By John Weaver
Citing concerns for children’s personal data, U.S. Senator Mark Warner recently asked the Federal Trade Commission to work with Congress to identify methods to better protect children “as technology changes the way they access and use the Internet.” Specifically, Sen. Warner asked the FTC to respond to the following questions:
- While the Children’s Online Privacy Protection Act (COPPA) has requirements regarding the security of children’s data, hacks of companies like CloudPets and VTech have shown that children’s data is still vulnerable. Do COPPA’s data security – including retention and data minimization – standards need to be updated? Are companies ignoring COPPA requirements, or are COPPA requirements not keeping pace with developments in data security and cyber security best practices?
- Does the FTC need additional authority from Congress to regulate the remote storage of data by operators or by third parties who store and handle children’s personal information?
- In the case of a civil enforcement action related to a violation of either Section 5 or COPPA, does the FTC’s injunctive authority extend to requiring defendants to recall insecure products designed for, marketed, and sold to U.S.-based consumers? Under what circumstances might the FTC require a ‘buy-back’ for insecure products, as it did in a recent Section 5 case involving an automaker’s deceptive marketing?
- Has the FTC been in contact with CloudPets or its parent company Spiral Toys? If not, why has the FTC not been in contact?
- What guidance has the FTC given to Spiral Toys or CloudPets? Has the FTC issued guidance or considered issuing guidance to consumers who bought products from Spiral Toys or CloudPets whose data has been compromised?
- As mentioned above, privacy advocates filed a complaint with the FTC in December 2016 regarding “My Friend Cayla.” Has the FTC taken any action with respect to “My Friend Cayla” or other products manufactured by Genesis Toys?
- Insecurities associated with IoT devices have been widely known for a number of years. On what basis are you concluding that these risks have yet to materialize, or that market solutions have successfully addressed these harms?
The Senator’s concerns are apt. Toys are increasingly connected to external apps and websites that increase a toy’s ability to interact with children, but that also increase the ability of outside parties to gain access to the information shared to promote those interactions. For example, CloudPets are stuffed animals that permit parents to record and send a message remotely via an app; the toy plays the message when squeezed. Or as the company’s tagline puts it, “A message you can hug.”
It’s also a message you can hack. Per Sen. Warner’s office, CloudPets reportedly exposed the personal data of more than 800,000 customers, including 2 million voice recordings sent by parents to their children. Just as bad, subsequent reports suggest that individuals may be able to control the device if they are within Bluetooth range.
Although this is just one example, the marketplace is filled with toys that employ similar functionality, and their developers and manufacturers need to implement rigorous data protection procedures. It is also a useful reminder to the developers and manufacturers of all devices that rely on casual data sharing for users to maximize a device’s utility, including Amazon’s Echo, Google Home, and apps that remotely control your home’s utilities. The personal data used by those devices should be considered in any company’s data protection policies.