• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

The Internet of Toys: A leap forward in stimulating children's creativity or a privacy and security nightmare?

In March 2017 the European Commission published a report entitled “Kaleidoscope on the Internet of Toys: Safety, security, privacy and societal insights”[1] a technical report produced by the Joint Research Centre (JRC). The report addresses questions emerging from the rise of the Internet of Toys by offering the views on six specific topics analysed by different experts.

This article first examines what is meant by a connected toy and then explores privacy and security concerns surrounding some of these toys. Thereafter the conclusions of the JRC report will be discussed and finally some predictions will be made about the future of connected toys.

What are connected toys?

The JRC report refers to the concept of “Internet of Toys” namely internet-connected toys which constitute a subset of the Internet of Things (IOT).  In order for a toy to be connected it is not necessary for it to have a screen or otherwise resemble devices we traditionally associate with a connection to the internet, such as a computer, iPad or smart phone. The toys can take many different forms and be anything from a teddy bear or a doll to a watch. The common feature they all share is that they are all connected to the internet in some way. Some are also “smart” toys.

A distinction can be drawn between smart and connected toys. Smart toys are toys that have electronic features, for instance a camera, sensor, or microphone that facilitate interaction between the toy and a child and allow the toy to adapt to a child’s actions. Smart toys do not, however, necessarily have a connection to the internet. Robots that can interact with humans in an autonomous and socially meaningful way (i.e. not necessarily toys), also referred to as “social robots”, can be a smart toys as well.[2] Connected toys, by contrast, are toys designed to connect to the internet, but they are not necessarily smart. This distinction between smart and connected toys has been described by the Future of Privacy Forum & Family Online Institute.[3] Toys that are both connected and smart can record, among other things sounds, images, movement, and location but their key distinguishing feature is that they can also share the data which it has recorded, the so-called “play data”.[4]

Toys that record sounds, images and the like and interact with a child are not new but have in fact existed for decades. Social robots have also been used in toys for some time already; for instance a robot dinosaur called Pleo[5] was introduced nearly ten years ago. Because social robots and other smart toys often look very much like ordinary toys, a child’s interaction with them is much like it would be with a non-smart version, however, the interactive features allow the child and the toy to engage reciprocally. What is new, however, is the connection to the internet.[6]

The purpose of the internet connection is the sharing the play data. The internet connection can allow the toy to adjust the interaction to the child by personalising it, for example based on previous interactions or information about other toys’ interactions with similar children. Analysis of the play data may also facilitate learning by providing feedback to the child. One specific area where such learning may be facilitated is foreign languages where connected toys may serve as a virtual language tutors.[7]

An example of a connected toy is the Furby,[8] a furry robotic toy that somewhat resembles a hamster, first released in 1998 and whose most recent version is connected to a mobile app. A Furby can be fed and can use a toilet via the app and children can for instance collect and swop virtual Furby eggs. When the app is used the toy has an actual physical reaction such as flashing its eyes or talking in “Furbish”. It is also connected to popular songs and videos. One of the contributors to the JRC report referenced observations of a two-year old playing with a Furby. She explained that the toddler engaged in extensive imaginative play, leading to the conclusion that although children have always pretended that toys are alive, the fact that the Furby talks, sings and flashes its eyes makes that leap easy.[9]

It has therefore been argued that when playing with connected toys the key differences compared to conventional toys are: the extent to which children may connect with others; the merging of online and offline domains and public and private spaces; and the extent to which play can be shaped by global factors, such as music or videos. Play and social interactions by children are no longer confined to where they are located physically, and the Internet of Toys enables children’s imaginations to encompass a different kind of virtuality, with the toy operating as a “boundary object”.[10]

According to the JRC report the connected toys market was worth $2.8 billion in 2015, compared to $22 billion for the toy industry as a whole, but is projected to grow to $11.3 billion by 2020.

Are there reasons to be concerned about these toys?

The fact that connected toys are directly connected to the internet has, however, raised a number of concerns. The sharing of play data raises the question of who is able to access that data. For data that allows interaction with the toy access should most obvious be had by the child him/herself or the parents. In some cases, analysis of play data may even help parents, teachers and health care providers to monitor the child’s use of the toy or even bodily functions such as heart rate. However, other entities may also have access.

The service provider of the connected toy also not only has access to the data but can record and manipulate it. One contribution to the JRC report discusses this topic, explaining that what play data is recorded, and the purpose for which it is stored, analysed and shared is usually set out in the toy company’s privacy policy, although in reality not many parents actually read these policies. Play data is personal data and it is therefore crucial that toy companies and their service providers treat it with the required precautions. In addition to play data, depending on the toy, other personal data that it may also be possible to collect and manipulate include the name, age, location, email address, and postal address. Other data, including IP addresses and online behaviour can also potentially be collected.[11]

An even greater concern is presented if there are data security problems and what may transpire if the toys are vulnerable to being hacked. Such concerns have been brought to light by white hat hackers who have tested toys.

