Privacy advocates in both the United States and Europe are urging regulators to take a hard look at the privacy ramifications of internet-connected toys, which are often conventional toys augmented by companion mobile applications.
In December, the privacy advocacy group Electronic Privacy Information Center (EPIC), joined by several other organizations, filed a complaint with the Federal Trade Commission regarding two firms that manufacture, sell, and operate internet-connected dolls. The dolls have built-in Bluetooth enabled microphones that enable them to record conversations between children and the dolls. These conversations are then stored on a server and used, according to the privacy policy accompanying the app, to “improve […] products and services, and for advertising and marketing.”
EPIC alleges that the two firms violate the FTC’s COPPA Rule by failing to obtain verified parental consent prior to the collection of data from children using the doll and the app, and that the dolls violate the FTC’s more general prohibition on unfair or deceptive practices by failing to implement security measures sufficient to ensure that each doll is paired only with an authorized device.
The same dolls were banned in Germany in February by the Federal Agency for Electricity, Gas, Telecommunications, Post and Railway (the Bundesnetzagentur), following complaints from privacy advocates. German officials pointed to “particular danger in toys being used as surveillance devices” in justifying the ban.
As we have written, voice-activated devices present diverse questions about privacy and fairness, often at a pace that is faster than applicable rules or guidance. Though children’s devices present special concerns because of the COPPA Rule, any firm wanting to bring to market a product relying on voice-recognition or voice-activation would be well-advised to ensure its consumer disclosures and privacy policies are air-tight before doing so.