Sonos Smart Speakers

Warning: *Privacy Not Included with this product

Sonos
Wi-Fi Bluetooth

Review date: Nov. 1, 2023

Mozilla says

People voted: Somewhat creepy

Sonos' smart speakers (and sound bars) -- which include the Era 300 & 100, One, Roam, Move 2, Five, Beam, Arc, and Ray -- take the sound quality of Sonos speakers and add in voice control, via their own Sonos Voice Control. You can still use Alexa or Google Assistant through your Sonos smart speaker too, but you don’t have to if you're not a fan of Google or Amazon. Sadly, it's not all gravy for us privacy-minded folks. This year, Sonos fell from grace -- from our "Best Of" and into the privacy danger zone. It's never too late to turn back, Sonos!

What could happen if something goes wrong?

Say it ain’t Sonos! In recent years, some Sonos speakers have been on our Best Of list – a category that we really wish was less exclusive. But this year, we are sad to say, Sonos has landed on our naughty list. Yes, Sonos says they can "sell" some of your personal data to places like "unaffiliated third parties for their advertising purposes," which is something we really don't like here at *Privacy Not Included.

Sonos' privacy policy says that they don’t sell your personal information to third parties. But their California Consumer Privacy Act (CCPA) disclosure says otherwise. According to the law in California, a sale doesn’t just mean exchanging data for money, but includes other kinds of business exchanges for monetary value as well. By that definition, Sonos can “sell” your IP address, zip code, time and date of visit, browser type and version, operating system, device make and model, contact information, such as hashed email address, Sonos device type, genre of the station you are currently listening to, listener ID, and language, to advertising partners, advertisers, unaffiliated third parties for their advertising purposes, and analytics providers. That's bad. Also bad: if users want to opt out of selling, they only guarantee those rights if you live under a strong privacy law in places like California. Boo to following the low bar of the law instead of what’s right.

And if you decide to use Sonos Radio, a $7.99 subscription service that plays you curated music and lets you tune into over 60,000 radio stations around the world, Sonos can use information about what you listen to and how you interact with the app to show you interest-based ads. They also might share some information that could identify you, like your IP address, with “radio content partners who may run ads on their stations.” Not great.

We do still love that Sonos went and built their own AI voice assistant for their Sonos smart speakers that processes all your voice requests right on the device. So, when you ask Sonos to play Taylor Swift’s new album over and over using their Sonos voice assistant, no one hears that but you. Sonos does not retain a copy or transcript of your voice recording. This is way better than using Amazon’s Alexa or the Google Assistant AIs that collect and process and retain lots of information about you -- even if Sonos doesn't. So, when you get your new Sonos smart speaker, you will have to actively enable a voice assistant and we recommend using the Sonos Voice Control over Alexa or Google Assistant if you care about privacy.

Another thing we should mention is that in May of 2023 hackers discovered multiple security flaws in the Sonos One wireless speakers. If those flaws were exploited in the wild, bad actors could have gotten a hold of data. But, they weren't. They were found during a hacking contest held in Toronto, and Sonos awarded those hackers $105,000 for discovering them. Good work Sonos! Sonos also patched those flaws quickly. Vulnerabilities aren't good, but being proactive about cybersecurity? That's something we really love to see. While we're banging that drum, keep your software updated, folks! It's one of the best and easiest things you can do to keep your apps and devices secure.

Ah, Sonos, these changes to your policies make us nostalgic for your relatable privacy goof back in 2020 – when you accidentally sent an email to 450 customers and revealed all of their email addresses to each other. That’s the kind of oopsie we can understand. But all this sharing and selling? Not so much. It pains us to say that Sonos speakers could come with *privacy not included.

Tips to protect yourself

  • Opt out from additional usage data collection
  • If you can, opt out from 'sales' of your information.
  • When starting a sign-up, do not agree to tracking of your data.
  • Do not sign up with third-party accounts. Better to just log in with an email and a strong password.
  • Choose a strong password! You may use a password control tool like 1Password, KeePass, etc.
  • Use your device privacy controls to limit access to your personal information via the app (do not give access to your camera, microphone, images, or location unless necessary)
  • Keep your app regularly updated
  • Limit ad tracking via your device (eg on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization)
  • Request your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.

