These days, internet-connected toys are in huge demand. Children want internet-connected toys such as Mario Kart Live: Home Circuit which allows you to take the online game and recreate it in your own home, setting up circuits and controlling the players via the Nintendo Switch.
Or they might ask for Artie 3000, a drawing robot which children can play games with and program via a PC, tablet, or Mac.
Then, there’s Osmo, an iOS game which uses an iPad as a gaming board and its on-board camera to see what the player is doing.
Or they may want the Harry Potter Kano Coding Kit, which allows them to build a wand that includes an accelerometer, gyroscope, and magnetometer. It can track the speed, location, and the position of a hand. Its sensors detect the motions of spells in the Harry Potter world, then children can use it on challenges inside the Kano app.
All of this gives them useful technological skills and helps in their development, but it does leave the toy makers and toy sellers with some food for thought.
Internet-connected toys and devices raise particular data protection issues because of their considerable scope for collecting and processing personal data, via their functions such as cameras and microphones.
They are also often used by multiple people of different ages, sometimes by very young children without adult supervision.
As a result, the Information Commissioner’s Office has published Age-Appropriate Design: A Code of Practice for Online Service.
The code of practice came into force in September 2020 and toy sellers and manufacturers have until September 2021 to comply.
What does the code define as a ‘connected toy’ or connected device?
The code defines these as toys or devices which access the internet. This could include talking teddy bears, home hub interactive speakers which record voices and access the net, and fitness bands which connect to an app.
This code doesn’t apply to electronic toys or devices that do not connect to the internet and only store personal data within the device itself. They do not have access to any personal data.
If you provide a connected toy or device, then you need to comply with the General Data Protection Regulation (GDPR) and follow this code. You must also make sure that any third parties you use to deliver your overall product do so too.
What does the code say?
You must be clear about who will process the personal data the toy or device transmits and what the data protection responsibilities are. If you provide both the toy and the online functions, then you’re solely responsible.
If not, you cannot absolve yourself of your data protection obligations by outsourcing the ‘connected’ element of your toy or device to someone else. You and third party need to comply with GDPR and follow the code.
It must be clear whether they are data controllers or merely data processors for you.
The toy should have adequate security measures to mitigate the risk of hacking to communicate with a child, unauthorised access to data, or tracking a location.
You must pay attention to the potential for a toy to be used by multiple users of different ages. Interactive toys are often shared or used by several children at once when they play together.
You should ensure the default service is suitable for all children and user profiles can be provided for regular users, helping adults tailor the service to their children.
Clear information showing the toy processes personal data should be provided at the point of sale and before the device is set up. Packaging and leaflets or instructions should show it clearly.
Potential buyers should be able to view your privacy information, your terms and conditions of use, and any other relevant information online without purchasing. They need to make informed decisions.
There should be a particular focus on set up and providing key information about how personal data is used and the implications of this.
How settings can be changed is also important. For example, only allowing default settings changes via a support app.
What about when the toy or device is in listening mode?
If a device is on standby listening for the child’s name or key words or phrases, it should be clear that this mode is active, and you shouldn’t collect personal data in listening mode. You should be able to switch this mode off easily on the toy or online.
It should also be clear when personal data is being collected. For example, there should be a light that switches on when a toy or device is filming, recording audio, or collecting data in another way.