Pitfall 1: Treating Local-Network Data as Outside Scope
The mistake: Founders often assume that because Matter keeps device states local by default, privacy laws don't apply until data leaves the home. This is incorrect. GDPR Article 4(1) defines personal data as information relating to an identified or identifiable natural person—device on/off logs and temperature readings over time are personal data *even if stored locally*. Regulators (including the EDPB) have clarified that local processing does not exempt you from transparency and lawful-basis requirements.
Why it happens with Matter: Matter's marketing emphasizes "local-first" and "privacy-preserving" architecture, leading operators to assume compliance is optional. But if *you* control or access the Matter hub/gateway, you are processing personal data and must comply with GDPR Article 13 and CCPA disclosures.
Consequence: Failure to issue a privacy notice for local data collection violates GDPR Article 13 (fines of up to €20M or 4% of revenue) and CCPA Section 1798.100 (statutory damages of $100–$750 per consumer per incident).
Pitfall 2: Ambiguous Lawful Basis for Occupancy Inference
The mistake: Matter home topologies and automation logs allow inference of occupancy patterns (e.g., "lock armed at 9 PM, lights off" = away). Operators frequently rely on vague "legitimate interest" claims without documenting a balancing test. Under GDPR Article 6(1)(f) and EDPB Guidelines 06/2014, legitimate interest requires: (a) purpose, (b) necessity, (c) balancing against user rights. Occupancy inference is high-risk personal data (GDPR Article 35, recital 75) and requires explicit consent or a documented balancing test.
Why it happens: Occupancy is not explicitly called out in most privacy policies; it emerges as a byproduct of automation data. Teams don't realize the inference layer creates a separate lawful-basis requirement.
Consequence: The EDPB or a national DPA (e.g., CNIL, ICO) issues a decision that occupancy processing lacks a lawful basis, triggering enforcement action and a mandatory consent retrofit.
Pitfall 3: Missing Data Processing Agreement (DPA) for Cloud Sync
The mistake: If your Matter implementation syncs to a cloud backend (even self-hosted), and users can access that data via your app, you are a joint controller with the cloud provider (or the provider is a processor). GDPR Article 28 requires a written DPA specifying processor obligations (confidentiality, security, subprocessor approval). Many teams skip this because they assume self-hosting = no third-party processor needed. However, if you integrate a Matter hub that syncs to *any* external storage (AWS, Azure, or a vendor's cloud), you have a processor relationship.
Why it happens with Matter: Matter ecosystem documentation doesn't mandate a formal DPA template; cloud sync is optional and easy to enable without governance review.
Consequence: A national data protection authority finds that the data processing agreement is missing (GDPR Article 28(3) violation) and issues a corrective order. If a breach occurs, you and the processor are jointly liable for damages (GDPR Article 82).