In a promotional video for Amazon’s Echo virtual assistant device, a young girl no older than 12 asks excitedly: “Is it for me?”. The voice-controlled speaker can search the web for information, answer questions and even tell kids’ jokes. “It’s for everyone,” enthuses her on-screen dad.

Except that it isn’t. An investigation by the Guardian has found that despite Amazon marketing the Echo to families with young children, the device is likely to contravene the US Children’s Online Privacy Protection Act (COPPA), set up to regulate the collection and use of personal information from anyone younger than 13.

Along with Google, Apple and others promoting voice-activated artificial intelligence systems to young children, the company could now face multimillion-dollar fines.

“This is part of the initial wave of marketing to children using the internet of things,” says Jeff Chester, executive director of the Center for Digital Democracy, a privacy advocacy group that helped write the law. “It is exactly why the law was enacted in the first place, to protect young people from pervasive data collection.”

Google’s standalone Home device, announced on 18 May but not yet on sale, also targets children. A promotional video shown at the company’s I/O event has a young boy talking to the Home, while his sister uses it to get help with her schoolwork.

Apple’s Siri, found on iPhones and iPads, probably also violates COPPA. One advert for the virtual assistant includes a young girl talking to Siri, while its latest commercial features Cookie Monster from Sesame Street. The company is also rumoured to be working on a standalone voice-controlled device.

Facebook Twitter Pinterest An advert for Apple’s digital assistant Siri features Sesame Street’s Cookie Monster. Photograph: Apple

COPPA applies to online services that are either designed for children younger than 13 or that know those children are using them. It also singles out the use of celebrities, like Cookie Monster, who appeal to children. Khaliah Barnes, associate director of the Electronic Privacy Information Center (EPIC), believes that by showing pre-teenage children using voice-activated AI devices, Amazon, Google and Apple are admitting their services are aimed at youngsters.

“When your advertising markets this product to children, and parents with children, that would absolutely trigger COPPA,” she says. “Recording children in the privacy of the home is genuinely creepy, and this warrants additional investigation by the Federal Trade Commission (FTC) and [US] states.”

Jeff Chester agrees. “Online devices have replaced TV as the babysitter, and companies will know there’s a child there by the very nature of the interaction,” he says.

Amazon and Google told the Guardian that they comply with COPPA, while an Apple spokesperson said it complied and doesn’t target kids. All have extensive privacy policies.

Online devices have replaced TV as the babysitter, and companies will know there’s a child there by the ... interaction Jeff Chester

However, COPPA forbids a company from storing a child’s personal information, including recordings of their voice, without the explicit, verifiable consent of their parents. The law specifies the ways a company can get that consent, such as a signed letter, video chat or phone call. Although all three companies store audio files of voice requests in the cloud, none of them use a COPPA-approved method to seek consent beforehand.

One way to comply is to limit services to users older than 13. Microsoft, for instance, does not allow users whose age in their online profile is 12 or younger to access its Cortana virtual assistant on Windows computers, phones or tablets. On the company’s Xbox One console, younger users must get a parent to make a small (50 cent) purchase on a credit card to activate voice and video services – a method also approved by COPPA.

Another way is not to store voice recordings from children at all, although this can make the AI service less effective. Martin Reddy is chief technical officer at ToyTalk, developer of the Hello Barbie doll that can hold a conversation with young children. The toy uses a built-in microphone to send a child’s voice up to a speech recognition engine in the cloud. “In a perfect world, you’re done at that point and you can drop the audio data on the floor,” Reddy says. “But we’re storing it because it’s not a perfect world. We’re using it to build better models so kids can get a better experience.”

Reddy claims that analysing the recordings enables ToyTalk to boost the accuracy of what Hello Barbie hears by about 15%. ToyTalk uses an email process to ensure that parents know what is going on, a method allowed by COPPA in some situations. Parents can also log in to a website to review or delete audio. “We have contracts and written assurances that [our voice recognition service provider] complies with COPPA and they drop the data on the floor as soon as they finish making the transcription,” Reddy says.

Games developer TinyCo fined for illegally collecting children's data Read more

The penalties for violating COPPA can be heavy – up to $16,000 for every violation. In 2014, online review site Yelp paid $450,000 after admitting that it had collected children’s personal information without notifying parents and obtaining consent. And in December of 2015, two software developers paid $300,000 after allowing third-party advertisers to collect children’s personal information through their mobile apps.

The FTC, which handles infractions of COPPA, notes that financial penalties can depend on the number of children and the size of the company involved. Amazon has sold an estimated 3m Echo devices in the US, and Apple more than 100m iPhones – which could mean massive fines if the FTC decides to prosecute.

Jeff Chester of the Center for Digital Democracy believes that large fines would be unlikely, at least initially. “This is such a new area that it’s important to give industry guidance,” he says, “We’re going to recommend to the FTC that they give industry guidance of how the internet of things and COPPA should work together.”

However, Khaliah Barnes notes that even enforcing COPPA properly would not solve all the problems raised by virtual assistants. “Parents cannot reasonably review all the information that these ‘always on’ devices are collecting from children,” she says. “Then what about data security, hacking or when you walk into a home and you’re not aware there’s a recording device there?

“Do we want to live in a society that conditions children to constant surveillance?”