Smart devices and a legitimate interest in personal data

By Jade Kowalski & Stuart Hunt


Published 10 October 2023


The recent publication of a report by the consumer organisation Which? has prompted discussion about the excessive collection of personal data by internet-connected smart devices.

The report analysed various types of smart devices, such as speakers, TVs, washing machines, and security cameras, and considered the personal data requested by default as well as the additional information requested in order to use the accompanying Android or Apple applications. The results indicated that a number of brands sought exact location data, and other information not necessarily required for the product in question to function for the purpose for which it was purchased.

While companies are required to be transparent about the collection of personal data and any subsequent processing, the basis for processing is often 'legitimate interest'. Which? suggested that "greater consideration around these 'legitimate interests' is necessary, and that a better standard to improve transparency for consumers is long overdue."

In response to the report, the Executive Director of the ICO, Stephen Almond, commented that the benefits of using smart devices should not be outweighed by the collection of unnecessary personal data. The transparency of data collection practices is key to maintaining trust.

The safety of smart consumer connectable products is on the legislative agenda with the introduction of new standard requirements, as part of the Product Safety and Telecommunications Infrastructure Act, taking effect from 29 April 2024. From that date, manufacturers, importers and distributors of the types of products identified in the Which? report are required to ensure:

  • There are no universal default or easily guessable default passwords on consumer connectable products;
  • There are published details for a specific contact to report identified vulnerabilities with the product;
  • There is a stated minimum period through which software updates to the products will be provided.

However, these measures do not focus on the unnecessary collection of personal data by those same product manufacturers and the data protection risks posed. The Which? report highlighted companies using bundled consents to obtain access to personal data, with certain TV brands using 'accept all' buttons to gather consent for functions including the tracking of viewing habits.

This type of website architecture was recently highlighted by the ICO and CMA as harmful and preventing consumers from making informed decisions. This is indicative of the problems that efforts to limit the unnecessary collection of personal data will face.

Suggestions within the Which? report to improve data privacy were focused on individual measures that can be taken to prevent excessive data collection. These measures include denying permissions to Android and iOS apps and reading the privacy policy; however, it was highlighted that a Google Nest policy alone contains 20,000 words. It is perhaps unsurprising that users of smart devices can inadvertently agree to the use of personal data in ways they do not expect.