Smart home devices could be harvesting excessive personal data, report finds
The Information Commissioner’s Office (ICO) has issued a warning after Which? accused smart device developers of harvesting swathes of unnecessary personal data.
The ICO has announced a crackdown on connected devices and is working on developing new rules and action to be taken against manufacturers who fail in their data security obligations.
The news follows the publication of a Which? report that analysed the data collection practices of popular home device brands. The report concluded that almost all connected devices sold in the UK required data surplus to the devices’ performance.
Some examples included smart TVs that asked for users’ viewing habits and a smart washing machine that required people’s date of birth. Most brands also required exact location data.
Which? also found that certain companies were sharing customer data with firms such as TikTok and Meta.
“Consumers have already paid for smart products, in some cases thousands of pounds, so it is excessive that they have to continue to ‘pay’ with their personal information,” said Rocio Concha, Which? director of policy and advocacy.
Every single brand assessed by Which? used tracking services from Google, while Blink and Ring also connected to parent company Amazon. Google’s Nest product demands the user’s full name, email, date of birth and gender.
In response, Stephen Almond, executive director of regulatory risk at the ICO, said: “People should be able to enjoy the benefits of using their connected devices without having excessive amounts of their personal data gathered. This simply isn’t a price we expect to pay.
“To maintain trust in these products, companies must be transparent about the data they collect and how they use it, and ensure that the data is not used or shared in ways that people would not expect. The ICO is developing guidance on data protection and Internet of Things devices and we will act where we don’t see the rules being followed.”
Andy Ward, VP, international, Absolute Software, added: “Connected devices are the lifeblood of a modern workplace but are also a minefield when it comes to data security. The ability for malicious third parties to listen in, steal passwords and confidential information means that organisations should think first before implementing new devices that could present a major security risk.”
Cyber expert Oseloka Obiora, CTO, RiverSafe, said: “It’s time to wake up and smell the coffee around the risks posed by smart devices, which bring with them both a data privacy and cyber risk. The rise of smart offices can create an exciting work environment, but open up a myriad of security challenges, from eavesdropping in the boardroom to offering a back door into the business for hackers to exploit. New devices should be approached with a level of caution, with data policies checked and confidential information properly protected at all times.”
Amazon told The Guardian it “never” sells customers’ personal data, and “never stop[s] working to keep their [customer] information safe”, while Google said that it complies with “applicable privacy laws” and “provides transparency” to users regarding the data it collects.
Under the European Union’s General Data Protection Regulation (GDPR), companies must be transparent about the data they collect and how it is processed. Although users of the products included in the report had usually agreed to the firms’ privacy policies, Which? argued many had no idea of what they were agreeing to.
Last year, the government revealed its plans to introduce a new Data Reform Bill, which will differ from GDPR and the Data Protection Act, and was described by the government as “highly complex”.
At the time, industry representatives expressed concerns that, if introduced improperly, the Bill could ultimately cost the economy more than it will deliver. If the UK were to depart from the EU standards too greatly, it could lose its “data adequacy status”, meaning businesses will face higher compliance costs when receiving data from the bloc.