Complaint to the UK ICO and referral to the Dutch Data Protection Authority


In my personal capacity but drawing upon my knowledge as a data protection and privacy lawyer I have made a formal complaint to the UK Information Commissioner's Office on a number of grounds relating to SONOS's privacy policy and its processing of personal data.

SONOS has both misapplied the GDPR and avoided provisions of it in enabling an unacceptable level of harvesting of personal data.

In summary SONOS erred in law, in my opinion, in permitting its legitimate interests (some of which are fairly generic) to override the rights of data subjects which is wrong (the rights of data subjects come first as a general rule). SONOS has also intentionally embarked on a process of changing its ecosystem from stand alone use to one that forces the user to accept an intrusive and unnecessary level of linking of SONOS units to activities.

It is impossible to not accept SONOS's updated privacy terms and terms of use because the update procedure forces you to do so. For example, you cannot add a new SONOS unit to an existing setup (or create a new setup) without having an account with SONOS. (If one unit or a controller is running an inconsistent firmware version the entire system is "bricked" until you update everything.)

This falls foul of the privacy by design requirement of the GDPR. SONOS has intentionally designed its system in such a way that this account linking is mandatory. We know this is not necessary because prior to the update in 2017 (I think it was) the units could work quite easily in a stand alone setup. By this I mean it was not necessary to have an account with SONOS. Now you must have that account, yet nothing in my usage has changed since 2017. That very fact proves that this new account based linking of units is not necessary for it to function. This is a conscious design change aimed, it seems, at giving SONOS "justification" for its data harvesting.

SONOS does not need to know what my units are called, whether I use Spotify or not (that is between Spotify and myself) and it certainly does not need to know what I am listening to and when; nor does it need the right to export that personal data outside of the EEA. Yet it forces you to accept its terms which allows it to do so, which is another breach of the GDPR because forced consent is not consent.

SONOS will no doubt say that it does not and will not monitor my listening habits. If so, why has it required me to consent to exactly this?

SONOS produces brilliant products and I have been a happy user for many years over two homes. I have recommended it to and purchased units for friends. This totally unnecessary data harvesting exercise detracts from what has formerly been a really good product/system. It may be that third parties (ie Amazon or Google) have dictated these terms because of the voice recognition features being adopted; but that does not make it lawful.

I marked up SONOS's privacy terms with over 80 comments, each of which pointed out errors in reasoning and breaches of data protection laws. While SONOS's customer service team were excellent throughout the process of trying to get SONOS to acknowledge my complaint, its data protection team basically ignored me.

I was therefore left with no option but to lodge a formal complaint with the ICO. I have been informed that as SONOS has opted to be regulated by the Dutch Data Protection Authority my complaint has been forwarded to that regulator. Apparently they are already dealing with another complaint. Despite having lodged my complaint over three months ago the Dutch regulator has made no effort to communicate with me, let alone acknowledge receipt of my complaint via the ICO.

My concern of course is that there may be a temptation to dismiss my complaint, which would be unfortunate. Somebody within SONOS probably "thought this was a good idea" and forced it on its user base. I cannot see what benefit SONOS is getting from this and, if anything, it simply means I no longer trust SONOS. The products remain good but the company's intentions are not good. The privacy policy can be fixed quickly but the programming needed to permit stand alone use (ie not requiring a SONOS account) may take a little bit of effort. By all means, SONOS, give the user a choice; but one of the choices must be a non-invasive mode of operation under which no data is harvested.


21 replies

This ought to be good ...😀
Despite having lodged my complaint over three months ago the Dutch regulator has made no effort to communicate with me

What do you think is the reason for that?
But it has always been necessary to register an account. At least as long as I have been a Sonos user. One reason is to determine from the user's location which music services they are legally entitled to link to the Sonos account, as some of these are geo-limited.
But it has always been necessary to register an account. At least as long as I have been a Sonos user.

I first came across Sonos in an office that had a Play 5 speaker about 5 years ago and anyone could use their phone to control the music, if I remember correctly the only thing you needed was the wifi password but I'm sure there was no requirement to set up an account.

I will follow the progress of this complaint with interest (though having just become the proud owner of a Sonos Sub to complement a range of speakers already residing in my home it will likely have no impact on future purchase decisions).
I first came across Sonos in an office that had a Play 5 speaker about 5 years ago and anyone could use their phone to control the music, if I remember correctly the only thing you needed was the wifi password but I'm sure there was no requirement to set up an account.

Anyone with the Wifi password can today as well; this has nothing to do with the account thing.

I first came across Sonos in an office that had a Play 5 speaker about 5 years ago and anyone could use their phone to control the music, if I remember correctly the only thing you needed was the wifi password but I'm sure there was no requirement to set up an account.
Anyone with the Wifi password can today as well; this has nothing to do with the account thing.

Indeed. Setting up the system required an account. Nothing to do with individual access to that system.
There's always been a requirement to set up a Sonos account, otherwise the update servers wouldn't know which software version to deliver nor, as John B says, which service availability list to issue. My account dates from 12 years ago, when my first Sonos bundle arrived.

