This article contains affiliate links. If you buy through our links, we may earn a small commission at no extra cost to you. We only recommend products we've researched thoroughly. Full disclosure.

Your smart home is watching you. Your voice assistant logs your questions. Your robot vacuum maps your floor plan and uploads it. Your smart TV tracks what you watch, second by second. And until now, there was no easy way to tell which devices took your security seriously and which ones just hoped you wouldn't ask.

That's changing. The FCC's new U.S. Cyber Trust Mark is a cybersecurity label for smart home and IoT devices — a shield logo with a QR code that tells you whether a product meets real security standards. Think of it as an Energy Star rating, but for keeping your data safe instead of saving electricity. The program launched its filing window in January 2026, and the first labeled products are hitting shelves this year.

This is genuinely good news. But it's also not the full story. Because the Cyber Trust Mark addresses security — whether your device can be hacked — not privacy — what data your device collects about you and where it goes. And that distinction matters more than most people realize.

Here's what the label actually tells you, what it doesn't, and what you can do right now to make your smart home both secure and private.

Key Takeaways

  • The U.S. Cyber Trust Mark is a new voluntary FCC label that shows IoT devices meet NIST cybersecurity standards — look for the shield logo with a QR code
  • The QR code links to a public registry with detailed security information about each certified device, managed by the ioXt Alliance
  • The label covers security cameras, voice assistants, smart appliances, fitness trackers, baby monitors, garage door openers, and more
  • The label is voluntary — no label doesn't mean a device failed, it means the manufacturer chose not to participate
  • The Cyber Trust Mark addresses cybersecurity, not privacy — a certified device can still collect extensive personal data (Alexa tracks 28 of 32 possible data points)
  • Use the label as one factor in buying decisions, but still review privacy settings, set up a separate IoT network, and run regular audits

What Is the U.S. Cyber Trust Mark?

The U.S. Cyber Trust Mark is a voluntary labeling program created by the Federal Communications Commission (FCC) for consumer IoT devices — the connected gadgets in your home. It launched after years of growing concern about smart home security breaches, from hacked baby monitors to compromised security cameras.

The program is built on cybersecurity criteria developed by the National Institute of Standards and Technology (NIST), which is the same organization that sets security standards used by government agencies and major corporations. If a device earns the Cyber Trust Mark, it means the manufacturer has demonstrated compliance with these baseline security requirements.

The ioXt Alliance was named the Lead Administrator for the program, effective April 13, 2026. They oversee the certification process and maintain the public registry. The filing window for manufacturers opened on January 26, 2026, and the first wave of certified products is already working through the process.

In practical terms, this means you'll start seeing a small shield logo on product packaging at stores and online. That shield tells you, at a glance, that the device meets established cybersecurity standards. It's not a guarantee of perfection. It's a baseline — and it's a baseline that didn't exist before.

How the Cyber Trust Mark Works: QR Code + Public Registry

The label itself has two parts: the shield logo and a QR code. The shield is the visual signal — it catches your eye on a shelf or in an online listing. The QR code is where the real value lives.

Scan that QR code with your phone and it takes you to a publicly available registry entry for that specific device. That registry entry shows you:

  • What cybersecurity standards the device meets
  • When the certification was granted
  • What security features are built in (encryption, update policies, authentication methods)
  • The manufacturer's commitments to ongoing security updates

This is a big deal because it moves security information from buried-in-the-fine-print to scannable-in-three-seconds. Before this, figuring out whether a smart camera had proper encryption or whether a fitness tracker received regular security patches meant digging through technical documentation that most people would never find, let alone read.

The registry is maintained by the ioXt Alliance, and the information is publicly accessible. You don't need an account. You don't need to download an app. Point your phone camera at the QR code, and you get the facts. That transparency alone represents a meaningful shift in how consumer electronics companies communicate about security.

What Devices Are Covered?

