Trouble in Toyland 2023

We talked to pediatricians who strongly recommend waiting for Meta to do more thorough testing to ensure VR is safe, and for other research on the effects on kids’ and teens’ developing brains before getting one. “It’s just not worth the risk right now,” developmental pediatrician Dr. Mark Bertin said in an interview with PIRG.

According to Meta, your child could end up with minor injuries, or possibly problems with visual development.

It feels so real it’s even being used to do virtual exposure therapy for phobias. But as child clinical psychologist Dr. Brett Kennedy pointed out, “If it feels that real, how you use it really matters.” Even mild violence is a lot more intense in 3-D. VR content can also have a bigger impact on users’ bodily reactions and mood than 2-D games, especially for younger users, and those effects can last long after you’ve taken the headset off. 

In PIRG’s testing, we found interactions with our test 10-year-old’s junior account ranged from bizarre to disturbing, including another player shooting himself in the head in front of our young player in an app rated OK for 10-year-old children. Other researchers using teen accounts on popular apps have experienced sexual harassment and even sexual assault attempts, particularly when using teen girl accounts.

This includes lewd audio group chats and people using their virtual avatars to simulate sex. Researchers have found minors have ready access to this content thanks to loopholes, poor moderation controls and content labeling failures.

Playing games often requires agreeing to different third-party companies’ data practices wholesale. VR headsets can also gather sensitive motion data, which can be used to infer health or demographic details about you, and there’s virtually no regulation controlling how companies or other actors use this data. 

The experts we spoke to recommend parents approach VR using the precautionary principle – don’t use it at all until these problems have far better solutions, and Meta proves we can trust it with our children and teens. 

If you are thinking of going ahead and getting a Meta Quest VR headset for your child or teen, we walk through the things to think about. 

An uncomfortable reality of smart toys: We don’t know with certainty when our child plays with a connected toy that the company isn’t recording us or collecting our data. All we have is their promise and the threat of consequences if they break it.

“A company is required by law to abide by claims about its privacy practices stated in its privacy policy and in other representations,” Samuel Levine, director of the Bureau of Consumer Protection at the Federal Trade Commission (FTC), told U.S. PIRG Education Fund. “If the toy is directed to children under 13 years old, the Children’s Online Privacy Protection Act, or COPPA, requires the toy company to ask for your consent before it collects your child’s personal information.”

But there’s a long list of companies the FTC has sanctioned, saying they violated COPPA. In these cases, consumers found out only after the fact. 

Recent FTC violations include: 

Microsoft, 2023. Will pay $20 million to settle allegations that it collected children’s information on its Xbox gaming system including their full name, phone number, email address and date of birth without parental consent. As part of the action, the FTC also made it clear to Microsoft and other companies that a child’s personal information includes health information, vital signs and biometric data such as eye tracking, iris and retina scans, voiceprints, fingerprints, and hand and face geometry. 

Edmodo, 2023. Ordered to pay $6 million but it was suspended because of the company’s inability to pay. This was an educational product aimed at students, not a toy, but the company was accused of using children’s data for advertising purposes.

Google and YouTube, 2019. Paid $170 million to settle allegations that Google’s YouTube video sharing service illegally collected personal information from children without parental consent.

VTech, 2018. Paid $650,000 to settle allegations that its Kids Connect app, used with various Vtech toys, “collected the personal information of hundreds of thousands of children” without notice or consent from parents as required under COPPA. This was the FTC’s first children’s privacy case involving a toy that connects to the internet.

And the previously mentioned case involving Amazon, 2023. The FTC and DOJ charged Amazon with violating children’s privacy laws by using its Alexa/Echo service to obtain and keep children’s voice recordings and geolocation data for years, and then deceiving parents who requested data be deleted and using the data for its own purposes. The government proposed ordering Amazon to pay $25 million for its COPPA violation.

