Warning: *Privacy Not Included with this product
Sonos' smart speakers (and sound bars) -- which include the Era 300 & 100, One, Roam, Move 2, Five, Beam, Arc, and Ray -- take the sound quality of Sonos speakers and add in voice control, via their own Sonos Voice Control. You can still use Alexa or Google Assistant through your Sonos smart speaker too, but you don’t have to if you're not a fan of Google or Amazon. Sadly, it's not all gravy for us privacy-minded folks. This year, Sonos fell from grace -- from our "Best Of" and into the privacy danger zone. It's never too late to turn back, Sonos!
What could happen if something goes wrong?
Say it ain’t Sonos! In recent years, some Sonos speakers have been on our Best Of list – a category that we really wish was less exclusive. But this year, we are sad to say, Sonos has landed on our naughty list. Yes, Sonos says they can "sell" some of your personal data to places like "unaffiliated third parties for their advertising purposes," which is something we really don't like here at *Privacy Not Included.
Sonos' privacy policy says that they don’t sell your personal information to third parties. But their California Consumer Privacy Act (CCPA) disclosure says otherwise. According to the law in California, a sale doesn’t just mean exchanging data for money, but includes other kinds of business exchanges for monetary value as well. By that definition, Sonos can “sell” your IP address, zip code, time and date of visit, browser type and version, operating system, device make and model, contact information (such as hashed email address), Sonos device type, genre of the station you are currently listening to, listener ID, and language to advertising partners, advertisers, unaffiliated third parties for their advertising purposes, and analytics providers. That's bad. Also bad: Sonos only guarantees the right to opt out of selling if you live under a strong privacy law in places like California. Boo to following the low bar of the law instead of what’s right.
And if you decide to use Sonos Radio, a $7.99 subscription service that plays you curated music and lets you tune into over 60,000 radio stations around the world, Sonos can use information about what you listen to and how you interact with the app to show you interest-based ads. They also might share some information that could identify you, like your IP address, with “radio content partners who may run ads on their stations.” Not great.
We do still love that Sonos went and built their own AI voice assistant for their Sonos smart speakers that processes all your voice requests right on the device. So, when you ask Sonos to play Taylor Swift’s new album over and over using their Sonos voice assistant, no one hears that but you. Sonos does not retain a copy or transcript of your voice recording. This is way better than using Amazon’s Alexa or the Google Assistant AIs, which collect, process, and retain lots of information about you -- even if Sonos doesn't. So, when you get your new Sonos smart speaker, you will have to actively enable a voice assistant and we recommend using the Sonos Voice Control over Alexa or Google Assistant if you care about privacy.
Another thing we should mention is that in May of 2023 hackers discovered multiple security flaws in the Sonos One wireless speakers. If those flaws had been exploited in the wild, bad actors could have gotten hold of data. But they weren't. They were found during a hacking contest held in Toronto, and Sonos awarded those hackers $105,000 for discovering them. Good work, Sonos! Sonos also patched those flaws quickly. Vulnerabilities aren't good, but being proactive about cybersecurity? That's something we really love to see. While we're banging that drum, keep your software updated, folks! It's one of the best and easiest things you can do to keep your apps and devices secure.
Ah, Sonos, these changes to your policies make us nostalgic for your relatable privacy goof back in 2020 – when you accidentally sent an email to 450 customers and revealed all of their email addresses to each other. That’s the kind of oopsie we can understand. But all this sharing and selling? Not so much. It pains us to say that Sonos speakers could come with *privacy not included.
Tips to protect yourself
- Opt out from additional usage data collection
- If you can, opt out from 'sales' of your information.
- When starting a sign-up, do not agree to tracking of your data.
- Do not sign up with third-party accounts. It's better to log in with an email and a strong password.
- Choose a strong password! You may use a password control tool like 1Password, KeePass, etc.
- Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images, location unless necessary)
- Keep your app regularly updated
- Limit ad tracking via your device (eg on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization)
- Request your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.
Can it snoop on me?
Camera
Device: No
App: No
Microphone
Device: Yes
App: Yes
Tracks location
Device: No
App: Yes
What can be used to sign up?
Yes
Phone
No
Third-party account
No
What data does the company collect?
Personal
- Registration data: email address, location, language preference, Product serial number, IP address, and Sonos account login information (as described above).
- System data: product type, controller device type, controller operating system, software version, content source (audio line in), signal input (e.g. whether your TV outputs a specific audio signal such as Dolby to your Sonos system), information about WiFi antennas, system settings (such as equalization or stereo pair), Product orientation, names of the music service(s) you added/enabled on your Sonos product, the names you have given your Sonos Product in different rooms, whether your Product has been tuned using Sonos Trueplay technology, system performance metrics (e.g. the temperature of your Product or WiFi signal strength) and error information.
- Your general geographic location as indicated by your IP address, your country and/or postcode when you register your Products.
- As required for certain Services: location-based data using GPS (or similar technology, where available) and crowdsourced Wi-Fi access points and cell tower locations collected from your third party device when the Sonos app is in use.
- Activity Information: duration of music service use, product or room grouping information, command information (such as play, pause, change volume, or skip tracks), information about playlist or station container data including listening history (‘Recently Played’); and Sonos playlist or Sonos favorites information; each correlated to individual Sonos Products and your interactions with them.
- Audio or visual information, such as sound when you enable voice control technology on a voice-enabled Sonos Product, audio recordings if you call our customer service, participate in a recorded survey or research event, or CCTV recordings if you visit one of our physical locations or attend an event or program.
- "Inferences drawn from any of the above information"
Body related
Voice data if you use Sonos Voice Control, Amazon Alexa, or Google Assistant
Social
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In May 2023, Sonos paid $105,000 to three hacker teams that exposed several vulnerabilities in Sonos systems at the Pwn2Own hacking contest held in Toronto. Following responsible disclosure on December 29, 2022, the flaws were addressed by Sonos as part of Sonos S2 and S1 software versions 15.1 and 11.7.1, respectively. Users are recommended to apply the latest patches to mitigate potential risks.
In January 2020, an email that Sonos accidentally sent to 450 customers revealed all of their email addresses to each other.
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Sonos's privacy policy is long and has a lot of information in it, but it is also laid out nicely and easily searchable, and they provide a link to a downloadable PDF of their privacy policy and archived versions of their privacy policies so you can track what has changed. As privacy researchers, we really appreciate this.
Links to privacy information
Does this product meet our Minimum Security Standards?
Encryption
Strong password
Security updates
Manages vulnerabilities
Sonos has a security researcher recognition page here: https://www.sonos.com/en-us/security
Privacy policy
Dive Deeper
- Hackers Win $105,000 for Reporting Critical Security Flaws in Sonos One Speakers (The Hacker News)
- Privacy Evaluation for Sonos (Common Sense Privacy Program)
- Sonos Voice Control Is A Privacy-First Alternative To Alexa And Google (Slash Gear)
- New Sonos Digital Assistant May Protect Consumer Privacy (Consumer Reports)
- Sonos Voice Control review: a speedy, private, music-focused assistant (The Verge)
- A Sonos survey suggests the company might build a voice assistant of its own (The Verge)