Category Archives: Home Automation

Nest Privacy Policy: 7 Best Practices

The Nest privacy policy is one of the best IoT Security Lab has seen.  It is easy-to-find, easy-to-read, and quickly gives consumers the confidence they need to buy Nest’s products.

Whether you are a IoT smart device consumer or manufacturer, please read on to learn more about seven privacy policy best practices Nest uses to comfort and protect its buyers.

1. Privacy Policy is Easy to Find

First, if your consumers are interested in privacy (and research shows they are), make it easy for them to find information about it on your web site.  Nest does this by putting a link to their privacy policy on EVERY page.

NestPrivacyPolicy

2. Privacy Summary Written for Humans

When you click “privacy,” Nest doesn’t just take consumers to a jargon-laden privacy policy written by attorneys.  Instead, they show you a picture of a woman in her home with her child, and equate the sharing of data with “deciding who we invite in.”

NestPrivacyPolicy2

3. Note That Privacy Depends on Security

It is impossible to have privacy without security.   Security prevents malicious people from breaking through the access controls – whether curtains, doors, digital permissions or encryption –  that provide other people’s privacy.

Nest reminds people of this connection using more everyday language like “same…tools that banks use” and “double-bolt the doors.”  They also reinforce the human connection with another picture of a woman, her husband, and their young family.

NestPrivacyPolicy5

4. Buyer Controls Sharing and Retention

Two of the critical concepts in IoT privacy are who can see your data (sharing) and how long can they use it (retention).  Nest tackles both issues in their human-readable policy.

  • Sharing: “We only share personal info when you ask us to connect a Nest product to another device in your home. We also let you know what we’re sharing and why. And you can stop sharing your information at any time.”
  • Retention: “We have a Delete My Account feature that removes your personal information from our servers.”

5. Separate Web and Device Privacy  Polices

One of the most common mistakes companies make while rushing to market is to reuse their web privacy policy as their device privacy policy.   Since web privacy policies are often written to allow advertisers to seek as much information from consumers as possible, carrying these policies forward into devices can cause embarrassing leaks or even invite legal action.

To draw a clean line between the two types of policies, Nest lists them separately (web vs. device) and clearly states that it only talking about devices and device data when it leads off its device privacy policy.

NestPrivacyPolicy4

6. Data Is Made Anonymous Before Publication

“Big data” got a scare in 2014 when a researcher used a complete set of obfuscated taxi route data to figure out the personal travel habits of an entire city.  With that in mind, data providers have been been more careful to only release data that hides the individual identity and behaviors of individual consumers.

While we cannot say for sure that Nest has thoroughly scrubbed and boiled its data, its privacy policy certainly says the right things about “aggregating” and “anonymizing” data shared publicly and with Nest’s partners.

NestPrivacyPolicy6

7. A Real Privacy Contact

Finally, Nest provides a catch-all contact, in this case an email address, in case their buyers have any questions.

NestPrivacyPolicy3

How Are Others Doing?

Like Nest, we would also love to hear suggestions about how well other IoT companies are doing with privacy, or which other companies you would like us to evaluate.  To contact us about either topic, please send email to “meetus@iotsecuritylab.com