The internet of toys refers to internet-connected children’s toys. It is a subcategory of Internet of things devices, which includes smartwatches and intuitive devices such as Alexa. Toys such as Hello Barbie, which uses AI to recognise speech and engage with children is an example. Another is CloudPets, a plush toy that allows children and family members to record and send voice messages. Both of these toys however compromise thousands of children’s data, as they are easily hackable. The internet of toys, therefore, , raises questions about children’s privacy and how we ought to regulate children’s interactions with the internet. Currently, there is a lack of adequate legislation regulating these toys.
In this article, we’ll explain the concept of the internet of toys and attempts to regulate it. For more information on the internet of things, you can read our guide on ‘The internet of things: what is it and key legal issues’.
What are the risks?
The primary risks associated with Internet of Toys is the threat to children’s privacy and the ethics of data collection.
All Internet of Thing devices collects vast amounts of data. This includes the internet of toys which may collect data about children’s names, addresses, or even their geolocation. This makes them extremely vulnerable where a hack occurs. For instance, a hack of toy manufacturer Vtech enabled hackers to access the personal records of thousands of children, including addresses. In the CloudPets hack, hackers were able to access the voice messages stored on the product’s database. In one of the most disturbing hacks, surveillance experts were easily able to hack into Hello Barbie during a test. They found out the toy was connecting to unsecured wi-fi networks, enabling hackers to communicate directly with children.
This also raises ethical concerns as Big Data is relatively new, and we have yet to see its long-term impacts and risks. By exposing children to internet-connected toys, they are unable to make informed choices about what data collection they engage with. A child’s inability to give informed consent exacerbates this. In addition, many toys use a opt-in opt-out form of consent. This means they give users the option to opt-out of data collection. However, this practice is unethical as opting-out usually results in users having sub-standard use of the toy. The OAIC makes clear that if users do not make a decision in 30 days, the individual gives implied consent. This tactic is unethical as it pressures children, and users more generally into consenting.
How is the Internet of Toys regulated?
Legislation
In Australia there is a code of practice for securing internet of things devices. This sets out recommendations to the internet of things industry for the security of their devices. This code is however voluntary, and therefore deficient in protecting the privacy and security of Australians.
The Privacy Act 1988 (Cth) also applies, as it is Australia’s primary data protection law. It requires businesses and government agencies to comply with a set of privacy principles that aim to protect individuals’ data. These provisions often require businesses or agencies to obtain consent from the individual. The Act does not make any specific provision relating to children’s data. This is despite the perception children are unable to give valid consent in the same way as adults. For instance, it’s unreasonable to expect children to understand what they are consenting to when ticking a terms of service.
For more information, you can read our guide on ‘What are the Australian privacy principles’
Australian Toy Association
The Australian Toy Association is the body responsible for the regulation of toys. It sets standards and works with other State and Federal regulators to ensure the safety of toys. However the association is slow to catch up with the emerging area of internet-connected toys. As a result, these new internet-connected toys receive a lack of attention.
Conclusion
In order to safeguard children from the risks associated with the Internet of Toys, stronger regulation is required. This may involve a compulsory code of practice for the security of Internet of Things devices, as well as introducing a specific Act to protect the privacy and data of children.