One such case is the Fisher-Price Smart Bear, reported in March 2016. The toy is a connected teddy bear advertised as having the ability to learn about a child. The bear is accompanied by an app through which parents can enter information that enables the bear to interact with a child. Testers, however, found multiple security flaws in the app that would allow easy access to the information about the child that had been entered by a parent via the app such as name, birthdate and gender. Fisher-Price has since remedied the security flaws but it was suggested that they could, for instance, have been used to gather information on a child’s family to trick the family in a phishing attack.[12]

Another case is Mattel’s Hello Barbie which was first publicised in late 2015. This Barbie doll is marketed as interactive and able to listen to a child and respond. It has a microphone that records the child’s speech, and through a Wi-Fi connection sends it out to Mattel’s voice-processing partner, Toy-Talk, for processing and the doll then responds in natural language. Testing revealed, however, that the doll was vulnerable to hacking. In fact, it was not difficult to gain access to its system, account information, stored audio and microphone.  Although the doll only records when a button is pressed and the recordings are encrypted, a hacker only needs to gain control of the doll’s system and once that has been achieved all privacy features can be turned off and the microphone can be used as a surveillance device.[13] Mattel has since addressed the problem and offered a bug bounty program with ToyTalk. Since then Mattel has received positive feedback for its privacy policy and for minimising data collection.[14]

A third example is two connected toys by Genesis Toys, a doll named My Friend Cayla marketed to girls, and a robot named i-Que marketed to boys, which are said to be able to hold a conversation with a child. They access the internet by connecting to smartphones using Bluetooth and with speech recognition software use a child’s statements to find answers from for instance Google or Wikipedia. The toys can understand and nearly instantaneously respond to almost anything, including sing, tell stories, play games, and share photos from an album. According to the Genesis privacy policy all data can be stored and shared with certain third parties. In January 2015 testers at Pen Test Partners revealed that My Friend Cayla and I-Que were vulnerable to hacking, however, two years later the problem still has not been rectified.[15]  Concerns about these toys were raised in December 2016 in a complaint by consumer groups before the Federal Trade Commission in the US, alleging that the toys ask for personal information, such as parents’ names, school name and home city, and record conversations without any limitations on the use or disclosure of the recorded information.[16]

The consumer groups also say the toys do not employ basic Bluetooth security, such as requiring a pairing code which means that when the toys are on and not already paired with another device, any smartphone within a 50-foot range can establish a connection which in turn means that anyone within that distance can use the toy as a surveillance device. [17] In addition, although the toymaker states that the toys contain software to block hundreds of inappropriate words, testers found it fairly easy to hack into the toy and program it to say words from the blocked list.[18]

A complaint similar to the one in the U.S. has already been filed an Norway and complaints will also be filed in France, Sweden, Greece, Belgium, Ireland and the Netherlands, with further calls for investigations into the privacy concerns surrounding these toys.[19] The latest development is that in February 2017 Germany went as far as banning the My Friend Cayla doll ordering parents to destroy or disable it on grounds that it could be used for surveillance.[20] Jochen Homann, President of Germany's Federal Network Agency, or Bundesnetzagentur, stated that "Objects that conceal transmittable cameras or microphones and thus pass on data unintentionally endanger the privacy of the people” and that the ban was "about the protection of society's most vulnerable."[21]

What can we learn from the JRC report?

As highlighted in the examples set out in the previous sections, sharing play data from connected toys can have useful purposes, but depending on the toy company the play data, other personal data and other information may be passed on to third parties. Most critically if the toys contain flaws or vulnerabilities the connection to the internet may make them susceptible to hacking which may pose serious privacy and security concerns. The JRC report has set out the findings of several experts in connection with the current state of connected toys.

One contribution to the report focused on the fact that play data as personal data must be carefully managed. Accordingly, the conclusion was that while it is generally parents who make decisions about play data there should also be an obligation on the part of the toy industry to address data protection concerns in a child- and family-friendly way.[22]

Another author called the impact of connected toys the “dataification” of children. This term refers to tracking of human activity using smart devices and storing the data, which in the case of children, unlike with adults who voluntarily choose to track themselves, is either done by adults or by children based on incentives to do so. The author hence cautioned that such practices turn the concept of surveillance into something normal.  Such surveillance, however, raises exactly the kinds of concerns referred to previously, namely threats to children’s privacy considering that at the moment there a lack of transparency about how the data is recorded and  manipulated.[23]

A third author had a somewhat different outlook, feeling that connected toys do not require a fundamental re-thinking of what play is, nor that they suggest that children are less creative, but that they offer further opportunities for children. She concluded that it is necessary to consider a number of factors, including the concerns raised by other authors of the JRC report, but emphasised that , the focus should be on considering the quality of play that takes place when they are used not on anxiety about the potential loss of play and creativity.[24]

A fourth author felt that connected toys likely present both opportunities and risks for children; specifically, for cognitive, socio-emotional, and moral-behavioural development. On the socio-emotional level, for example, interacting with toys may compensate for deficits in interactions with humans which could be a positive consequence unless it is used to displace actual interaction with humans.[25]

