The parade of “smart” toys also brings a host of security concerns. In 2017, a “conversation” doll was banned in Germany after researchers found that its Bluetooth connection could be hacked to allow strangers to listen in on children. In 2020, privacy advocates raised concerns about Nintendo’s mixed-reality game Mario Kart Live: Home Circuit, which equips IRL toy race cars with cameras that zoom around the house and relay video to the game’s Switch. (Nintendo has said that they do not use game data to create Roomba-esque maps of users’ homes, nor do they share information with third parties.) Once internet connection is added to a toy, it could potentially be used to collect and share information about your child, says R. J. Cross, campaign director of the Don’t Sell My Data Campaign with the nonprofit US Public Interest Research Group. Sensors (like cameras and microphones) and Bluetooth connections are also vulnerable to being hijacked. Cross points out that any data collected could be used to create an advertising profile of your child, or compromised in a breach. “Before you know it, information about your kid may be ricocheting around the databases of companies that you’ve never even heard of,” she says. WIRED’s general advice? Don’t get your kid an internet-connected toy. But if your kid just unwrapped one, or if you don’t want to throw the cursed doll into the pyre quite yet, you should at least be aware of what data is being collected and the risks attached to it. Here’s what to look out for, how to keep your kids safe, and the signs that you should start looking for the gift receipt. When your child receives a toy, take note of any information-gathering features, like cameras, microphones, location-tracking, Bluetooth, or an internet connection. Try to figure out how these features are being used. Will they make playtime more fun or meaningful for your kid? Is it possible that the sensors will pick up on bystanders as well, like siblings or friends? Whatever sensors or inputs the toy contains, make sure that they can be turned off. If a toy includes location-tracking, shut it off, or restrict it to only being used while the toy is actively being played with. Similarly, if a toy with a microphone has a “listening” capacity, like any kind of interactive “conversation” toy, make sure that the “listening” can be shut off after playtime is over and isn’t ambiently waiting for a wake word. (If your kid did get a smart speaker, like an Echo Dot, here’s how to set it up in the most privacy-protective way possible.) Do a Google search on the toy company, too. Are they a well-known and reliable company? Do they have a strong track record of creating privacy-protective products? Have they suffered a data breach? If the company doesn’t disclose how they handle user data, email customer support and ask. All of this information can help you decide whether to keep or ditch the toy. Current children’s privacy laws in the US don’t do much to protect kids in the 21st century, says Cross. So it’s often parents’ responsibility to decide what kinds of data privacy they will and won’t consent to—and that often means reading the toy’s privacy policies. “I hate having to give that advice, but the fine print is the place where you’re most likely to find the information to key questions,” she says. To find a toy’s privacy policy, try the back of the manual, or look online. If a toy has a companion app or website, remember to scan their terms and conditions as well before you hit the big green Accept button. If you are able to set aside the time to read the fine print, keep these questions in mind:
What data is being gathered on users?What is it being used for? Where is it going to end up?
There are key words that you should comb for: “Data” is the biggest one—Cross recommends doing a Ctrl-F search to read every instance of “data.” You can also look for the words “microphone,” “camera,” and “location.” To figure out how data is shared, search for the words “providers,” “third party,” “marketing,” or “advertiser.” It’s important to acknowledge that reading the fine print is only accessible to parents who have the luxury of time to weed through dense legal language, which is not always offered in languages other than English. A good sign of a thoughtfully designed and privacy-protective toy is if the fine print is easy to find and easy to read. “If it’s not decked out in legalese, and you can understand what’s happening, that’s usually a pretty good sign that they’re trying to be transparent,” says Cross. You’ve probably already heard of augmented and mixed reality games like Pokémon Go, Mario Kart Live: Home Circuit, or Lego’s AR app. Your family might already own a VR headset. As sophisticated extended reality toys become more mainstream, it’s more important to be aware of the data they collect. Extended reality, or XR, relies heavily on sensor data. “XR uses this data to accurately place a user in a virtual space and enable more realistic sound effects and support interactions,” says Daniel Berrick, policy counsel at the Future of Privacy Forum, whose work focuses on technology and consumer privacy law issues. This means that the device is tracking body and eye movements, as well as the surrounding environment, in order to make gameplay more immersive—after all, a VR headset needs to track how your kid’s body is moving in order to slash through a game of Fruit Ninja or Beat Saber. Devices also gather usage data and data across applications, like how much time a user is spending on an activity and what kind of content they engage with. It would also use location data. If you’re evaluating XR devices or games for your kids, be extra vigilant about toggling data permissions. (More on this in the next section.) Because XR games tend to be more immersive, and potentially more intense, Berrick recommends checking for a maturity rating to make sure that that experience is appropriate for your child. If a toy includes privacy settings, make sure you’ve set them to collect as little data as possible, says Cross. Some toys might have parental controls that help you keep tabs on your children’s activity or limit the time they spend on the toy. Consider turning these on, too. Take every opportunity to set secure passwords and multi-factor authentication. “Don’t be afraid of making up information” if a companion site or app asks you for personal details about your child, says Cross. A site or app might ask for a child’s birthday to make sure that they’re old enough to use it. You’re not obliged to give an exact or even accurate birth date. Sometimes, toys collect data to make the game experience more engaging or immersive. For example, eye-tracking in VR games makes players’ avatars more realistic. Berrick recommends weighing what’s appropriate for your child given their age and the nature of the game. Does the game allow players to interact with others over the internet? If so, you might want to set more restrictive limits. Are your children playing solo or only with trusted friends? You could consider loosening the digital reins. Have you made it this far and decided to keep the smart toy in your home? Just make sure that playtime happens in a supervised setting. If you wouldn’t leave a small kid home alone with a baseball bat within reach, don’t leave them alone with a toy that could potentially be hacked. It’s entirely possible for kid-appropriate tech to inspire all the joy and imagination that you’d want in a toy, just with a little more fumbling with fine print and the ever-present shadow of privacy risks. Or you can simply get them that good ol’ analog skateboard already.