Jeremy Greenberg

Dangerous Games: Connected Toys, COPPA, and Bad Security

INTRODUCTION

Recent technological innovations have led to an increasing number of devices connecting to the Internet, which in turn collect and store user data. The expansion of the Internet of Things (IoT) industry raises new privacy and security concerns for users of these devices. One surprising area of concern is children’s privacy and security in the connected toys industry. Connected toys connect to the Internet using technologies such as Wi-Fi and Bluetooth, and typically operate in conjunction with companion apps to enable interactive play for children.1 According to Juniper Research, in 2015 the market for connected toys reached $2.8 billion and is predicted to increase to $11 billion by 2020.2 These toys collect and store personal information from children including names, geolocation, addresses, photographs, audio, and video recordings. The primary cop on the beat for children’s privacy and security online is the Federal Trade Commission (FTC), which enforces the Children’s Online Privacy Protection Act (COPPA).3 However, given the several recent security breaches of connected toys, it is clear that COPPA is not providing adequate security for children’s personal information, and new solutions are needed to improve the security of connected toys.

One of the most egregious examples of poor security exhibited by a toymaker comes from VTech, a maker of smart computing devices for children, which exposed 6.4 million children’s personal information when its database was hacked.4 In one of the largest data breaches in history,5 the hacker obtained children’s first and last names, genders, birthdays, photos, and chat logs.6 This hack could have been avoided if VTech’s data operators guarded against the hacker’s SQL-injection technique, which is decades old, well-known, and easily prevented.7

Spiral Toys, the makers of CloudPets—stuffed animals that allow parents, children, and other family and friends to record and send messages across the world8—had its vulnerable databases hacked, compromising 800,000 account credentials and over 2 million voice recordings, many of which contained children’s voices.9 Though Spiral Toys was first warned of its database vulnerabilities on December 31, 2016, and multiple times after that, Spiral Toys took no action to secure the exposed customer data.10 Finally, on January 12, 2017, hackers performed a ransom attack on the still-exposed database, meaning hackers captured all CloudPets’ customer personal information, wiped the database, and demanded ransom for its return.11 It was not until after this story broke to the public in February 2017 that Spiral Toys notified parents of their children’s compromised personal data and publicly acknowledged the breach occurred.12

My Friend Cayla, an interactive doll that asks and answers children’s questions, granted hackers an open door to the toy’s functionality by allowing anyone within thirty feet to connect to the toy via an insecure Bluetooth connection that did not require any form of authentication.13 In turn, hackers could take control of the doll and make it say anything to children, including asking personal questions and making inappropriate comments.14 Genesis Toys, makers of My Friend Cayla, could have easily combatted these types of attacks by simply requiring Bluetooth authentication when attempting to connect the doll to a device, thereby preventing hackers from easily taking control.

The above examples, among several other known breaches and vulnerabilities,15 have sparked widespread concern leading to members of Congress calling for better industry practices,16 the FBI issuing a warning to parents of the dangers posed by connected toys,17 the German government banning the My Friend Cayla doll and children’s GPS watches in Germany,18 toymaker Mattel cancelling its children-focused AI device under pressure from children’s rights advocates and lawmakers,19 and the FTC and Department of Education scheduling a workshop dedicated in part to improving children’s privacy relating to connected educational toys.20

Under COPPA, data operators are required to exercise “reasonable procedures” to protect the security of children’s personal information collected by websites or online services.21 Other than the recently updated guidance document entitled Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business,22 there has been little movement to compel toymakers to improve data security practices.

As shown by the glut of recent children’s data breaches resulting from companies’ egregiously poor data security, it is clear that neither COPPA nor the FTC’s guidance documents are doing enough to protect children’s data online. As it currently stands, parents, rather than companies, are left as the sole protectors of children’s privacy and safety. Instead, companies—who possess greater resources, technical know-how, and expertise than parents—should be responsible for providing reasonable security with vigilance to ensure maximum safety and privacy of children.

I. A BRIEF EXPLANATION OF COPPA

COPPA, enacted in 1998, carves out special requirements for data operators to protect children’s personal information online. These requirements are based in part on the idea that children’s personal information requires special care and protection from data operators because children have not developed the capacity to make informed decisions online.23 In this way, COPPA holds a unique place in the world of privacy regulations. Similar regulations do not exist for other vulnerable segments of the population who cannot make informed decisions related to privacy. The key question then becomes whether COPPA does an adequate job of protecting children’s personal information, given the particular concerns that arise when children’s information is collected and stored online.

