Just two weeks after the major V-Tech hack, another toy company is in the press for privacy related issues.
Now it is Barbie’s turn. In early December, Mattel Inc. was hit with a class action lawsuit in California alleging that its new Hello Barbie doll records conversations without parental consent, in violation of the Children’s Online Privacy Protection Act (COPPA). Hello Barbie is created by Mattel in conjunction with ToyTalk, a venture-funded start-up that creates interactive toys and apps. Read more>
The plaintiffs are two California mothers: one bought the Hello Barbie doll for her daughter and signed up for the related online app. The second plaintiff did not purchase the product or sign up for the app – but her daughter played with the doll at a birthday party, the girl’s voice was recorded by the Hello Barbie doll and a copy of the recoding was stored by the app.
The Plaintiffs allege that the recording of the friend’s voice by the doll, without the permission of the friend’s mother, violates COPPA, and that it is false and misleading for Mattel and ToyTalk to advertise that Hello Barbie complies with COPPA.
These allegations raise an interesting question: the rule defines personal information to include “individually identifiable information about and individual collected online, including … a photograph, video or audio file where such file contains a child’s image or voice”.
It is clear that the voice of the child who owns the doll – and in whose name the doll is registered – is individually identifiable, because the doll and the related systems link that voice to that name.
But it may not be clear that any other voice that the doll happens to record should be considered individually identifiable personal information. While the Plaintiffs assume that any voice meets the COPPA definition of personal information, we will see whether a judge – or the FTC – would concur with the view that an unnamed and unidentified voice is “personal information”.
Toy and app manufacturers should carefully consider these questions, particularly whether there are practical alternatives, such as the Plaintiffs’ suggestion that the Hello Barbie doll should “implement a process” to record the voice of the registered owner (where the parent has consented) and recognize the voices of other children – and then delete or obtain parental consent relating to the other voices.
As a parent, I am more troubled by the public concerns that the Mattel/ToyTalk system may be vulnerable to hackers, such that the Hello Barbie Doll could be directed to respond as the hacker – rather than Mattel/ToyTalk – direct.
This risk echoes the recent difficulties faced by V-Tech, where system vulnerabilities created the opportunity for a devastating data breach. I expect that parents would be shocked and disappointed if the Hello Barbie doll were to be hacked, as they have relied on Mattel’s and ToyTalk’s assurances that the Hello Barbie doll and the ToyTalk system are secure.
Clearly, makers of toys and apps have a minefield of issues to consider as they launch interactive toys at the edge of the “internet of things”.