Towards a better protection of children’s personal data collected by connected toys and devices
Interactive toys, such as the “Hello Barbie” and “My Friend Cayla” dolls, engage in conversation with children, record children’s voices, store them through the services of different companies and may also transfer recorded data to advertising, analytics or other companies. Cuddly toys or baby clothing contain medical sensors that monitor children’s body temperature, heart rate and blood oxygen saturation levels which may be consequently sent to a parent or doctor’s app. Finally, cute connected robots now share features which include voice recognition, remote video control, gesture-based interactions and facial tracking of children. Given the fast-paced evolution of technology, unwavering advances in machine learning and big data analytics, and the ongoing digitisation of childhood, it can only be expected that such connected or smart toys and devices will continue to be developed and marketed in the coming years.
Yet, in an environment where so much information can be collected through interaction with devices, children cease to be mere “players” or “consumers”. They become “data subjects” that disclose information or “personal data” about themselves, both consciously and unconsciously. Today, children’s personal information is collected and processed in unprecedented quantities, a phenomenon that scholars have denoted the “datafication” and “quantification” of children’s everyday lives from a very early age. This phenomenon is facilitated by the increasing adoption of digital devices, the embracing of apps and platforms for a variety of purposes and the vast possibilities to use, analyse and infer information about users, and, as such, is becoming a standard practice that is here to stay.
Of course, personal data might be collected and processed to attain valid or beneficial objectives; think about improving a child’s health situation. Concerns, however, relate to the collection and combination of children’s (sensitive) personal information enabling the creation of child-user profiles. These profiles can then be used for many different purposes, such as, for instance, behavioural advertising which is so sophisticated that it affects people’s, and especially children’s, choices without them realising it. Moreover, constructing highly detailed personal profiles of children from a very young age onwards could also lead to potentially discriminatory practices in the future, such as excluding children with certain profiles from particular types of education or refusing to grant specific health insurance policies based on sensitive medical data that a cute cuddly lion once collected and stored.
In the same vein, the use of artificial intelligence technology which processes children’s personal information, such as their product preferences, ambitions, likes and dislikes, which is a feature already integrated in the “Hello Barbie” doll, has sparked difficult questions concerning the never-seen-before emotional bonds between children and objects. Finally, the security of such connected toys and the collected data is an increasing concern in many parts of the world. In Germany, for instance, children’s smart watches tracking their location (which were hacked in Belgium and the Netherlands) and the “My Friend Cayla” doll were banned because of security risks. The doll was discovered to be hackable, enabling strangers to talk to children through the doll. In the United States, the Federal Bureau of Investigation (FBI) has warned parents about the potential security risks concerning children’s interaction with internet connected toys that are equipped with sensors, cameras, microphones, data storage, voice recognition technologies and GPS trackers.
A recent recommendation by the Council of Europe on Guidelines to respect, protect and fulfil the rights of the child in the digital environment expects Member States, with regard to connected or smart devices, including those incorporated in toys and clothes, to take particular care that data protection principles, rules and rights are respected when such products are directed principally at children or are likely to be regularly used by or in physical proximity to children.
In the European Union (EU), the General Data Protection Regulation, or the GDPR, which became applicable in May 2018, explicitly acknowledges, for the first time in the context of EU data protection law, that children’s personal data merits specific protection since children may be less conscious of the risks, consequences and safeguards, and their rights in relation to the processing of personal data.
On the one hand, the GDPR affords certain rights to data subjects, children included, such as the right to be provided with transparent information about data collection, processing and storage in clear and plain language, the right to object, or to request erasure of their data. On the other hand, the GDPR requires data controllers (any natural or legal person which determines the purposes and means of the processing of personal data (article 4(7) GDPR)) to adhere to certain data protection principles. These principles include, for instance, lawfulness, fairness and transparency of processing, data minimisation, purpose limitation, privacy by design and privacy by default, and ensuring the integrity, confidentiality and security of data. In the context of the Internet of Toys (IoT) devices, these requirements mean that the toys shall process children’s personal information fairly, only collect the necessary data for the toy, and protect its security. According to the GDPR, “profiling” and other forms of automated decision making that produces legal effects concerning a person or similarly significantly affects a person cannot concern children (see, for example, recital 71 GDPR). In its recent guidelines on profiling, the Article 29 Working Party confirms that there is no absolute prohibition on the profiling of children in the GDPR, but that organisations should, in general, refrain from profiling them for marketing purposes. This should be taken into account by Internet of Toys providers.
In short, just like general toy safety is regulated, as expected by society (for instance the Toy Safety Directive 2009/48/EC which requires particularly high standards concerning the physical, mechanical, chemical, electrical, hygiene and radioactivity risks), there is a lot of potential in the GDPR to ensure that the child’s right to data protection is ensured. The proof of the pudding, however, will be in the uptake and enforcement of those rules.
National Data Protection Authorities (DPAs) and the European Data Protection Board, established by the GDPR, are the key actors in terms of the actual enforcement of the obligations that the full chain of IoT providers, such as designers and manufacturers of toys, software and app developers and the platforms where the collected data is stored, have with regard to children and their parents. In the coming decade, the extent to which data processing practices through connected toys and devices will actually afford children the specific protection that they merit will not only be determined by those actors in the chain but will crucially depend on guidance and actions by DPAs.
Finally, governmental and non-governmental organisations, as well as schools and child rights advocates should continue to work on awareness-raising with regard to both the benefits and the risks that internet connected toys present, as well as the obligations of data controllers in this context. Participation of children in the connected society as empowered digital citizens starts in early childhood, and all actors that are involved should do the utmost to ensure that this ambitious goal is achieved, here, now and in the future.