SONOS has both misapplied the GDPR and avoided provisions of it in enabling an unacceptable level of harvesting of personal data.
In summary, SONOS erred in law, in my opinion, in permitting its legitimate interests (some of which are fairly generic) to override the rights of data subjects, which is wrong (the rights of data subjects come first as a general rule). SONOS has also intentionally embarked on a process of changing its ecosystem from stand-alone use to one that forces the user to accept an intrusive and unnecessary level of linking of SONOS units to activities.
This falls foul of the privacy by design requirement of the GDPR. SONOS has intentionally designed its system in such a way that this account linking is mandatory. We know this is not necessary because prior to the update in 2017 (I think it was) the units could work quite easily in a stand-alone setup. By this I mean it was not necessary to have an account with SONOS. Now you must have that account, yet nothing in my usage has changed since 2017. That very fact proves that this new account-based linking of units is not necessary for it to function. This is a conscious design change aimed, it seems, at giving SONOS "justification" for its data harvesting.
SONOS does not need to know what my units are called, whether I use Spotify or not (that is between Spotify and myself), and it certainly does not need to know what I am listening to and when; nor does it need the right to export that personal data outside of the EEA. Yet it forces you to accept its terms, which allow it to do so, which is another breach of the GDPR because forced consent is not consent.
SONOS will no doubt say that it does not and will not monitor my listening habits. If so, why has it required me to consent to exactly this?
SONOS produces brilliant products and I have been a happy user for many years over two homes. I have recommended it to and purchased units for friends. This totally unnecessary data harvesting exercise detracts from what has formerly been a really good product/system. It may be that third parties (i.e. Amazon or Google) have dictated these terms because of the voice recognition features being adopted; but that does not make it lawful.
I marked up SONOS's privacy terms with over 80 comments, each of which pointed out errors in reasoning and breaches of data protection laws. While SONOS's customer service team were excellent throughout the process of trying to get SONOS to acknowledge my complaint, its data protection team basically ignored me.
I was therefore left with no option but to lodge a formal complaint with the ICO. I have been informed that, as SONOS has opted to be regulated by the Dutch Data Protection Authority, my complaint has been forwarded to that regulator. Apparently they are already dealing with another complaint. Despite my having lodged my complaint over three months ago, the Dutch regulator has made no effort to communicate with me, let alone acknowledge receipt of my complaint via the ICO.