Can it snoop on me?

Camera

Device: No

App: No

Microphone

Device: Yes

App: Yes

Tracks location

Device: No

App: Yes

What can be used to sign up?

What data does the company collect?

How does the company use this data?

We ding this product for potentially selling personal information to advertising partners, advertisers, and unaffiliated third parties for their advertising purposes for interest-based ads as the term 'sale' is defined by the CCPA.

Sonos, Inc. Privacy Statement

"Sonos does not and will not sell personal information about our customers. However, certain data practices described throughout this Privacy Statement may constitute a “sale” or “sharing” of data under California and/or other US state laws. See the below CA Addendum for more information applicable to CA residents. We want you to understand that information about our customers is an important part of our business. We only disclose your data as described in this Statement. We may share information with the following types of third parties:

Third Party Vendors <...>
Transactions involving Third Parties <...>
Advertising Partners:
If you decide to use Sonos Radio, we will share a subset of your information with third party advertising companies to present, via Sonos Products, interest-based ads for features, products, and services that might be of interest to you. Specifically, we share the following information with our advertising partners: location, language, and genre of the station you are currently listening to (which is not based on your overall listening history). We will share information with advertisers, which describes the overall listening audience in general. We may also share limited location information and identifiers (i.e. an IP address) with some of our third party radio content partners who may run ads on their stations.
Sonos-controlled Affiliates and Subsidiaries <...>
Compelled Disclosure and Law Enforcement
When legally required, strictly necessary for the performance of the services or to protect our rights, or the rights of our affiliates or users, we disclose your personal information to law enforcement authorities, investigative organizations, our affiliates or in legal proceedings. We will share your personal information when we in good faith believe it is necessary for us to do so in order to comply with a legal obligation under applicable law or respond to a valid legal process (e.g. a search warrant, a court order, or a subpoena).
Sharing and Disclosure of Aggregate Data
We share data in aggregate form and/or in a form which does not enable the recipient of such data to identify you, with third parties, for example, for industry analysis"

"There are only two occasions when we will capture sound from within your home: (a) when you enable voice control technology on a voice-enabled Sonos Product (such as Sonos One or Beam); and (b) when you utilize our innovative Trueplay room tuning technology."

"Sonos does not retain a copy or transcript of your voice recording."

"We use data to protect the security and safety of our customers, Sonos Products and Services, to detect and prevent fraud, to resolve disputes and enforce our agreements. We may use third parties to assess and manage credit risks. This processing is necessary to serve our legitimate interest."

"We use the data we collect to deliver and personalize our communications with you. <...>
If you elect to receive marketing, promotional and support text messages from us, either via our website, app or by sending a text message indicating your consent, you are providing your express written consent to receives recurring marketing, promotional and support text messages from us <...> sent through an automatic telephone dialling system. When you sign up to receive Text Messages, we will send you information about promotional offers and more. These messages may use information automatically collected based on your actions on our site and may prompt messaging such as cart abandonment messages.
If you choose to use Sonos Radio, we may use information such as your interactions with Sonos site, Sonos Radio content, Sonos Products, Sonos app and other Services to display interest-based ads for features, products, and services that might be of interest to you. This processing is necessary to serve our legitimate interest. For more information on this, please visit The Legal Bases for Using Personal Information.
We also use cookies and similar technologies to provide the most relevant Sonos advertising to you. For information about managing email and text messaging subscriptions and promotional communications, please visit Your Rights and Choices."

California Privacy Statement
"During the 12 months leading up to the effective date of this Privacy Statement, we may have provided personal information (i.e., hashed email address and cookie related information) to third-party advertising providers for targeted advertising purposes, so that we can provide you with more relevant and tailored ads regarding our Products and Services, or use analytics partners to assist us in analyzing use of our services and our user/customer base. The disclosure of your personal information to these third parties to assist us in providing these services may be considered a “sale” of personal information under the CCPA, or the “sharing” of your personal information for purposes of “cross-context behavioral advertising.”

