament implements governing regulations.

As part of the current consultation period, DCMS is also welcoming feedback on its proposed labeling design, which was developed in conjunction with a working group and feedback from a consumer survey. The draft designs are featured below:

To acquire a “positive label,” device manufacturers would have to self-certify that they comply with the top three guidelines in the Code of Practice.

Options B and C

Option B is in line with DCMS’s stated ambition to require mandatory adherence to the top three guidelines of the Code of Practice in the UK. As portions of the top three guidelines run through Option A, it would not be surprising if the end result of the Consultation was support for legislation invoking some hybrid of Option A and B.

Option C is the most rigorous of the options, and its requirements may be considered overly burdensome for certain devices and for the industry that would be required to comply. Accordingly, it seems least likely to gain support, at least at this stage.

What’s Next?

The consultation period is open until 11:59 pm on June 5, 2019, with DCMS hoping to receive feedback from a range of stakeholders, as it evaluates which measures to pursue legislatively. Comments can be sent by email to securebydesign@culture.gov.uk or mailed to Department for Digital, Culture, Media and Sport, 4th Floor, 100 Parliament Street, London, SW1A 2BQ.

Following the consultation period, the government will decide which option(s) to pursue as legislation. DCMS aims to produce both primary and secondary legislation: primary legislation to authorize the Secretary of State for DCMS “to set requirements for a mandated labelling scheme and/or to set security requirements for devices on sale in the UK”; and secondary legislation to provide for specific device requirements. DCMS also intends to publish a “final impact assessment” with the ultimate decision after the close of the consultation period. Should you wish to discuss a consultation response, please get in touch with:

Mark Young +44 20 7067 2101 myoung@cov.com

The team at Covington will continue to monitor for updates related to this IoT Consultation and will post on future developments.


Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.