U.S. and EU Consumer Groups Ask Global Regulators to Investigate Two Connected Toys

Genesis and Nuance deny the allegations. Nuance said it had "adhered to our policy with respect to the voice data collected through the toys referred to in the complaint," according to an article in the Wall Street Journal. Nuance denies that it shares voice data collected from individual toys with any of its other customers and says the data collected is used to improve services for the toys and other products.

How Connected Toys Work

Connected toys offer many interactive features to provide a child with a different play experience. My Friend Cayla is an interactive doll that talks and plays games, tells stories, and shares photos when online. It also has an offline feature for storing and playing information. The i-Que Intelligent Robot is an interactive robot that can take part in conversations, tell jokes, spell, pronounce, define 80,000 words from the Merriam-Webster Intermediate Dictionary and access information from the Encyclopedia Britannica stored in the robot's permanent memory. Its software also allows the robot to expand its knowledge base with personal interaction.

Bluetooth and Wi-Fi are common connection techniques for all sorts of connected products, not just toys. Cayla and the i-Que robot are each equipped with a microphone, speakers and speech recognition software, and use Bluetooth technology connected to a smartphone app to connect to the Internet. According to the toys' specifications, children's speech is converted into text. The application then uses the text to search Google, Wikipedia, and Weather Underground in response to the child's inquiry.  

The Legal Framework

In the United States, COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. It requires that companies post their privacy policies, notify parents of their information-collection practices, and get verifiable parental consent, among other steps, before collecting personal data from children.

Currently, EU law does not have a similar children's privacy legal instrument, but a provision of the General Data Privacy Regulation (GDPR), expected to enter into force in 2018, does incorporate obligations related to children's privacy. For a summary of the GDPR and a checklist for businesses prepared by Keller and Heckman LLP, click here.

The Future of Connected Toys

Connected toys offer innovative play experiences for children, but they have been a lightning rod for complaints about privacy and security. While such complaints often turn out to be unfounded or exaggerated, the coordinated complaints targeting these two products may represent a new strategy between European and U.S. consumer groups who advocate greater restrictions going forward, and raise alarms about "commercialization." 

Parents today are connected, and connected parents want connected toys. Children's privacy should of course be protected with appropriate security and privacy measures suitable to the technology platform and appropriate to foster a safe and fun play experience for that particular toy. In an effort to respond to this growing demand to give children connected play experiences, toy manufacturers are implementing privacy and security impact assessments and legal compliance strategies on top of the extensive safety testing obligations applicable to toys worldwide. In the complex world of IoT, there is much for manufacturers to consider (see our recent article available here). Thoughtful attention to overall consumer protection obligations is certainly necessary for any connected product manufacturer, and continuing to improve is part and parcel of product innovation. Connected toy manufacturers, however, may also need to consider the possibility that their products will be targets for critics.