Turn me up some: Smart speaker outfit Sonos blasted in complaint to UK privacy watchdog

Tech lawyer argues that 'give us all your data or your kit gets it' doesn't count as valid consent

Sonos stands accused of seeking to obtain "excessive" amounts of personal data without valid consent in a complaint filed with the UK's data watchdog.

The complaint, lodged by tech lawyer George Gardiner in a personal capacity, challenges the Sonos privacy policy's compliance with the General Data Protection Regulation and the UK's implementation of that law.

It argues that Sonos had not obtained valid consent from users who were asked to agree to a new privacy policy and had failed to meet privacy-by-design requirements.

The company changed its terms in summer 2017 to allow it to collect more data from its users – ostensibly because it was launching voice services. Sonos said that anyone who didn't accept the fresh Ts&Cs would no longer be able to download future software updates.

Sonos denied at the time that this was effectively bricking the system, but whichever way you cut it, the move would deprecate the kit of users that didn't accept the terms. The app controlling the system would also eventually become non-functional.

Gardiner pointed out, however, that security risks and an interest in properly maintaining an expensive system meant there was little practical alternative other than to update the software.

This resulted in a mandatory acceptance of the terms of the privacy policy, rendering any semblance of consent void.

"I have no option but to consent to its privacy policy otherwise I will have over £3,000 worth of useless devices," he said in a complaint sent to the ICO and shared with The Register.

Users setting up accounts are told: "By clicking on 'Submit' you agree to Sonos' Terms and Conditions and Privacy Policy." This all-or-nothing approach is contrary to data protection law, he argued.

Sonos collects personal data in the form of name, email address, IP addresses and "information provided by cookies or similar technology".

The system also collects data on room names assigned by users, the controller device, the operating system of the device a person uses and content source.

Sonos said that collecting and processing this data – a slurp that users cannot opt out of – is necessary for the "ongoing functionality and performance of the product and its ability to interact with various services".

But Gardiner questioned whether it was really necessary for Sonos to collect this much data, noting that his system worked without it prior to August 2017. He added that he does not own a product that requires voice recognition.

"Of course one can design a device which 'requires' significant personal data to function. That is a design choice," he said in the complaint. "It is also entirely possible to design a device which needs minimal personal data."

In his complaint, Gardiner argues that the extra slurpage could allow Sonos to build a profile on him based on his use of the system and by linking his choice of music to his Sonos account or that of other third parties.

The complaint added that the use of legitimate interests for processing fails to balance the privacy rights of individuals, and is "used as a carte blanche excuse... to unlawfully harvest and process my personal data".

Gardiner said that he had so far not received a copy of the data Sonos holds on him as attempts by the firm to send it had failed and were not repeated.

He said he wants the ICO to rule both the consent Sonos collected and its privacy policy as invalid, and order the firm to delete all the personal data collected since the terms were changed.

Sonos stood its ground, saying the data it collects is necessary for the device's function, adding for good measure that it "has never and will never sell" any of its customers' data.

The company also offered the following canned line: "We take the privacy of our customers extremely seriously and our privacy policy is aligned with the latest legislation."

The ICO confirmed to El Reg that it had received a complaint "and will be looking into the detail in line with our usual procedures". ®





Biting the hand that feeds IT © 1998–2019