Is my air fryer spying on me? Which? reveals smart devices gathering most data

Which? research has found evidence of excessive smart device surveillance – from air fryers demanding permission to listen in on your conversations and sharing data with TikTok, to TVs wanting to know your exact location.

The consumer association rated products across four categories and gave them overall privacy scores for factors including consent and what data access they want. Researchers found data collection often went well beyond what was necessary for the functionality of the product – suggesting data could, in some cases, be being shared with third parties for marketing purposes.

]In the air fryer category, as well as knowing customers’ precise location, all three products wanted permission to record audio on the user’s phone, for no specified reason. The Xiaomi app linked to its air fryer connected to trackers from Facebook, Pangle (the ad network of TikTok for Business), and Chinese tech giant Tencent (depending on the location of the user).

The Aigostar air fryer wanted to know gender and date of birth when setting up an owner account, again for no clear reason, but this was optional. The Aigostar and Xiaomi fryers both sent users’ personal data to servers in China, although this was flagged in the privacy notice.

The Huawei Ultimate smartwatch – as with all the products on test – requires privacy consent to work properly. It requested nine “risky” phone permissions – the most of all devices on test. Which? defines “risky” as giving invasive access to parts of someone’s phone.

These included precise location, the ability to record audio, access to stored files or an ability to see all other apps installed. The company said all had a justified need. Huawei also said that no user data is used for marketing or advertising purposes. Which? found some trackers active on the Huawei watch, but Huawei said they are active only in certain regions.

Bestsellers on Amazon, the Kuzil and WeurGhy smartwatches were found to be essentially the same product. Both required consent to work – if declined, the product will only operate as a watch, without the accompanying smart features. There was none of the legally required information on how long the smartwatches would be supported with security updates. However, both watches did not appear to use any trackers.

Smart TV menus are littered with ads and thirsty for user data. The Hisense and Samsung TVs Which? tested required a postcode at set up – though both brands said customers can use a partial postcode and that it was only used for some content localisation features. Samsung claimed supplying a postcode was not mandatory but Which? found it appeared mandatory in its tests.

The LG set asked for a postcode, but providing it was not mandatory. Samsung’s TV app requested eight risky phone permissions, including being able to see all the other apps on the phone, second only to the Huawei smartwatch. The Hisense did not connect to any trackers that researchers could detect, but Samsung and LG linked to a number of them, including Facebook and Google.

The analysis of smart speakers found that the Bose Home Portable speaker and app take the fewest upfront phone permissions of all the products on test, but are stuffed with trackers, including Facebook, Google and digital marketing firm Urbanairship. The Bose speaker also fared poorly on how it secured customer consent for data tracking.

By contrast, Amazon Echo gives useful options to skip various requests to share data. Consumers need an Amazon or Google account to use the Echo Pop or Nest Mini, respectively. They use trackers that Which?’s researchers expected to see, mostly their own. However users cannot selectively opt out, hence their low star rating.

All of the devices on test wanted to know users’ precise locations.

Which?’s research highlights how manufacturers are currently able to collect excessive data from consumers, often with little transparency about what it will be used for. The ICO is due to publish new guidance for smart product manufacturers in Spring 2025.

However, Which? is concerned that manufacturers based abroad could take advantage of the challenges of enforcing compliance with guidelines.

Says Harry Rose, Which? magazine editor, said:

“Our research shows how smart tech manufacturers and the firms they work with are currently able to collect data from consumers, seemingly with reckless abandon, and this is often done with little or no transparency.

“Which? has been calling for proper guidelines outlining what is expected of smart product manufacturers and the ICO has confirmed a code is being introduced in Spring 2025 – this must be backed by effective enforcement, including against companies that operate abroad.”

Consumer advice – How to improve your data privacy

Care about what you share: Some data collection is optional during setup and that means you can opt out (although potentially with consequences in terms of functionality). Only share what you are comfortable with.

Check permissions: On iOS and Android, you can review permission requests before downloading an app, and check what each app has access to in your settings.