The Cyber Trust Mark applies to consumer IoT devices — essentially anything in your home that connects to the internet and isn't a traditional computer or smartphone. The eligible categories include:

Cameras
Security & doorbell cameras
Voice
Smart speakers & assistants
Trackers
Fitness & health wearables
Home
Appliances, locks, thermostats

The full list includes:

  • Security cameras and video doorbells — indoor, outdoor, and wired/wireless models
  • Voice assistants and smart speakers — Amazon Echo, Google Nest, Apple HomePod, and similar devices
  • Smart home appliances — refrigerators, ovens, washing machines with WiFi connectivity
  • Fitness trackers and smartwatches — any wearable that connects to the internet
  • Garage door openers — smart-connected models with app control
  • Baby monitors — WiFi-enabled audio and video monitors
  • Smart thermostats — devices like Nest, Ecobee, and similar
  • Smart locks — Bluetooth and WiFi-connected door locks
  • Robot vacuums — LIDAR-equipped models that map your home
  • Smart lighting and plugs — connected switches and outlets

The average American home now has 17 connected devices. That's 17 potential entry points for hackers, 17 devices collecting data, and 17 products whose security practices you'd have to research individually. The Cyber Trust Mark doesn't eliminate that work entirely, but it gives you a quick filter: certified or not.

The Privacy Problem the Label Doesn't Solve

Here's where it gets important. The Cyber Trust Mark is about cybersecurity — protecting your devices from being hacked, exploited, or used as entry points into your home network. That's valuable. But it's not the same thing as privacy.

A device can be fully secure against outside threats while still collecting enormous amounts of data about you and sending it to the manufacturer's servers. And right now, that's exactly what many mainstream smart home devices do.

Amazon Alexa: 28 Out of 32 Data Points

Amazon's Alexa ecosystem collects data across 28 of 32 possible categories. That's roughly three times more data than the average app or connected device. These categories include your voice recordings, search history, purchase behavior, contact lists, precise location data, and detailed usage patterns.

Alexa knows when you wake up (first voice command), when you go to bed (last voice command), what music matches your mood, what you're curious about at 2 AM, and what products you're considering buying. That profile doesn't live on your device — it lives on Amazon's servers, where it's used for ad targeting, product recommendations, and product development.

A Cyber Trust Mark on an Echo device would tell you it's secure against hackers. It wouldn't tell you anything about the 28 categories of personal data Amazon collects from it every day.

Smart TVs and Automatic Content Recognition

Most smart TVs ship with a feature called Automatic Content Recognition (ACR) enabled by default. ACR takes a snapshot of what's on your screen every few seconds and matches it against a database to identify exactly what you're watching — what show, what scene, what ad. That data gets packaged and sold to advertisers who use it to target you across all your devices.

You watched a documentary about homesteading? Expect ads for garden tools. You paused on a news segment about interest rates? Expect ads for mortgage refinancing. ACR turns your TV into a data collection device that happens to also show you entertainment.

Again — a Cyber Trust Mark would confirm that your TV's WiFi connection is encrypted and that the device gets security patches. It would not address whether ACR is silently cataloging your viewing habits.

LIDAR Vacuums: Detailed Floor Plans of Your Home

Robot vacuums equipped with LIDAR sensors create extraordinarily detailed maps of your home. Room dimensions, furniture placement, doorway locations, the layout of every floor — all mapped with precision and, in many cases, uploaded to the manufacturer's cloud servers.

That floor plan reveals more about you than you might think. The size of your home signals your income bracket. The number of rooms suggests your household size. The presence of pet areas (vacuums know where pet hair concentrates) reveals whether you have animals. Some manufacturers have faced criticism for privacy policies that technically allowed sharing this mapping data with third-party partners.

The Cyber Trust Mark would verify that the vacuum's connection is secure. Whether the manufacturer sells your floor plan to data brokers? That's a separate question entirely.

What the Label Tells You (And What It Doesn't)

Let's be clear about the boundary lines, because understanding what the Cyber Trust Mark does and doesn't cover is the key to using it properly.

What the Label Covers What the Label Does NOT Cover
Strong default passwords What data the device collects about you
Data encryption in transit Who the manufacturer shares your data with
Regular security update commitments Whether the device tracks your behavior
Protection against common exploits How long your data is stored
Secure authentication methods Whether you can delete your data
Resistance to known vulnerabilities Third-party ad tracking integration

The label is a floor, not a ceiling. It tells you a device meets minimum cybersecurity standards. It doesn't tell you the device respects your privacy, limits data collection, or gives you meaningful control over your personal information. Both matter. The Cyber Trust Mark handles one; you need to handle the other yourself.

