Fuzzy talking toys are no longer the annoying, yet benign Christmas gifts they used to be. Many of today’s toys, like refrigerators, cars, and televisions, are “smart,” and may come gift-wrapped with all of the emerging cybersecurity risks the internet has to offer. And as various government agencies grapple with the regulation and enforcement of smart products, the Federal Trade Commission (“FTC”) may be narrowing in on smart toy manufacturers as a potential target. The FBI and FTC issued separate alerts last week highlighting potential threats posed by cuddly friends that collect children’s voices and other identifying information and putting manufacturers on notice of potential enforcement actions for failure to comply with the Children’s Online Privacy Protection Act (“COPPA”), respectively.

The FTC issued COPPA guidance on July 21 – on the heels of the FBI’s internet-connected toys threats warning and mitigation recommendations issued July 17. While the FBI notice alerted consumers to the protections afforded by COPPA, the FTC has updated its step-by-step COPPA compliance guidance for smart toy manufacturers, specifically including “connected toys or other Internet of Things devices” in its definition of “website or online services” which must comply with COPPA. COPPA requires operators of websites and online services directed to children under the age of 13 or who are collecting personal information online from children under 13 to take certain disclosure, parental consent, and security precautions. Personal information includes, but is not limited to, full names, addresses, user or screen names, and photos and audio files of a child or a child’s voice.

Manufacturers that market their inter-connected toy products to children under the age of 13 or whose products are known to be used by children under 13 should be taking the following actions in accordance with FTC guidance:

  1. Determine whether their products are collecting “personal information” of children;
  2. Provide a sufficient privacy policy;
  3. Notify parent’s directly about the company’s information practices before collecting a child’s personal information;
  4. Obtain verifiable parental consent before collecting a child’s personal information;
  5. Honor parents’ ongoing decisions to revoke consent, refuse further use of a child’s information, or delete a child’s personal information; and
  6. Establish reasonable data confidentiality, security, and integrity procedures including holding information only for so long as it is needed for the reason it was collected, disposing of information, and disposing of information securely.

The flurry of legislative, regulatory and enforcement activity surrounding smart toys and the protection of children’s information – including Senator Mark Warner’s letter to the FTC expressing smart toy privacy concerns, consumer advocate pressure, and the FTC and FBI responses – indicates that a government enforcement effort in this area may be on its way.