Web Toys Spied on Children, Privacy Groups Tell FTC

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Dec. 6 — Web-connected products from Genesis Toys record and disclose children’s voices without federally-required notice and parental consent, consumer privacy advocacy groups told the FTC Dec. 6.

FTC officials have said the agency will be addressing more internet of things scenarios in the coming year and has actively worked to oversee compliance with the Children’s Online Privacy Protection Act (COPPA). It is unclear whether the federal privacy regulator will react to the request for investigation with just over a month before President-elect Donald Trump takes office. Trump’s plans for the Federal Trade Commission aren’t established, but on the campaign trail the president-elect promised a less activist regulatory enforcement approach by the federal government.

Allison Fitzpatrick, a partner at Davis & Gilbert LLP in New York, told Bloomberg BNA Dec. 6 that “companies that market smart toys to children need to be careful that they are in strict compliance with COPPA and other privacy laws because the FTC and consumer advocacy groups will be watching them closely to ensure full compliance.”

However, Fitzpatrick noted that the request for investigation was filed by advocacy groups, and isn’t a complaint by the FTC. “As such, we should not take the allegations in the complaint to be true without conducting due diligence,” she said.

Genesis, which the investigation request said is incorporated in Hong Kong but based in Los Angeles, operated an online service directed to children. The service was tied to the company’s My Friend Cayla and i-Que Intelligent Robot dolls and companion applications, which collected children’s voices, names, location and internet protocol addresses.

Disregarded Obligations

Claire Gartland of the Electronic Privacy Information Center (EPIC) in Washington told Bloomberg BNA Dec. 6 that Genesis “completely disregarded” its obligations to children’s privacy and chose to “exploit children’s sensitive voice recordings and private conversations for corporate profit.”

The request for investigation, filed by EPIC, The Campaign for a Commercial Free Childhood, The Center for Digital Democracy and Consumers Union, also named Nuance Communications Inc., which provides voice recognition technology for Genesis.

According to the advocacy groups, the internet-connected toys talk and interact with children by recording and analyzing their communications. These recordings are then stored, and used for “a variety of purposes beyond providing for the toys’ functionality,” the groups alleged.

The request for investigation alleged that Genesis violated COPPA by failing to provide prominent link to the toys’ or apps’ privacy policies that clearly described its data collection, use and disclosure policies. Genesis also failed to make reasonable efforts to make sure parents received direct notice of its practices, the groups said.

The advocacy groups also alleged that Genesis violated the FTC Act by failing to employ “basic security measures” to prevent unauthorized connections with the toys.

The groups are urging the FTC to halt the companies’ unfair and deception practices.

“The FTC should issue a recall on the dolls and halt further sales pending the resolution of the privacy and safety risks identified in the complaint,” Gartland said. “This is already happening in the European Union, where Dutch stores have pulled the toys from their shelves,” she said.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Text of the request for investigation is available at https://epic.org/privacy/kids/EPIC-IPR-FTC-Genesis-Complaint.pdf.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security