One more critical detail: the label is voluntary. Manufacturers choose whether to apply for certification. A device without the Cyber Trust Mark hasn't necessarily failed any test — it simply didn't participate. That could mean the manufacturer doesn't meet the standards, or it could mean they haven't gotten around to applying yet, or they disagree with the program. The absence of a label is ambiguous, and that ambiguity is worth keeping in mind when shopping.

How to Check Your Existing Devices

Most of the devices already in your home won't have the Cyber Trust Mark — the program is brand new. But you can still evaluate the security and privacy posture of your current setup. Here's how.

Check for Firmware Updates

Open the app for each connected device and look for a firmware or software update option. Devices that receive regular updates are actively maintained by the manufacturer. Devices that haven't been updated in over a year may have unpatched security vulnerabilities. If a device has been abandoned by its manufacturer (no updates for 18+ months), seriously consider replacing it.

Review Privacy Settings Device by Device

Each smart home platform has a privacy dashboard:

  • Amazon Alexa: Settings > Alexa Privacy > Review Voice History
  • Google Home: myactivity.google.com
  • Apple HomeKit: Settings > Privacy & Security
  • Ring: Control Center in the Ring app
  • Smart TV: Settings > Privacy (look for ACR, "Viewing Information Services," or "Samba TV")
  • Robot vacuum: App settings > Data sharing or Cloud mapping

Go through each one. You'll probably be surprised by how many data-sharing options are enabled by default. Disable anything you don't actively need.

Check Your Router's Connected Device List

Log into your router's admin panel (usually 192.168.1.1 or 192.168.0.1 in your browser) and look at the list of connected devices. Count them. Compare that to the devices you actually know about. If there are devices you don't recognize, investigate. Old devices you forgot about — a smart plug from three years ago, a connected picture frame nobody uses — are security liabilities if they're not receiving updates.

Your Smart Home Privacy Audit Checklist

Here's a practical audit you can do right now. It takes about 15 minutes and covers both the security side (what the Cyber Trust Mark addresses) and the privacy side (what it doesn't).

Complete Home Privacy Audit

  • Count all connected devices in your home — compare to your router's device list
  • Update firmware on every device that has a pending update available
  • Change default passwords on any device still using factory credentials
  • Enable two-factor authentication on all smart home accounts
  • Set up a separate WiFi network for IoT devices (use your router's guest network)
  • Delete stored voice recordings on all smart assistants
  • Set voice recordings to auto-delete after 3 months or less
  • Disable ACR (Automatic Content Recognition) on your smart TV
  • Review and disable cloud mapping on your robot vacuum if you don't need remote access
  • Turn off "help improve" and human review options on all voice assistants
  • Disable features you never use: drop-in, Sidewalk, always-on microphones
  • Check smart thermostat and smart lock data-sharing settings
  • Remove or replace any device that hasn't received an update in 18+ months
  • Set a monthly calendar reminder to repeat this audit

That's 14 items. You probably won't get through all of them today, and that's fine. Start with the top five — those cover the biggest risks. Come back for the rest this weekend. The point isn't perfection. The point is intentional control over what's happening in your own home.

Smart Home Devices That Respect Your Privacy

If you're upgrading or replacing devices, here are categories where privacy-respecting alternatives exist. These products let you keep the convenience of a smart home without handing your data to the highest bidder.

Local-Processing Smart Hub

A local smart home hub processes your automations on your own hardware instead of sending everything through the cloud. It controls your lights, locks, thermostat, and sensors without any data leaving your home network. This is the single biggest upgrade you can make for smart home privacy — it removes cloud dependency from the equation entirely.

Privacy-Focused Mesh WiFi

A mesh WiFi system with built-in IoT network segmentation makes it easy to keep your smart devices on a separate network from your personal devices. If a smart plug gets compromised, the attacker can't jump to your laptop. Look for systems that offer automatic device categorization and network isolation without requiring technical expertise.

Local-Storage Security Cameras

Choose security cameras with local storage — models that save footage to an onboard SD card or a local NAS drive instead of a cloud subscription. You get the same remote viewing capability through your home network, but your footage stays on hardware you own. No monthly cloud fees, no footage on corporate servers, no third-party access.

Privacy-Respecting Smart Lock

A smart lock that works over Bluetooth or your local network — rather than requiring a cloud connection — keeps your entry logs private. Look for locks that store access logs locally and offer optional (not mandatory) cloud connectivity for remote access. Your front door activity shouldn't live on someone else's server.