It’s notable that Amazon also offers Alexa-enabled devices and toys, such as a play kitchen and a board game currently. It’s removed at least one toy’s Alexa functionality by taking down the software that once connected the Fuzzible Friends stuffed animals to Alexa and Echo. We may see a growing number of toys in the future that connect to Alexa.  

Internet- and bluetooth-connected toys come with particular risks

Connected toys that access the internet can often collect and store personal data, including audio recordings and user preferences. Collecting this type of data can make your or your child’s information more vulnerable to hacking or unauthorized access, as was alleged with Hello Barbie and CloudPets. Data breaches involving various toys and unencrypted data from child users have already been reported.

Additionally, some connected toys can access internet content, which can expose children to inappropriate or harmful material without proper filtering and parental controls. Parents may want to weigh any possible educational benefits of devices with internet access against the risk of children unknowingly accessing inappropriate photos or websites. 

While regulators and lawmakers have focused on the safety and privacy of children online for a quarter-century, it’s an evolving issue as we see new technology and better technology every year. Levine of the FTC notes the agency has focused on children’s privacy online since supporting COPPA in 1998.

It’s good for parents to know that regulators are monitoring the landscape for companies that violate the law and put our children at risk. We likely will see more enforcement and further regulation in the future.

“The FTC is staying on top of trends in the marketplace, like the emergence of artificial intelligence, virtual reality and augmented reality, and their potential implications for children’s online privacy,” Levine said. “Congress is also considering legislation that would strengthen privacy protections for children.”

In the meantime, parents and gift-givers can assess a toy they may be considering, or a toy their child already has using our tips below.

• Is the toy’s microphone always on? Does it have a wake word? (This can mean it’s always listening.) Or is there a button you have to hold down in order to activate the microphone? The latter option is the safest feature.
• Is there a light or some indication the microphone is listening? 
• Does it have a secure Wi-Fi or Bluetooth connection, which would prevent a stranger from talking to or listening to your child through the toy? For example, does it require you to set up your own strong password before play? Or does it allow you to use the toy with a weak default password that could be easily guessed – which could put your kid in danger? 
• Do the recordings get collected by someone or some company using a Wi-Fi or Bluetooth connection?
• Where is the collected information stored – just on the toy, or also on the toy company’s back-end server, or that of a third party “service provider”? The more companies store your child’s data on their servers, the more likely it will be exposed in a breach or a hack.
• How are the recordings used? Some companies say they use recordings to improve their products. Others share them with third parties. In both examples, children and their families could be at higher risk of fraud, unwanted advertising and identity theft. 
• Does the privacy policy specifically mention security being a priority for data it collects? Are the recordings stored securely? If not, then you may be better off finding a toy company that takes your child’s safety and security more seriously. 
• How long are the recordings retained? If the company fails to delete the data beyond what’s necessary to fulfill the play function, it can increase the odds your child’s data will eventually be exposed in a breach or a hack. 
• Who has access to the recordings, or who are they shared with?
• Can you review recordings of your child and tell the company to delete the ones you may be uncomfortable with? This is useful particularly in the case of a child sharing more personal information with a conversational toy than you’re comfortable with.

• Are the photos your child takes stored on an SD card or sent through Wi-Fi or Bluetooth? Storage on an SD card allows you to  review and better control what happens with the photos. Sending photos via W-iFi or Bluetooth is faster but can represent a risk of photos getting in the wrong hands.
• If they can be sent, are the photos stored on the toy company’s back-end server?
• Does the privacy policy specifically mention the security it uses for images or photos it collects? 
• Who has access to the images or photos or who are they shared with? Does the company’s privacy policy say it shares with third parties?
• Can you access images or photos the company stored or shared??
• What does the company’s privacy policy say about your ability to  require the company to delete images or photos?

