This paper aims to establish general principles for fair contractual relationships and to offer a comparative legal examination concerning the attribution of rights over data generated by IoT products, a growing area of interest alongside the expansion of the data economy. With the rapid advancement in the data industry and related technologies, data has taken on substantial economic value, and data generation and utilization through IoT products have become prevalent. However, a regulatory gap exists between the legal framework and current realities, making it challenging to appropriately govern transactions and legal relations centered on data. Initial discussions on recognizing exclusive property rights over data have mostly subsided, shifting scholarly focus towards rights of access and utilization. In practice, data is now governed as an object of legitimate use, enabling lawful access, appropriate control, disposal, and sharing among parties. This paper focuses on the European Union's pioneering examination and legislative preparations in attributing rights over IoT-generated data, notably the ALI-ELI Principles for a Data Economy and the EU Data Act. It begins by describing the objectives, main contents, and relationship between these legal instruments from a comparative law perspective. Unlike direct property rights, the EU Data Act aims to broaden data utilization via contractual relationships and acknowledges data as a transactional object for fair use among parties. Covering both personal and non-personal data, the Act recognizes users' rights to IoT-generated data in relation to data holders, who possess de facto control over the data. This framework holds significant value in clarifying user rights within the context of IoT product-generated personal and non-personal data. Building on an overview of the ALI-ELI Principles and EU Data Act, the study then outlines a framework for attributing rights to parties over IoT-generated data. It categorizes data into personal data, non-personal data closely related to usage, non-personal data with minimal usage correlation and incidental generation, and derived or inferred data. For personal data, the legal basis is self-determination, while for non-personal data, it is assessed based on contribution to data generation, proximity of rights between the product and the generated data, and the degree of relatedness to the product itself. In assessing the legal relationships for rights attribution, the study highlights the need for parallel and independent rights for both product users and data holders, recognizing that the extent and limits of each party's rights may vary based on the level of contribution and relevance. Data holders, in particular, are acknowledged to have independent rights over derived or inferred data, while the study also notes a cost-sharing obligation in describing the rights of data recipients. Finally, the study draws general principles for evaluating fairness in contractual relationships and discusses potential improvements in domestic legislation. Recognizing that the substance of rights over data generated through IoT product use will be realized in contractual relationships, it advocates for establishing general principles to ensure rational contractual standards rather than leaving this solely to private autonomy. These principles are described as follows: consumer protection based on negotiation imbalances, effective guarantee of data access and utilization rights for product users, prevention of data monopolization, and transparency for safe data use. The study concludes that clearly defining rights between IoT product users and data holders and deriving general principles for data transactions will underpin fair data use in the data economy era.