Recent data breaches involving children’s Internet-connected toys pushed U.S. Sen. Bill Nelson to write a letter to the Federal Trade Commission (FTC), asking it to detail what steps it has taken to protect the personal data of the children using such toys.
This isn’t the first letter Nelson, a Democrat from Florida, has written in response to security breaches. Earlier in March — after security flaws in the connected CloudPets toys exposed personal information, photos and children’s voice messages of some 800,000 users — Nelson penned a letter directly to Spiral Toys, the company that developed CloudPets.
And last December, Nelson released a report titled “Children’s Connected Toys: Data Security and Privacy Concerns,” which highlighted how, if improperly secured, children’s private information can be used by criminals in a variety of ways. For instance, Social Security numbers can be stolen and used to apply for a loan, or home addresses could be used to abduct a child.
Nelson addresses these issues and more in his letter to Mark Meyers, CEO of Spiral Toys. He requested detailed answers regarding the breach and the steps the company is taking to protect consumers’ personal information. He also highlighted that this incident underscores growing concerns from lawmakers and consumers over security and privacy risks associated with IoT toys.
For instance, in 2015, devices manufactured by VTech exposed personal information of more than 6 million children globally. In February of this year, the “My Friend Cayla” doll, which records children’s speech, was found to be vulnerable to hackers. Germany actually banned both the sale and ownership of the doll made by the U.S. company Genesis Toys, deeming it a “concealed surveillance device” that violates federal privacy regulations, according to a report.
As these toys become a benefit to children’s education, Nelson said it’s concerning that these connected devices pose significant privacy and security risks. He is asking the FTC to address these issues more effectively, according to his recent letter.
“Please explain what actions the FTC has taken in response to these recent data breaches, which have exposed the personal information of millions of children,” writes Nelson. “Specifically, I would like to know what actions the FTC has taken under the COPPA Rule to protect the personal data of children using connected toys.”
COPPA, or the Children’s Online Privacy Protection Act, is implemented and enforced by the FTC through the COPPA Rule. It protects children under the age of 13 by requiring companies to obtain explicit parental consent before collecting online information from children, according to Nelson.
Nelson said that in 2013 the FTC revised the COPPA Rule to broaden the definition of children’s personal information “to include children’s photos, videos, audio recordings, and geolocation information.” The FTC also expanded this rule to include mobile apps, websites and online services that collect and use personal information from children.
Spiral Toys’ Meyers did respond to Nelson’s letter, answering his questions regarding the breach. He also added at the end of his response: “We will continue to improve our security on CloudPets and future products. We have hired a third party consultant to evaluate our data services and help us put in place new and enhanced security measures and safety procedures.”
Meyers also wrote that “CloudPets’ application does not enable the features covered under COPPA, but COPPA is a great guideline on how children should be administered by an operator.”
Still, Nelson thinks that the FTC should revise the COPPA Rule if the agency feels it “lacks sufficient authority under the COPPA Rule to protect children using connected toys.” He is asking the FTC to provide a response by April 19.