Smart home devices are fun but how much data do they collect?

Smart home devices can make life fun, smoother and more comfortable – a robot vacuum cleaner that starts to clean up automatically, smart lighting that you can control from your couch, or a smart thermostat to get your home heated in time for your arrival.

With the right design in place, smart home tech can also give consumers valuable data insights about their products and their behaviour. But focusing only on providers’ data needs can bring security and privacy risks.

Euroconsumers’ members are testing organizations who for decades have got under the hood of products to shine a light on where products and services are lacking, and to praise where they do well.

Testing is one way to hold brands accountable for where their practice is leaving consumers exposed, but it is also an opportunity to show how to do things differently.

What did the tests reveal about the smart home revolution?  

Euroconsumers’ latest round of smart device tests looked at how a range of popular smart home devices and their accompanying apps handle consumers’ data and some ideas for how consumers could take back more control. 

This blog reports back on the findings, and challenges brands to do more to take the trust opportunity and do more to build safety and empowerment into products so consumers can leave the data use worries aside. 

Smart home devices under the microscope

Euroconsumers partners, led by our Belgium organisation Testachats/Testaankoop looked at 13 popular smart devices to find out: 

• What data the devices and apps send and with whom it is shared, for both the manufacturer and third parties who are usually marketing or analytics companies. 
• Whether consumers data is sent securely: this was done by checking whether the communication of the apps was encrypted and whether or not data could be intercepted.
• Whether the privacy policy is clear and complete and whether it is just there to inform the user of what is happening with their data or if the user has any level of control.
• Whether the manufacturer provided information about its update policy: this was done by checking if the length of time the device is supported is made clear.   

The devices and brands tested were: 

• Smart speakers (Bose and Sonos)
• Smart TVs (Samsung and LG)
• Smart air fryers (Philips and Xiaomi)
• Robot vacuum cleaners (Eufy and Dreame)
• Smart thermostats (Tado and Nest)
• Video doorbells (Ring and Arlo)
• Smart lighting and sensors (Philips Hue)

Key findings: a missed opportunity for consumer data control

Almost every device tested missed the opportunity to empower consumers with the data they generate through their smart home kit, in ways that often carry privacy risks. All the devices shared several data practices, here we take a look at how the different companies’ data practice takes away control from consumers and potentially leaves them exposed: 

Redundant permissions: apps regularly ask for access to location, microphone or even to track behavior in other apps  – these permissions aren’t required to operate the smart device the app is designed to control.  We found smart air fryer apps that connected to  many tracking companies and asked for extensive permissions, like access to your photo library and location. Video doorbell apps kept track of families’ habits and shared that information with external parties and asked for potentially risky permissions like access to phone calls.

Data sharing with external parties: almost all of the apps investigated send user data to external parties, like marketing firms. This is hard to spot as it mostly happens in the background, but when we looked into smart speakers for example, we saw apps that enabled app tracking by default, shared personal data with third-party companies, and sometimes even forwarded email addresses without permission.

Excessive data collection by default: the temptation to collect as much data as possible seems hard for companies to resist – for example, smart thermostats collected detailed information about the home routine. Of course, some of this data is useful for monitoring potential hacks, or for notifying customers of a security breach. But some feels excessive, for example, Tado shared customer data with companies such as Amazon, and Google’s Nest prefers to keep a lot of data to itself. Smart TVs do the same, with the accompanying apps asking for access to a users’ location and microphone, for no obvious reason, and sharing data with companies such as Facebook or Google.

Unclear privacy policy: information about what happens to consumers’ data is usually hidden in privacy statements that can be vague or difficult to understand. For many users, it is therefore absolutely unclear with whom their data is shared and what choices they might have to change this.  Consumers have to accept the policy to use the product, leaving them with few powers to exert control over how they want their data to be used.

Security risks: some devices send data without proper security. As a result, malicious parties could relatively easily intercept that information. We found robot vacuum cleaner apps sending email addresses and passwords unencrypted to the cloud.

Smart lighting and sensors: a positive exception  

Smart products do not have to follow the data heavy route, and Philips Hue smart lamps and sensors stood out as the best for respecting consumers’ data choices. 

The app requires few permissions and no personal data or unique codes are passed on to third parties. App tracking is off by default and technical and usage data is only shared with external companies if the consumer wishes. Users are able to easily retain control over what is shared via the settings. 

Limits and defaults are a great example of how to design in protection and empowerment in line with consumer expectations, without putting the onus on them.

Companies should take the data empowerment opportunity

Smart technology can help improve consumers’ home lives by smoothing out demand for lighting and heating, giving deeper knowledge of their habits, product use and spending, or simply by making life more convenient. 

The type of data generated by smart home devices could also help providers understand much more about consumers’ real lives and behaviours and help work with them to build a circular, green economy with the most efficient energy distribution available.  But working with this type of often personal or revealing data means sharing it on their terms with the right organisations and systems.

To do this, we need a data economy that works for everyone, where people have control over how their data is used, with rights to access, share and get value from their data. 

The tests show that while greater consumer control of smart device data is entirely possible, too few companies are taking the opportunity to commit to data empowerment by design. Instead, smart device users face a confusing consumer journey of registrations, permissions, privacy policies and default tracking with limited means to understand what is happening with their data or how to change data management options. 

In smart home devices, there is now a huge opportunity to build consumer trust by delivering products that genuinely meet people’s needs, without the intrusive, frustrating data practices that can leave consumers exposed and break down trust.

Get smart and give consumers the data choices they want 

Doing so with strong privacy, security and data control practices can give companies a powerful way to stand out, strengthen consumer confidence and at the same time, create a safer smart home environment.  

Consumer tips to protect data in smart home devices  

The tests show that most companies are missing the opportunity to give consumers the control and reassurance they want from their smart devices.  Until we see companies designing in data empowerment from the start, here are some suggestions for how consumers can get back some of the data control.  

Completely preventing smart devices from collecting data on your terms is difficult. But you can do what is necessary to better protect your privacy. Keep these tips in mind with any new smart device:

• Check permissions: only allow access to location, microphone, camera, or contacts if necessary for the device to work. You can adjust these permissions via the smart device settings. 
• Disable in-app tracking: if possible, turn off tracking your app behavior in the app settings. This way, your usage will not be automatically visible to manufacturers and marketers.
• Limit voice recordings: if using a voice assistant/smart speaker, then specify in the settings that voice recordings are automatically deleted.
• Sign in with your email address, not external accounts: whenever possible, avoid logging in via Facebook, Google or Amazon – the fewer links, the fewer routes for data sharing or loss. 
• Read the privacy policy: check what data is collected and shared. Although it’s a hassle, you can always object to the use of your data, check with your national Data Protection Agency for how to do this.
• Use smartphone app settings to manage adverts: the two main ways to do this are through turning off personalised ads in your smartphone system settings, and resetting or deleting your ad ID – a unique tag assigned to everyone’s mobile device which tracks your behaviour across apps and and helps advertising personalize their offers.