Bring An Equalizer to the Fight. Choose a Firm That Was Created to Advocate for Victims.

"Smart" Toys Pose Privacy Risks

Kids Playing with Toy
Children’s toys are increasingly connected to the Internet. However, there is growing concern that these “smart toys” are too easily hacked. In a recent letter to the Acting Chairwoman of the Federal Trade Commission (FTC), Sen. Mark R. Warner (D-Va.) questioned whether the agency is doing enough to safeguard children’s privacy.

Children’s Privacy Under COPPA

The FTC is tasked with enforcing the Children’s Online Privacy Protection Act (COPPA). The federal statute requires businesses that employ online marketing to children under age 13 to provide notice and obtain parental consent before collecting items of “personal information” from children. The rule is not just for children’s websites and online services, but also applies to operators of general audience websites or online services with “actual knowledge that they are collecting, using, or disclosing personal information from children under 13.”

Under COPPA, businesses must maintain the confidentiality, security, and integrity of information they collect from children, including taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security. The statute also mandates that companies retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

Sen. Warner’s Letter to FTC

In his letter to Acting Chairwoman Ohlhausen, Sen. Warner highlighted several high-profile instances of children’s data being hacked. Last year, privacy advocates filed a complaint over children’s doll “My Friend Cayla,” which raised concerns that the “smart” toy could be used for unauthorized surveillance. In February 2017, the Bundesnetzagentur, Germany’s equivalent of the FTC, pulled “My Friend Cayla” off the market due to privacy concerns.

Sen. Warner also noted the recent data breach involving CloudPets, a product line manufactured by Spiral Toys and marketed as “a message you can hug.” The company stored customers’ personal data in an insecure, public-facing online database, which resulted in a breach involving 800,000 customer credentials and more than two million voice recordings sent between parents and children. There are also concerns about the security of the actual device, with individuals able to hack CloudPets’ toys and remotely control the devices, including the microphone, if they are within Bluetooth range.

“Recent events have illustrated that in addition to security concerns with the devices themselves, new data-intensive functionalities of these devices necessitate attention to the manner in which vendors transmit and store user data collected by these devices,” Sen. Warner wrote in his letter to Acting Chairwoman Ohlhausen. “Reports of your statements casting these risks as merely speculative – and dismissing consumer harms that don’t pose ‘monetary injury or unwarranted health and safety risks’ – only deepen my concerns.”

Sen. Warner also asked the FTC how it plans to respond to the above security incidents and enhance its efforts to protect children’s privacy. His letter poses the following questions, among others:

  • Does the FTC need additional authority from Congress to regulate the remote storage of data by operators or by third parties who store and handle children’s personal information?
  • In the case of a civil enforcement action related to a violation of either Section 5 or COPPA, does the FTC’s injunctive authority extend to requiring defendants to recall insecure products designed for, marketed, and sold to U.S.-based consumers?
  • Under what circumstances might the FTC require a ‘buy-back’ for insecure products, as it did in a recent Section 5 case involving an automaker’s deceptive marketing?
If your child or someone you love has suffered serious harm due to a dangerous or defective toy, don’t hesitate to contact a San Diego product liability lawyer at the Law Offices of Robert Vaage for a free consultation.