Proposed ‘Teddy Bears and Toasters’ legislation mandates security

Bride of Chucky?

The demise of My Friend Cayla in the German market wasn’t exactly a scene from a vintage horror movie – there were no pitchforks and torches – but the doll was run out of town nonetheless. However, the story was scary enough to move a California lawmaker to try to prevent the same situation from happening in her state.

The Cayla doll, aimed at young children, listens to its living playmates, records their speech and uploads those recordings to an app connected to the doll over Bluetooth. The app conducts internet searches about the content of the recordings and fashions a reply, which is sent back to the doll, which then “speaks” it to the child.

This was too much for Germany’s Federal Network Agency, the country’s telecom watchdog, which banned the doll in early 2017 as a threat to the privacy of its owners. The doll was removed from store shelves, and parents were asked to destroy dolls they had purchased. If this seems extreme, consider that only two years earlier, the doll had been hacked by security firm experts, who had publicized their feats; one expert claimed to have loaded the doll with sound clips from Poltergeist.

On this side of the Atlantic, Cayla’s makers faced scrutiny from the Children’s Advertising Review Unit (CARU). Genesis Toys, Cayla’s creator, ignored CARU’s inquiries, and as a result, its case was forwarded to the Federal Trade Commission for review in July 2017. There has been no word from the commission yet.


My Friend Cayla is a cautionary tale, and not just for parents. Device manufacturers staking out territory in the rapidly expanding “internet of things” are harnessing the internet to create innovative products, but will their creations be seen as monsters in the United States?

California lawmaker Hannah-Beth Jackson, state senator representing San Diego, is attempting to put some restraints on internet-connected products. In early 2017, she introduced California Senate Bill 327 – the “Teddy Bear and Toaster Act” – which, as its name suggests, aims to address the myriad devices that are currently appearing in the matrix.

As California law, the act’s scope would be significant; the Golden State is the epicenter of global high technology and boasts the world’s fourth-largest economy. Any move by the state to affect electronic privacy or security will impact manufacturers and consumers around the globe.

Opening Salvo

The law as originally introduced in February 2017 was nothing short of sweeping. It required that manufacturers equip “connected devices” sold in California with “reasonable security features appropriate to the nature of the device.”

But the privacy provisions of the bill were even more ambitious.

All connected devices would be required to disclose on the packaging, corporate website or product itself whether the device is capable of collecting various types of information, including audio, video and location – and to explain the process of collection: its frequency, and what actions or situations trigger collection. Moreover, the bill required connected devices to obtain consent from the consumer before collecting or transmitting “information beyond what is necessary in order to fulfill a user transaction or for the stated functionality of the connected device.”

The Takeaway

In June 2017, after several amendments the month before, Bill 327 was shelved as “inactive” at Sen. Jackson’s request. It was only recently shocked back to life: It was ordered for a second reading on Jan. 11, 2018, and passed by a 28-9 vote in the Senate on Jan. 23. It will now be put forth for consideration by the Assembly.

But it’s a much different bill. The revision history is a sea of red: As currently construed, all the disclosure provisions have been removed. Only the security provision remains. The cause for the changes is unclear, but no matter what final form the act takes, it will have an outsized effect on the evolving connected landscape.