
ISO 31700-01

The International Organization for Standardization (ISO) 31700-01 focuses on consumer protection and provides high-level guidance and requirements for the implementation of privacy by design elements throughout the entire lifecycle of consumer products.

Who should use ISO 31700-01?

This voluntary international standard is directed to any organizations and third parties responsible for the concept, design, manufacturing, management, testing, operation, service, maintenance and disposal of consumer goods and services.

Key obligations of ISO 31700-01

Disposal and retention of consumer products

Consumer products shall retain only the PII that is necessary to meet organizational needs. Organizations should develop procedures for the responsible destruction of PII when the product reaches the end of its lifecycle (e.g. via deletion or anonymization), destroy the PII when it is not required to meet a business or legal requirement, and/or enable consumers to delete their PII stored on the product themselves.

Development of privacy controls within consumer products

Organizations should integrate privacy controls for the consumer product into the product’s development and management lifecycle in order to establish product privacy goals. Third parties may be engaged to aid in the development and integration of privacy controls, but third-party relationship management policies must be established and their participation must be monitored for compliance. When developing privacy controls, consider the privacy needs and expectations of consumers throughout the development process, and inform consumers how they can operate such controls.

Privacy risk assessments

Organizations should perform privacy risk assessments prior to the release of a consumer product, and on any third parties who intend to transfer personally identifiable information (PII) during the consumer product lifecycle.


Organizations should provide consumers with transparency information regarding the product, including, but not limited to: the availability and configuration options of privacy controls within the product, and the product’s end-of-life withdrawal information (e.g. the entity will continue to retain and process PII).



Achieve compliance


  • Are there access rights and/or other data subject rights that I must comply with?

    No. ISO 31700-01 does not establish requirements for entities to comply with data subject rights. Depending on the jurisdiction where processing occurs, it is advisable to comply with relevant data protection laws in the event a consumer requests to have access to PII about them held by an entity and/or within a product.

  • What are some technical security measures I must apply when developing consumer products?

    ISO 31700-01 does not provide granular security requirements. However, entities are advised to create and maintain documented evidence demonstrating that the design and operation of product privacy controls are effective. Documented information may include: privacy risk assessment results, PII flow maps, functional and non-functional privacy requirements of consumer products, test results of products, and product privacy policies.

  • What does privacy by design mean?

    Privacy by design is a design methodology wherein elements of privacy are considered and incorporated into the initial design stage and throughout the entire product lifecycle and within processes or services that involve processing of PII.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.
