Which? warns of security cameras sending data to TikTok

Home Appliances, Home security

Smart home device owners are being asked to provide swathes of data to manufacturers, which could compromise their privacy and potentially result in them handing their personal information to social media and marketing firms, Which? research has found.

The consumer association found companies appear to hoover up far more data than is needed for the product to function. This includes smart speakers and security cameras that share customer data with Meta and TikTok, smart TVs that insist on knowing users’ viewing habits and a smart washing machine that requires people’s date of birth.

The research suggests that, despite consumers having already paid up to thousands of pounds for smart products, they are also having to ‘pay’ with their personal data.

Which? analysed the data collection practices of popular brands behind a range of smart devices. Experts looked at what information they require to set up an account, what data permissions their apps request and what activity marketing companies are tracking on people’s products.

Which? found that Bose smart speakers share user data with Meta, the parent company of Facebook, while research discovered a stark difference in the volume of data requested by smart speakers if users own an Android phone versus an Apple iOS device.

For example, Google Nest products request contacts and location on Android, but neither on Apple’s iOS. The app functions the same on both, so the additional data collected on Android does not appear to be essential.

When it came to smart cameras and doorbells, Which? found Ezviz devices, sold by major high-street retailers including Argos, had by far the most tracking firms active. This included TikTok’s business marketing unit, Pangle, Huawei, as well as Google and Meta.

Every single smart camera and doorbell brand Which? assessed used tracking services from Google, while Blink and Ring also connected to parent company Amazon. Google’s Nest product demands full name, email, date of birth and gender. 

On Android, Arlo, Eufy and Ring also want permission for people’s background location, which is not necessary to alert users when their home security system is triggered and means they could track users even when they are not using the app. All permissions are activated by default. Consumers can opt out, but this requires changing the settings and could lead to aspects of the device or app no longer working.

In a survey of 1,201 Which? members in April 2023, the data people were most concerned about being shared were their contacts and background location, involving an app tracking where people are even when they are not using it. This was followed by photos, phone number and precise location.

For smart washing machines, experts were surprised to find companies needing the date of birth of users. Although this is optional on Beko machines, LG and Hoover will not allow use of the app without knowing when customers were born.

LG wants the most data of all the washing machine brands – the company will know the customer’s name, date of birth, email, phone contact book, precise location and phone number. Hoover wants users’ contacts and phone numbers on Android devices. With Miele, tracking of precise location is enabled by default, and required to use the app.

Most smart TV menus now feature adverts, some personalised based on user data. While tracking is optional, Which? has found that LG, Samsung and Sony bundle this up into an ‘accept all’ button, rather than encouraging customers to review a full list of tracking options and then accept or decline which ones they want. 

A third (33%) of the Which? members surveyed admitted to not reading any of the privacy policy when downloading an app, while two-thirds (67%) said that they merely skimmed it. This is perhaps unsurprising given terms and conditions and privacy policies are usually incredibly long to read. 

A Google Nest owner would need to work their way through more than 20,000 words to get to grips with them, which would take one hour and twenty minutes for someone who reads at 250 words per minute.

Under the General Data Protection Regulations (GDPR), companies must be transparent about the data they collect and how it is processed. The data collected must also be relevant and limited to what is necessary for the processing to take place.

Says Rocio Concha, Which? Director of Policy and Advocacy:

“Consumers have already paid for smart products, in some cases thousands of pounds, so it is excessive that they have to continue to ‘pay’ with their personal information.

“Firms should not collect more data than they need to provide the service that’s on offer, particularly if they are going to bury this important information in lengthy terms and conditions.   

“The ICO should consider updating guidelines to better protect consumers from accidentally giving up huge swathes of their own data without realising.”

Chris Price
For latest tech stories go to TechDigest.tv