There’s no getting around it. It’s been a rough year for privacy. So, we admit that we’re not completely caught off guard that during the shoppingest time of year it feels like it’s your privacy that’s roasting on an open fire. But I guess that makes us Jack Frost because, uh, nothing will stop us from nipping at these companies’ privacy no-nos!

This year, we reviewed the privacy and security of over 100 connected products, from video doorbells to Bluetooth trackers and all manner of robots in between. After about a thousand hours of research (yes, we’re tired), here are the biggest changes we noticed in consumer tech since our guide last year:

  • We saw some of the good go bad: Sonos and Bose have been in our good books for privacy in recent years. For the first time, they have earned our *Privacy Not Included warning label.
  • Google went from just OK to officially bad this year: Also joining the formerly OK but now naughty list are (Google-owned) Fitbit, and Tile trackers.
  • And then there are the bad guys who keep getting worse: Amazon, Amazon Ring, Samsung, Microsoft Xbox, and Wyze were already on our naughty list, but they managed to get worse. We noticed.
  • AI integration is becoming a lot more common: it is used in at least 94 of the products we reviewed. And too often, that means your personal information can be stored, studied, shared, or all of the above. Two such cases: iRobot’s test-run Roombas’ video recordings were reviewed by humans for AI training. That resulted in images from inside test-users’ homes showing up on Facebook. The company that owns the “learning robot with heart,” Moxie, may share parts of your child’s conversations with OpenAI, can store them for up to 18 months, and use them to “improve the AI.”
  • We found a new creepiest product ever: We added a ton of new products to our roster this year. Some were good, some were bad, and others, well, they left us speechless. Almost. We rarely say this but do not buy the Angel Watch for your child or vulnerable person in your life. This surveillance watch doesn’t have a privacy policy at all!

Hang on – it’s not all bad news!

It was a good year for regulators doing their job. The FTC brought down the hammer on Microsoft Xbox and Amazon for violating the US’ children's data privacy law, COPPA. European regulators issued a record-breaking number of fines to companies for not obeying Europe’s GDPR (General Data Protection Regulation). That included a whopper for Meta – the largest fine ever so far – at $1.3B!

And many of our Best Ofs did keep their good-at-privacy status. Phew. Good-guy Garmin made our privacy-loving heart grow three sizes this season when we realized that their privacy practices got even better since last year. We also spotted a mini trend in kids’ connected toys: data minimization. Interactive toys like Tamagotchi Uni and Artie 3000 keep children’s personal information safe by not collecting it. We love to see it!

As the status quo for privacy seems to be slipping into the gutter, we feel it’s more important than ever to celebrate the brands that get it right. So stay tuned for our not quite as long but nonetheless very much appreciated nice list!

The naughtiest connected products by category in 2023

Smart Home

Our (newly) naughty list: Smart Home

These Smart Home brands are getting coal in their stockings and the *Privacy Not Included warning label for the first time this year:

In a *Privacy Not Included first, all Google products -- including their popular smart home products like the Google Nest line -- get our warning label this year. Two things pushed them over the edge, from just OK to bad. For one, their not-so-good track record. Google has received several multi-million dollar fines in recent years for some pretty serious privacy-related lapses. Second, how they use your data. Google says they can collect data from publicly available sources to train their AIs, but leave us wondering what exactly counts as “publicly available.”

Wyze, maker of security cameras, video doorbells, robot vacuums, smart lighting and more, is officially bad now too. Recently, they’ve had the worst kind of security vulnerabilities and breaches – ones that could show strangers videos from inside your home. Yikes! Policy-wise, they can collect a ton of information about you, can use it to create new data about you (called “inferences”), and may sell some of it. Bad!

Sonos also doesn’t give everyone the right to delete their personal data and can sell your personal information for ads (according to how the state of California defines a “sale” – which includes when your information is exchanged for other “valuable consideration” and not just money).

As for Amazon Ring, it sure seems like they are still sharing a heck of a lot of sensitive information with law enforcement. They also failed to respond to the security vulnerability Mozilla brought to their attention last year.

Entertainment & Tech

Our (newly) naughty list: Entertainment & Tech

Tile, the original Bluetooth-tracker-maker, has taken a turn for the worse this year. First, their parent company, Life360, was sued for selling users’ location data without permission. That’s ho-ho-horrible!

And then, while other tracker-makers (like Apple) are adding features that make it harder and harder to use them to track people without their permission, Tile seems to be walking that back a bit. In February, they released “Anti-Theft Mode.” It bypasses their “Scan and Secure” anti-stalking feature by making Tiles totally undetectable. So it’s a concern for anyone who is worried about a Tile following them around without their consent. It also raises some privacy concerns for users who turn on that feature. To use Anti-Theft Mode, you have to verify your identity and consent to have your information shared with law enforcement at Tile’s discretion. Yikes again.

