Children’s toys are increasingly connected to the Internet. However,
there is growing concern that these “smart toys” are too easily
hacked. In a recent letter to the Acting Chairwoman of the Federal Trade
Commission (FTC), Sen. Mark R. Warner (D-Va.) questioned whether the agency
is doing enough to safeguard children’s privacy.
Children’s Privacy Under COPPA
The FTC is tasked with
enforcing the Children’s Online Privacy Protection Act (COPPA). The federal statute requires businesses that employ online marketing
to children under age 13 to provide notice and obtain parental consent
before collecting items of “personal information” from children.
The rule is not just for children’s websites and online services,
but also applies to operators of general audience websites or online services
with “actual knowledge that they are collecting, using, or disclosing
personal information from children under 13.”
Under COPPA, businesses must maintain the confidentiality, security, and
integrity of information they collect from children, including taking
reasonable steps to release such information only to parties capable of
maintaining its confidentiality and security. The statute also mandates
that companies retain personal information collected online from a child
for only as long as is necessary to fulfill the purpose for which it was
collected and delete the information using reasonable measures to protect
against its unauthorized access or use.
Sen. Warner’s Letter to FTC
letter to Acting Chairwoman Ohlhausen, Sen. Warner highlighted several high-profile instances of children’s
data being hacked. Last year, privacy advocates filed a complaint over
children’s doll “My Friend Cayla,” which raised concerns
that the “smart” toy could be used for unauthorized surveillance.
In February 2017, the Bundesnetzagentur, Germany’s equivalent of
the FTC, pulled “My Friend Cayla” off the market due to privacy concerns.
Sen. Warner also noted the recent data breach involving CloudPets, a product
line manufactured by Spiral Toys and marketed as “a message you
can hug.” The company stored customers’ personal data in an
insecure, public-facing online database, which resulted in a breach involving
800,000 customer credentials and more than two million voice recordings
sent between parents and children. There are also concerns about the security
of the actual device, with individuals able to hack CloudPets’ toys
and remotely control the devices, including the microphone, if they are
within Bluetooth range.
“Recent events have illustrated that in addition to security concerns
with the devices themselves, new data-intensive functionalities of these
devices necessitate attention to the manner in which vendors transmit
and store user data collected by these devices,” Sen. Warner wrote
in his letter to Acting Chairwoman Ohlhausen. “Reports of your statements
casting these risks as merely speculative – and dismissing consumer
harms that don’t pose ‘monetary injury or unwarranted health
and safety risks’ – only deepen my concerns.”
Sen. Warner also asked the FTC how it plans to respond to the above security
incidents and enhance its efforts to protect children’s privacy.
His letter poses the following questions, among others:
If your child or someone you love has suffered serious harm due to a dangerous
or defective toy, don’t hesitate to
a San Diego product liability lawyer at the Law Offices of Robert Vaage
for a free consultation.
- Does the FTC need additional authority from Congress to regulate the remote
storage of data by operators or by third parties who store and handle
children’s personal information?
- In the case of a civil enforcement action related to a violation of either
Section 5 or COPPA, does the FTC’s injunctive authority extend to
requiring defendants to recall insecure products designed for, marketed,
and sold to U.S.-based consumers?
- Under what circumstances might the FTC require a ‘buy-back’
for insecure products, as it did in a recent Section 5 case involving
an automaker’s deceptive marketing?