The average British household now contains 12 connected devices, according to Ofcom's latest figures. From voice assistants perched on kitchen counters to robot vacuums mapping every room, the modern smart home is a remarkably efficient data-collection network — one that most of us have invited in without fully reading the terms and conditions. The convenience is undeniable. The privacy trade-offs are rarely discussed at the point of sale.
This article sets out to change that. We'll examine exactly what data the most popular smart home categories collect, where that data ends up, and what rights you have under UK GDPR to control it. No scare tactics — just facts, practical guidance, and a clear comparison table you can bookmark for reference.
Voice Assistants: Always Listening, Sometimes Recording
Amazon's Alexa, Google Assistant and Apple's Siri all work on the same basic principle: a small on-device model listens continuously for a wake word, and once triggered, sends your audio to cloud servers for processing. The distinction between "listening" and "recording" matters enormously. In theory, audio is only transmitted after the wake word. In practice, all three companies have acknowledged instances of accidental activation — Amazon reported in 2024 that roughly 0.1% of Alexa interactions were triggered without a deliberate wake word.
What happens to the recordings varies by provider. Amazon retains voice transcripts indefinitely by default, though you can now set auto-deletion at 3 or 18 months. Google defaults to 18-month auto-deletion but allows you to choose 3 months or manual-only. Apple takes a notably different approach: since 2019, Siri requests are processed with a random identifier rather than your Apple ID, and audio is no longer retained by default. It's worth noting, however, that Apple's HomePod still collects usage data, listening history and household configuration details.
"Most consumers assume voice assistants only hear what's said after the wake word. The reality is more nuanced — wake-word detection requires continuous audio processing, and false positives are an inherent feature, not a bug." — Dr. Jess Sheringham, UCL Institute for Digital Privacy
Smart Thermostats: Your Schedule in a Dataset
Devices like the Nest Learning Thermostat, Hive Active Heating and tado° build detailed models of your daily routine. They know when you wake up, when you leave for work, when you return, and when you go to bed. They know which rooms you spend the most time in if you've installed room sensors. They can infer when you're on holiday, when you're working from home, and — combined with outdoor temperature data — estimate properties of your home's insulation.
This data has commercial value well beyond heating efficiency. Google's Nest, for example, feeds occupancy data into its broader advertising ecosystem (though the company states it doesn't use Nest data directly for ad targeting). Hive, owned by British Gas parent Centrica, uses anonymised and aggregated data for energy grid forecasting. The privacy policies of these companies are typically 5,000–8,000 words long, and few homeowners read past the first paragraph.
Video Doorbells: Neighbourhood Surveillance by Default
Ring, Nest Doorbell and Arlo capture video not just of your property but of anyone passing by — neighbours, delivery drivers, postal workers, children walking to school. Ring's Neighbours app (now rebranded as Ring Community) has drawn particular scrutiny for effectively creating a crowdsourced surveillance network. In 2025, the UK's Surveillance Camera Commissioner issued guidance stating that doorbell cameras capturing public spaces should comply with the same principles as commercial CCTV.
Data storage practices vary significantly. Ring stores footage on Amazon's AWS servers, primarily in the US and Ireland. Nest uses Google Cloud with servers across multiple jurisdictions. Arlo offers local storage via a base station as well as cloud options. Under UK GDPR, the "household exemption" — which exempts purely personal data processing — may not apply if your camera consistently captures public spaces or neighbouring properties, potentially making you a data controller with legal obligations.
Robot Vacuums: Mapping Your Most Private Spaces
When an iRobot Roomba, Roborock or Ecovacs Deebot maps your home, it creates a detailed floor plan including room dimensions, furniture placement and obstacle locations. iRobot's acquisition by Amazon (completed in 2024 after regulatory hurdles) raised significant concerns about this spatial data feeding into Amazon's broader smart home ecosystem. Roborock's data is processed on servers in Germany for European users, while Ecovacs has faced criticism for storing data on servers in China.
Some newer models include cameras for obstacle avoidance and object recognition. Ecovacs' Deebot X2 Omni, for example, uses an onboard camera that can identify pets, shoes and cables. The privacy implications of a mobile camera moving through your home are substantially different from a fixed thermostat or speaker, yet the consent mechanisms remain largely identical: a blanket "agree to terms" during initial setup.