• Does it connect automatically to unsecured Wi-Fi networks? A toy for a child should not. You want a button on the toy that must be pressed or some intentional action you take to allow it to search for a network.  If there’s not a button, is there at least an app that requires a password to connect to Wi-Fi?
• If the toy connects to an unsecured Wi-Fi network, is it able to block any intrusions? You likely have to test this.
• Does it provide a way for your child to send or receive messages, or connect to any social media accounts? The privacy policy might indicate this. Or you might discover it when setting up the toy. It might recommend you to sign in via Instagram or Facebook, for example, or send messages to invite “friends” to connect to your child, and their toy. You don’t want to connect a toy to a social media account. 

• Does it share any information about your child, including geolocation? If so, it should be clear in the privacy policy, and you want to approach with caution whenever a toy gathers data as sensitive as your child’s whereabouts. 

• Is the Bluetooth connection secure with a strong password? Or when you set it up, does it pair automatically with a device that’s close, without a password? This could be dangerous if the toy has a range outside your home, or if the child takes the toy to public places.
• Does it contain a GPS that can be tracked, as many smartwatches have? This should be stated in the privacy policy. Location tracking could put your child at risk if the Bluetooth connection isn’t secure. Good smartwatches and other secure products will allow you to block unauthorized pairing or require two-factor authentication.

• Does it transparently and clearly ask for permission to collect data from your child before your child begins play? Companies are required to do this by law. The privacy policy should state its practices. But if your permission isn’t required when setting up the toy, you should return the product and report the company to the FTC online or by calling (877) FTC-HELP. If you need one-on-one help, the FTC says you should contact your state attorney general.  
• Does the toy state in its privacy policy that it is a product meant for children to use, or does it say, “This product is not intended for use by anyone under 13?” If it’s the latter, stay away. It will gather data about your child as if they were an adult, even if they are under 13.
• When you’re setting up the toy and receive the notification asking for your consent, does it contain a link to the service’s privacy policy, as it must by law? If it doesn’t, that’s a flag.
• Does it tell you how the information it collects is secured and note that you have the right to get your child’s information deleted? These are required by law. If it doesn’t provide these disclosures, you should return the product and report the company to the FTC online or by calling (877) FTC-HELP. If you need one-on-one help, the FTC says you should contact your state attorney general.

• Can you find its privacy policy? If not, stay away. Reading the privacy policy is where you’ll find the answer to some of these questions:
• What types of data does it collect? Photos? Recordings? Your location? You need to decide what you feel comfortable with. You may be OK with a device knowing your location, but not recording conversations. If the privacy policy isn’t acceptable, you shouldn’t buy the product. If you already have it, you should return it.
• Does the privacy policy say any information collected gets stored on a back-end server? The more information that’s stored, the more that can get into the hands of a bad guy if there’s a breach or hack.
• Does the privacy policy specifically mention security being a priority for the data it collects? Does it tell you that it stores data securely? If not, you may want to find a product from a company that takes your family’s safety and security more seriously.
• How is the information shared and who has access to it? Does it share with or sell data to third parties? This puts you at higher risk of fraud, unwanted advertising and identity theft.
• What are the default data collection settings? Especially pay attention to settings like collecting your geolocation automatically. 
• How difficult is it to find settings on the product or app that restricts features you don’t want to be active? If it’s too cumbersome, you may want to return the product.
• Does it push advertising, particularly based on personal information collected? Its privacy policy should say whether the company or a partner uses data for marketing purposes. If you don’t want more marketing calls, texts or emails, you should opt out of having your data, including your contact information, used for marketing.

• Does it make it easy for you to find information related to children’s data, like pulling the section on children’s privacy to the top of the document? If it doesn’t make it easy, this is a flag.
• Does it say the product isn’t intended for users under 13? That means it’s probably gathering a lot of data about your child because if it were for children under 13, the law requires greater data protections. 
• Can you find and easily understand the information you need to decide whether you can control what personal data is shared and with who? If not, you shouldn’t buy the product. If you already have it, return it.
• Does the company indicate it can “update” its privacy policy? Does it indicate how you will be notified if it does update or change anything? You should have the option to sign up for an email notice, instead of needing to remember to check  the company’s website periodically to find out.

