The ICO exists to empower you through information.

Connected toys and devices

Share Download options

Pages

Format

Control measure: There is clarity provided on who is processing the personal information and what their responsibilities are for all connected toys and devices.

Risk: Without clear data mapping to document the flow of information and contractual agreements (where appropriate) between all parties involved in providing and delivering the services, this may breach articles 5, 6, 15-22, 25 and 28 of the UK GDPR.

Ways to meet our expectations:

  • Make it clear in privacy information who will process the personal information that the toy or device transmits via the network connection and what their data protection responsibilities are.
  • Ensure appropriate contracts are in place that clearly outline controller and processor responsibilities if the online functionality or connected element of the toy or device is outsourced or ‘bought in’. 
  • Provide clear information to indicate that the product processes personal information at the point of sale and before device set-up. 
  • Ensure both the packaging of the physical product, and the product leaflet or instruction booklet (paper or digital), carry a clear indication (such as an icon) that the product is ‘connected’ and processes people’s personal information.
  • Provide potential purchasers with the ability to view clear product privacy information, terms and conditions of use and other relevant information online, without having to purchase and set up the device first. This means they can make an informed decision about whether to buy the device in the first place.
  • Communicate ‘just in time’ information to the child or their parent, for example:
    • use auto-play audio messages;
    • only allow default settings to be changed by a support app; or 
    • support interactive auto-bot ‘conversations’ with the user.

Options to consider:

  • Provide focused or bite-sized privacy information for processing by connected devices.
  • Provide information or explanations using graphics or visual content to support accessibility.

 

Control measure: There are appropriate technical security measures, including encryption in transfer, when using connected toys and devices.

Risk: Without the appropriate security measures, there is a risk of a security or privacy breach, including unauthorised or unlawful processing and accidental loss, destruction or damage. This may breach article 5(1)(f) and 32 of the UK GDPR.

Ways to meet our expectations:

  • Implement appropriate security measures to mitigate risks such as:
    • unauthorised access to information in transfer;
    • ‘hacking’ of the device in order to communicate with the child (eg by taking over microphone capabilities); or 
    • the unauthorised tracking of their location. 
  • Provide multiple user profile options for people of different ages who use the device regularly (eg household members and frequent visitors to a household) to support use by adults, or to tailor the service to the age of a particular child.
  • Include features that make it clear to the child or their parent when the device or toy is collecting personal information (eg a light that switches on when the device is audio recording, filming or collecting personal information in another way).
  • Clearly indicate when listening mode is active if the device uses a stand-by or ‘listening’ mode (eg it listens out for the name the parent or the child has given to the device, or for another key word or phrase to be used, and activates data collection when that word or phrase is used).
  • Avoid or prevent collecting personal information in listening mode.
  • Introduce features that allow collection or listening modes to be easily switched off on the device itself (a ‘connection off’ button), or by online functionality options.

Options to consider:

  • Review security measures in place when you collect information, during transit, and at storage or rest.
  • Regularly check that security measures are in place and working effectively.