Smart air fryers ordered to stop invading our digital privacy

In a confirmation that we've gone full Black Mirror, air fryer and other IoT manufacturers are being told to stop playing with our data.

Jun 17, 2025 - 12:50

In a confirmation that we’ve gone full Black Mirror, the UK’s privacy czar has wagged a finger at air fryer manufacturers and told them to stop playing with our data.

New draft guidance from the Information Commissioner’s Office (ICO) targets not just air fryer vendors but manufacturers of any smart home products, ranging from smart lighting systems through to internet-connected refrigerators and connected toys.

Collectively known as IoT (Internet of Things) devices, these connected objects have a nasty habit of collecting our data without us really understanding what they’re doing. It’s a problem with many of them, although late last year Which? magazine added air fryers to the list of offenders.

The guidance highlights data that IoT vendors might collect. This includes registration data such as an owner’s name, address, and email. It also means information gathered directly from the product that reveals how the user interacts with it. A device might simply tell its manufacturer when you used the product and how long for, but sensors embedded in it might monitor anything from temperature to motion.

The ICO is interested in enforcing privacy laws such as the UK’s version of the General Data Protection Regulation (UK GDPR). That allows products to process user information if it’s purely for domestic use, like asking a smart speaker to play Lady Gaga’s all-time greatest hits, say.

But if the IoT vendor uses audio recordings of the person’s interactions with the speaker to improve its own service or even to make inferences about that person from their musical choices, then that isn’t domestic use. That’s processing for the company’s own purposes, and it falls on the wrong side of the law.

Consent is key

The guidance tells vendors to ask for consent when processing this kind of data. That means ensuring that users can easily tell what they’re consenting to, and are able to make a clear choice not to do so.

Users should be able to find out how the manufacturer is using their information after they sign up for the service, says the ICO. They must also be able to withdraw consent at any time. In practice, that helps people who might click a consent button early on but then think twice about it later and decide to change their permissions.

When vendors do collect information about users they must tell them what they’re collecting, and why they’re using it. They should tell people what decisions they’re making with it, and how it affects their service. People should also be informed about how long the vendor will keep that data.

The company should also process user data fairly. That means only doing what people expect it to do with the data, and not using it in ways that harm the user.

This is all good advice, and in keeping with existing privacy laws, but it means vendors will have a fine line to walk. Some of the requirements are nuanced. For example, the guidance asks companies to consider ways of making their privacy information easy to follow. That means giving users all the information they need without overloading them. It might require careful user interface design, along with collaboration between designers and privacy or compliance professionals.

Where appropriate, design choices like navigation panels, collapsible lists, large text, and diagrams will go a long way towards satisfying these requirements, the ICO says.

There’s an existing UK law for IoT security

There’s also a section outlining security for IoT devices and the data they collect. This points to an existing UK law called the Product and Telecommunications Infrastructure Regulations 2024 (PSTI Regulations), which came into effect last year. This calls for specific protections such as the use of unique passwords for devices, encryption of user data, and regular security updates.

The security aspect of IoT is perhaps one of the most important of all. Even companies with the best of intentions can make mistakes and leak customer data gathered by everything from connected chastity devices through to kids’ toys.

This guidance applies not just to smart connected objects but to the apps that vendors often provide with them. Those apps, which give you data about what your smart object is doing and allow you to control it, are great ways for vendors to harvest information about you.

You’re your own best protection

The document is still in draft form and open to consultation. Because it’s UK guidance it likely won’t protect people not in the UK. As always, the first line of defense is you.

So, when buying a smart home device, consider whether an app for it is necessary. Your smart fryer might have no way of phoning home without an app, but you might be able to just check whether your food is done without needing your phone to tell you.

In some cases, you might want to consider whether you really need a product to be connected at all. Connected devices are a great way for companies to nickel and dime you unexpectedly through subscription programs, or brick your product remotely when they decide it isn’t profitable for them any more.

Sometimes, all you want to do is cook up some hot fries without things getting too complicated, you know?

