January 21, 2018

January 19, 2018

Subscribe to Latest Legal News and Analysis

Connected Toys Scrutinized Over Privacy and Security Weaknesses

Two connected toys, My Friend Cayla and i-Que robot, by Genesis have been receiving trans-Atlantic attention this month for alleged privacy, security and advertising law violations. On December 6, 2016, public interest organizations in the U.S. and European Union submitted complaints to the Federal Trade Commission (“FTC”) and EU Data Protection Authorities (“DPAs”). The complaints describe a number of privacy and security weaknesses in the toys, such as the toys failing to obtain consent from parents for the processing of minors’ personal data, and weak security safeguards that allow the toys to be easily hacked.

The Toys

The toys provide children with an interactive experience via a microphone, speech recognition software, connection to the Internet, and speakers. Such toys have become very popular because they are constantly learning from these interactions through the speech recognition software and Wi-Fi or Bluetooth connection to the Internet (which is able to search Google, Weather Underground and Wikipedia). The toys are able to talk to children, make jokes, play games, and much more. While kids play with the toys, much of the interactions are recorded and then shared with other parties.

The Complaints

Specifically, the U.S. FTC complaint alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) and consumer protection law, and was filed by the Electronic Privacy Information Center (“EPIC”), the Center for Digital Democracy (“CDD”), Consumers Union and the Campaign for a Commercial Free Childhood (“CCFD”). Under COPPA, operators of websites or online services directed at children under 13 years of age must post their privacy policies, and notify parents of their data collection practices and receive verifiable parental consent before collecting personal data from children.

The EU complaint alleges the toys violate the EU Data Protection Directive and EU Unfair Contract Terms Directive, and was filed with EU Commission, the International Consumer Protection and Enforcement Network, and national DPAs in Norway, Greece, Belgium, France, the Netherlands and Ireland. Under current EU law and the upcoming General Data Protection Regulation (“GDPR”), data controllers and processors must meet certain obligations when they collect, process, and share data.

Next Step

As everyday items are becoming a part of the Internet of Things (“IoT”), more and more companies will need to consider data privacy and cybersecurity as part of their designs. In general companies should take into account state, federal, and international data protection laws when designing their products and services. Most laws have certain requirements that must be met for companies to lawfully collect, process and share data. An effective way to understand the potential privacy and security issues of your company’s products and services is to map the company’s data flows, and to conduct a privacy impact assessment and testing of security vulnerabilities. In addition, as shown by the recent complaints in the EU and U.S., toy manufacturers must be sensitive to children’s privacy and security.

© Copyright 2018 Squire Patton Boggs (US) LLP


About this Author

Gretchen A. Ramos, Squire Patton Boggs, complex commercial disputes lawyer, Client Services Attorney

Gretchen Ramos, CIPP/US, CIPP/E, is an aggressive litigator with a long track record in complex commercial disputes. In addition to her prodigious legal skills, Gretchen brings a direct, no-nonsense approach to client service, and uses her creativity to simplify matters for in-house counsel with dozens of other cases – and little time – on their hands.

Gretchen is known for her ability to get to the heart of any dispute. She can quickly identify the key issues, eliminate the extraneous ones, and draw out a strategic roadmap that is both cost-...

415 743 2576
Zerina Curevac, Squire Patton, HIPAA Compliance Lawyer, Information Privacy attorney

Zerina Curevac focuses her practice on data privacy and cybersecurity as well as intellectual property and technology matters. She is a Certified Information Privacy Professional in U.S. privacy law (CIPP/US) and has worked with clients in the US, EU and Asia Pacific on a range of matters, such as HIPAA compliance, EU-US Privacy Shield certification and EU General Data Protection Regulation preparation. Her approach to data protection optimizes business goals and strategy and supports technology investments.

During law school, Zerina worked with various technology companies on corporate legal, policy and compliance matters to manage cybersecurity and data privacy risks. She served as an editor to the nationally and internationally recognized High Tech Law Journal at Santa Clara University. Zerina graduated with a High Tech Law Certificate with Honors.