Smart devices in our homes may be far too intrusive and collect data that goes beyond necessary basic functions, research has suggested.
The consumer advocacy group Which? assessed several popular smart gadgets across multiple categories, rating them on their privacy practices and how much data they collect.
The findings suggested a trend where manufacturers prioritise data acquisition over user privacy.
All three air fryer models examined required not only precise location data to function but also sought permission to access audio recording on users’ phones. Experts warned these requests often lacked justification.
The Xiaomi air fryer app, for example, connects to various trackers from tech giants like Facebook and Pangle – TikTok’s advertising network – as well as Tencent, a major Chinese technology firm.
The Aigostar air fryer also carried out similar data practices, going as far as to request users’ gender and date of birth during account setup.
Both the Xiaomi and Aigostar air fryers transferred personal data to servers in China, a fact disclosed in their privacy notices but one that many users may overlook.
While the requests were marked as optional, the implications of asking for such information have raised questions.
Harry Rose, Which? magazine editor, said: “Our research shows how smart tech manufacturers and the firms they work with are currently able to collect data from consumers, seemingly with reckless abandon, and this is often done with little or no transparency.”
Other devices aside from air fryers were also tested.
The Huawei Ultimate smartwatch also raised the alarm for requiring nine “risky” permissions – the most of any device tested. Other smartwatch models like the Kuzil and WeurGhy also require user consent for full functionality.
“Risky” permissions are described as giving invasive access to parts of someone’s smartphone.
There were no details on how long companies carry out security updates to protect consumers’ data, leaving them in the dark about the lifespan of their devices’ security features.
Smart TVs were also scrutinised, with the Hisense and Samsung models tested requiring postcodes for setup, and in both brands full addresses were essential.
Samsung’s claim that providing a postcode was optional was challenged by Which?’s findings, which indicated it often felt mandatory during setup.
Which? found that Samsung’s TV app was particularly demanding, requesting eight permissions.
On smart speakers, the Bose Home Portable model stood out by requesting the fewest upfront permissions. However, it raised concerns over connections to Facebook and Google, which can compromise user privacy.
The Amazon Echo and Google Nest Mini provided users with some options to bypass data-sharing requests, but users cannot opt out.
Following the findings, new guidance from the Information Commissioner’s Office (ICO) will be published in 2025.
Experts hope clearer regulations can enforce accountability, especially for companies operating beyond UK borders, where compliance might be even more slippery.
Mr Rose added: “Which? has been calling for proper guidelines outlining what is expected of smart product manufacturers and the ICO has confirmed a code is being introduced in spring 2025 – this must be backed by effective enforcement, including against companies that operate abroad.”
When contacted by Which?, a Samsung spokesperson said: “At Samsung, the security and privacy of our customers’ data is of the utmost importance. And we employ industry-standard security safeguards and practices to ensure that the data are secured. Customers are also given the option to view, download or delete any personal data through their Samsung accounts.”
A Hisense spokesperson said: “Hisense UK values its relationships with its customers and respects their data privacy rights. We are compliant with all UK data privacy laws and only capture the postcodes of our customers to enable them to receive regional-specific content, enhancing their user experience. If users are concerned, then many of our TVs will accept a partial postcode.”
An Amazon spokesperson said: “We design our products to protect our customers’ privacy and security and to put them in control of their experience. For example, we build easy-to-use controls for our customers—these include physical buttons or shutters, simple in-app controls, and prompts within the device set-up experience—and have created resources that explain how our devices and services work and the options available to customers.”
A Google spokesperson said: “Our customers’ privacy is very important to us and Google fully complies with applicable privacy laws and provides transparency to our users regarding the data we collect and how we use it. For those moments when users want additional privacy controls on Google Nest smart speakers and displays, users can use Google Assistant in guest mode.”
A Huawei spokesperson said: “Huawei takes consumers’ privacy incredibly seriously. Clearly, to be useful lifestyle and health/fitness partners, smartwatches require permissions to access a number of personal data; we are very clear both on the devices at set-up, and on the companion app Huawei Health, which permissions are required and why, and users have full control over turning them on or off at any time.”
In a lengthy statement, a Xiaomi spokesperson told Which? “respecting user privacy has always been among Xiaomi’s core values, which includes transparency, accountability, user control, security, and legal compliance”. It said it adheres to all UK data protection laws and “we do not sell any personal information to third parties”, and certain functions are only active in select global markets, such as Tencent services only used in China. “The permission to record audio on Xiaomi Home app is not applicable to Xiaomi Smart Air Fryer which does not operate directly through voice commands and video chat,” it added.
Which? added Aigostar and Bose did not respond. WeurGhy and Kuzil were uncontactable.