Connected toys violate European consumer law

The internet-connected toys My Friend Cayla and i-Que fail miserably when it comes to safeguarding basic consumer rights, security, and privacy.

The Norwegian Consumer Council has looked at the terms and the technical features of selected connected toys. The findings show a serious lack of understanding of children’s rights to privacy and security.

Based on what was discovered, consumer organizations in Europe and the United States jointly file formal complaints with the relevant authorities over what seem to be obvious breaches of several consumer laws.

– Children are especially vulnerable, and are entitled to products and services that safeguard their rights to security and privacy. As long as the manufacturers are not willing to take these issues seriously, Internet of things-technologies are not suited for toys, says Finn Myrstad, Head of section, digital services in the Norwegian Consumer Council.

– With internet-connected devices gaining ground, market supervision will become increasingly complex. The challenge to make sure EU consumers are properly protected is huge and co-operation between authorities and consumer organisations is key. The fact that business malpractices do not halt at the border is making this task even harder, says Monique Goyens, Director General of The European Consumer Organisation (BEUC).

The toys fail at several points

In their review of the toys, the Consumer Council has found several serious issues:

Lack of security

With simple steps, anyone can take control of the toys through a mobile phone. This makes it possible to talk and listen through the toy without having physical access to the toy. This lack of security could easily have been prevented, for example by making physical access to the toy required, or by requiring the user to press a button when pairing their phone with the toy.

Illegal user terms

Before using the toy, users must consent to the terms being changed without notice, that personal data can be used for targeted advertising, and that information may be shared with unnamed 3rd parties. This and other discoveries are, in the NCC’s opinion, in breach of the EU Unfair Contract Terms Directive, the EU Data Protection Directive, and possibly the Toy Safety Directive.

Kids’ secrets are shared

Anything the child tells the doll is transferred to the U.S.-based company Nuance Communications, who specialize in speech recognition technologies. The company reserves the right to share this information with other third parties, and to use speech data for a wide variety of purposes.

Kids are subject to hidden marketing

The toys are embedded with pre-programmed phrases, where they endorse different commercial products. For example, Cayla will happily talk about how much she loves different Disney movies. Meanwhile, the app-provider has a commercial relationship with Disney.

– These problems are emblematic of the increased spread of connected devices. In a growing market, it is essential that consumers, and especially children, are not being used as subjects for products that have not been sufficiently tested, says Finn Myrstad.

– As an increasing amount of manufacturers and service-providers move into the digital field, they must be mindful of the security and privacy risks that the digital world opens up. We therefore urge toy companies to make sure that these issues are resolved before importing or selling connected toys, concludes Myrstad.

Consumer advice

Due to the lack of security and privacy protection in these toys, you should think twice before buying them for your children. If you have already bought the toy, you can try to complain and return it in the store on the grounds that it is not safe to use and does not meet consumer and data protection standards. If the toy was purchased online, you have the right to cancel the purchase within 14 days. If you want to keep the toy, remember to switch it off when not in use. This way you have control over who can connect to the toy, but it does not solve the other issues. Also, remember, your child might turn on the toy again, leaving the device vulnerable.

About the companies

Genesis Toys

Manufacturers of the Cayla and i-Que toys. Based in Los Angeles, California. Partners with Wal-Mart, Toys R Us, Amazon, Target, and K-Mart. Distributes Cayla and i-Que in the US, Norway, Sweden, Denmark, Australia, Netherlands, and the Middle East.

ToyQuest

Makers of the Cayla and i-Que companion apps. Partners with a wide range of licensors, including Disney, Nickelodeon, and Dreamworks. Offices in Los Angeles, London, Hong Kong, Vietnam, and Shanghai.

Vivid

The largest British toy company. Distributes Cayla and i-Que in the UK, France, Germany, Austria, Ireland, and Switzerland.

Nuance Communications

Provides speech-to-text services for Cayla and i-Que. Receives voice data from the Cayla and i-Que companion apps. US-based company specializing in voice- and speech-recognition services in a broad variety of areas including biometric voiceprints for use in fraud-detection, health care, and intelligence services. Were certified under the Safe Harbor agreement.

Report Toyfail

Technical analysis of the dolls

Complaint Data Protection Authority and Consumer Ombudsman

Letter of concern to The Directorate for Civil Protection