Categories of Information Collected
"Information about your computer or device, including IP address, time and date of visit, browser type and version, operating system, device make and model.
Contact information, such as hashed email address.
IP address, zip code, Sonos device type (e.g. Beam, One, Arc, etc.), genre of the station you are currently listening to, listener ID, language"

Categories of Third Parties to Whom We Have “Sold” This Information
"Advertising partners and advertisers
Unaffiliated third parties for their advertising purposes
Analytics providers"

How can you control your data?

We ding this product because it is unclear if all users can get their data deleted, and not all users can opt out from data 'selling'.

Sonos, Inc. Privacy Statement

"Sonos Account and Sonos App
If you wish to access, edit or remove profile information, change your password, close your account or request deletion of your personal data, you can do it by logging in to your Sonos account or Sonos app or sending an email to [email protected]. If you cannot access certain personal information collected by Sonos via the Sonos account, the Sonos app or directly via the Sonos Product that you use, you can always contact us by sending an email to [email protected]. We will respond to any request to access or delete your personal data as soon as possible but certainly within 30 days."

"Laws in certain jurisdictions, including the EEA, UK, and Switzerland, as well as California and Virginia, also grant consumers the right to exercise certain controls and choices regarding our collection, use, and disclosure of your personal information. Subject to local law, you may request we:
provide access to or a copy of the personal information we hold about you;
correct any of the personal information, we hold about you that is out of date or incorrect;
in certain situations, erase, block or restrict the personal information we hold about you, or object to particular ways in which we are using your personal information;..."

"Residents of certain jurisdictions, like California and Virginia, also have the right to opt out of “sales” of their information and “sharing/processing of their information for targeted advertising.” If you would like to opt out of our online disclosure such as through cookie and pixel technology of your personal information for purposes that could be considered “sales” for those third parties' own commercial purposes, or “sharing” for purposes of targeted advertising, please see Cookie Preferences."

"If you wish to object to any such processing, simply disable the feature (for example, disable voice control) or unlink the feature (for example, unlink your home automation remote) from your Sonos Products. The voice control function or other direct control functionality will not work unless you authorize us to collect and process the data as outlined in this section."

What is the company’s known track record of protecting users’ data?

Average

In May 2023, Sonos paid $105,000 to three hacker teams that exposed several vulnerabilities in Sonos systems at the Pwn2Own hacking contest held in Toronto. Following responsible disclosure on December 29, 2022, the flaws were addressed by Sonos as part of Sonos S2 and S1 software versions 15.1 and 11.7.1, respectively. Users are recommended to apply the latest patches to mitigate potential risks.

In January 2020, an email accidentally sent by Sonos to 450 customers revealed all of their email addresses to each other.

Child Privacy Information

"Sonos does not target and is not intended to attract children under sixteen. Although visitors of all ages may navigate through our website or use our app, we do not knowingly collect or request personal information from those under the age of sixteen without parental consent. If, following a notification by a parent or guardian or discovery by other means, a child under sixteen has been improperly registered on our site using false information, we will cancel the child's account and delete the child's personal information from our records."

Can this product be used offline?

No

User-friendly privacy information?

Yes

Sonos's privacy policy is long and has a lot of information in it, but it is also laid out nicely, easily searchable, and they provide a link to a downloadable pdf of their privacy policy and archived versions of their privacy policies so you can track what has changed. As privacy researchers, we really appreciate this.

Links to privacy information

Does this product meet our Minimum Security Standards?

Yes

Encryption

Yes

Strong password

Yes

Security updates

Yes

Manages vulnerabilities

Yes

Sonos has a security researcher recognition page here: https://www.sonos.com/en-us/security

Privacy policy

Yes

Does the product use AI?

Yes

Sonos provides its own voice assistant.

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

Is the company transparent about how the AI works?

Yes

Does the user have control over the AI features?

Yes
