Good and Bad Toys for Families
A few examples of devices that highlight why strong protections for consumers are necessary.
The Teddy Bear and Toaster Bill (SB 327), authored by California State Sen. Hannah-Beth Jackson, would help inform consumers about the basic privacy and security practices of devices on the market today. But which devices are good and which are bad?
SB 327 would require manufacturers to use reasonable security, indicate if the device is collecting information, and provide point-of-sale notice of what data is collected, where to find more privacy information, and whether any security patches or software updates are provided.
Determining whether devices on the market today are good or bad for consumers from a privacy and security standpoint is not easy. Manufacturers often do not provide enough transparency about a device's data-collection or data-security practices for consumers to make informed decisions. To evaluate whether a product is good, Common Sense took a look at numerous products on the market to see whether they purport to use reasonable security practices; indicate when the device is collecting information; and provide notice of what data is collected, where consumers can find more information, and whether any security patches or software updates will be provided for the product. Good products meet many of these requirements. Good products also are updated in response to discovered vulnerabilities.
It is important to understand that cybersecurity professionals will continue to discover vulnerabilities in products as technology evolves. What is important -- and what can differentiate good or bad products -- is whether, after a manufacturer is notified of any potential security vulnerability in their product, they take the report seriously and immediately respond with security patches or updates to fix the issue.
Evaluating whether a product is bad for consumers is unfortunately not that hard, because it is clear that far too many devices on the market today do not have adequate privacy policy statements or fail to inform consumers about what data a device collects or whether the device uses reasonable security practices to protect consumers' data. To make matters worse, many of these devices have experienced recent data breaches that exposed millions of kids' personal information or have security vulnerabilities that have yet to be fixed. Bad products do not meet basic privacy or security standards and have known vulnerabilities or data breaches.
The following are a few examples that highlight why strong protections for consumers are necessary. There are hundreds of products that put consumers at risk, and we hope by highlighting some good and some bad, more companies will prioritize consumer protections moving forward.
Good Devices
Here are some examples of good devices. They aren't perfect, but they're the best of the bunch:
Fisher-Price Smart Bear: A teddy bear that uses voice and image recognition so a child can choose activities such as stories, games, and adventures and that learns a child's favorite things and activities.
- Notice is provided that the product never transmits any personally identifiable data from the device.
- Notice of audio and image recognition and collection is provided on package.
- Notice of unlimited Wi-Fi content updates through the free parent mobile application is provided on package with sticker.
CogniToys Dino: A Wi-Fi-enabled educational smart toy that learns and grows with children. The cloud-connected Dino can answer questions, tell bedtime stories, and provide interactive games.
- Provides a "Parent Panel" to monitor a child's interaction with the device and indicates it performs security best practices with encryption and security audits.
- Notice of audio collection is provided on package.
- Notice that device updates software automatically is provided.
Nest Cam Indoor: A security camera that connects to Wi-Fi and can stream 1080p HD video to a mobile device.
- Detailed "Data Security" policy outlines device-encryption features and data-security best practices.
- Lights on device indicate when recording, streaming, or speaker is in use.
- Notice of security patches and software updates is provided.
Bad Devices
Here are some examples of bad devices. These devices have a long way to go:
CloudPets: Can record and send messages using the CloudPets app from anywhere in the world.
- Product data breach exposed over 500,000 children's personal information.
- No privacy policy is available.
- No notice of security patches or software updates is provided.
My Friend Cayla: A doll that can answer all sorts of questions, play games, tell stories, and talk about pictures in her photo albums with the help of her mobile application.
- Product has known security vulnerabilities that could allow for a data breach of personal information, but the manufacturer has yet to fix the issues.
- No notice that device is collecting audio information when in use is provided.
- No notice of security patches or software updates is provided.
Vtech InnoTab Max: A multifunctional tablet that combines interactive animated ebooks, tilt-sensor learning games, creative activities, and a rich collection of applications into a toy that kids will want to play with.
- Product had data breach that exposed over 6 million children's personal information.
- Notice that device collects video, audio, and images is provided.
- Notice that the device is collecting information is provided when in use.
