There's more data flowing to third parties from internet of things (IoT) devices in the U.S. compared to devices used in the U.K., according to a new report. But the days of the U.S. being a data sharing "open season" may be numbered. 

The "Information Exposure From Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach" report conducted by Northeastern University and Imperial College London found that U.S. IoT devices contacted more third parties than their U.K. counterparts, possibly because they aren't held to the European Union's strict data privacy regulations. The two universities studied the data flows and encryption of 46 smart devices purchased and used in the U.S. and 35 IoT devices purchased and used in the U.K.

London-based Freshfields Bruckhaus Deringer partner and data practice leader Giles Pratt noted that smart home devices used in the study could collect personal data that would fall under the General Data Protection Regulation (GDPR)'s scope, and as such should have data collection and protection controls in place when collecting EU citizens' data.

"[Companies] will probably pause and engage in designing their devices with privacy in mind, and by default you should be able to calibrate your device in respect to privacy and default opt-out," he said of the GDPR.

To be sure, the U.S. doesn't have a federal privacy law similar to the GDPR, though New York-based Freshfields Bruckhaus partner Tim Harkness noted the legal landscape in the U.S. is complex, with state laws like the California Consumer Privacy Act (CCPA) and federal regulations on health care, finance and underage children's data.

Still, even without a federal data privacy law governing all U.S. citizens' data, some companies are taking the initiative and adjusting their data privacy management to fit international regulators' and consumers' expectations.

Harkness noted that while some companies haven't made data privacy their top concern, others have used the GDPR as a benchmark for devices not even intended for release in the EU.

"They are now looking at their approach to personal data with an international viewpoint of if they should be GDPR compliant even though their product may not be released initially in the EU," he said.

Companies are taking that approach not only to match regulatory requirements, but also to answer ethical questions consumers may have about a device's snooping abilities. Pratt noted some IoT device makers are manufacturing devices that include default opt-out for data sharing and other measures to earn consumers' trust.

What's more, "big national companies are thinking about what's beyond regulations like the GDPR to make sure their products are safe," Harkness added. 

What comes after the GDPR may in fact originate from the U.S. "I would have thought the days of people thinking the U.S. was open season for data have started to disappear, particularly with the new laws coming down the pike," Pratt said, citing the upcoming CCPA.

While new regulations may hinder what IoT devices can do, some do not believe this will translate into stunting innovation. As companies adjust to the new "modern age" where regulators are focusing on data privacy, Harkness doesn't think companies' innovations are hampered by the data they can't collect.

"I think more is not necessarily better," he explained. "It's really about who can use the data that enhances the consumer experience because those sophisticated with the data or are sophisticated about what the rules are, know what they need to collect."