General Data Protection Regulation
If the device is intended for users in the EU, the following is required by the GDPR:
All user-identifiable data must be encrypted at rest and in transit
Consent must be freely given, specific, informed, and revocable
Right to access, right to be forgotten, and data portability must be honored via API
All telemetry is opt-in by default; logs and identifiers must auto-expire after 30 days
Breach notifications must be issued to users within 72 hours of the compromise
California Consumer Privacy Act
If the device is intended for users in California, the following is required by the CCPA:
Users can opt out of the sale or sharing of their data with third parties
Users must be informed of what personal information is being collected and who has access to it
Users can request the deletion of their personal data
Platform must respond to requests within 45 days
No retaliation is allowed for exercising these rights
HIPAA-lite
If the device is intended for wellness monitoring or therapy, the following is recommended:
Enforce TLS 1.3 and zero plaintext logging of Protected Health Information (PHI)
Encrypt all PHI exchanged between the client application and the server
Store only anonymized telemetry with strict access controls
Regularly check the device and associated systems for vulnerabilities
Isolate IoT devices on the network to limit the potential damage from a security breach
Vendor Compliance Responsibilities
Require a minimum age gate per regional standards
Data processing agreements are required for all vendors handling PII, in compliance with the GDPR and CCPA
Each integrated vendor must publish its own compliance status for each product
Vendors are encouraged to sandbox APIs to prevent unauthorized data flows