Connected homes: Is bystander privacy anyone’s responsibility?

Smart doorbells, connected cameras, and home monitoring systems have become common sights on doorsteps and in living rooms. They promise safety and convenience, but they also raise a problem. These devices record more than their owners. They capture neighbors, visitors, and anyone passing by.

Overlooking bystander privacy

A new study from researchers at the Budapest University of Technology and Economics shows that while companies selling these products talk about privacy, they rarely protect those who never agreed to be recorded.

The researchers examined how twenty major smart camera and doorbell companies describe privacy in their official policies. They wanted to see whether these documents address the rights of people who appear in footage but do not use the products. Their review shows that most vendors place the burden on the device owner rather than taking responsibility for bystander privacy themselves.

Laws like the GDPR and CCPA protect individuals whose data is collected by a company, but they do not define responsibility when the recording happens on private property that faces public areas. A person walking by a house equipped with a video doorbell is unlikely to know that they are on camera, much less where that footage goes or how long it is stored.

How the study was done

The team analyzed privacy policies from leading smart home brands sold in the US and EU. They looked for six key elements:

  • Whether companies acknowledge that devices collect data about bystanders
  • What kinds of data are collected
  • What control users have
  • How data is stored and shared
  • How companies claim legal compliance
  • Whether they provide any notice to non-users

The researchers reviewed the policies manually after gathering them from official vendor websites. They compared each company’s language to legal standards such as the EU’s GDPR and California’s Consumer Privacy Act.

What the researchers found

Every company studied describes how it collects and uses customer data. Most include strong statements about encryption, cloud storage, and security. But when it comes to people outside the customer relationship, policies offer little detail. Only a small share of companies acknowledge that their cameras capture bystanders. Fewer still offer a way for those people to learn about, control, or remove their data.

The captured data can include more than video. Some cameras record audio from several meters away, detect faces, log motion, and measure environmental data such as light and temperature. This means that the privacy of non-users is affected even when they have no knowledge of the recording.

Out of the twenty brands analyzed, only a handful mentioned bystander privacy in their documents. Even those that did mostly used general warnings or disclaimers. Policies rarely provide embedded mechanisms to alert bystanders or handle objections, relying instead on user-side notices and disclaimers.

How companies shift responsibility

The study shows that privacy policies often serve as legal shields instead of tools for transparency. Several vendors position the owner as controller and the company as processor in key contexts, which limits the vendor’s direct responsibility. They tell owners to comply with laws and to inform others that recording is taking place.

For example, one policy tells users they may need to display a notice to alert visitors that video or audio is being recorded. Another says users must ensure compliance with applicable law and obtain consent from people who may be recognized by the camera. These lines appear across several brands.

In practice, these disclaimers push the ethical and legal burden onto everyday homeowners who have little understanding of privacy law. The vendors avoid accountability while offering no tools or guidance to help users meet those expectations. The policies often cite legal frameworks but do not explain which parts apply or how users should act.

What needs to change

The researchers recommend that vendors rewrite privacy policies to make accountability and expectations plain. They suggest simple language explaining that owners may act as joint controllers of others’ data and that their actions have privacy consequences for non-users. Policies should guide owners on how to post notices, obtain consent where required, and handle requests from people recorded on camera.

They also argue that companies can add design features to help users act responsibly. For instance, devices could include visible recording lights, optional privacy zones that block neighboring areas, or automatic alerts when recording begins. Vendors could supply sticker notices to place near cameras, making it easier for owners to inform others.

Technical safeguards are another route. Temporary storage that deletes footage after a short period and scheduled quiet times for cameras could both reduce unnecessary data capture. These features exist in research prototypes but are rarely available in consumer devices.
