Turn me up some: Smart speaker outfit Sonos blasted in complaint to UK privacy watchdog
Tech lawyer argues that 'give us all your data or your kit gets it' doesn't count as valid consent
Sonos stands accused of seeking to obtain "excessive" amounts of personal data without valid consent in a complaint filed with the UK's data watchdog.
Sonos will deny updates to those who snub rewritten privacy termsREAD MORE
The company changed its terms in summer 2017 to allow it to collect more data from its users – ostensibly because it was launching voice services. Sonos said that anyone who didn't accept the fresh Ts&Cs would no longer be able to download future software updates.
Sonos denied at the time that this was effectively bricking the system, but whichever way you cut it, the move would deprecate the kit of users that didn't accept the terms. The app controlling the system would also eventually become non-functional.
Gardiner pointed out, however, that security risks and an interest in properly maintaining an expensive system meant there was little practical alternative other than to update the software.
Sonos collects personal data in the form of name, email address, IP addresses and "information provided by cookies or similar technology".
The system also collects data on room names assigned by users, the controller device, the operating system of the device a person uses and content source.
Sonos said that collecting and processing this data – a slurp that users cannot opt out of – is necessary for the "ongoing functionality and performance of the product and its ability to interact with various services".
But Gardiner questioned whether it was really necessary for Sonos to collect this much data, noting that his system worked without it prior to August 2017. He added that he does not own a product that requires voice recognition.
"Of course one can design a device which 'requires' significant personal data to function. That is a design choice," he said in the complaint. "It is also entirely possible to design a device which needs minimal personal data."
In his complaint, Gardiner argues that the extra slurpage could allow Sonos to build a profile on him based on his use of the system and by linking his choice of music to his Sonos account or that of other third parties.
The complaint added that the use of legitimate interests for processing fails to balance the privacy rights of individuals, and is "used as a carte blanche excuse... to unlawfully harvest and process my personal data".
Gardiner said that he had so far not received a copy of the data Sonos holds on him as attempts by the firm to send it had failed and were not repeated.
Sonos stood its ground, saying the data it collects is necessary for the device's function, adding for good measure that it "has never and will never sell" any of its customers' data.
The ICO confirmed to El Reg that it had received a complaint "and will be looking into the detail in line with our usual procedures". ®
Sponsored: Becoming a Pragmatic Security Leader