• What information does it require to create an account? You should not allow a young child to create an account without your oversight or with an email account you can’t access.
• Does the app developer have a privacy policy you can easily locate? 
• Does the app’s privacy policy state that its services are not intended for children under 13? If this is the case, it’s very likely going to collect data on your child regardless of their age. 
• What data does the app collect, according to its privacy policy? What is it used for? In your device settings, you should be able to opt out of data sharing you don’t want, such as your location or browsing history.
• Does the app include in-app purchases? You may want to look into parental controls on spending so your child doesn’t inadvertently wrack up big bills you don’t want to pay. 
• How secure is the app? Does it have social features, allowing unwelcomed messages or allowing strangers to communicate with your child? You do not want to connect it to or sign in with social media. If you don’t and your child is getting unwanted messages, you may want to look at the settings again and delete the app if the problem persists. 

Substandard practices can lead to your child spending too much money without your permission or buying things you don’t approve of. 

• Is there a monthly subscription that costs more than you want to pay?
• Does it store payment information or link to an iTunes, Amazon, PayPal or other account, or save your credit card on file? This could make it easier for your child to spend money without your authorization.
• Does the account or app have parental controls you find useful to limit or monitor spending? This can include requiring  your approval for each transaction or for transactions above a certain dollar amount. You may also be able to set alerts to better monitor your child’s spending. 
• Does it require a balance to be kept in the account? This may allow purchases without your permission.
• What’s the process for challenging a transaction?
• What’s the highest dollar amount for a single item? Apps can include purchases ranging from 99 cents to $99.99. If high-priced items are easily purchased, it may be more important to you to find and set those parental spending controls.  

Amazmic Kids Karaoke Microphone

This $15 toy karaoke microphone “uses the latest Bluetooth 5.0 technology to provide a more stable connection” – up to 33 feet, according to the online listing. It promised fast pairing and said it’s compatible to pair with a phone, tablet, laptop, etc. It also is compatible with a TransFlash card and cable connection. 

The instructions say the device requires a password to pair. Good. But the password is 0000. Not good. Further, our microphone paired in about two seconds – with no password at all. We tried this three times on three different iPhones. Same unsecure result with no password required. We were able to pair at about 30 feet. It’s troubling there doesn’t appear to be an easy way to make it undiscoverable so strangers can’t drop in on your child and send undesirable audio messages or play inappropriate music.  It does have all kinds of pretty lights. And when you play music through the speaker, it has great sound, to be honest.

VTech Kidi Star DJ Mixer

This does require a PIN, which the company encourages users to keep enabled: “VTech strongly recommends keeping the PIN security on for the use of Bluetooth transmission to avoid any connection by an unauthorized device. The disabling of the PIN security should only be used when the connection of an external device with PIN security is impossible. The use of the toy when PIN security has been disabled should be under the supervision of an adult.”

In addition, if a device tries to connect via Bluetooth, the toy requires giving it permission. The pairing process requires pressing the Bluetooth connect button to search for a nearby device. Once the device is paired, you have to press the Bluetooth input button to allow this as the audio source. It sells for about $54.

Prysyedawn Toy Smart Phone

This toy smart phone does not connect through Wi-Fi or an app. You can take photos, listen to music and play games. It also has other features such as an alarm clock and calculator. Photos are stored on an SD card. You have to connect it through a USB cord to download photos. This gives the user more control over their child’s data. This sold on Amazon for about $33.

Goopow Kids Camera-Video Camera for 3-8 Year Olds

This children’s camera takes photos and shoots video. It does not connect through Wi-Fi or an app. It says it can take up to 1440x1080P video and has other functions, including choosing different scenes. Photos and videos can be downloaded through an included card reader. This gives the user control. This is an Amazon “best-seller,” available for about $31.

