In a coordinated effort, public interest organizations announced on December 6 the submittal of complaints to the Federal Trade Commission (FTC) and European Union and Member State consumer and data privacy authorities to investigate two connected toys, My Friend Cayla and i-Que robot. The groups allege violations of privacy, security and advertising laws. While this is not the first time advocacy groups have sought to prompt regulators to investigate alleged lapses involving connected children's products, this appears to be the first globally-coordinated initiative.
The FTC petition, filed on December 6, 2016, by the Electronic Privacy Information Center (EPIC), the Campaign for a Commercial Free Childhood (CCFC), the Center for Digital Democracy (CDD), and Consumers Union, alleges violations of the federal Children's Online Privacy Protection Act (COPPA) and other consumer protection laws. Namely, the groups allege that Genesis Toys' My Friend Cayla doll and i-Que Intelligent Robot deliberately "record and collect the private conversations of young children without any limitations on collection, use, or disclosure of this personal information" and without parent's knowledge or consent. The organizations further allege that Genesis stores and sends the voice recordings to its technology partner, Nuance Communications, Inc. (who provides the speech recognition software), and that it is unclear what Nuance does with the data it receives.
In Europe, complaints spearheaded by Forbrukerradet, the Norwegian arm of the European Consumer Organisation BEUC (an umbrella organization for 43 European consumer advocacy groups), were reportedly filed with the European Commission, the International Consumer Protection and Enforcement Network, and national data protection authorities in Norway, France, Sweden, Greece, Belgium, Ireland and the Netherlands. The complaints allege the toys violate the EU Unfair Contract Terms Directive and the EU Data Protection Directive, and possibly the Toy Safety Directive. The consumer groups are also using social media to campaign against the toys.
Genesis and Nuance deny the allegations. Nuance said it had "adhered to our policy with respect to the voice data collected through the toys referred to in the complaint," according to an article in the Wall Street Journal. Nuance denies that it shares voice data collected from individual toys with any of its other customers and says the data collected is used to improve services for the toys and other products.
How Connected Toys Work
Connected toys offer many interactive features to provide a child with a different play experience. My Friend Cayla is an interactive doll that talks and plays games, tells stories, and shares photos when online. It also has an offline feature for storing and playing information. The i-Que Intelligent Robot is an interactive robot that can take part in conversations, tell jokes, spell, pronounce, define 80,000 words from the Merriam-Webster Intermediate Dictionary and access information from the Encyclopedia Britannica stored in the robot's permanent memory. Its software also allows the robot to expand its knowledge base with personal interaction.
Bluetooth and Wi-Fi are common connection techniques for all sorts of connected products, not just toys. Cayla and the i-Que robot are each equipped with a microphone, speakers and speech recognition software, and use Bluetooth technology connected to a smartphone app to connect to the Internet. According to the toys' specifications, children's speech is converted into text. The application then uses the text to search Google, Wikipedia, and Weather Underground in response to the child's inquiry.
The Legal Framework
In the United States, COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. It requires that companies post their privacy policies, notify parents of their information-collection practices, and get verifiable parental consent, among other steps, before collecting personal data from children.
Currently, EU law does not have a similar children's privacy legal instrument, but a provision of the General Data Privacy Regulation (GDPR), expected to enter into force in 2018, does incorporate obligations related to children's privacy. For a summary of the GDPR and a checklist for businesses prepared by Keller and Heckman LLP, click here.
The Future of Connected Toys
Connected toys offer innovative play experiences for children, but they have been a lightning rod for complaints about privacy and security. While such complaints often turn out to be unfounded or exaggerated, the coordinated complaints targeting these two products may represent a new strategy between European and U.S. consumer groups who advocate greater restrictions going forward, and raise alarms about "commercialization."
Parents today are connected, and connected parents want connected toys. Children's privacy should of course be protected with appropriate security and privacy measures suitable to the technology platform and appropriate to foster a safe and fun play experience for that particular toy. In an effort to respond to this growing demand to give children connected play experiences, toy manufacturers are implementing privacy and security impact assessments and legal compliance strategies on top of the extensive safety testing obligations applicable to toys worldwide. In the complex world of IoT, there is much for manufacturers to consider (see our recent article available here). Thoughtful attention to overall consumer protection obligations is certainly necessary for any connected product manufacturer, and continuing to improve is part and parcel of product innovation. Connected toy manufacturers, however, may also need to consider the possibility that their products will be targets for critics.