As Chapter 3 will show the drawbacks of any strategy that attempted to curb IoT power by relying solely on contract-focused consumer laws, Chapter 4 will consider two consumer laws that look beyond the contract, namely, the Product Liability Directive and the Unfair Commercial Practices Directive. The IoT-readiness of these laws will be tested by critically assessing whether they can be used to tackles two major consumer issues that revolve around the concept of vulnerability: product, on the one hand, and human vulnerability, on the other. First, Chapter 4 will focus on the Things that are vulnerable as they are defective. Current legal regimes struggle to cope with new defects (e.g. software updates, inaccurate sensors, etc.) and vulnerabilities (e.g. the limitations stemming from software instructions and training datasets that affect the capacity to predict human behaviour in real-world scenarios). Second, it will deal with the vulnerability of IoT users as it manifests itself in the so-called Internet of Personalised Things.