ARTICLE
26 March 2026

IoT And Wearables: Managing Risk In A Connected Future

ENS, Contributor

ENS is an independent law firm with over 200 years of experience. The firm has over 600 practitioners in 14 offices on the continent, in Ghana, Mauritius, Namibia, Rwanda, South Africa, Tanzania and Uganda.

A world filled with connected devices

Connected technology has quietly become embedded in the everyday lives of individuals and organisations. From smartwatches and fitness bands that can track heart rates and monitor sleep patterns, to robotic vacuum cleaners that map homes, smart speakers that respond to voice commands and vehicles equipped with intelligent systems, these devices form part of the broader ecosystem known as the Internet of Things ("IoT").

IoT refers to physical objects embedded with sensors, software and connectivity that enable them to communicate over networks without human intervention. Put simply, IoT is the connection of physical devices to the internet for the purposes of collecting, exchanging and acting on data, at scale and in real time. Wearable technologies represent a subset of this ecosystem and include devices such as smartwatches, fitness trackers and other body-worn devices that continuously monitor user activity and health metrics.

The appeal of these technologies lies in the convenience and insights they offer. Wearables allow users to monitor their health and fitness in real time, whilst connected home devices automate everyday tasks. However, the same technologies that offer convenience also introduce complex legal and cybersecurity risks.

When smart devices become vulnerable

A recurring concern surrounding IoT devices is cybersecurity. Many connected devices are designed to be affordable and user-friendly, but security protections are not always prioritised during development.

Recent incidents illustrate this vulnerability starkly. In early 2026, an AI software engineer attempting to connect his DJI Romo robot vacuum to a PlayStation controller discovered a severe backend authentication flaw that allowed him to access 7,000 devices across 24 countries. The vulnerability exposed live camera feeds, microphone audio, detailed floor maps and location data for thousands of users worldwide. The engineer was able to demonstrate the flaw by using a journalist's vacuum serial number to view their living room in real time from another country.

This incident followed similar security breaches in 2024, when hackers commandeered Ecovacs Deebot X2 robot vacuums across multiple US cities, remotely controlling the devices to chase pets and broadcast racial slurs through their speakers. Security researchers had warned Ecovacs months earlier about vulnerabilities that allowed attackers to bypass PIN protection and access video feeds remotely.

These incidents highlight a critical point: once a device connected to a network is compromised, it may provide attackers with an entry point into other connected systems, especially where network security protocols are weak or not properly isolated.
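The serial-number lookup described above lends itself to a short illustration. The following is an added example, not code from the article or from any vendor; it assumes a hypothetical backend in which a device registry maps serial numbers to owning accounts, and shows a lookup that trusts a serial alone, the same lookup with an ownership check, and a log check that flags an account touching more device serials than it owns.

```python
# Added example (not from the article): object-level authorization on a
# device backend and a simple enumeration detector. All registry entries
# and log lines below are constructed for illustration.
from collections import defaultdict
from typing import Optional

# Constructed device registry: serial number -> owning account
DEVICE_OWNERS = {
    "SN-0001": "alice",
    "SN-0002": "bob",
    "SN-0003": "carol",
}


def feed_lookup_vulnerable(serial: str) -> Optional[str]:
    """Returns a stream handle for any registered serial.

    Any authenticated caller who knows or enumerates serials can reach every
    device, because the caller's identity is never compared with the owner.
    """
    return f"stream://{serial}" if serial in DEVICE_OWNERS else None


def feed_lookup_hardened(account: str, serial: str) -> Optional[str]:
    """Returns the stream only when the caller owns the serial.

    Unknown and foreign serials get the same response, so the endpoint does
    not confirm which serials exist.
    """
    owner = DEVICE_OWNERS.get(serial)
    if owner is None or owner != account:
        return None
    return f"stream://{serial}"


def flag_enumerating_accounts(log_lines, threshold: int = 3):
    """Flags accounts that touch at least `threshold` distinct serials.

    Constructed log format: '<ts> account=<name> serial=<serial> result=<r>'.
    A legitimate owner touches a handful of serials; an account sweeping
    thousands stands out regardless of whether each request was denied.
    """
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        seen[fields["account"]].add(fields["serial"])
    return sorted(acct for acct, serials in seen.items() if len(serials) >= threshold)


# Constructed access log: one normal owner per device plus one sweeping account
SAMPLE_LOG = [
    "2026-01-10T09:00:01Z account=alice serial=SN-0001 result=allow",
    "2026-01-10T09:00:05Z account=mallory serial=SN-0001 result=deny",
    "2026-01-10T09:00:06Z account=mallory serial=SN-0002 result=deny",
    "2026-01-10T09:00:07Z account=mallory serial=SN-0003 result=deny",
    "2026-01-10T09:01:00Z account=bob serial=SN-0002 result=allow",
]
```

Run against the sample log, the detector reports only the sweeping account, while the hardened lookup denies every cross-account request the vulnerable lookup would have served.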

Wearables and the rise of data collection

Wearable devices have become one of the fastest-growing segments within the IoT ecosystem. Smartwatches, smart rings and fitness trackers routinely collect and analyse data relating to physical activity, heart rate, sleep cycles, location and other personal metrics.

These devices often transmit information to mobile applications and cloud-based platforms where the data is processed to generate insights for users. This functionality offers clear benefits but raises important privacy considerations. The information collected by wearable devices can reveal highly personal details about an individual's lifestyle, health status and behavioural patterns.

The privacy implications become more significant when wearable devices are connected to other devices within your household, such as a smart treadmill, health monitors, home hubs and security cameras. Together they form an interconnected suite of data collection points. In many cases, data collected from such devices can be shared with third-party service providers responsible for analytics, application functionality, integration services or data storage, further expanding the potential exposure surface.

Data protection obligations

In South Africa, the processing of personal information is regulated by the Protection of Personal Information Act, 2013 ("POPIA").

POPIA requires responsible parties to implement appropriate technical and organisational measures to secure personal information against loss, damage or unauthorised access. This obligation is particularly relevant in the context of IoT devices, which may process significant volumes of personal information continuously and often without direct user oversight.

Wearable devices may also process biometric or health-related information. Under POPIA, such information falls within the category of "special personal information" and is subject to much stricter processing requirements. The processing of special personal information is generally prohibited unless specific authorisation conditions are met, such as obtaining explicit consent from the data subject or demonstrating that processing is necessary for medical purposes with appropriate safeguards.

Organisations involved in the development, operation or integration of wearable technologies must therefore ensure that adequate safeguards are in place to protect the personal information of users and that the obligations imposed by POPIA are complied with.

Who controls the data?

A critical issue that often receives insufficient attention concerns the ownership and control of data generated by IoT devices.

Consumers frequently assume that data generated by devices they purchase belongs to them. However, device manufacturers and service providers frequently retain extensive rights over such data through terms of service agreements or terms and conditions. These agreements may permit companies to aggregate, analyse or utilise user data for product development, analytics or other commercial purposes.

Such practices are not inherently unlawful, provided that manufacturers and service providers obtain the necessary consents and comply with POPIA's transparency and processing limitation requirements. Nevertheless, as connected devices become more integrated into sectors such as healthcare, fitness and wellness and workplaces, questions relating to transparency, meaningful consent and user control over personal information will become increasingly significant and increasingly scrutinised by regulators.

A connected future with growing legal questions

Beyond POPIA, IoT and wearable devices may trigger compliance obligations under additional regulatory frameworks.

ICASA requirements: Connected devices that use radio frequency spectrum or telecommunications networks may require type approval or licensing from the Independent Communications Authority of South Africa ("ICASA") under the Electronic Communications Act, 2005. Manufacturers and importers must ensure that devices comply with applicable technical standards before they are placed on the South African market.

SAHPRA registration: Certain wearable devices, particularly those marketed with health monitoring or diagnostic capabilities, may be classified as medical devices under the Medicines and Related Substances Act, 1965, and require registration with the South African Health Products Regulatory Authority ("SAHPRA"). The classification depends on the device's intended purpose and the claims made regarding its functionality.

Consumer protection: The Consumer Protection Act, 2008, imposes obligations regarding product safety, quality and the provision of adequate warnings and instructions. Organisations must ensure that connected devices do not pose unreasonable risks to consumers and that users are

Organisations developing, deploying or integrating IoT and wearable technologies should consider the following:

  1. Conduct privacy impact assessments to identify and mitigate data protection risks before deploying new connected technologies.
  2. Implement security by design, ensuring that cybersecurity measures are built into products and systems from the outset rather than added as an afterthought.
  3. Review third-party arrangements to ensure that operators and service providers are contractually bound to maintain equivalent data protection standards.
  4. Monitor regulatory developments, as the legal landscape governing IoT and connected devices continues to evolve both domestically and internationally.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
