


Internet of Things laws in Canada, the U.S., U.K. and EU


This article provides highlights of BLG’s Emerging Technologies Webinar Series focusing on IoT

Connected devices are having a boom in health care, life sciences, transportation, infrastructure, manufacturing, finance, agriculture and other industries.

As part of BLG’s Emerging Technologies Series, BLG Partner Edona Vila was joined by two product liability and product safety lawyers, Rachel Raphael, partner at Crowell & Moring, and Katie Chandler, partner at Taylor Wessing, to discuss the current state of Internet of Things (IoT) law across jurisdictions in the U.S., U.K., EU and Canada, with a focus on compliance issues, compliance challenges and best practices for businesses deploying IoT solutions across borders.

Below is a summary of how existing laws in various jurisdictions can be applied to IoT-related issues in Canada, the U.S. and Europe. To get full details on compliance issues and challenges, check out the full 30-minute webinar recording or skim the transcript*. For any questions, feel free to reach out directly to Edona Vila.

Current IoT laws across jurisdictions

As IoT devices continue to have an increased presence across many industries, governments need to review existing laws and explore whether new laws should be developed around certain issues, including the IoT.

The U.S.

In the U.S., there are not many policies at the federal or state level that focus on the regulation of IoT devices more generally; however, some states have adopted IoT-specific security laws. One of the first adopters was California. California’s IoT law was enacted at the beginning of 2020 and imposed a security requirement on manufacturers of connected devices: those devices must be equipped with certain security features, all tailored to the nature and function of the device and the information it collects.

There are also several industry standards in the U.S. that provide guidance, including ASTM (formerly known as the American Society for Testing and Materials) – the standard guide for ensuring the safety of connected consumer products – which provides guidelines for things like remote updates or software and firmware, configuration risk and certain cybersecurity controls. In addition, Underwriters’ Laboratories has an IoT security rating, which is an evaluation process that rates certain smart products on common attack methodology with various levels of security ratings.

Despite the relative lack of regulation, there are some industry actors and states that set the tone when it comes to the standard of care.

U.K. and EU

Although regulation or legislation around IoT still largely derives from EU laws, there have been some changes post-Brexit that will separate the U.K. regime from the EU regime. Many of the safe processing activities involved in IoT will fall within the scope of the General Data Protection Regulation (GDPR) – the EU’s data protection law. Since IoT devices can process personal data, IoT providers must ensure that they comply with the requirements of the GDPR.

Cybersecurity is another key feature. There is a whole raft of legislation commenced in the EU and U.K. to try and regulate the cybersecurity risks in relation to IoT products outside the European Cybersecurity Act, including the NIS2 Directive, which sets out particular cybersecurity standards and obligations on instant reporting and other particular obligations on digital service providers, and the Cyber Resilience Act, which is on the horizon and aiming to focus security on hardware and software, particularly the software with digital elements.

On the product safety side, there has been a very recent development: the introduction of the new proposed General Product Safety Directive – a piece of European legislation that was recently approved. This is a re-work of the General Product Safety Regulations, which are currently in force, to bring them up to date with the digital age and advancements in technology and to cover those products where a physical product meets a software and connected element.


Canada

Canada does not currently have IoT-specific legislation and generally follows a piecemeal approach to regulating IoT solutions.

Canada has AI-specific legislative developments that are expected to cause amendments to our consumer product legislative framework when they come into force. It will be interesting to see how we move in our jurisdiction, but certainly our AI regulatory framework is anticipated to impact those IoT solutions that are AI empowered and have those AI features.

*Recording and transcript are available in English only.
