Niklas Paul1, Welderufael B. Tesfay1, Dennis-Kenji Kipker2, Mattea Stelter2 and Sebastian Pape1
1 Goethe-University, Frankfurt, Germany
2 University of Bremen, Bremen, Germany
Abstract. This paper provides an assessment framework for privacy
policies of Internet of Things services which is based on particular GDPR
requirements. The objective of the framework is to serve as a supportive
tool for users to make informed privacy-related decisions. For example,
when buying a new fitness tracker, users could compare different models with
respect to privacy friendliness or more particular aspects of the framework,
such as whether data is given to a third party. The framework consists of 16
parameters with one to four yes-or-no questions each and allows
users to bring in their own weights for the different parameters. We
assessed 110 devices which had 94 different policies. Furthermore, we did
a legal assessment for the parameters to deal with the case that there
is no statement at all regarding a certain parameter. The results of this
comparative study show that most of the examined privacy policies of IoT
devices/services are insufficient to address particular GDPR requirements
and beyond. We also found a correlation between the length of the policy
and its privacy transparency score.
Keywords: Internet of Things, Privacy Policies, General Data Protection Regulation, GDPR, ePrivacy Regulation, ePR
This paper was published in the IFIP SEC 2018 conference proceedings by Springer Verlag.