The ICO exists to empower you through information.

Lots of people now own at least one smart home product, also known as Internet of Things (IoT) products. TVs, connected toys, kitchen appliances, doorbells, baby monitors, speakers and fitness trackers are all smart products that slide seamlessly into our homes and everyday lives.

They work by connecting to other products or ‘things’ over the internet, and to the environment around them. For example, you can ask your virtual assistant on a smart speaker to change the temperature in the room, which it does by connecting to your smart thermostat over the internet.

The benefits of these products are obvious, but the risks to your personal information are often less clear.

Follow these top tips to help you:

  • manage the personal information you share with organisations;
  • protect yourself from security risks posed by hackers;
  • avoid sharing more information than you want to; and
  • lower your chances of becoming a victim of identity fraud.

What should I check before I buy?

Do your research

Smart products naturally collect more of your personal information than other products in order to function. It’s important to do some research about which one is right for your needs before buying. Read some reviews and pay attention to how long the manufacturer states they will provide security updates for your product.

Ask yourself whether certain privacy features are important to you. This could include a physical switch to stop your smart speaker from gathering voice data, or a physical cover to put over the camera.

Check what personal information is collected

Make sure you’re comfortable with the information the device wants to access. Privacy policies can be daunting, but taking a look at the section on data collection and sharing should help you gather the information you need. You can ask yourself the following questions to make sure you’re happy before you buy:

  • What personal information does the device collect from me to work?
  • What else can it collect from me and how often?
  • If additional information isn’t needed for the device to work, am I comfortable sharing it?
  • Will my information be shared with other organisations?
  • Why will it be shared?

What should I do during set up?

Make sure you pay attention when you set up your new device and carefully consider the options about what information it collects. Most devices will ask you what information you want to share at the start, but you can also review your choices in your privacy settings at any time.

Remember, don’t press agree unless you do.

Check your permissions

Many smart products come with an accompanying app to set them up and access the settings. When setting up your product, you have the option to grant it permission to collect certain information. This could include access to your phone’s microphone, approximate or precise location, camera, your phone contacts and photos.

The product may require some of this information for it to work, for example a fitness tracker may require your location to function. However, not all information sharing is necessary for some products to work. Use the privacy controls to limit the permissions to access your personal information, if they seem unreasonable or excessive. You can decide if you want to grant permissions without any time restriction or only when the app is in use.

Be picky about who gets your information

Some smart products ask to share information with other organisations in order to unlock more features. For example, an app that helps you train and monitor your running may integrate with your smartwatch or fitness tracker which shares your information about calories, running distance and speed. You should only consent to sharing your information with companies you know and trust.

Think about the adverts you want to see

You might want to keep some interactions with your smart product private. For example, you may not want to receive personalised adverts about something you asked your smart assistant to add to your shopping basket.

Organisations can use the information your smart product collects to build a detailed picture about you. They could use this to personalise adverts you see based on your online behaviours and location, depending on the type of product you have. Organisations should only use this information for personalised advertising if you’ve consented.

When you set up your device, check what options you have to control the use of your information for advertising. You can always change this later by going back to the privacy settings.

Choose a secure password

You wouldn’t leave your house with the key still in the front door, so don’t lock your devices with an easily guessable password. The law on smart products now requires manufacturers to meet basic security requirements. This includes banning easily guessable default passwords. There are a number of ways you can reduce the risk of your account being compromised:

  • If your device does have a weak password, then follow the NCSC’s advice and create a password using three random words.
  • Never reuse your passwords, and choose an entirely different combination if you change one.
  • Consider getting a password manager. You can use it to store all your passwords in one place and keep them secure, so you only need to remember one log-in.
  • Look at websites, such as haveibeenpwned, to help you identify whether the password you have chosen has appeared in a data breach before. You could check these regularly and change your password, if needed.

You can get more information about choosing better passwords at Get Safe Online and Cyber Aware.
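The tips above, as an added example that is not part of the original guidance: it builds a three-random-words password and shows how a breach lookup of the kind haveibeenpwned offers can work without the password leaving your device, by sending only the first five characters of its SHA-1 hash and matching the rest locally. The word list, the `constructed_fetch` stand-in for the network call and its counts are constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample word list (assumption). A real generator needs thousands of words.
WORDS = ["copper", "lantern", "orbit", "meadow", "pickle", "harbour",
         "violet", "sandal", "thunder", "biscuit", "canyon", "walrus"]

def three_random_words(words=WORDS, sep="-"):
    """Join three distinct words chosen with a cryptographically secure RNG."""
    pool = list(words)
    return sep.join(pool.pop(secrets.randbelow(len(pool))) for _ in range(3))

def split_hash(password):
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, fetch_range):
    """Send only the hash prefix; match the suffix locally against SUFFIX:COUNT lines."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0  # suffix absent: not in this breach data set

def constructed_fetch(prefix):
    """Constructed stand-in for the network call; the counts are made up."""
    known_prefix, known_suffix = split_hash("password")
    if prefix != known_prefix:
        return ""
    return f"{'0' * 35}:3\n{known_suffix}:12345\n"

def advice(password, fetch_range=constructed_fetch):
    """Return 'change' if the password appears in breach data, else 'keep'."""
    return "change" if breach_count(password, fetch_range) > 0 else "keep"

if __name__ == "__main__":
    candidate = three_random_words()
    print(candidate, advice(candidate))
    print("password", advice("password"))
```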

Check the security of your router

You should make sure your wifi router also uses a strong password. A router is a physical device which connects you to the internet. Many smart products need to connect to your wifi router to function as ‘smart’. If your router is not protected, it is much easier for hackers to access your devices and the information stored there.

There are rules for manufacturers to follow, which mean that your router should already come with a strong password. However, if your router comes with a password that looks common or simple, such as ‘123456789’, ‘admin’ or ‘password’, then you should change it. Follow the same principle as setting a password for your smart product, using three random words with special characters.

Accessing the settings for your router and checking it’s secure is different to connecting to your wifi. We have produced further guidance on securing your wifi network.

If there’s a two-step verification option – use it

Two-step verification (2SV) adds an additional layer of security to your account. The device may ask for an additional method of authentication, as well as your username and password. For example, it may send you a text or email with a code, or ask to use facial recognition.

Using 2SV means that if your username and password are compromised, it is still not possible for someone else to gain access to your account. They would also need to know the second verification method, such as the code sent to your mobile phone. If you have 2SV turned on, your information has a much greater chance of remaining secure.

You can read the National Cyber Security Centre’s tips for using 2SV.

How should I keep up to date when I’m using the product?

Keep up with the security updates

Updating your software to the latest version can fix any bugs and glitches and strengthen protection against hackers and cyber criminals. New updates often address any vulnerabilities that could enable hackers to access your information.

Check your settings to see if you can set your device and its app to update automatically. You should be prompted when a new update is ready to install, usually via a pop-up message or from the settings menu of an app.

Vulnerabilities can also be found in any apps that you use along with your device. This may mean that although the device is still secure, the app itself may not be. If automatic updates are not available, then check the manufacturer’s website.

Review your settings

Remember that most products will have privacy controls in the settings. You can always go back to them and check whether you’re still happy with your choices. For example, consider whether you still want to share certain information or receive targeted advertising.

Some products give you the option to periodically delete some information. For example, some smart speakers have options to delete the queries you have asked after a certain time period. Consider whether automatic deletion is right for you.

What should I do when I want to stop using the product?

It might be time to recycle an old device or regift it. Either way, you’ll want to be sure that you’ve removed your information. You can usually erase all information and reset the device via the settings. Remember, simply deleting an app does not usually erase your information.

You should also consider whether you want to delete your account, for example if the only reason you created it was to use the device.

You can also request a copy of your information before you delete it.

If you’re unable to erase your information within the settings, then contact the manufacturer and request the deletion this way.

You can read about your right to erasure and other information rights on our website.

What should I do if I’m not happy with how an organisation has handled my personal information?

If you’re unhappy with the way an organisation has handled your information, you should usually complain to them first. Most organisations will want to put things right, so giving them the opportunity to look into your complaint may help to address your concerns. You can find more information on how to do this, including a template letter that can help you, in the Raising a complaint with an organisation section of our website.

If you can’t resolve your complaint with the organisation directly, you can make a complaint to the ICO.

If you hear about an incident in the media, such as a data breach that may affect your device, you should first visit the manufacturer’s website. Check if there’s information there on what you should do next. You may need to update your device and passwords.

You can find out more information about protecting your information and devices on the National Cyber Security Centre website.

You can read further advice on your consumer rights at Citizens Advice, and on websites such as Which?.