In March 2015, there was growing concern over privacy issues related to collecting data via “smart toys.” At that time, Mattel had just released its newest Barbie, “Hello Barbie,” which contained an embedded microphone in the doll’s belt to record a child’s response to the doll’s questions. The child’s responses were sent back to Mattel through the doll’s WiFi capabilities. Mattel claimed the voice-recognition software and recording capabilities would allow the doll to learn to respond to the child’s statements and even learn the family dog’s name or other topics a child would enjoy discussing. In explaining the doll’s capabilities, Mattel Senior Vice President of Global Communications stated “[t]he number one request we receive from girls globally is to have a conversation with Barbie, and with Hello Barbie we are making that request a reality.”
At the time, there were concerns regarding how Mattel and other toy manufacturers would use the data collected from their toys. Angela Campbell from Georgetown University’s Center on Privacy and Technology warned, “[i]f I had a young child, I would be very concerned that my child’s intimate conversations with her doll were being recorded and analyzed.”
There were also concerns beyond what the toy manufacturers would do with the information. This data held by toy manufacturers could be a prime target for hackers. Privacy concerns were based on the fact that children and adolescents are the fastest growing sector of identity fraud victims. It has been widely accepted that children are targeted because they have good credit reports and their credit histories may not be reviewed for years until they apply for student loans or their first loans.
Unfortunately, this concern has become a reality since the introduction of “Hello Barbie.” On December 1, 2015, VTech Holdings Ltd., a manufacturer of digital toys and telephones, reported it suffered a data breach on November 14, 2015. VTech reported this breach involved “child profile information,” including the name, gender and birth date of the child. The “unauthorized party” gained access to information stored as part of VTech’s “Learning Lodge” app store on the company’s website.
The concerns over “Hello Barbie” and other smart toys were further validated when on September 13, 2016, the New York State Attorney General settled matters with Viacom, Mattel, Hasbro and JumpStart related to the use of tracking technology on their toys and websites. The settlement included an agreement by the toymakers to pay a combined $835,000 in fines for tracking and collecting personal data of children online in violation of the Children’s Online Privacy Protection Act.
In response to the settlement, Hasbro’s spokesperson said, “[w]e are rolling out a new, stricter online privacy protection policy for our partners, and enacting new protocols and technology to scan our digital properties for any cookies, widgets or other applications that may violate our policy.” The settlement also included an agreement by the toy makers to routinely scan their websites and assess their data collection practices.
The early discussion concerning “smart toys,” which culminated in the NY Attorney General taking action, provides a great snapshot on the rapid development of these privacy issues. The landscape has changed dramatically in the last year and a half since the release of “Hello Barbie,” as more private information from children falls prey to hackers and other criminals. Eric Schneiderman, New York’s Attorney General, may have said it best, “[n]ow children live online and we have to police the internet as we seek to police our streets…I don’t want there to be a dossier on any child that can be used later to scam them.”