Abstract
The Informed Consent of a data subject (e.g., citizen) is often necessary to allow the legitimate processing of personal data by a third party application. The current implementation of Informed Consent based on End User License Agreements (EULA) has many limitations, which are likely to become more critical in future IoT applications, where the collection of personal data can happen in various ways and is not evident to the user. There is the need to define more sophisticated models of Informed Consent for IoT, which address the specific features of IoT, improve on the EULA approach, and protect the flow of personal data from the IoT sensors. In this paper, we propose an agent-based design for Informed Consent in IoT, where access to personal data is regulated through usage control policies, which can be tailored for the specific features of the user and the context. Policies are associated to users, service providers, and smart spaces containing IoT devices in a privacy-friendly way using pseudonyms. The main design concepts are described and applied to a smart city scenario, to evaluate the feasibility of the framework and the related deployment aspects.