Apple, Google, Amazon ... these all require an account before they'll deliver software. There's nothing new under the sun.

What has changed in recent times is the requirement in the controller to sign in, before configuration changes can be made and new devices added to the household. Sensible security precautions in my view.

What has changed in recent times is the requirement in the controller to sign in, before configuration changes can be made and new devices added to the household. Sensible security precautions in my view.


Exactly. With Sonos more open to the internet due to Cloud services and voice control, Sonos has stepped up the security in order to protect users! This authentication before adding a speaker or registering a new controller (not to mention other settings like volume control) is so outside hackers cannot gain access to your network.

Only in this day of tin foil hats would someone complain about a company increasing security while simultaneously carrying around a device that has an active microphone, a tracking GPS, and a video camera, and has been 100% proven to be spying on users, even after those things are specifically turned off.

Only in this day of tin foil hats would someone complain about a company increasing security while simultaneously carrying around a device that has an active microphone, a tracking GPS, and a video camera, and has been 100% proven to be spying on users, even after those things are specifically turned off.


So if you own a cell phone one gives up the right to complain about any privacy issues with Sonos?

Android and iOS don't require an account to activate and use.


Only in this day of tin foil hats would someone complain about a company increasing security while simultaneously carrying around a device that has an active microphone, a tracking GPS, and a video camera, and has been 100% proven to be spying on users, even after those things are specifically turned off.
So if you own a cell phone one gives up the right to complain about any privacy issues with Sonos?

Android and iOS don't require an account to activate and use.

And when did you last activate iOS or Android?

And when did you last activate iOS or Android?


Don't bother John. We all know the shtick by now.
Android and iOS don't require an account to activate and use.
The app stores do.

The app stores do.


Yep, but you can still use the phone, activate it etc. without providing an account.
You do have to have an account with a mobile provider in order for a phone to work. And, try using your iPhone without an Apple Account. It will pester the crap out of you until you activate one. You also cannot do any updates to the operating system without an account.


The app stores do.
Yep, but you can still use the phone, activate it etc. without providing an account.

You are using the phone. The phone is using an OS. Sonos is a product you buy. So is a phone. An operating system is not. It is a preposterous and illogical analogy.

In fact you have switched from talking about activating the OS originally to talking about activating a phone when challenged.

You had best stop digging.
It is a preposterous and illogical analogy.
Of course it is. Without an account a phone would get no OTA upgrades, no sync, no backup, no apps ... not to mention the obvious need to have a SIM to actually use it as a phone.

This is a sterile discussion. Sonos simply won't deliver firmware updates without a SonosID/account. Period.
No worries, OP. I’m certain your complaint was filed - straight into the circular file.

The app stores do.
Yep, but you can still use the phone, activate it etc. without providing an account.
You are using the phone. The phone is using an OS. Sonos is a product you buy. So is a phone. An operating system is not. It is a preposterous and illogical analogy.

In fact you have switched from talking about activating the OS originally to talking about activating a phone when challenged.

You had best stop digging.


If you buy an Android or iOS device you don't require an account to turn it on and use it. I'm not referring to apps or cellular service.

If you look back it was in response to another post making another point. I was not saying sonos is like a phone, that Sonos shouldn't require an account nor was I saying anything negative about your precious Sonos.

It is a preposterous and illogical analogy.
Of course it is. Without an account a phone would get no OTA upgrades, no sync, no backup, no apps ... not to mention the obvious need to have a SIM to actually use it as a phone.

This is a sterile discussion. Sonos simply won't deliver firmware updates without a SonosID/account. Period.


Pixel and iOS devices don't require cellular for OTA updates. I know you know you can sideload Android apps. On Android you could sideload a phone app to make a call. In the country I live you can buy a prepay SIM with cash at a store, no account needed.

Keep trying.

Again this was in response to the poster commenting to the op.

I first came across Sonos in an office that had a Play 5 speaker about 5 years ago and anyone could use their phone to control the music, if I remember correctly the only thing you needed was the wifi password but I'm sure there was no requirement to set up an account.
Anyone with the Wifi password can today as well; this has nothing to do with the account thing.
Indeed. Setting up the system required an account. Nothing to do with individual access to that system.


That (to my mind) presents more interesting questions about the collation of data not necessarily relating to the individual's use of Sonos and perhaps makes a more compelling case for transparency from Sonos about exactly how they use/intend to use the data.

As I said I'm not particularly perturbed (yet), just an interested observer for now. Also, thanks for the input.
That (to my mind) presents more interesting questions about the collation of data not necessarily relating to the individual's use of Sonos and perhaps makes a more compelling case for transparency from Sonos about exactly how they use/intend to use the data.

As I said I'm not particularly perturbed (yet), just an interested observer for now. Also, thanks for the input.

Sonos' privacy policy is pretty straightforward when it comes to explaining how they use the data:

https://www.sonos.com/en-us/legal/privacy#using-personal-information


They also state unequivocally that they do not, and never will, sell your data. That is a legally binding statement under the jurisdiction of the FTC in the US.