Cognitoys Dino

This cloud-based, Wi-Fi-enabled smart dinosaur was introduced in 2016, aimed at 5- to 9-year-old children. The dinosaur engaged in conversations, told jokes and stories and answered questions. Connected through W-iFi and powered by IBM/Watson, it was intended to be a toy “that learns and grows with children.” 

Dino didn’t last long as the tech company behind the toy folded and the app support was discontinued. The privacy policy was disturbing. Here’s a small sample:

“Information We Collect 

“Personal Information. We collect information that possibly personally identifies you and your child, such as your full name, address, mobile phone number, wi-fi SSID, IP address, device MAC addresses, e-mail, payment information (including zip code), child’s name, child’s date of birth, child’s gender, and other personally identifiable information, that you choose to provide us with or that you choose to include in your account (“Personal Information”). For example, you may provide us with certain Personal Information when you use the Parent Panel. The “Parent Panel” is the interface available on the Site and through the Offerings, that allows parents to view Play Data (defined below) and to manage Dino settings.”

“Play Data. When a child interacts with his or her Dino, we automatically collect certain play-related information from your child and from such interactions (“Play Data”). For example, when your child plays with the Dino, we may automatically collect information about your child’s likes and dislikes, interests, and other educational metrics.” 

KAI: The Artificial Intelligence Robot
The Kosmos Artificial Intelligence robot allows users to “explore the concept of machine learning” by building and programming an intelligent, six-legged, app-enabled robot that is supposed to respond to sounds and gestures.

This toy’s privacy policy is an example of a good, easy-to-read explainer. It spans two pages of the toy’s 68-page instruction manual. A couple of excerpts below.

The last few years have seen a surge in consumer drones thanks to better technology, lower prices, increasingly user-friendly controls and opportunities for aerial photography and recreational use. As the technology continues to advance, the consumer drone industry is expected to continue to grow. An expanding market for retailers is marketing drones to children.  

Drones for children can vary greatly in price, capabilities and intended use, from indoor toys for preschoolers, to camera drones, racing drones and stunt drones. They can cost as little as $30 or can top $10,000. 

Drones come with a unique set of concerns:

1. Safety first: Drones with fast-spinning propellers can be dangerous. Collisions with people, animals or property can lead to injuries or property damage. A toddler in the UK lost an eye after being hit by a drone flown by a family friend.
2. Legal responsibilities: Drones come with unique legal responsibilities. The Federal Aviation Administration (FAA) oversees drone rules but states and localities may place additional restrictions. The FAA requires all drones that weigh greater than 0.55 lbs (250 grams) to be registered.
3. Respecting privacy: Drones equipped with cameras can intrude on others’ privacy, leading to unintentional privacy violations, which children might not fully grasp.

Roblox is one of the most popular mobile games among kids this year, cracking the top 10 in downloads for both Android and Apple. Roblox offers a creative and engaging platform for kids to design games, interact with friends and unleash their creativity, but it’s not without its potential dangers.

Inappropriate content: Roblox allows users to create and share content, leading to potentially age-inappropriate games and avatars. Instances of explicit or violent themes have been reported in Roblox games. User-made avatars can introduce children to inappropriate content.

1. Online predators: An 11-year-old girl from Delaware was kidnapped from her home by an adult who communicated to her through Roblox. She was later found safe.
2. In-app purchases and microtransactions: Roblox makes its money through in-app purchases and its artificial currency Robux. Kids may not grasp the consequences of real money spent on virtual items and spend more than parents would prefer.
   
3. Addictive nature: In 2020, 36 million people — two-thirds of them under 16 — spent more than 30 billion hours on Roblox. Its engaging gameplay can lead to excessive screen time, raising concerns with some experts about the game fostering Internet Gaming Disorder among young users.
   

Smart speakers are among the most popular Internet of Things (IoT) devices in American households. These voice-activated virtual assistants, such as Amazon Echo, Google Home and Apple HomePod, have found their way into millions of homes, offering various capabilities such as streaming music, sending messages, controlling other smart devices and conducting web searches. 

