Many smart devices gathering ‘excessive’ amounts of personal data, says Which?

Many smart devices including TVs, speakers, air fryers and smartwatches are making “excessive” requests for access to user data, a new study from Which? has said.

The consumer group has tested and rated a range of popular smart devices to give them a privacy score based on what data access requests they made.

It said its research found that data collection often went well beyond what was necessary for a product to function, which it argued suggests that, in some cases, personal data could be shared with third parties for marketing purposes.

The consumer champion said its study showed firms were collecting data with “reckless abandon” and called for stricter guidelines to be put in place around smart product devices and data collection.

The UK’s data protection watchdog, the Information Commissioner’s Office (ICO), is due to publish such guidance next year.

According to the report, all three air fryer products tested wanted to know a user’s precise location and wanted permission to record audio on a user’s phone, for no specified reason.

Which? said one of the air fryers – made by Chinese firm Xiaomi – used a connected app that linked to trackers from Facebook, an ad network linked to TikTok and, depending on location, Chinese tech giant Tencent.

This air fryer, and another from fellow Chinese firm Aigostar, also sent personal data to servers in China, Which? said, although this was flagged in a privacy notice.

In addition, Which? said the Huawei Ultimate smartwatch it tested asked for a range of phone permissions the study classified as “risky”, including precise location, the ability to record audio, access to stored files and the ability to see all other installed apps.

Which? said it was told by Huawei that these permissions were a justified need and that no user data was used for marketing or advertising purposes.

Elsewhere, Which? said it found similar issues in the smart TVs it tested, which were made by Hisense, LG and Samsung.

The study said all three asked for a postcode at set-up, and while the Hisense TV did not connect to any trackers that Which? researchers could detect, the Samsung and LG TVs did, including trackers from Facebook and Google.

It said the Samsung TV app also made a number of “risky” phone permission requests.

In its test of smart speakers, Which? highlighted the Bose Home Portable speaker as being “stuffed” with trackers, including Facebook, Google and digital marketing firm Urbanairship.

Harry Rose, Which? magazine editor, said: “Our research shows how smart tech manufacturers and the firms they work with are currently able to collect data from consumers, seemingly with reckless abandon, and this is often done with little or no transparency.

“Which? has been calling for proper guidelines outlining what is expected of smart product manufacturers and the ICO has confirmed a code is being introduced in spring 2025 – this must be backed by effective enforcement, including against companies that operate abroad.”

Which? has also encouraged consumers to improve their data privacy by taking care to opt out of data collection requests they are not comfortable with, to check permission requests on apps before downloading them and deny or limit app data access via their phone settings, and delete voice recordings of interactions with voice-based assistants.

Slavka Bielikova, principal policy adviser at the ICO, said: “The results from Which?’s testing of smart products show that many products not only fail to meet our expectations for data protection but also consumer expectations.

“Smart products know a lot about us – who we live with, what music we like, what medication we are taking and much more. That’s why it’s vital that consumers trust smart product manufacturers to use their information safely and in the ways they expect.

“Earlier this year, we asked consumers how they feel about smart products. They told us that their products collect too much information about them and that they feel powerless to control how their information is used and shared.

“That’s why the ICO is working on new guidance for manufacturers of smart products which will be published in spring 2025.

“The guidance will outline clear expectations for what they need to do to comply with data protection laws and, in turn, protect people using smart products.

“Our guidance will allow manufacturers to plan and invest in the use of information responsibly. We want to help organisations get it right, however where they don’t we will be ready to act to ensure consumers are protected from harm.”

In response to the Which? research, Samsung said: “At Samsung, the security and privacy of our customers’ data is of the utmost importance.

“And we employ industry-standard security safeguards and practices to ensure that the data are secured.

“Customers are also given the option to view, download or delete any personal data through their Samsung accounts. Customers can find more information about our privacy policies at samsung.com/uk/info/privacy.”

Hisense said: “Hisense UK values its relationships with its customers and respects their data privacy rights.

“We are compliant with all UK data privacy laws and only capture the postcodes of our customers to enable them to receive regional-specific content, enhancing their user experience.

“If users are concerned, then many of our TVs will accept a partial postcode.”

Huawei said: “Huawei takes consumers’ privacy incredibly seriously. Clearly, to be useful lifestyle and health/fitness partners, smartwatches require permissions to access a number of personal data; we are very clear both on the devices at set-up, and on the companion app Huawei Health, which permissions are required and why, and users have full control over turning them on or off at any time.”

In a statement, a Xiaomi UK spokesperson said: “We are aware of the recent press release by Which? and some information in it including ‘Xiaomi fryer sent people’s personal information to servers in China’ is inaccurate and misleading, which could be resulted from some misunderstandings.

“We are in the process of clarifying with Which?.

“Our privacy policy is developed to comply with applicable regulations such as the UK GDPR and the DPA 2018. By complying with local applicable laws and regulations in markets where Xiaomi operates, user data are stored in compliance with local laws.

“We reserve the right to take legal actions to protect our reputation.”

Which? said LG declined to comment, while Aigostar and Bose did not respond.