26 January 2021

Why will every toy seller in the UK soon need to up their game about data protection?

These days, internet-connected toys are in huge demand. Children want toys such as Mario Kart Live: Home Circuit, which allows you to take the online game and recreate it in your own home, setting up circuits and controlling the players via the Nintendo Switch.

Or they might ask for Artie 3000, a drawing robot which children can play games with and program via a PC, tablet, or Mac.

Then, there’s Osmo, an iOS game which uses an iPad as a gaming board and its on-board camera to see what the player is doing.

Or they may want the Harry Potter Kano Coding Kit, which allows them to build a wand that includes an accelerometer, gyroscope, and magnetometer. It can track the speed, location, and the position of a hand. Its sensors detect the motions of spells in the Harry Potter world, then children can use it on challenges inside the Kano app.

All of this gives them useful technological skills and helps in their development, but it does leave the toy makers and toy sellers with some food for thought.

Internet-connected toys and devices raise particular data protection issues because of their considerable scope for collecting and processing personal data, via their functions such as cameras and microphones.

They are also often used by multiple people of different ages, sometimes by very young children without adult supervision. 

As a result, the Information Commissioner’s Office has published Age-Appropriate Design: A Code of Practice for Online Services.

The code of practice came into force in September 2020 and toy sellers and manufacturers have until September 2021 to comply.

What does the code define as a ‘connected toy’ or connected device?

The code defines these as toys or devices which access the internet. This could include talking teddy bears, home hub interactive speakers which record voices and access the net, and fitness bands which connect to an app.

This code doesn’t apply to electronic toys or devices that do not connect to the internet and only store personal data within the device itself. They do not have access to any personal data.

If you provide a connected toy or device, then you need to comply with the General Data Protection Regulation (GDPR) and follow this code. You must also make sure that any third parties you use to deliver your overall product do so too.

What does the code say?

You must be clear about who will process the personal data the toy or device transmits and what the data protection responsibilities are. If you provide both the toy and the online functions, then you’re solely responsible.

If not, you cannot absolve yourself of your data protection obligations by outsourcing the ‘connected’ element of your toy or device to someone else. Both you and the third party need to comply with GDPR and follow the code.

It must be clear whether they are data controllers or merely data processors for you.

The toy should have adequate security measures to mitigate risks such as the toy being hacked to communicate with a child, unauthorised access to data, or location tracking.

You must pay attention to the potential for a toy to be used by multiple users of different ages. Interactive toys are often shared or used by several children at once when they play together.

You should ensure that the default service is suitable for all children and that user profiles can be provided for regular users, helping adults tailor the service to their children.

Clear information showing the toy processes personal data should be provided at the point of sale and before the device is set up. Packaging and leaflets or instructions should show it clearly.

Potential buyers should be able to view your privacy information, your terms and conditions of use, and any other relevant information online without purchasing. They need to make informed decisions.

There should be a particular focus on set up and providing key information about how personal data is used and the implications of this.

How settings can be changed is also important. For example, you might only allow changes to default settings via a support app.

What about when the toy or device is in listening mode?

If a device is on standby listening for the child’s name or key words or phrases, it should be clear that this mode is active, and you shouldn’t collect personal data in listening mode. You should be able to switch this mode off easily on the toy or online.

It should also be clear when personal data is being collected. For example, there should be a light that switches on when a toy or device is filming, recording audio, or collecting data in another way.

Do you need expert advice on data protection and connected toys? Please call us on 029 2000 2339 or email contact@iolis-legal.com.

© 2020 IOLIS Ltd. Reg. in England & Wales Num.11968202 For reg. address see contact details | Website designed, hosted, and maintained by Jötnar Systems