When “No Subscription” Doesn’t Mean “No Data”

A recent case involving the Guthrie’s family in the United States highlighted an unexpected issue with smart door cameras. Although the device had no active subscription and appeared to have no usable footage, evidence showed that motion was detected and some data persisted beyond what the consumer-facing app revealed. This incident underscores a fundamental disconnect between how connected devices operate and how they are marketed.

Perceptions vs. Reality

Many consumers believe that “no subscription” means the device stops recording, nothing is stored in the cloud, and no third party can access footage. In reality, smart cameras may still capture, transmit, or temporarily store data even without a paid plan. In the Guthrie case, footage wasn’t initially retrievable through the public app, but it existed in backend systems and was recoverable with federal cooperation. This gap between consumer expectations and technical practice is not just a marketing issue, it’s a matter of governance and trust.

Why This Matters for Consumers

Data Transparency: Under GDPR, organizations must explain what data is collected, how long it is stored, and for what purpose. If footage continues to reside in backend systems beyond consumer access, this raises important questions about retention policies and lawful processing.

Cybersecurity and Resilience: A device that remains connected, even without a paid service, can still generate backend traffic, link to cloud infrastructure, and introduce new attack surfaces. Consumers lack the technical visibility to assess these risks independently.

Trust: When a consumer buys a camera to feel safer, they should not have to become an expert in cloud architecture to understand what is and isn’t recorded.

How Regulation Helps

Regulatory frameworks like DORA (Digital Operational Resilience Act) and GDPR help bridge this gap. GDPR ensures data is collected lawfully, used for specific purposes, and retained only as necessary. DORA pushes organizations to manage ICT risk, enforce robust operational resilience, and require transparency in supply chains and third-party dependencies.

Together, these regulations shift responsibility from the consumer - who cannot reasonably audit backend systems - to the provider. They incentivize companies to design systems that are secure, transparent, and accountable, rather than opaque and unpredictable.

The Guthrie case is tragic on many levels, but it also serves as a technology cautionary tale. When devices absorb data without clear consumer consent or control, the risks extend beyond privacy into justice, security, and societal trust. Consumers, regulators, and providers must work together to ensure that connected devices deliver safety and transparency, not hidden vulnerabilities.