I've recently been dealing with various Internet-of-Things things, which have obvious privacy implications.
But! They also have nonobvious privacy and security issues.
For example: a particular home-monitoring gadget can be user-configured (locally) to report to the server of the user's choice, apparently removing the obvious issue of sending household data to the device vendor's server.
Except... if you need to change the server to which it reports? The vendor can do that. Remotely.
Which means the gadget must be checking in with the vendor's server anyway, looking for commands.
And, when you think about it... the typical* Internet-enabled gadget in your home is just a cutely-packaged little Linux box, with full capabilities.
Behind your firewall.
So it can be sniffing all your network traffic, rummaging around any unprotected network filesystems, and generally getting up to mischief.
And giving the vendor, or anyone who's hacked the vendor's update/control server, full access to your private network.
* I originally said "any" here, but then realized that some of them may use proprietary operating systems. I built a TCP-connected, non-Linux gadget a few years ago; it was server-only, had carefully constrained functions allowed over the network, and only worked on a LAN (lacking the ability to operate via an IP router). Not exactly an IoT gadget, nor household, but an example of a networked non-spying device.