This code came into force on 2 September 2020, with a 12 month transition period. Organisations should conform by 2 September 2021.
If you provide a connected toy or device, ensure you include effective tools to enable conformance to this code.
What do you mean by ‘connected toys and devices’?
These are children’s toys and other devices which are connected to the internet. They are physical products which are supported by functionality provided through an internet connection. For example:
- a talking teddy bear with a microphone that records what the child is saying and then sends this data back to your servers so that you can use it to personalise the teddy bear’s responses;
- a fitness band that records the child’s level of physical activity and then transmits this back to your servers so the child can then access activity reports via a fitness app; or
- a ‘home hub’ interactive speaker device that provides internet based services via a voice recognition service.
You need to conform to the standards in this code if you provide a toy or device which collects and personal data and transmits it via a network connection in this way. If you provide electronic toys or devices that do not connect to the internet, and only store personal data within the device itself, this code does not apply to you as you do not have access to any personal data.
Why is this important?
Connected toys and devices raise particular issues because their scope for collecting and processing personal data, via functions such as cameras and microphones, is considerable. They are often used by multiple people of different ages, and by very young children without adult supervision. Delivering transparency via a physical rather than a screen-based product can also be a particular challenge.
Nevertheless you still have a responsibility to meet GDPR requirements and to ensure your processing is lawful, fair and transparent as required by Article 5(1); so you need to make sure you have tools to enable you to conform with this code.
How can we make sure that we meet this standard?
Be clear about who is processing the personal data and what their responsibilities are
If you provide a connected toy or device then you need to be clear about who will process the personal data that it transmits via the network connection and what their data protection responsibilities are.
If you provide both the physical product and the online functionality that supports it, then you are solely responsible for ensuring compliant processing. If you outsource or ‘buy in’ the online functionality or ‘connected’ element of the device then whoever provides this aspect of the overall product will also have responsibilities. The extent of these will vary depending on whether they are a ‘processor’ acting only on your behalf, or a ‘controller’ in their own right.
However, you cannot absolve yourself of your data protection obligations by outsourcing the ‘connected’ element of your toy or device to someone else. If you provide a connected toy or device then you need to comply with the GDPR and follow this code, and make sure that any third parties you use to deliver your overall product do so too.
This is particularly important when you are making sure that the product incorporates adequate security measures to mitigate risks such as unauthorised access to data, or ‘hacking’ of the device in order to communicate with the child (eg taking over microphone capabilities) or track their location.
Anticipate and provide for use by multiple users of different ages
If you provide a connected device then you need to pay attention to the potential for it to be used by multiple users of different ages. This is particularly the case for devices such as home hub interactive speaker devices which are likely to be used by multiple household members, including children, and may also be used by visitors to the home. Similarly interactive toys are often shared or may be used by several children at once when they play together.
You can do this by a combination of:
- making sure that the service that you provide by default (the service that would be provided, for example, to occasional visitors to a household) is suitable for use by all children; and
- providing user profile options for people who use the device regularly (eg household members and frequent visitors to a household) to support use by adults, or to tailor the service to the age of a particular child.
Provide clear information about your use of personal data at point of purchase and on set-up
You should provide clear information indicating that the product processes personal data at the point of sale and prior to device set-up. Both the packaging of the physical product, and your product leaflet or instruction booklet (paper or digital) could carry a clear indication (such as an icon) that the product is ‘connected’ and processes users’ personal data.
You should allow potential purchasers to view your privacy information, terms and conditions of use and other relevant information online without having to purchase and set up the device first, so that they can make an informed decision about whether or not to buy the device in the first place.
You should also have a particular focus on the tools you provide to facilitate the set-up of the connected toy or device. This is a key opportunity for you to provide information about how your service works, how personal data is used and to explain the implications of this, especially if set-up is activated using a screen-based interface. If the child’s ongoing use of the device is not screen-based this is particularly important as this may limit the ways in which you can convey information to the child on an ongoing basis.
Find ways to communicate ‘just in time’ information
You should consider how your connected device operates and how best to communicate ‘just in time’ information to the child or their parent. (See the section of this code on transparency for more detail about ‘just in time’ notices.)
For example using auto-play audio messages, only allowing default settings to be changed via use of a support app, or facilitating interactive auto-bot ‘conversations’ with the user.
Avoid passive collection of personal data
You should provide features that make it clear to the child or their parent when you are collecting personal data. For example a light that switches on when the device is audio recording, filming or collecting personal data in another way.
If the device uses a stand-by or ‘listening’ mode (eg it listens out for the name you or the child has given to the device, or for another key word or phrase to be used, and activates data collection when that word or phrase is used) again you should provide a clear indication that listening mode is active. You should not collect personal data in listening mode.
You should provide features which allow collection or listening modes to be easily switched off on the device itself (a ‘connection off’ button), or via online functionality options, so that the toy or device can be used as a non-connected device so far as this is practicable.