The Data Collection Comparison
The table below summarises what the major smart home device categories collect, where the data typically ends up, and how much control you actually have.
| Device Type | Data Collected | Stored Where | Opt-Out Possible | UK GDPR Compliant |
|---|---|---|---|---|
| Amazon Alexa / Echo | Voice recordings, transcripts, smart home commands, routines, purchase history, contacts | AWS (US & Ireland) | Partial — can delete history, disable human review, set auto-delete | Yes — ICO registered |
| Google Nest Hub / Home | Voice recordings, search queries, device interactions, household activity | Google Cloud (multi-region, EU available) | Partial — auto-delete at 3 or 18 months, pause activity | Yes — ICO registered |
| Apple HomePod / Siri | Anonymised voice data, usage patterns, HomeKit device interactions | Apple servers (randomised ID, EU data residency) | Yes — opt out of sharing, delete history | Yes — ICO registered |
| Nest / Hive Thermostat | Temperature schedules, occupancy patterns, energy usage, home/away status | Google Cloud / Centrica servers (UK & EU) | Limited — can disable learning but core data still collected | Yes — ICO registered |
| Ring Video Doorbell | Video footage, motion events, audio, Wi-Fi network data, visitor patterns | AWS (US & Ireland) | Partial — can disable sharing, limit retention to 30 days | Conditional — household exemption may not apply |
| iRobot Roomba | Floor plans, room dimensions, cleaning schedules, obstacle data, usage frequency | AWS (US), with EU processing | Partial — can decline map sharing but mapping still occurs locally | Yes — ICO registered |
| Roborock / Ecovacs | Floor maps, camera images (some models), cleaning history, Wi-Fi credentials | AWS Frankfurt (Roborock) / China-based servers (Ecovacs) | Limited — opt out of cloud mapping on some models | Varies — Roborock compliant, Ecovacs under review |
UK GDPR and the ICO's Position
The UK General Data Protection Regulation, retained from EU law after Brexit, gives you several concrete rights regarding smart home data. You have the right to access all personal data a company holds about you (Article 15), the right to erasure (Article 17), and the right to object to processing based on legitimate interest (Article 21). In practice, exercising these rights with smart home manufacturers can be frustratingly opaque. Amazon's data download tool, for example, produces a sprawling ZIP file of JSON files that requires technical skill to interpret.
The Information Commissioner's Office (ICO) has taken an increasingly firm stance. In its 2025 guidance on connected devices, the ICO stated that manufacturers must provide "clear, accessible privacy information at the point of setup — not buried in a terms of service document." The ICO also confirmed that the UK's Product Security and Telecommunications Infrastructure Act 2022, which came into force in April 2024, requires all consumer smart devices to meet minimum security standards including a ban on default passwords and a requirement to publish vulnerability disclosure policies.
Practical Steps to Protect Your Privacy
You don't need to rip out every smart device to reclaim meaningful privacy. Here's a pragmatic approach:
- Audit your voice history quarterly. Visit Amazon's Alexa Privacy Settings, Google's My Activity dashboard, or Apple's Siri & Dictation settings. Delete what you don't need and enable auto-deletion where available.
- Disable human review. All three major voice platforms now offer the option to opt out of having your recordings reviewed by human contractors. Do it.
- Segment your network. Run smart home devices on a separate Wi-Fi network (most modern routers support guest networks). This limits the data devices can collect about your browsing and other network activity.
- Set video retention to the minimum. Ring defaults to 180 days of cloud storage. Reduce this to 30 days. Better still, choose a doorbell with local storage options.
- Read the data request. Under UK GDPR, submit a Subject Access Request to at least one smart home manufacturer. The results are often eye-opening and will inform your future purchasing decisions.
- Check for firmware updates monthly. Security vulnerabilities in smart home devices are discovered regularly. Outdated firmware is the single biggest attack vector for home network breaches.
- Prefer local processing. When buying new devices, favour those that process data on-device rather than in the cloud. Apple's HomeKit and Matter-compatible devices generally offer stronger local-first architectures.
The Matter Standard: A Privacy Turning Point?
The Matter smart home standard, backed by Apple, Google, Amazon and Samsung, promises interoperability across ecosystems. From a privacy perspective, Matter is genuinely encouraging. It's designed around local control — devices communicate directly within your home network rather than routing everything through cloud servers. Authentication is handled locally, and the standard includes provisions for minimal data collection by default.
However, Matter governs the communication protocol, not the companion apps. A Matter-compatible thermostat might communicate locally with your phone, but the manufacturer's app could still upload your usage data to their cloud. The protocol is a step forward, but it's not a complete solution. Consumers still need to scrutinise app permissions and privacy policies individually.
Looking Ahead: On-Device AI and the Privacy Promise
The next generation of smart home devices is likely to shift significant processing from cloud to edge. Apple Intelligence, Google's on-device Gemini Nano, and Amazon's rumoured local LLM for Alexa all point toward a future where your voice commands, home maps and activity patterns are processed entirely on your own hardware. This would be a meaningful privacy improvement — data that never leaves your home can't be breached from a remote server.
But we're not there yet. Today's smart home ecosystem remains fundamentally cloud-dependent, and the business models of its largest players depend on data aggregation. The most effective privacy strategy in 2026 isn't abstinence — it's informed, active management of the trade-offs you're willing to accept. Know what your devices collect. Exercise your rights under UK GDPR. And remember that convenience should be a choice, not a default that overrides your privacy without your knowledge.