There’s no getting around it. It’s been a rough year for privacy. So, we admit that we’re not completely caught off guard that during the shoppingest time of year it feels like it’s your privacy that’s roasting on an open fire. But I guess that makes us Jack Frost because, uh, nothing will stop us from nipping at these companies’ privacy no-nos!
This year, we reviewed the privacy and security of over 100 connected products, from video doorbells to Bluetooth trackers and all manner of robots in between. After about a thousand hours of research (yes, we’re tired), here are the biggest changes we noticed in consumer tech since our guide last year:
- We saw some of the good go bad: Sonos and Bose have been in our good books for privacy in recent years. For the first time, they have earned our *Privacy Not Included warning label.
- Google went from just OK to officially bad this year: Also joining the formerly OK but now naughty list are (Google-owned) Fitbit, and Tile trackers.
- And then there are the bad guys who keep getting worse: Amazon, Amazon Ring, Samsung, Microsoft Xbox, and Wyze were already on our naughty list, but they managed to get worse. We noticed.
- AI integration is becoming a lot more common: it is used in at least 94 of the products we reviewed. And too often, that means your personal information can be stored, studied, shared, or all of the above. Two such cases: iRobot’s test-run Roombas’ video recordings were reviewed by humans for AI training. That resulted in images from inside test-users’ homes showing up on Facebook. The company that owns the “learning robot with heart,” Moxie, may share parts of your child’s conversations with OpenAI, can store them for up to 18 months, and use them to “improve the AI.”
It was a good year for regulators doing their job. The FTC brought down the hammer on Microsoft Xbox and Amazon for violating the US’ children's data privacy law, COPPA. European regulators issued a record-breaking number of fines to companies for not obeying Europe’s GDPR (General Data Protection Regulation). That included a whopper for Meta – the largest fine ever so far – at $1.3B!
And many of our Best Ofs did keep their good-at-privacy status. Phew. Good-guy Garmin made our privacy-loving heart grow three sizes this season when we realized that their privacy practices got even better since last year. We also spotted a mini trend in kids’ connected toys: data minimization. Interactive toys like Tamagotchi Uni and Artie 3000 keep children’s personal information safe by not collecting it. We love to see it!
As the status quo for privacy seems to be slipping into the gutter, we feel it’s more important than ever to celebrate the brands that get it right. So stay tuned for our not quite as long but nonetheless very much appreciated nice list!
Our (newly) naughty list: Smart Home
These Smart Home brands are getting coal in their stockings and the *Privacy Not Included warning label for the first time this year:
In a *Privacy Not Included first, all Google products -- including their popular smart home products like the Google Nest line -- get our warning label this year. Two things pushed them over the edge, from just OK to bad. For one, their not-so-good track record. Google has received several multi-million dollar fines in recent years for some pretty serious privacy-related lapses. Second, how they use your data. Google says they can collect data from publicly available sources to train their AIs, but leave us wondering what exactly counts as “publicly available.”
Wyze, maker of security cameras, video doorbells, robot vacuums, smart lighting and more, is officially bad now too. Recently, they’ve had the worst kind of security vulnerabilities and breaches – ones that could show strangers videos from inside your home. Yikes! Policy-wise, they can collect a ton of information about you, can use it to create new data about you (called “inferences”), and may sell some of it. Bad!
Sonos also doesn’t give everyone the right to delete their personal data and can sell your personal information for ads (according to how the state of California defines a “sale” – which includes when your information is exchanged for other “valuable consideration” and not just money).
As for Amazon Ring, it sure seems like they are still sharing a heck of a lot of sensitive information with law enforcement. They also failed to respond to the security vulnerability Mozilla brought to their attention last year.
Our (newly) naughty list: Entertainment & Tech
Tile, the original Bluetooth-tracker-maker, has taken a turn for the worse this year. First, their parent company, Life360, was sued for selling users’ location data without permission. That’s ho-ho-horrible!
And then, while other tracker-makers (like Apple) are adding features that make it harder and harder to use them to track people without their permission, Tile seems to be walking that back a bit. In February, they released “Anti-Theft Mode.” It bypasses their “Scan and Secure” anti-stalking feature by making Tiles totally undetectable. So it’s a concern for anyone who is worried about a Tile following them around without their consent. It also raises some privacy concerns for users who turn on that feature. To use Anti-Theft Mode, you have to verify your identity and consent to have your information shared with law enforcement at Tile’s discretion. Yikes again.
A third “yikes” for Tile is that their parent company, Life360, says they can collect additional information about you from third parties and combine it with what they already know about you. That’s something that former nice guy, Bose, now says they can do too. Another thing Bose can do? Collect data on your head movements from your headphones. Come on, it’s nobody’s business if your head-bobbing is offbeat. Weirder, they may sell that information alongside your email address. Bose also doesn’t make it clear whether everyone has the right to delete their personal information.
Our (newly) naughty list: Health & Fitness
Google says they’ll keep your health data safe and separate from the boatload of information they already have about you. But, that doesn’t keep privacy experts (including us) from worrying. After all, Google has reportedly misled users before and is already behaving badly with Fitbit data. Privacy advocacy group NOYB pointed out that they are violating Europe’s data privacy law, GDPR, by forcing users to consent to having their data transferred outside the EU if they want to use the app at all.
Our (newly) naughty list: Kids’ Products
We do too! We do our best to give you the information you need to make smarter choices that protect more of your privacy. But it seems like there are fewer and fewer good options with each guide. We’re especially bummed to see so many of the brands we once trusted turn over to the data-sharing dark side. But know that we’ll never give up the fight for better privacy practices in consumer tech. And to all you newly naughty brands: it’s never too late to turn back!
You can help us hold these companies accountable by sharing our research and supporting our work. Together, we can do more.
During a rather unplanned stint working on my Master’s degree in Artificial Intelligence, I quickly discovered I’m much better at telling stories than writing code. This discovery led to an interesting career as a journalist covering technology at CNN. My true passion in life has always been to leave the world a little better than I found it. Which is why I created and lead Mozilla's *Privacy Not Included work to fight for better privacy for us all.
Kyiv-native and Berlin-based, Misha worked in big tech and security consulting before joining Mozilla's privacy effort. Misha loves investigative storytelling and hates messy privacy policies. Misha is an advocate for stronger and smarter privacy regulations, as well as for a safer Internet.
Zoë is a writer and digital strategist based in Toronto, Canada. Before her passion for digital rights led her to Mozilla and *Privacy Not Included, she wrote about cybersecurity and e-commerce. When she’s not being a privacy nerd at work, she’s side-eyeing smart devices at home.