With more than 71 million Alexa-enabled devices in use as of 2023, these smart speakers have quickly become ubiquitous. However, the rise of conversational commercial products also raise significant privacy and safety concerns for both adults and children: 

1. Data collection: One of the primary issues with smart speakers is their persistent data collection. Equipped with internal microphones, these devices wait for a specific “wake word,” often the name of the virtual assistant persona created by the respective company, such as Amazon’s Alexa, Apple’s Siri, or Microsoft’s Cortana, to activate. While this system is designed to be convenient to consumers, it’s not without flaws.A 2020 study by Northwestern University researchers found that Apple, Microsoft, Google and Amazon smart speakers were prone to accidental activations, recording users’ conversations without a “wake word” prompt up to 19 times a day. In 2023, Amazon paid $25 million to settle FTC and DOJ allegations it had violated COPPA for failing to delete young users’ voice and geolocation data collected by its smart speakers.
2. Inappropriate content: Smart speakers can access content from the internet, which means children may encounter or request inappropriate content, such as explicit music, jokes or harmful advice. While these devices aim to filter profanity, third-party apps can contain content that parents may not want their children to access. In one case, academic researchers were successfully able to smuggle 234 policy-violating skills onto the Alexa Skills Store, the marketplace for third-party apps on the Echo smart speaker.
3. Voice-enabled online shopping: Smart speakers offer voice-activated online shopping, and children left unsupervised may make unauthorized purchases. This can result in high charges on a parent’s credit card, as was the case with Brooke Neitzel, a 6-year-old who unwittingly spent $160 of her mother’s money on a KidKraft Sparkle Mansion dollhouse and dozens of sugar cookies. Neitzel made the purchases by simply asking her Amazon Echo device “Can you play dollhouse with me and get me a dollhouse?”

Smartwatches can be a fun and functional wearable technology. They may provide entertainment for kids and peace of mind for parents hoping to have a way to communicate with their child before making the jump to buying a smartphone. 

There are hundreds of kids’ smart watches on the market with varying degrees of technical capabilities and at various price points. Some are very basic with low-fidelity LCD displays that allow kids to see the time and play some mobile games. They typically sell for less than $40. On the other end of the spectrum, there are watches such as Verizon’s Gizmo Watch 3, a 4G-enabled kids’ smart watch that acts as a communication device through its app with connected-GPS tracking and video calling capacities. The 8GB Gizmo Watch 3 sells for about $150.

Smartwatches come with some security and privacy considerations for parents and guardians. 

1. Location tracking risks: While location tracking is a key safety feature, it can inadvertently expose a child’s whereabouts and pose risks if data falls into the wrong hands. The Norwegian Consumer Council found multiple critical security flaws in various smartwatch brands that could expose real-time location data, and could be made by hackers to display an incorrect location — alarming if a child’s location was needed in an emergency.
2. Data privacy vulnerabilities: Some smartwatch companies share technical backend infrastructure, meaning vulnerabilities in one smartwatch can affect others. A study of children’s smartwatches in 2020 found that several lacked encryption and authentication, potentially exposing childrens’ sensitive data.
   
   Smartwatch companies have come under fire by European regulators, with kids’ smartwatches that can eavesdrop without being detected being banned within Germany. The German telecoms regulator, the Federal Network Agency (BNetzA), went as far as recommending that parents destroy these “eavesdropping” devices.

Ashley Haugen wishes they never existed. It’s been six years since her 10-month old daughter Kipley swallowed some small colorful water beads that belonged to her older sister. That was the beginning of the Texas family’s nightmare during the hours it took for the beads to be discovered and surgically removed, and the weeks after that as Ashley and her husband realized Kipley suffered from brain damage.

It also began Haugen’s mission to warn other parents and regulators about the dangers of water beads through her non-profit organization, That Water Bead Lady. 

Haugen has spent the years learning about the science and the marketing and the lack of understanding and resources. 