A. What is Covered; What is Required?

To assess if COPPA is an effective means of protecting children’s personal information, it is important to understand what services fall under COPPA and what is required for compliance with its data security requirements. For an online service to fall under COPPA, it must be a website or online service, directed toward children24 under thirteen years old,25 which is collecting children’s personal information.26 In tandem with COPPA, the FTC has further clarified various requirements through the issuance of guidance documents.27 In July of 2017, the FTC updated its guidance document titled: Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business.28 Here, the FTC clarified what was long expected: connected toys qualify as online services covered under COPPA.29 Though connected toys were long assumed to fall within COPPA’s purview, the FTC’s update to its guidance erases any doubt that connected toys do qualify as “online services” under the statute.

In conjunction with the collection of children’s personal information, COPPA requires that companies collecting personal information from children “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.”30 Neither COPPA nor the FTC precisely defines “reasonable security” practices. The FTC attempts to promote “reasonable” practices in its guidance documents by urging companies to minimize the amount of data collected from children, retain this data for as short a period as possible,31 and make certain that any third parties who access this data maintain strong security.32 Additionally, the FTC could further clarify what is required from data operators through enforcement actions by issuing consent decrees for particular violations of the “reasonable security” standard under COPPA.33 However, as of the time of this writing there have been no consent decree settlements specifically relating to toymakers exhibiting unreasonable security of children’s personal information. Therefore, other than the scant additional guidance offered by the FTC, toymakers are without a clear definition of the “reasonable security” required under COPPA.

B. Remedies for Parents

COPPA offers relief to parents of children whose personal information is collected by requiring data operators to allow parents to review all collected personal information, request its deletion, and forbid the data operator from further collection.34 Because the FTC does not elaborate on what “reasonable security” entails under COPPA, nor does it enforce these principles with consent decree settlements for companies not practicing “reasonable security,” deletion is the only remedy available to parents to restrict access to their children’s personal information. Electing parents as the sole protectors of their children’s data proves to be neither practical nor effective.

II. CHILDREN’S SAFETY ONLINE SHOULD NOT BE SOLELY IN THE HANDS OF PARENTS

Relying on parents to maintain their children’s privacy and safety is unreasonable given the absence of parental notice of the collection and storage of their children’s personal information, the ineffectiveness of COPPA’s relief mechanism, and a lack of alternatives other than not buying the toy.

A. Parents Do Not Have Notice of Toymakers’ Data Collection and Retention Practices or the Deletion Remedy

In order for concerned parents to request that a toymaker delete and discontinue the collection of their children’s personal information, parents must first have notice that the personal information is being collected and stored and that deletion is an available remedy.35 As required under COPPA, data operators must obtain parental consent before collecting children’s data.36 Moreover, COPPA requires that data operators disclose how parents may request deletion.37 However, the fact that a parent clicks “I agree” before allowing their child to interact with the toy in no way indicates that the parent has taken the time to look at, let alone read and understand, the toymaker’s terms and conditions detailing their privacy and security practices. It is well documented that the majority of Internet users never even look at the text of terms and conditions before clicking “I agree.”38 Parents with children anxious to play with a new toy might be even less likely than most users to take the time to read and comprehend privacy policies, making it very unlikely parents receive notice of security practices and the deletion remedy contained within the terms. In addition, given the societal distribution of parenting hours, the responsibility of protecting children’s security online will disproportionately fall on the mother, who generally takes on the majority of parental responsibilities.39 This not only further decreases the ability of the child’s guardian to receive notice of policies and remedies, it also constitutes an even more unfair burden on the parent, adding another responsibility to the already-challenging task of parenting.

In the unlikely event that a parent does take the time to investigate the toymaker’s data collection and security practices, they will encounter terms that tend to be too long,40 hard to locate,41 written in difficult and confusing prose,42 and sometimes non-existent.43 All of these factors ultimately push the high bar even higher, as parents are even less likely to receive notice of the toymaker’s collection and retention of data, making parents unlikely to seek the deletion remedy baked into COPPA.

The FTC has attempted to enhance parental notice by including innovative suggestions in its recent update to its COPPA guidance aimed at verifying that the actual parent is the person agreeing to the toymaker’s terms and conditions, rather than the child.44 These suggestions include requiring a parent to answer knowledge-based questions that only the parent could answer and using facial recognition technology to recognize that the parent is agreeing to the terms and conditions.45 While these innovations may solve the problem of parental notice, they do not address the problem of ensuring that the parent clicking to agree to terms has actually read and understood these terms and is aware of available remedies. Additionally, toymakers do not have the incentive to follow the FTC’s suggestions because they are expensive to implement and lack the force of law.

