WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) today applauded the Federal Trade Commission’s (FTC) move to better protect children’s personal information by modernizing its rules to reflect current consumer and technology trends. The FTC updated its guidance on June 21^st to make it clear that smart toys must comply with the Children’s Online Privacy Protection Act (COPPA), which requires parental consent before businesses or online services can collect the personal information of children under the age of 13.

In a May 22^nd letter to FTC Acting Chair Maureen Ohlhausen, Sen. Warner had noted several recent high-profile instances of children’s personal data being hacked through the proliferation of apps and Internet-connected smart toys, and asked for clarity from the consumer protection agency. In the same way that the FTC revised COPPA in 2013 to reflect new mobile and app-based online services, Sen. Warner encouraged the FTC to examine how the rules should apply to the growing market of Internet of Things (IoT) devices designed for children.

“I am pleased that the FTC has recognized that parents and consumers need to understand the ways that Internet-connected smart toys can transmit and store user data about their kids,” Sen. Warner said. “Smart toys provide great opportunities for kids to learn and play, and it is critically important that the FTC is not just shrugging-off legitimate privacy and security concerns.” 

The FTC enforces the COPPA Rule’s requirements dealing with children’s privacy and safety online. The updated guidance adds new information on situations where COPPA applies and steps to take for compliance. In addition to specifying new, secure ways for vendors to obtain parental consent, the revised guidance makes clear that technologies such as connected toys and other Internet of Things devices are covered by COPPA, as Sen. Warner called for.

According to multiple media reports, CloudPets, a product line manufactured by Spiral Toys and marketed as ‘a message you can hug,’ stored customers’ personal data in an insecure, public-facing online database. CloudPets reportedly exposed over 800,000 customer credentials and more than two million voice recordings sent between parents and children. Subsequent reports have raised questions about security at the device level, with individuals able to hack CloudPets’ toys and remotely control the devices, including the microphone, if they are within Bluetooth range.

In 2016, privacy advocates filed a complaint with the FTC regarding the children’s doll “My Friend Cayla” amid concerns that it could be used for unauthorized surveillance. In February 2017, the Bundesnetzagentur, Germany’s equivalent of the FTC, pulled “My Friend Cayla” off the market due to concerns over the doll’s surveillance capabilities.

More broadly, the Senator has raised concerns about the proliferation of insecure connected devices, including in the wake of the Dyn attack and WannaCry ransomware outbreak.

Sen. Warner, the Vice Chair of the Senate Select Committee on Intelligence and former technology executive, is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus and a leader in Congress on security issues related to the Internet-of-Things (IoT).

###