Children’s Privacy in the Internet of Things – Part 1: Threats that IoT poses to children’s privacy

Feb 9, 2017

Nowadays everyday objects have been datafied and are able to measure, store or analyze information more than ever before. The so called “Internet of Things” (IoT) is not only used in everyday objects designed for adults but also for children – which means that children´s dolls, teddy bears and other toys are also connecting to the communicational network­­s. These “smart” toys are often designed to monitor children’s locations and health as well to analyse personal qualities. For example, an innocent-looking teddy bear may be able to collect information widely from its surroundings and store the collected data to an open source cloud service. Some of the smart toys are also developed to have two-way conversations with a child over the Internet and to respond based on children’s moods and preferences.

The IoT phenomenom brings a number of novel threats especially for children´s privacy. There is an increased risk that smart toys can easily be hacked or hijacked by a third-party in ways that are especially challenging. For example, in 2015 news revealed that a children’s toy manufacturer was hacked by an “unauthorized party” and the hacker walked away with personal data of over six million children. In another case a Wi-Fi connected talking doll was turned into a surveillance device by a hijacker. These data breaches and hijacks are largely a result of to the fact that the level of data protection and data security in the toys is often too low. At the same time consumers are not aware of the hidden dangers.

Nevertheless, it should be noted, that these threats we are facing nowadays are not the only possible dangers: there is an increased risk that the collected data can be used also in the future. For example, collected data may also be used as a key material in the automated decision making processes concerning financial or employment related decisions. The trend to use data collected via smart devices as a part of the decision making process can already be seen as companies are selling e.g. insurances which are priced according to the activity measured by a smart device. If the collected data turns out to be incorrect or inaccurate, it may have a significant impact on the rights of the child and the rights of the future adults.

The second part of our blog series will take a glance on how the GDPR will affect to children’s privacy in the Internet of Things.



Saara Koski, Privacy Specialist