To date, little discussion regarding connected toys has taken place and as a result there is at present scant regulatory oversight of these products. One author discussed that fact that very recently, however, consumer groups in Norway and the US have raised privacy and security concerns related to connected toys, including by petitioning the US Federal Trade Commission to take action against toy companies. The author concluded by hoping that the steps taken by these consumer groups will bring about a more nuanced discussion, as well as policy and regulatory attention as to what needs to be done in terms of policy, industry practice and parenting advice in order to mitigate risks and maximise benefits of the Internet of Toys.[26]

Finally, one author explained that the knowledge of child development, play and communication varies among toy manufacturers, and that as a result some of the connected toys are not as well made as they could be, while at the same time changes are sometimes called for by academics that are not easily possible or commercially viable. She therefore concluded that academics, designers and the industry need to work together to produce the best products possible.[27]

There was general consensus among all of the authors that increased research into connected toys and their influence on children is needed in order to better understand what impact they have on children, including on their development.

Finally, the JRC report provides an overall conclusion that refers to an urgent need for a framework for the use of connected toys.

Are connected toys here to stay?

The argument can easily be made that it is better for children to focus on real human interaction than to play with toys that emulate human interaction. Considering the pace of technological development and the development of the internet in particular, it is, however, probably not realistic to imagine that toys can be eliminated from among internet-connected devices now that they have been developed and are on the market.

That being said, the concerns highlighted by the Smart Bear, the Hello Barbie, and the My Friend Cayla and i-Que toys, discussed above, particularly vulnerabilities to hacking and a lack of clarity on the part of toy companies about their use of the personal data they collect, suggest that there is a rush to get connected toys onto the market before their possible repercussions have been fully analysed. This in turn makes it plain that there definitely are serious questions concerning privacy and security that must be looked into and addressed.

As evidenced by researches testing and seeking to hack into these connected toys and the recent consumer group complaints that have resulted it appears, however, that these toys are already being subjected to greater scrutiny. It is therefore possible that this increased scrutiny might lead to regulators also taking a greater interest in the subject. Such regulations might include requiring improved security features to prevent hacking, greater transparency and clarity about the intended use of play data and other personal data, including specifically the ability to for parents to opt out, as well as requiring privacy policies that minimise the use of any personal data that is collected. It should be emphasised, however, that in connection with data protection in particular the law already places significant restrictions on the use of personal data which therefore need to be effectively implemented.  

The commissioning of a research report by the European Commission with a conclusion that there is an urgent need for a framework to address the topic in and of itself already highlights that the issue is already receiving more attention and is now at the very least on the radar of decision makers within the EU. As is often the case, however, it appears as though connected toys are a case where policy and regulations must try to play catch-up with an industry that has already put the new products on the market. In light of the latest development in connection with the My Friend Cayla doll with Germany already having gone as far as banning the product it will remain to be seen whether other countries will take a similar approach.

Due to the added publicity that these concerns are receiving it can also be hoped that parents and carers become better informed about connected toys so as to be able to make more informed decisions about whether to purchase them for their children. For better or for worse connected toys are probably here to stay.

To read more about connected toys, read our article One voice to rule them all: Smart home devices, AI children and the law

[2] Jochen Peter, Social robots and the robotification of childhood, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[3] Future of Privacy Forum - Family Online Institute (FOSI), Kids & the connected home: privacy in the age of connected dolls, talking dinosaurs and battling robots, 2016.

[4] Stephane Chaudron, Rosanna Di Gioia, Monica Gemo, Internet of Toys – Safety and Security considerations, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[6] Stephane Chaudron, Rosanna Di Gioia, Monica Gemo, Internet of Toys – Safety and Security considerations, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[7] Jochen Peter, Social robots and the robotification of childhood, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[8] https://www.hasbro.com/en-gb/brands/furby

[9] Jackie Marsh, The Internet of Toys and the Changing Nature of Play, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[10] Jackie Marsh, The Internet of Toys and the Changing Nature of Play, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[11] Stephane Chaudron, Rosanna Di Gioia, Monica Gemo, Internet of Toys – Safety and Security considerations, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[12] https://www.theguardian.com/technology/2016/feb/02/fisher-price-mattel-smart-toy-bear-data-hack-technology

[13] https://www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children

[15] http://www.bbc.co.uk/news/technology-38222472.

[18] https://article.wn.com/view/2015/02/09/Talking_Doll_Cayla_Hacked_To_Spew_Filthy_Things/

[19] http://www.bbc.co.uk/news/technology-38222472.

[21] http://www.dw.com/en/german-regulator-tells-parents-to-destroy-spy-doll-cayla/a-37601577.

[22] Stephane Chaudron, Rosanna Di Gioia, Monica Gemo, Internet of Toys – Safety and Security considerations, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[23] Giovanna Mascheroni, The Internet of Things and the Quantified Child, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[24] Jackie Marsh, The Internet of Toys and the Changing Nature of Play, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[25] Jochen Peter, Social robots and the robotification of childhood, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[26] Donell Holloway, The Internet of Toys: media, commercial and public discourses, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[27] Dylan Yamada-Rice, Designing connected play: Perspectives from combining industry and academic know-how, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf