While IoT devices are convenient and offer users a lot of useful information and services, they can also collect an enormous amount of data about you and your personal habits. In some cases, you may choose to share such information. But in other cases, the device may collect it automatically. For example, by analyzing when you interact with an IoT device, the maker may be able to infer when you come and go from your home or even your sleeping habits. For wearable IoT devices such as smartwatches, an IoT maker may know your location and be able to figure out when you are on vacation, your exercise habits, and other health-related information. This is a lot of data to entrust to an IoT device maker without knowing how this data will be used, shared or sold. Therefore, consumers should be concerned with the device maker’s privacy and security practices.

Privacy concerns include not only what information the device maker collects about you but also how the device maker uses that data. Does the device maker use it only for the purpose for which the consumer provided the data? Or does it use that data to market to you? Does it share or sell that data and, if so, for what purposes? What confidentiality obligations are these third parties bound by? As far as security goes, what assurances has the maker given that it has put adequate safeguards in place to protect the data from being hacked?

The best place to find this information is in the IoT device maker’s privacy policy, likely found on its website. The privacy policy should describe the device maker’s data privacy practices and security measures. If the maker doesn’t have a privacy policy, that’s a red flag. If the device is marketed to children or likely to be used by children, does the maker take any special precautions with that data? The Children’s Online Privacy Protection Act (COPPA) requires verifiable parental consent before personal information is collected from a child under the age of 13. If the device is obviously going to be used by children under the age of 13 and the device maker takes a contrary position—stating that it is only for use by adults—this is another red flag. If non-internet-connected versions of a device are available—a refrigerator, for example—ask yourself whether the added benefit of having an IoT device outweighs the risks (potential to be hacked) and costs (potential use and commercialization of your data).

IoT devices are by definition connected to the internet and thus, like anything connected to the internet, may be hacked by unscrupulous people. Sometimes, but not always, the device’s privacy policy will shed some light on the device maker’s security practices. If the information is available, does the device maker encrypt the data (translate it into a secret code)? Encryption decreases the likelihood that a hacker will be able to view, and thus use, your data if the hacker obtains it. Device makers who are hacked may be required to notify you under state data breach reporting laws. However, this is small consolation if your personal information is floating around on the dark web.

Before asking Santa for an IoT device, you should carefully weigh the benefits of owning the device against the data privacy and security risks. If the benefits outweigh the risks, consider keeping it on your list. The Fitbit Versa smartwatch is still on mine.