Can Privacy Regulations Outsmart Smart Toys?

The experience of perusing a toy aisle today often involves seeing shelves filled with toys that can listen and respond to their child owners—blurring the lines between reality and the movie, Toy Story.

As the technology in toys becomes more sophisticated, children become increasingly vulnerable to cyber home invasion via their internet-connected smart toys. In this brave new toy world, parents and guardians show concern about the privacy and safety of their children. Smart toys typically can connect to the internet, link to an app, and communicate using a microphone and speaker. For many parents and guardians, purchasing smart toys for their children causes some level of caution or apprehension.

Mainstream smart toys such as Hello Barbie—a doll brought to life by artificial intelligence software and hooked up to an app—risk being hacked. Because smart toys connect directly to the internet, these intelligent toys can endanger kids by involuntarily disclosing their private information.

The Federal Bureau of Investigation (FBI) released a public service announcement warning of the security risks that accompany smart toys, including the collection of sensitive data. The FBI encourages owners of these devices to take their own protective measures, which include researching the toy manufacturer’s policies prior to purchase.

The Children’s Online Privacy Protection Act of 1998 (COPPA), enforced by the Federal Trade Commission (FTC), regulates online services for children under 13 years old, including those that garner personal information from kids. COPPA requires providers to obtain parental consent before collecting data and if data are collected from a child user, to keep data secure.

The FTC first cracked down on a smart toy COPPA violation in 2018 when an electronic toy company accumulated data from children without parental consent. Since then, many advocates for privacy have pushed for more transparency from companies manufacturing smart toys, particularly when it comes to what kind of data manufacturers collect and whether users can delete that accrued data later. Because smart toys are here to stay, there is room for significant regulatory action to protect children at play.

In this week’s Saturday Seminar, scholars explore how privacy regulations around children’s smart toys intersect with company responsibility, user vulnerability, data sharing, and ethics.

• In an article published in The IEEE Ethics Journal, Meg Leta Jones of Georgetown University and Natalie Meurer of Probably Something argue that companies must construct smart toys carefully at each stage of development to ensure data protection and privacy. The design of some smart toys such as “Hello Barbie,” a doll that initiates and records conversations with children, values parental control over children’s privacy. Jones and Meuer argue that in the future, smart toy companies should create a higher standard of user data protection and integrate privacy values in their product design through strict regulation of company data sharing practices.
• In a paper in The Journal of Cyber Policy discussing the intricacies of consumer trust and smart toys Esther Keymolen of Tilburg University and Simone van der Hof of Leiden University explain the defenseless position of smart toy users. Unlike other toys, smart toys permanently remain in the control of the manufacturing company, and parents must trust the company to act responsibly, according to Keymolen and van der Hof. They argue that users must trust that companies have complied with regulations in terms of privacy protections and safety measures alike. Because of young users’ vulnerability, Keymolen and van der Hof suggest that both stricter federal privacy regulations and greater transparency on the company’s end are in order.
• In a report about the ethical issues facing smart toys, Victor Chang and Zhongying Li of International Business School Suzhou and Muthu Ramachandran of Leeds Beckett University argue that the government should regulate the development of internet-connected toys. Chang and his coauthors urge that parental guidance and toy safety rules should include privacy considerations. They explain five guiding principles to avoid ethical issues with smart toys: authentication, encryption, updates, disclosure, and control. For this framework to succeed, policymakers, consumers, and vendors all need to follow these guiding principles, Chang, Li, and Ramachandran suggest.
• In a paper in the University of Illinois Law Review, Eldar Haber of the University of Haifa recommends that policymakers stop regulating privacy by sector, and adopt an omnibus approach to protect children’s privacy. Haber predicts an “always-on” era in which daily life––from smart homes to smart infrastructure––will depend on internet-connected devices that continuously listen and collect data. Haber explains that COPPA alone is not enough to protect children’s privacy because children may be surrounded by always-on devices that lie outside of COPPA’s terms. Within the current sectoral approach, Haber advises policymakers to expand the scope of COPPA.
• COPPA falls short of protecting children’s privacy from smart toys, Eldar Haber of the University of Haifa argues in a paper in the Ohio State Law Journal. Although the FTC classifies connected toys as online services under COPPA, Haber suggests that smart toys present greater privacy risks than websites because companies can gain more data, more types of data, and more access to data from children. Haber recommends that companies limit data collection to what is required for the toy to function, as well as limit data retention and data sharing.
• In a study analyzing parents’ privacy norms with existing regulations, Noah Apthorpe of Colgate University, Sarah Varghese of McKinsey & Company, and Nick Feamster of the University of Chicago found that the regulations set forth by COPPA broadly align with parents’ expectations of privacy for their children’s toys. But the authors warn that the existence of COPPA may give parents a false sense of security that the FTC adequately protects their children’s data. The toy market still contains toys that violate COPPA, so Apthorpe and his coauthors recommend that both regulators and parents remain on high alert.