Deny access: Also in your phone settings, you can potentially deny or limit access to data such as location, contacts, and so on. Although, that might stop or limit aspects of the app.

Delete recordings: Using the Alexa and Google Assistant settings, you can set your voice recordings to be deleted automatically rather than stored after a period of time.

Read the privacy notice: Do at least browse the policy, particularly the data collection sections. You have the right to object to a company processing your data.

Right of replies

Samsung

“At Samsung, the security and privacy of our customers’ data is of the utmost importance. And we employ industry-standard security safeguards and practices to ensure that the data are secured. Customers are also given the option to view, download or delete any personal data through their Samsung accounts. Customers can find more information about our privacy policies at www.samsung.com/uk/info/privacy.”

Hisense

“Hisense UK values its relationships with its customers and respects their data privacy rights. We are compliant with all UK data privacy laws and only capture the postcodes of our customers to enable them to receive regional specific content, enhancing their user experience. If users are concerned, then many of our TVs will accept a partial postcode.”

An Amazon spokesperson said:

“We design our products to protect our customers’ privacy and security and to put them in control of their experience. For example, we build easy-to-use controls for our customers—these include physical buttons or shutters, simple in-app controls, and prompts within the device set up experience—and have created resources that explain how our devices and services work and the options available to customers.”

Google

“Our customers’ privacy is very important to us and Google fully complies with applicable privacy laws and provides transparency to our users regarding the data we collect and how we use it. For those moments when users want additional privacy controls on Google Nest smart speakers and displays, users can use Google Assistant in Guest Mode. When in Guest Mode, Google Assistant won’t say or show personal results, personal contacts, and automatically deletes audio recordings and Google Assistant activity. “

Huawei

“Huawei takes consumers’ privacy incredibly seriously. Clearly, to be useful lifestyle and health/fitness partners, smartwatches require permissions to access a number of personal data; we are very clear both on the devices at set-up, and on the companion app Huawei Health, which permissions are required and why, and users have full control over turning them on or off at any time.”

In a lengthy statement Xiaomi said that “respecting user privacy has always been among Xiaomi’s core values, which includes transparency, accountability, user control, security, and legal compliance”. It said that it adheres to all UK data protection laws, and “we do not sell any personal information to third parties”, and certain functions are only active in select global markets, such as Tencent services only used in China. “The permission to record audio on Xiaomi Home app is not applicable to Xiaomi Smart Air Fryer which does not operate directly through voice commands and video chat,” it added.

Cosori

“We prioritize privacy, and subject to our internal compliance requirements, the smart products must comply with GDPR. However, without specific test reports from your firm or the test lab, we cannot comment further.”

LG declined to comment. Aigostar and Bose did not respond. WeurGhy and Kuzil were uncontactable.

Nov 5, 2024Chris Price

For latest tech stories go to TechDigest.tv

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__atuvc	1 year 1 month	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it before the share count cache is updated.
__atuvs	30 minutes	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it before the share count cache is updated.

Cookie	Duration	Description
at-rand	never	AddThis sets this cookie to track page visits, sources of traffic and share counts.
disqus_unique	1 year	Set to record internal statistics for anonymous visitors.
uvc	1 year 1 month	addthis.com sets this cookie to determine the usage of addthis.com service.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
loc	1 year 1 month	AddThis sets this geolocation cookie to help understand the location of users who share the information.
skimGUID	10 years	Set by Slimlinks, this cookie is a unique identifier provided to each device for log analysis to determine the number of unique users for various parts of skimresources.com.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
_ir	session	This is a Pinterest cookie that collects information on visitor behaviour on multiple websites. This information is used on the website, in order to optimize the relevance of advertisement.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.

Cookie	Duration	Description
wp_api	past	Description is currently not available.
wp_api_sec	past	Description is currently not available.
xtc	1 year 1 month	Description is currently not available.

Which? research has found evidence of excessive smart device surveillance – from air fryers demanding permission to listen in on your conversations and sharing data with TikTok, to TVs wanting to know your exact location.

Consumer advice – How to improve your data privacy

Right of replies

Share this:

Like this: