Keeping Up with Cayla: Concerns over Interactive Toys Spur an FTC Update of COPPA Guidelines

“Pleeeease?!” Buying a quick gift or giving in to your child’s pleas for a new toy is quickly becoming a more serious decision. In an age where toys can happily entertain kids by talking to them, the few precious moments those toys buy parents may not be without risk. It’s possible for anyone within an internet-connected toy’s Bluetooth range to connect to the toy and receive its audio recordings from up to 100 feet away. For example, in December 2015, VTech allegedly exposed the personal information of 6.4 million children, which included their names, genders and birthdays. Stealing a child’s personal information is, at the very least, concerning. However, internet-connected toys come with an additional danger—localized hacking.

Just look at Cayla, an internet-connected fashion doll manufactured and sold by Genesis Toys. My Friend Cayla answers fact-based questions, plays games, reads stories, and even solves math problems. Genesis uses third-party voice-recognition software by a U.S.-based company, and the doll requires an iOS/Android application to use the software. The doll’s mobile application researches and supplies Cayla with factual answers to questions, but it also prompts children to set their physical location, parents’ names and school name.

Given the kind of private contact information Cayla collects, the toy was likely to garner global scrutiny from concerned parents, watchdogs and consumer agencies. In December 2016, consumer groups filed a complaint and request for investigation with the FTC. The complaint alleged that because the Cayla doll facilitates collecting children’s communications and uploads them for commercial use without verifiable parental consent, it violates the Children’s Online Privacy Protection Act (COPPA).

COPPA regulates websites and online services, and requires them to give notice and obtain verifiable parental consent before they knowingly collect children’s personal information. Genesis obtains parental consent for collecting children’s personal information when the user downloads the mobile application and agrees to the terms of service. However, since a child could click agree in the mobile application when prompted and solve the simple-addition question that verifies that a human is agreeing, the parental consent may not be verifiable. That issue was the possible impetus for the addition of FTC-approved COPPA consent requirements, which added knowledge-based authentication questions that only a parent or guardian could answer.

The FTC’s June 2017 update to COPPA guidelines also added internet-connected toys, children’s products that collect personal information, and voice-activated devices (Amazon Echo, Google Home, etc.) to the products and services covered by COPPA. Additionally, the update added two new methods for obtaining parental consent—authentication questions and facial recognition.

My Friend Cayla’s troubles were not limited to U.S. shores. In February 2017, Germany’s Federal Network Agency banned My Friend Cayla outright, citing the doll’s collection and transmission of everything it hears. Germany’s concern was that the device could be hacked and used for unauthorized surveillance. The ban referenced a German law that makes it illegal to sell or possess a banned surveillance device, and imposed penalties of a 25,000-euro fine and two years in prison.

Soon after the German ban, hackers gained access to a different internet-connected toy manufacturer’s user database—CloudPet. E-mail addresses, passwords, profile pictures, and more than two million voice recordings of children and adults were deleted from the database and replaced with a ransom demand.

After the acting FTC Commissioner testified before a Congressional committee in March 2017, Sen. Mark Warner of Virginia sent two letters to the FTC. The letters discussed children’s privacy and internet-connected toys, and Sen. Warner’s “worry that protections for children [were] not keeping pace with consumer and technology trends shaping the market.” Sen. Warner also asked whether the FTC had taken any action with respect to the My Friend Cayla doll or other products manufactured by Genesis Toys. On June 22, 2017, the FTC responded to Sen. Warner and noted that the new guidance applied to connected toys and mobile applications, and that although rules prevented the FTC from revealing whether it had opened an investigation into Genesis Toys, the FTC was committed to using its enforcement tools.

The COPPA update is a reminder and opportunity for businesses to determine whether they are covered by COPPA, and if so, exercise best practices to comply. In the age where in-home devices designed to make our lives easier collect and store more personal information, and in which toys are likewise becoming smarter and collecting more information on families and kids, it will be necessary for all device manufacturers to make sure they are complying with COPPA.