B. Even with Notice, COPPA’s Remedy Is Ineffective

If and when the rare parent who receives notice of the toymaker’s data collection and retention practices requests to review, delete, and stop the collection of their children’s data, their children’s personal information will continue to remain vulnerable to security breaches. Because many of the toymakers share children’s personal information with third parties, who often share this same data with even more third parties, fully deleting data is a difficult, if not impossible task.46 Full deletion of data would involve tracking all data collected, which has passed through many databases, and making certain that all of the data is deleted by the many data operators in control of the collected and shared data. Recently, the FTC attempted to curb sharing of some collected children’s data by issuing new guidance.47 This guidance prohibits data operators from sharing children’s audio recordings used to operate the toy with third-party advertisers and marketers and requires data operators to delete the data from servers before it is made public.48 While this guidance takes a step in the right direction of enhancing children’s security by discouraging the sharing of children’s data and encouraging deletion, it narrowly applies to only one type of children’s data and does not have the force of law.49 Additionally, even if toymakers heed the FTC’s guidance to share personal information only with third parties whose security practices are reliable,50 actually tracking and deleting the data remains an enormously costly undertaking beyond the capabilities of most toymakers.

C. Parents Are Left with the False Choice of Not Buying the Toy

Other than COPPA’s ineffective remedy for parents to protect their children’s personal information, parents have few alternatives to ensure children’s safety online but to choose not to buy the toy. Though some connected toys and apps do offer the option to turn off the collection of personal information, this usually results in the toy being unable to function as intended, while removing the toy’s “hook” of connectivity.51 Additionally, parents wishing to bring a complaint in court will face an uphill, if not insurmountable, battle to meet the “injury in fact” standing requirements for data breaches.52 Further, parents cannot rely on COPPA’s data minimization requirements, aimed at reducing the amount of data collected and the amount of time this data is stored, because the FTC has not enforced this clause to prevent companies from collecting surplus data. In fact, companies are currently incentivized to retain surplus data because retention is inexpensive, especially compared to the cost of maintaining a robust security mechanism responsible for data minimization.53

This leaves parents who seek enforcement of strong data security practices against toymakers with the false choice of not buying the toy for their child. The choice is false because their children’s personal information could still be collected and stored by a toymaker with poor data security practices when children interact with connected toys at friends’ homes or playgrounds.

III. POSSIBLE SOLUTIONS

To spur industry-wide improvement related to connected toys’ data security practices, the FTC can no longer rely on parents to be the sole guardians of their children’s safety and must place a heavier burden on the companies collecting and retaining the data. The following are some potential solutions aimed at starting the conversation for methods of enforcing stronger data security in the connected toys industry.

One option for the FTC to enhance data security would be to levy consent decree settlements against toymakers not practicing “reasonable security.” The issuance of these fines and conditions would help animate the industry’s understanding of what does and does not qualify as “reasonable security” under COPPA. Moreover, issuing a consent decree specifically addressing children’s data security would underscore the FTC’s dedication to consumer protection and invoke industry concern that if data security practices are not improved, operators will be penalized. Potential issues with this solution include the difficulty the FTC would face in levying consent decrees given its heavy workload, tight budget, and diminished staff.54 Additionally, many smaller startup toymakers do not have the financial resources to create and maintain robust data security programs, which might discourage these toymakers from entering the market.

Another possible solution would involve the FTC continuing to update its guidance documents with specific examples of what qualifies as reasonable and unreasonable data security. Potential drawbacks to this solution are that guidance documents do not exercise the force of law, and creating a list of “check boxes” that represent “reasonable security” could result in companies meeting only these security requirements, while neglecting other prudent security measures unnamed in the guidance.

The FTC could also continue to hold workshops, like the aforementioned workshop relating to children’s privacy in educational toys,55 to brainstorm potential solutions for the poor data security endemic to the industry. Here, the FTC could invite cybersecurity professionals, toymakers, data operators, children’s rights and health advocates, and parents to the workshop to discuss solutions. Even though they would not guarantee immediate or effective action, these discussions could serve as a starting point for reducing security risks.

Other solutions would involve movement from Congress on new bills aimed at improving cybersecurity related to the IoT,56 and connected toys in particular. However, new bills could take an extended time period to be enacted into law, especially given the still-evolving IoT landscape. Moreover, maintaining better data security in connected toys might be low priority compared to other IoT devices, such as connected cars, that have a greater economic impact and more pressing safety and security concerns.

CONCLUSION

Despite several recent breaches and security vulnerabilities found in connected toys and COPPA’s ineffectiveness at protecting children’s privacy, there is hope for stronger cybersecurity in the connected toys industry moving forward. It is encouraging that Congress and the FBI have voiced concern with the current state of the industry, the FTC has updated some of its guidance and scheduled a workshop related to COPPA concerns, and the country’s largest toymaker, Mattel, has canceled the sale of a children’s AI device amid pressure from advocates and lawmakers. Additionally, the press has reported on children’s security concerns at length, increasing awareness among Congress and consumers. While there is no simple solution to the problem of maintaining robust Internet security, all sides continue to view children’s privacy and security online as a unique issue worth singling out for special protection.

GLTR Staff Member; Georgetown Law, J.D. expected 2018; Ithaca College, B.S. 2009. ©2018, Jeremy Greenberg.