Presuming that Santa is up with the times, and actually knows what a connected toy is, does the child know what they asked for, and why does this matter?

What are connected toys? A source of information…

The kid asked for a toy that is connected to the internet, a characteristic that amplifies the potentiality of the toy in multiple ways (learning tasks, personalization, interactivity, etc.), providing an experience for the child that goes far beyond what the physical object could offer if it was not connected.

In fact, from the moment the toy connects to the internet, it ceases to be a simple object and becomes an “information society service”. What the specific service of a connected toy is, depends from the toy configuration. What the definition means, however, is that – whatever the service may be – it is provided through the transmission of data (=information). From the toy to the child and, obviously, from the child to the… internet.

A service that is meant to be accessed by children…

Connected toys have another very important quality: they offer a service that is meant to be accessed by children, one of the most vulnerable categories of data subject. In fact, children are particularly prone to abuse (for example, through nudging techniques that encourages them to provide more data than they would otherwise do), and harm (like secret tracking, exhortation to take actions which put their physical and mental well-being at risk and, unfortunately, many more).

Connected toys play, talk, listen, teach, some are even capable of empathy-based dialogues… Such toys engage with kids (almost) any time kids want (true, at some point toys need to re-charge their batteries too), and provide an almost constant source of fun and entertainment. Connected toys create and control the game, rather than being passively “acted on”. How is this possible?

While there are many technical solutions among which manufacturers could choose to enable their toys to “control the game”, the underlying idea is the same: toys should be able to absorb information from children (based on children’s behaviour, play practice, vocabulary, tone of voice, sometimes even images, etc.), analyse the information received (i.e., conduct a personality assessment), and infer new pieces of information about the children (i.e., delineate a profile) on which basis new inputs should be provided to children. More information on the implications of growing up in the digital environment can be found here.

What are the risks and how can we mitigate them?

In addition to those already mentioned (abuse and physical or mental harm), there is another risk, namely the so called “datafication” of children (a condition in which the development of children’s personality is driven by data – both “given” by the data subjects and “derived” from them– rather than by the children themselves), without them being aware of it.

The risk can be mitigated in two ways: on the one hand, provide children with the skills and tools necessary to defend themselves and, on the other hand, regulate the use that online providers do of children data.

The ICO Age appropriate design code

This challenge has been embraced by the UK Information Commissioner’s Office (ICO) who – as requested by Section 123 of the UK DPA – developed the Age appropriate design code (the “Children’s code”).

The Children’s code is a regulatory instrument that sets forth standards “to be desirable having” (says Section 123 of the UK DPA) in order to make online services and products that are likely to be accessed by children “children-proof”.

The explanatory memorandum to the code can be found here.

The Children’s code applies to providers of information society services (included connected toys) that process (or are likely to process) personal data of children in the UK.

It entered into force on 2 September 2020 and provided for a transitional period that ended on 2 September 2021.

Which connected toy shall Santa choose based on the Children code?

According to the standard n. 14 (which specifically addresses connected toys) “if you provide a connected toy or device, ensure you include effective tools to enable conformance to this code”, which bring us to standards from 1 to 13, namely:

  • design the toy in the best interest of the child (= the child interest prevails)
  • establish the appropriate age for the toy to be used safely
  • provide information about the toy in a language that is suitable to the age of the child (when possible…)
  • do not use child data in a way that in manifestly detrimental for the child
  • practice what you preach
  • by default, set the toy on high privacy standards
  • minimize the data collected
  • do not share child data with external parties
  • disable geolocation
  • if parental control is needed, make sure the kid is informed
  • only use profiling techniques if additional measures exist which prevent harmful consequences for the child
  • do not nudge the child to provide unnecessary data or turn off security measures

How toys manufacturers keep all this under control is carrying out a data protection impact assessment (standard n. 2) ideally before they put the toy on the market.

Some examples…

A toy can be used by multiple children (of different ages) at the same time. According to the code, this means that a connected toy in principle should be designed keeping in mind children of all ages. This make toys different from online websites, for which an appropriate age verification tool could be implemented, making it easier to limit the use of the web service to children of a specific “age range”.

Design a toy suitable for children of all ages may seem restrictive and difficult to implement. What it means in practice would require an ad hoc assessment of the risks concealed in the toy.

What comes to mind is that the toy should be designed taking into consideration the most vulnerable (among the vulnerable) subjects and, hence, the least intrusive options should be set by default (no geolocation; no passive collection of data; provide the clearest information possible about the toy functionalities; when it is possible to dialogue with the toy, special care should be used in the selection of the expressions used by the, etc.).

Because it is difficult to foresee all the possible uses of a toy, it is advisable to provide profile options among which children (or adults on their behalf) can choose. This would give control on the tool back to users, which should be free to choose for themselves what is most appropriate for them.

Toys manufacturers should disable passive collection of data and make it clear to the children and their parents (or carers) when the toy is collecting data.

These are only some examples. You can read more on the standard of age appropriate design for connected toys here.

What happens if connected toys providers do not conform to the standards?

According to the ICO, non-conformation to the standards will likely result in difficulties to demonstrate compliance with the GDPR when processing personal data of children in the UK, hence the risk of fines is higher. This holds for any online service and product provider to whom the code applies.

When assessing the processing of UK children’s personal data, the ICO will take account of the risks to the children that arise from the processing under scrutiny, and the efforts made to conform to the standards set forth in the code.

Companies who did not take any steps to conform, despite being clear that: i) children are likely to access the service they offer, and ii) that significant risks exist from the use of children’s data, are more likely to trigger regulatory action from the Authority. You can find more information about this aspect here.

Dear Child, do you still want a connected toy?

Dear Santa, sure, why not? Do you mind to check that all the above is implemented in the toy you choose for me? I look very much forward to it!