Smart Thermostat with Local Control

A smart thermostat that integrates with local smart home hubs gives you scheduling and automation without sending your occupancy patterns to a manufacturer's cloud. You still get the energy savings and convenience, but your daily schedule stays between you and your thermostat.

Privacy-Minded Robot Vacuum

Look for a robot vacuum that processes maps locally rather than uploading them to cloud servers. Some newer models store floor plans entirely on the device, with optional cloud backup that you can disable. Your home's floor plan is sensitive information — treat it that way.

When shopping for any of these, the Cyber Trust Mark gives you a quick check on the security side. For the privacy side, look for: local processing options, opt-out (not opt-in) data sharing, clear data deletion tools, and privacy policies written in plain language. If you can't understand the privacy policy, that's not your fault — it's a red flag.

The Bigger Picture: Security Labels Are Just the Beginning

The Cyber Trust Mark represents a real step forward. For the first time, there's an official, standardized way to evaluate the cybersecurity of the connected devices you bring into your home. That matters. The average home with 17 connected devices has 17 potential vulnerabilities, and until now, evaluating each one required technical expertise that most people don't have.

But labels work best when you understand what they measure. The Cyber Trust Mark measures security. It does not measure privacy. A certified device can be hardened against hackers while simultaneously collecting 28 categories of personal data and sharing them with advertising partners. Both of those things can be true at the same time.

The practical approach is straightforward: use the Cyber Trust Mark as a factor in your buying decisions, especially for high-risk devices like cameras, locks, and baby monitors. But don't stop there. Run the privacy audit. Set up a separate network. Choose local processing where it's available. Review your settings regularly.

Your smart home should work for you — not the other way around. The Cyber Trust Mark helps you verify that your devices are secure. The rest is about making sure they're also respectful. You can have a connected, convenient home that doesn't require you to hand over a detailed map of your life to companies whose business model depends on knowing everything about you.

That's not paranoia. That's just good judgment. And now you have the tools to act on it.

For a deeper dive into the specific privacy risks lurking in your current setup, check out our full guide on smart home privacy risks and how to fix them. If you're also rethinking your home's energy setup, our DIY home energy audit guide covers how to take control of that side of things too. And if all this talk about intentional living resonates with you, our quiet living guide takes the same philosophy beyond technology.

How private is your smart home, really?

Our free Smart Home Privacy Scan analyzes your connected devices and shows you exactly where your biggest risks are — with personalized fixes for each one. Takes 2 minutes.

Take the Free Scan
Browse Privacy-Friendly Smart Hubs

What to Read Next

Frequently Asked Questions

No. The U.S. Cyber Trust Mark is completely voluntary. Manufacturers choose whether to apply for certification. A device without the label hasn't necessarily failed any test — it may simply not have participated. However, as consumer awareness grows, the absence of a label could start raising questions about why a manufacturer chose not to seek certification. When shopping, treat a missing label as worth investigating rather than an automatic disqualifier.

Not exactly. The label means a device meets baseline cybersecurity standards set by NIST — things like strong default passwords, regular security updates, and data encryption. It significantly reduces risk, but no connected device is 100% hack-proof. Think of it like a safety rating on a car: it tells you the manufacturer met established standards, but it doesn't guarantee you'll never have an issue. You still need strong passwords and a separate IoT network.

The program focuses primarily on cybersecurity — protecting devices from being hacked or exploited. It does not directly regulate what data a company collects about you or how they use it. A device could earn the Cyber Trust Mark and still collect extensive personal data. Amazon Alexa, for example, collects 28 of 32 possible data points. That's why you should treat the label as one piece of the puzzle, not the whole picture. Always check privacy policies and device settings separately.

Use your phone's camera app to scan the QR code on the product packaging or the device itself. It links to a public registry entry showing the device's security details — what standards it meets, when certification was granted, and what security features are included. The registry is maintained by the ioXt Alliance, the FCC's designated Lead Administrator. No app or account needed — just point your camera and tap the link.

Don't panic — most devices on the market right now won't have it yet since the program just launched. Focus on the basics: update firmware regularly, use strong unique passwords, enable two-factor authentication, put IoT devices on a separate WiFi network, and review privacy settings on each device. When it's time to replace or upgrade, look for the Cyber Trust Mark as one factor in your buying decision alongside privacy policies and local-processing options.