France’s data protection commissioner joins others in taking action against toymaker Genesis Toys related to its popular internet-connected toys My Friend Cayla and i-Que Robot. Last December, a number of consumer groups filed complaints with regulators in the U.S. and Europe raising privacy and security concerns about the toys. The groups asserted that the toys fail to meet U.S. and E.U. privacy and data protection standards because the toys record and collect the conversations of children without parental consent and without limitations on the collection, use, or disclosure of the information, and because the toys can be easily hacked by third parties.
European regulators responded quickly. Germany’s equivalent of the FTC banned the sale of My Friend Cayla dolls in February, and advised anyone who had purchased the toys to destroy them due to concerns about the doll’s surveillance capabilities. Now, France’s regulator, the CNIL, has issued a public formal notice to Genesis that the toys violate the French Data Protection Act. The CNIL cited a “lack of security” due to a flaw that allows anyone in close proximity to connect any Bluetooth device to the toys, potentially allowing third parties to “listen and record” conversations between the child and the toy or other nearby conversations. CNIL was also concerned about a lack of privacy disclosures. It stated that Genesis failed to properly inform users about how their data would be processed or to tell users that the contents of their conversations would be transferred to a service provider outside the E.U. The CNIL decision indicates that Genesis may be subject to sanctions if it does not improve its security controls and data use notices within two months.
In the U.S., the Children’s Advertising Review Unit relayed its own concerns to the Federal Trade Commission about the My Friend Cayla doll violating the Children’s Online Privacy Protection Act after Genesis failed to respond to CARU’s own initial privacy inquiry in August of this year. While the FTC is still considering the matter, it has already updated its official guidance under COPPA to warn toy makers that internet-connected devices must comply with the Act.
Putting it Into Practice: In the era of the Internet of Things, businesses need to consider privacy and security regulations for connected devices. Regulators have indicated that they expect the same disclosures and security provisions for these new and cutting edge products.