TUYA Strategic Priorities Assessment
Findings Report: Gap Assessment – Personal Information Protection and Electronic Documents Act (PIPEDA) & Quebec Law 25
Executive Summary
TUYA Smart (TUYA or "the company") is a private sector company whose business centres on a cloud platform-as-a-service (PaaS) infrastructure together with a range of software and hardware products. TUYA collects, uses, discloses, stores, and disposes of personal information as part of its ongoing business operations. Those operations include processing personal data within Canada, including within the province of Quebec, and TUYA therefore seeks assurance that its management of personal data meets the requirements of the relevant legislation.
Canadian private sector companies are subject to the provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), which is overseen by the Office of the Privacy Commissioner of Canada. PIPEDA's 10 Fair Information Principles form the "ground rules" for how companies must collect, use, and disclose personal information, and give the individuals to whom that information belongs rights of access, correction, and redress. In addition, in September 2021 the province of Quebec passed Law 25, which applies to the private sector and modernizes Quebec's regime by introducing new requirements similar to those seen worldwide in laws such as the EU General Data Protection Regulation (GDPR).
To better understand the privacy risks bearing on TUYA's compliance with PIPEDA and Quebec Law 25, and to chart a course for mitigating or managing those risks as needed, TUYA has engaged TrustArc to assess its current risk profile, identify any gaps, and map a strategy for bringing the organization to its preferred privacy posture. This report and its supporting materials constitute the primary TrustArc deliverable to TUYA.
TUYA's compliance with PIPEDA's Fair Information Principles and Quebec Law 25 was assessed in November 2024 using surveys, document review, and follow-on questioning of subject matter experts. This high-level assessment is designed to identify gaps in TUYA's privacy program and to offer corresponding remedial steps that improve compliance with PIPEDA and Law 25.
Canadian laws require organizations that collect, use, disclose, retain, and dispose of personal information to adopt a sound and comprehensive privacy program. This program should include points of accountability and escalation, training, and documentation to assist employees and demonstrate the importance TUYA places on the safeguarding of all personal information in its custody.
A strong privacy program features a sense of collective accountability: a "culture of privacy" across all levels of the organization, supported by policies, procedures, and training that leave no doubt as to employees' responsibilities for safeguarding privacy rights.
Findings Overview
The responses from TUYA indicate an overwhelmingly compliant position, with the small number of respondents giving positive responses to every question. There has been activity since 2022, with documents being updated throughout 2023. The organization has engaged positively and has endeavoured to produce whatever evidence of implementation and documentation has been requested.
The Consultant sought evidence that these documented controls were in place and operating effectively, but this was difficult given the remote nature of the methodology and the narrow view of the organization obtained through the single respondent assigned. In decades of experience with many large global multinational organizations, a "perfect score" has never before been encountered, because Data Protection law is risk-based and some residual non-conformity is always found on closer inspection.
Culturally, it is understandable that an organization may wish to present a completely perfect response, but this can come at the cost of taking a more realistic view and securing long-term benefit. Whilst the desire for perfection is commendable, and the Company could provide some evidence of implementation, TrustArc encouraged the Company to expose the Consultant to lower-level evidence of implementation. This identified some improvement opportunities for the organization in terms of gaining assurance that areas of its privacy program are incorporated systematically, consistently, and programmatically, such as Privacy Notices, Privacy by Design, DPIAs, International Transfers, and Third Party Management. The results of these activities then require review to drive further product and service enhancements and ongoing compliance monitoring.
Whilst there are policies and documentation in place, the question of their implementation within a wider Data Protection program remains. To strengthen the Company's alignment with PIPEDA's Fair Information Principles and the new Quebec law, TrustArc recommends that TUYA also carry out a lower-level implementation review, in addition to this report, to assess whether the documented privacy program framework supplied is in fact effectively in place for each of its products and services, as part of a coordinated company-wide program.
Whilst there are no new findings, TrustArc reiterates the findings from the previous report for review and highlights the areas in which progress has been made. Compliance efforts have been reviewed and progress made, but some areas of improvement remain to be pursued. The recommendations are restated below for convenience.
By taking the recommended steps to uncover elements of non-conformity and non-compliance within the organization, TrustArc believes TUYA could better engender a culture of privacy throughout the organization and enhance the product and service offerings to its customers.
Updated Recommendations Summary
- REC 1: Implement ongoing privacy governance and oversight at the executive level. UPDATE: Evidence provided of a security compliance committee that includes data protection issues being discussed at a senior level and actioned accordingly. Timeframe: CLOSED
- REC 2: Revise the Data Protection Policy to cover the whole business program. Timeframe: <3 months
- REC 3: Further simplify and develop more user-friendly outward-facing Privacy Notices. Timeframe: 6 months
- REC 4: Update and maintain the inventory of all personal information collected and used by the company. Timeframe: 6 months
- REC 5: Formalize Vendor Management data protection requirements. UPDATE: Evidence provided of Data Security Assessments and contractual Data Processing Addenda. Whilst some Data Protection content is included, further questions could be developed and added. Timeframe: 12 months
- REC 6: Formalize a full DPIA process with evidence of implementation. UPDATE: Evidence provided on DPIA completion as part of the development process, that results in controls being implemented to prevent harm to individuals. Timeframe: CLOSED
- REC 7: Implement as part of the Data Inventory/Mapping an understanding of international transfers and appropriate transfer mechanisms. UPDATE: Evidence provided of international transfers identified and justified. Timeframe: CLOSED
- REC 8: Implement a corporate record management program that ensures the secure storage and eventual destruction of personal information collected by the company. UPDATE: Evidence provided of retention and disposal program. Timeframe: CLOSED
- REC 9: Extend the wider Privacy program to all processes (e.g., Human Resources, Sales, Customer Service, Payroll Services, etc.) that collect and use personal information. UPDATE: Evidence provided of HR, sales, and customer services data protection audit records, etc. Timeframe: CLOSED
- REC 10: Establish processes for handling requests concerning the personal information of deceased individuals. Timeframe: 12 months
- REC 11: Implement age verification services. Timeframe: 12 months
- REC 12: Report on the status of Rights Requests as part of a coordinated wider program. Timeframe: 12 months
For further information and detail on the recommendations, please see the full report pages 29-32.
After TUYA has reviewed this Report, TrustArc encourages questions, feedback, corrections, and supplementation prior to finalization. If TUYA chooses to implement the recommendations made in this Report, TrustArc would be pleased to work with the Company to review those changes and is available for additional engagements as TUYA implements the recommendations.
Appendix: About TrustArc
Founded in 1997, TrustArc has a history and depth of experience in data privacy management that is unmatched by any other company on the market. TrustArc delivers a comprehensive suite of Data Privacy Management Services, leveraging the TrustArc Data Privacy Management Platform.
TrustArc has extensive European regulatory experience, having built strong relationships working with regulators and privacy organizations worldwide since its founding in 1997 as TRUSTe. TrustArc maintains an ongoing dialogue with regulators globally to promote the recognition of accountable data compliance and transfer mechanisms. In the EU, TrustArc regularly participated in Article 29 Working Party meetings that led to the development of GDPR language. TrustArc has also worked with APEC economies on global interoperability and with key stakeholders seeking approval of their BCRs, and plays a leading role in the Centre for Information Policy Leadership's (CIPL) working group on GDPR implementation.
TrustArc has also worked with CIPL members on the US-EU Privacy Bridges Project (https://privacybridges.mit.edu/). TrustArc regularly engages with regulators in the Asia-Pacific region on cross-border interoperability with European regulators through various forums, including as a delegate to biannual APEC conferences.
On the ads compliance front, TrustArc works closely with self-regulatory agencies such as the European Interactive Digital Advertising Alliance (EDAA) in the development of the EU Self-Regulatory Programme for OBA. TrustArc is on the Advisory Board of the IORMA Global Consumer Commerce Center with close links to UK Trade and Industry.
TrustArc opened its first European Headquarters in London in 2012 and has since built an extensive network of privacy technology and consulting clients, law firm partners, and continues to host and/or participate in major data protection events across Europe.
TrustArc clients are part of a loyal network of thousands of companies worldwide that benefit from association with respected brands. Clients choose to associate with the TRUSTe brand and Certified Privacy seal programs, recognized by consumers worldwide and displayed on millions of web pages, ads, and apps monthly. TrustArc, through its TRUSTe brand, provides certified companies access to a leading privacy assurance program as a demonstration of their commitment to privacy.
The TrustArc Data Privacy Management (DPM) Platform, built by veterans from leading privacy, security, and ad tech companies, is used in-house to support thousands of clients. This one-of-a-kind SaaS-based platform delivers innovative technology capabilities for all phases of DPM, from conducting assessments to implementing compliance controls and managing ongoing assurance surrounding privacy.
TrustArc is recognized for its deep bench of privacy expertise, with significant experience leading global privacy assessments for large enterprises. TrustArc employs more individuals holding the CIPP, CIPM, and FIP designations than any other organization globally. Many of its privacy professionals hold law degrees and have experience as privacy practitioners at the highest levels in major corporations, serving as privacy leaders and consultants to companies such as IBM, Citrix, Yahoo, Merck, Intel, Intuit, Microsoft, Kellogg's, American Express, Pfizer, Kimberly-Clark, HSBC Bank, Hertz, Comcast, and Adobe Systems, as well as government agencies.