The user group tested and rated a number of popular smart devices to give them a privacy score based on the data access requests they made.
She said her research found that data collection often goes beyond what is necessary for a product’s functionality, suggesting that in some cases personal data may be shared with third parties for marketing purposes.
The consumer champion said its research showed firms were collecting data with “reckless abandon” and called for stricter guidelines on smart product devices and data collection.
The UK’s data protection authority, the Information Commissioner’s Office (ICO), is due to publish such guidance next year.
According to the report, all three air fryer products tested wanted to know the user’s exact location and asked for permission to record audio on the user’s phone, for no reason given.
which ones? said one of the air fryers — made by Chinese firm Xiaomi — uses a connected app that connects to trackers from Facebook, an ad network linked to TikTok and, depending on the location, Chinese tech giant Tencent.
This air fryer and another from another Chinese company Aigostar also sent personal data to servers in China, Which? said, although it was noted in a privacy notice.
Also, Which? said the tested Huawei Ultimate smartwatch requested a set of phone permissions classified by the study as “risky,” including precise location, the ability to record audio, access to stored files, and the ability to see all other installed apps.
which ones? said it was told by Huawei that these permissions were a legitimate need and that no user data was used for marketing or advertising purposes.
Elsewhere, Which? said it found similar problems in smart TVs it tested made by Hisense, LG and Samsung.
The study says all three asked for a zip code at setup, and while the Hisense didn’t connect to any trackers, the Which? researchers could detect Samsung and LG TVs, including Facebook and Google.
It said the Samsung TV app also made a number of “risky” phone permission requests.
In its test of smart speakers, Which? highlighted that the Bose Home Portable speaker is “crammed” with trackers including Facebook, Google and digital marketing firm Urbanairship.
Harry Rose, what? magazine editor, said: “Our research shows how smart technology manufacturers and the companies they work with are currently able to harvest user data with seemingly reckless abandon, and often do so with little or no transparency.”
“What? calls for proper guidance outlining what is expected of smart product manufacturers and the ICO has confirmed that in spring 2025. a code is introduced – this must be backed up by effective enforcement, including against companies operating abroad.”
which ones? also encouraged users to improve their data privacy by making sure to opt out of data collection requests they don’t like, checking apps’ permission requests before downloading them, and denying or restricting access to the data of apps through your phone’s settings and delete voice recordings of interactions with voice assistants.
Slavka Bielikova, Chief Policy Adviser at the ICO, said: “The results of the smart product testing of Which? show that many products not only do not meet our data protection expectations, but also the expectations of users.
“Smart products know a lot about us – who we live with, what music we like, what medicines we take and much more. That’s why it’s vital that consumers trust smart product manufacturers to use their information safely and in the ways they expect.
“Earlier this year we asked consumers what they thought about smart products. They told us that their products collect too much information about them and that they feel powerless to control how their information is used and shared.
“This is why the ICO is working on new guidelines for manufacturers of smart products, which will be published in spring 2025.
“The guidelines will set out clear expectations of what they need to do to comply with data protection laws and in turn protect people using smart products.
“Our guidance will enable manufacturers to plan and invest in the use of information responsibly. We want to help organizations get it right, but where they don’t, we’ll be ready to act to ensure consumers are protected from harm.”
In response to Which? Samsung said: “At Samsung, the security and privacy of our customers’ data is paramount.
“And we use standard security precautions and practices to ensure that data is protected.
“Customers are also given the ability to view, download or delete any personal data through their Samsung accounts. Customers can find more information about our privacy policies at www.samsung.com/uk/info/privacy.”
Hisense said: “Hisense UK values its relationship with its customers and respects their data privacy rights.
“We comply with all UK data privacy laws and only capture our customers’ postcodes to enable them to receive regionally specific content, enhancing their user experience.
“If consumers are concerned, many of our TVs will accept a partial postcode.”
Huawei said: “Huawei takes user privacy incredibly seriously. Clearly, to be useful lifestyle and health/fitness partners, smartwatches require permissions to access a range of personal data; we’re very clear on both the devices at setup and the companion Huawei Health app, which permissions are needed and why, and users have full control over turning them on or off at any time.”
which ones? said it was told by Xiaomi that “respect for user privacy has always been among Xiaomi’s core values, which includes transparency, accountability, user control, security and compliance with laws” and “we do not sell personal information to third parties” .
“The permission to record audio in the Xiaomi Home app is not applicable to the Xiaomi Smart Air Fryer, which does not work directly through voice commands and video chat,” the company added.
which ones? said LG declined to comment until Aigostar and Bose responded.