Smart devices in our homes can be far too intrusive and collect data beyond the basic necessary functions, research shows.
The consumer advocacy group Which? reviewed several popular smart gadgets across multiple categories, rating them on their privacy practices and how much data they collect.
The findings suggested a trend of manufacturers prioritizing data acquisition over user privacy.
All three air fryer models examined not only required precise location data to function, but also requested permission to access audio recordings on users’ phones. Experts warned that these requests were often unjustified.
For example, the Xiaomi air fryer app connects to various trackers from technology giants such as Facebook and Pangle – TikTok’s advertising network – and from Tencent, a major Chinese technology company.
The Aigostar air fryer also engaged in similar data practices, even going so far as to ask for users’ gender and date of birth during account setup.
Both the Xiaomi and Aigostar air fryers have personal data transferred to servers in China, a fact revealed in their privacy statements but which many users may overlook.
Although the requests were marked as optional, the implications of asking for such information have raised questions.
Harry Rose, which one? magazine editor said: “Our research shows how smart technology manufacturers and the companies they partner with are currently able to collect consumer data with seemingly reckless abandon, and this is often done with little or no transparency.”
In addition to air fryers, other devices were also tested.
The Huawei Ultimate smartwatch also raised the alarm as it required nine “risky” permissions – the most of any device tested. Other smartwatch models such as the Kuzil and WeurGhy also require user consent for full functionality.
“High-risk” permissions are described as giving invasive access to parts of someone’s smartphone.
There were no details on how long companies will roll out security updates to protect consumers’ data, leaving them in the dark about the longevity of their devices’ security features.
Smart TVs were also scrutinized, with the Hisense and Samsung models tested requiring postcodes for installation, and full addresses were essential on both brands.
Samsung’s claim that providing a postcode was optional was challenged by Which?’s findings, which found that this often felt mandatory during installation.
Which one? found that Samsung’s TV app was particularly demanding, requesting eight permissions.
In the field of smart speakers, the Bose Home Portable model stood out for requiring the least prior permission. However, concerns have been raised about connections to Facebook and Google, which could compromise user privacy.
The Amazon Echo and Google Nest Mini offered users some options to bypass data sharing requests, but users can’t opt out.
Following the findings, new guidance from the Information Commissioner’s Office (ICO) will be published in 2025.
Experts hope that clearer regulations can enforce accountability, especially for companies operating beyond UK borders, where compliance may be even trickier.
Mr Rose added: “Which one? has called for proper guidance setting out what is expected of manufacturers of smart products and the ICO has confirmed that a code will be introduced in spring 2025 – this should be backed by effective enforcement, including against companies operating abroad are.
When Which? contacted us, a Samsung spokesperson said: “At Samsung, the security and privacy of our customers’ data is of the utmost importance. And we use industry-standard security measures and practices to ensure the data is safe. Customers will also have the option to view, download or delete personal data via their Samsung accounts.”
A spokesperson for Hisense said: “Hisense UK values its relationships with its customers and respects their data privacy rights. We comply with all UK data privacy laws and only record our customers’ postcodes to enable them to receive region-specific content, improving their user experience. If users are concerned, many of our TVs accept a partial zip code.”
An Amazon spokesperson said: “We design our products to protect our customers’ privacy and security and put them in control of their experience. For example, we build easy-to-use controls for our customers (including physical buttons or shutters, simple in-app controls, and device setup prompts) and have created resources that explain how our devices and services work. and the options available to customers.”
A Google spokesperson said: “The privacy of our customers is very important to us and Google fully complies with applicable privacy laws and provides transparency to our users about the data we collect and how we use it. For those times when users want additional privacy controls on Google Nest smart speakers and displays, users can use the Google Assistant in guest mode.”
A Huawei spokesperson said: “Huawei takes consumer privacy incredibly seriously. Clearly, to be useful lifestyle and health/fitness partners, smartwatches need permission to access some personal data; we are very clear both on the devices upon setup and on the companion app Huawei Health, which permissions are required and why, and users have full control over enabling or disabling them at any time.
In a lengthy statement, a Xiaomi spokesperson told Which? “Respecting user privacy has always been one of Xiaomi’s core values, including transparency, accountability, user control, security and legal compliance.” It says it complies with all UK data protection laws and that “we do not sell personal information to third parties”, and that certain features are only active in selected global markets, such as Tencent services only used in China. “The permission to record audio in the Xiaomi Home app does not apply to the Xiaomi Smart Air Fryer, which does not work directly via voice commands and video chat,” it added.
Which one? Aigostar added and Bose didn’t respond. WeurGhy and Kuzil could not be reached.