The FTC and FBI are shining the spotlight on your kid's smart toys
© Getty Images

While children may be fans of talking dinosaurs, robots and stuffed animals, the federal government appears to have its concerns. At least that is the suggestion from a warning to parents from the Federal Bureau of Investigation that came on the heels of a Federal Trade Commission announcement that connected toys must comply with the Children’s Online Privacy Protection Act (COPPA).

In June, the FTC announced that it had updated its COPPA compliance plan for businesses to make inescapably clear that internet-enabled toys and other “internet of things” (IoT) devices that collect personal information from children may be subject to COPPA. Shortly thereafter, the FBI issued a public service announcement warning parents that connected toys “could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.”

As the federal government addresses security issues from the broader realm of smart devices, these announcements suggest that connected toys will engender particular scrutiny given the sensitivity of children’s data. At one level, the FTC’s modified compliance plan broke no new ground. Although COPPA was adopted long before the proliferation of connected toys, it applies not only to websites but also to “online services.”

It had therefore been widely accepted that COPPA covers internet-enabled toys and other connected devices if they are directed at children or if their operators have actual knowledge that they are collecting personal information from a child under the age of 13. The revised COPPA compliance plan also includes two additional ways for businesses to obtain parental consent — asking knowledge-based authentication questions and using facial recognition to match against government-issued identification. But the FTC had approved these methods several years ago.


At another level, the FTC’s formal pronouncement that COPPA applies to connected toys and other IoT devices may serve as a shot against the bow, and likely foreshadows enforcement activity with regard to connected toys. It is a safe bet that the FTC has been paying close attention to the privacy and security ramifications of smart toys and privacy issues with such devices, including the recent CloudPets breach.

In addition to being the author and lead enforcer of COPPA (which is also enforced by the state attorneys general), the FTC has demonstrated a keen interest in the internet of things well before it was a household word, dating back to an IoT workshop and its first IoT security enforcement action, both in 2013. This announcement may indicate that the FTC is laying the groundwork for enforcement at the intersection of IoT and COPPA.

Whatever the FTC’s announcement may portend, it was moderate in tone by comparison to the FBI’s public service announcement. The FBI encouraged parents to “consider [cybersecurity] prior to introducing smart, interactive, internet-connected toys into their homes.” It alluded to the range of information that connected toys might collect, such as recordings of a child’s voice, physical location, internet use history, and IP addresses, and associate with account information, which could include the child’s name and address.

According to the FBI, the “exposure of such information could create opportunities for child identity fraud. Additionally, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks.” The FBI explained that data could be exposed if the toy manufacturer, the technology developer, a cloud service provider, or another third-party partner fails to properly protect it.

The FBI urged parents to research connected toys before purchasing them to learn of any known security issues, to closely monitor children’s use of such toys, and to follow good security practices, such as ensuring that the toys are running updated firmware and that they are turned off when not in use. As for legal protections, the FBI noted that smart toys must comply with COPPA and Section 5 of the Federal Trade Commission Act.

U.S. government agencies are not alone in focusing on connected toys. For example, earlier this year a German agency banned a connected doll, alleging privacy concerns. Such foreign scrutiny is likely to increase when the General Data Protection Regulation, which will impose new requirements for parental consent to collect children’s data, goes into effect in the European Union next May.

The FTC and FBI announcements reflect the growing attention of a variety of federal agencies to the security of consumer smart devices. That focus has increased following the broad distributed denial of service attack in October 2016 that stemmed from the Mirai malware infection of devices connected to the internet of things.

When policymakers address any privacy and security issue, they generally pay special attention to children’s data, particularly with respect to new technologies. That is evident in Congress’ adoption of COPPA itself in 1998, when the internet was a new technology. The recent FTC and FBI announcements suggest that IoT will be no exception to that phenomenon.

Today, of course, technology issues generate substantial attention not only from policymakers but also from the mainstream media, a more mature technology press, and in social media. As a result, as toy manufacturers and technology companies enter the field of connected toys, they should be prepared for scrutiny by the media and a host of state, federal and foreign government agencies.

Janis Kestenbaum is a partner in the privacy and security practice at Perkins Coie LLP in Washington, DC. She previously served as senior legal adviser to Chairwoman Edith Ramirez at the Federal Trade Commission during the Obama administration.

The views expressed by contributors are their own and are not the views of The Hill.