A third “yikes” for Tile is that their parent company, Life360, says they can collect additional information about you from third parties and combine it with what they already know about you. That’s something that former nice guy, Bose, now says they can do too. Another thing Bose can do? Collect data on your head movements from your headphones. Come on, it’s nobody’s business if your head-bobbing is offbeat. Weirder, they may sell that information alongside your email address. Bose also doesn’t make it clear whether everyone has the right to delete their personal information.

Meanwhile, Samsung continues to write their privacy policy as if no one will read it (we sure showed them! But seriously, Samsung’s privacy policy is unpleasant to read and that’s being generous). They collect a huge amount of data on their users, young and old alike. Then they combine it, share it, sell it, and use it for advertising. Oh, and! They accidentally gave away sensitive information to ChatGPT this year.

Health & Fitness

Our (newly) naughty list: Health & Fitness

If you don’t already have a Fitbit, there’s no way to get one without now agreeing to Google’s privacy policy. Yep, all new Fitbit devices require a Google account to log in. That means all that health-tracking data will be collected by not-so-good data giant, Google.

Google says they’ll keep your health data safe and separate from the boatload of information they already have about you. But, that doesn’t keep privacy experts (including us) from worrying. After all, Google has reportedly misled users before and is already behaving badly with Fitbit data. Privacy advocacy group NOYB pointed out that they are violating Europe’s data privacy law, GDPR, by forcing users to consent to having their data transferred outside the EU if they want to use the app at all.

Kids’ Products

Our (newly) naughty list: Kids’ Products

We already mentioned you shouldn’t buy an Angel Watch. Here’s why: It’s a GPS-tracking, cellular phone calling, video and audio monitoring, remote body vitals tracking smart watch that’s marketed as "the ultimate lifeline to keep loved ones safe." With all that tracking of super sensitive data, we already raised an eyebrow. But here’s the kicker: we could not find a privacy policy for this product. So we have no idea what they will or won’t do with that information. We’re also wondering if “discreetly monitor[ing] audio and video” is something anyone should be doing to their little or vulnerable loved ones. We all deserve privacy.

Another similar product is the AngelSense Watch (confusing, we know). It’s also marketed as a device to help guardians keep kids and vulnerable adults “safe” and provides many of the same features. Though they technically have a section in their terms and conditions agreements called “Privacy Policy” it doesn’t meet our standards of an actual policy. It leaves us with way too many unanswered questions, especially for a product that collects such sensitive information.

When products are marketed to parents for kids and they collect a ton of personal information, they usually make bold promises about why that’s necessary. Both “angel” smart watches promise safety. Moxie, the AI robot with heart, promises to help your child regulate their emotions, learn, and be your “parental co-pilot.” But in order to do those things, Moxie has to transcribe everything your child says to it, and can share some of that information with Google and OpenAI. While Moxie didn't technically earn our warning label, it did worry us. Especially since its privacy policy tells parents it’s their responsibility to make sure to teach their kids to never share personal information with Moxie. What?

Want to see less naughtiness from connected devices?

We do too! We do our best to give you the information you need to make smarter choices that protect more of your privacy. But it seems like there are fewer and fewer good options with each guide. We’re especially bummed to see so many of the brands we once trusted turn over to the data-sharing dark side. But know that we’ll never give up the fight for better privacy practices in consumer tech. And to all you newly naughty brands: it’s never too late to turn back!

You can help us hold these companies accountable by sharing our research and supporting our work. Together, we can do more.

Jen Caltrider

During a rather unplanned stint working on my Master’s degree in Artificial Intelligence, I quickly discovered I’m much better at telling stories than writing code. This discovery led to an interesting career as a journalist covering technology at CNN. My true passion in life has always been to leave the world a little better than I found it. Which is why I created and lead Mozilla's *Privacy Not Included work to fight for better privacy for us all.

Misha Rykov

Kyiv-native and Berlin-based, Misha worked in big tech and security consulting before joining Mozilla's privacy effort. Misha loves investigative storytelling and hates messy privacy policies. Misha is an advocate for stronger and smarter privacy regulations, as well as for a safer Internet.

Zoë MacDonald

Zoë is a writer and digital strategist based in Toronto, Canada. Before her passion for digital rights led her to Mozilla and *Privacy Not Included, she wrote about cybersecurity and e-commerce. When she’s not being a privacy nerd at work, she’s side-eyeing smart devices at home.
