CONNECTED TOYS

The increasing digital trend in which everyday objects are being connected to the internet is creating new challenges for consumer protection and online security. ‘Connected toys’ typically contain a microphone and speaker, and an app to process the data. While it’s undeniable that these hi-tech gadgets can inject life into playtime, they can often cause huge issues in terms of protecting privacy.

'Huggybug your Family today!'

At the 2018 G20 Consumer Summit, Consumers International launched a 60-second spoof advert ‘Huggy Bug Your Family’, highlighting some of the problems found in internet-connected children’s products.

We are calling on the G20 countries to improve the security and data protection of children's connected products and services over the next year and support greater international co-operation on the topic.

READ MORE

#TOYFAIL

We are working hard to make sure that connected toys are safe and children are not put at risk. So far our campaigning activity around connected toys has focused on two particular products: the ‘i-Que Intelligent Robot' and ‘My Friend Cayla’ doll, manufactured by Genesis Toys.

Analysis by the Norwegian Consumer Council found these popular toys are:

  • Dangerously easy for others to gain access, as physical access to the toy is not required in order to connect.
  • Recording everything the child says around the doll and transferring it to a company which can sell this information to third parties.
  • Embedded with pre-programmed phrases endorsing commercial partnerships.


The issue of the toys’ lack of security was raised with the manufacturers of the ‘i-Que Intelligent Robot’ and ‘My Friend Cayla’ doll almost two years ago. The problems have still not been fixed.

The manufacturers are accused of failing to prevent unauthorized Bluetooth devices from connecting to the toys. This means that someone could eavesdrop on conversations, which could in turn increase the threat of predatory stalking and physical danger. Bluetooth normally requires that you be relatively close (within about 33 feet) to share information, but even at that distance, someone at a playground or outside the child’s home could snoop on children using these connected toys.

 



Not only do the toys capture children’s voices without adequate notice or permission; they send it to a US-based company specialising in voice- and speech-recognition, with few safeguards over how that information is handled.

This video released by the Norwegian Consumer Council explores how these toys operate; claiming that they’re ‘not as innocent as they look’, with no added security to prevent hackers from talking or listening through the dolls.

What needs to happen?

Manufacturers need to reconsider how they make these kinds of toy, especially those which use cameras and microphones to capture what kids are doing. They’re not the same as a smart speaker or other typical voice-activated device; because they are specifically aimed at children, they should fulfil much more stringent privacy expectations.

Together with the Norwegian Consumer Council and several other members, we’re calling on toy manufacturers to:

Only collect necessary data; using it solely for the purpose of the toy.

Prevent these issues resurfacing by committing to privacy and security by design, with privacy and security-related risk assessments undertaken during the entire design-process; and sufficient privacy and security measures are worked into the product design itself.

Make these toys safer by increasing security features in how devices are paired, to stop unauthorised people from connecting to the toy.

Stop direct marketing to children.

Highlights and successes

  • Our members around the world continue to call for investigations into the manufacturers, Genesis Toys. In December 2016 a formal complaint (eng) was made in the US by consumer groups, accusing the makers of the i-Que and Cayla smart toys of subjecting children to ‘ongoing surveillance’ and posing an ‘imminent and immediate threat’ to their safety and security.
  • In February 2017 Germany’s telecommunications watchdog ordered parents to destroy or disable all Cayla dolls. The country now classifies the dolls as ‘illegal espionage apparatus’ due to their ability to spy on children. As a result, retailers and owners could face fines if they continue to stock it or fail to permanently disable the doll’s wireless connection.
  • There are also reports that Dutch shop owners have been choosing to refund customers for Cayla dolls, even though the manufacturers are still not recalling the product.

Media across the world covered the #ToyFail story

Related materials

Connected and Protected in a digital age: Briefing

Addressing smart and Internet of Things technologies; the risks and opportunities for consumers' and the extent to which existing consumer protection frameworks are able to address and remedy potential problems. Available in English and Arabic

#Toyfail

 

An analysis of consumer and privacy issues in three internet-connected toys, looking specifically at the terms and conditions and technical features of three popular dolls, My Friend Cayla, Hello Barbie, and the robot i-Que. (eng)

news

Consumers International calls for climate action and stronger cross-border protection at Davos 2020

Consumers International joined world leaders at the World Economic Forum's Annual meeting in Davos, 21-24 January 2020, to ensure that the global consumer voice was represented in high-level discussions on privacy and digital rights, sustainable consumption, plastics recycling, the future of food, finance and energy.

READ MORE

blog

How safe are products in the Internet of Things?

To mark International Product Safety Week, our latest blog explains why urgent action is needed to resolve issues around the safety and security of connected products.

READ MORE

Our Latest Publication

Summary of Report: Recommendations for Interoperable & Consumer-Centric Redress in Data Misuse Across Borders: Summary Report

View all publications