FTC Should Step Up Smart Toys Privacy Enforcement

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Web-connected toys pose privacy risks and the FTC will likely focus more enforcement attention there, attorneys told Bloomberg BNA Dec. 14.

The child privacy “drum beats are getting louder and louder” and the attention on internet-connected smart toys is becoming “too great to ignore,” Phyllis H. Marcus, counsel in the global competition team at Hunton & Williams LLP in Washington and a former Federal Trade Commission attorney, told Bloomberg BNA. The FTC often picks emerging areas and tries to demonstrate through enforcement actions that the law applies to these new technologies, she said.

Helping to beat the drum, Sen. Bill Nelson (D-Fla.), ranking member of the Senate Commerce, Science & Transportation Committee, unveiled a report Dec. 14 warning parents about the privacy risks associated with internet-connected toys.

Before purchasing a smart toy, parents should investigate the manufacturer’s information collection, retention and transfer practices, the report said. After buying the toy, parents should change its default passwords and, if possible, alter the toy’s privacy settings to limit the amount of personal data it shares with the toy manufacturer, it said.

“The FTC should carefully monitor the connected toy space and exercise its authority” as the U.S.'s principal consumer protection agency, the Senate report said.

With the rise of ubiquitous internet connectivity, the number of internet of things (IoT)—including smart homes, smart toys, self-driving cars and other connected devices—is expected to increase up to 50.1 billion by 2020. Privacy and security attorneys previously told Bloomberg BNA that the FTC will likely turn its attention to data security cases involving IoT in 2017.

According to Gary A. Kibel, a New York-based partner in the Digital Media, Technology & Privacy practice of Davis & Gilbert LLP, the FTC has already been “very public” about its enforcement focus on IoT data security.

Connected toys are simply subsets of connected devices that the FTC is focused on, Kibel told Bloomberg BNA Dec. 14.

Growing Concerns

According to Marcus, the Senate report shouldn’t be analyzed in a vacuum, but in the context of the recent increase in entities raising concerns over connected toy-related privacy and security issues.

Consumer privacy groups Dec. 6 urged the FTC to investigate allegations that web-connected toys from Genesis Toys recorded and disclosed children’s voices without parental notice and consent, as required under the Children’s Online Privacy Protection Act (COPPA).

Additionally, the Future of Privacy Forum and the Family Online Safety Institute Dec. 1 released a white paper saying that “parents need to be aware of how a toy collects, shares and stores their child’s information.” The report also said that toy manufacturers “must ensure the safety and security of that data and find innovative and effective ways to inform parents of how their child’s information is being used.”

The Senate report, the complaint against Genesis Toys and the white paper all urge the FTC to step up its enforcement involving smart toys and urges companies to think about privacy and security by design, Marcus told Bloomberg BNA. There are number of different toys and different companies, but the same problems are being highlighted by various entities, she said.

Kibel agreed. “Everyone is looking at the issues” raised by the Senate report, he said. There is a legitimate interest in “protecting children because they may not act as adults do, considering privacy issues,” Kibel said.

Consumers can no longer view smart toys as just “having cool features without considering where the information is going and what the vulnerabilities are,” Marcus said.

Kibel said that connected toy manufacturers shouldn’t back off from this industry simply because of the privacy and security concerns. Toy makers can certainly make “great connected toys” by making sure that they’re following legal requirements and best practices regarding privacy and data security, Kibel told Bloomberg BNA.

Marcus added that protecting children’s privacy is an international issue. For example, there are complaints filed against Genesis Toys in seven European countries, she said.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security