Unfortunately, other children have since been injured and at least one died this year after ingesting the squishy beads, which – when wet – can grow from the size of an ice cream sprinkle to an inch in diameter or larger – even 100 times their original size – and cause an intestinal blockage. 

Haugen and other parents whose children were seriously hurt after swallowing a water bead met last spring with Hoehn-Saric, along with Commissioners Mary Boyle, Peter Feldman and Richard Trumka, to plead for water beads to be better regulated or even banned.

Water beads are often sold in packages of 30,000 to 50,000. They’re tiny. They roll. They stick in hidden places. “Dry water beads can be the size of a pinhead, making them nearly undetectable if dropped on the floor or spilled in a playroom,” the CPSC says in an advisory on its website.

In September, the first recall of water beads since 2013 was announced after a 10-month-old Wisconsin baby died and a 9-month-old baby in Maine was seriously injured after swallowing one of the water beads. About 52,000 Chuckle & Roar Ultimate Water Beads Activity Kits were recalled. The water beads were sold by Target for about $15 from March 2022 through November 2022.

More importantly, the CPSC signaled more regulation and restrictions of water beads are coming. The risk is not limited to a single product, Hoehn-Saric said.

“I am deeply concerned about the hazard posed to small children from water beads,” Hoehn-Saric said. “This year we issued a recall of one water bead product following the death of a small child. We also made clear in our public messaging that water beads should never be in homes or other spaces where babies and small children may spend time.”

Haugen takes some comfort knowing her message is getting out. “I am hearing an overwhelming uproar from families across the country, signaling the increasing surge in awareness about the dangers of water beads,” she told U.S. PIRG Education Fund. 

“As a parent it is deeply unsettling to discover water beads in unexpected places, like ticking time bombs around your home, or utilized as sensory toys in your child’s school or therapy clinic without your knowledge or consent.”

Based on all of the conversations Haugen has had with families across the country, she said it’s important to realize that an injury from a water bead “can happen to any family. … Implying that better supervision or cleaner homes is the solution to preventing these incidents is misleading.”

Haugen’s goal is to get water beads banned and to warn families who may already have them in their homes.

Gowda of Kids In Danger said water beads are not worth the risk. 

“No amount of supervision can keep children safe from water beads. Even if you’re buying them for older kids, the tiny beads can spread in the home and a younger child may get hold of them,” Gowda said. 

“Get rid of any you have in your home now and then stay vigilant because families have reported that they continue to find water beads even years later.”

The letters were sent by House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA); Full Committee Ranking Member Frank Pallone, Jr. (D-NJ); Innovation, Data; Commerce Subcommittee Chair Gus Bilirakis (R-FL); and Subcommittee Ranking Member Jan Schakowsky (D-IL).

A few months earlier, in April, CPSC Chair Alex Hoehn-Saric sent his second letter in as many years to Facebook/Meta CEO Mark Zuckerberg. The message was about the same as in the 2022 letter.

Much of the ire has stemmed from sales of recalled Rock ‘n Play rockers, which have been connected to about 100 infant deaths in recent years. But the principle – that it’s illegal to sell recalled products – applies to all products, including toys. 

“Facebook is uniquely positioned to identify recalled and violative products … and stop their sale before they are listed,” Hoehn-Saric wrote. “Moreover, at best, CPSC is catching these unlawful products after they have been listed for sale and made available to the public; we do not know how many illegal sales occurred that we did not identify. … If CPSC staff can identify these illegal listings using your site, Meta indisputably can prevent them from appearing in the first place.”

To carry that further, if U.S. PIRG Education Fund can so easily find and buy recalled toys, why can’t these companies update their sites once a week to reflect the CPSC’s newly recalled products? Of course they can. For the products we bought, the listings weren’t even misspelled. Some had been recalled months before. For last year’s investigation, some of the products had been recalled a year or two before.

And some of these sites allow you to save searches and get email alerts when a new product matching those keywords is listed. So they can do that but not flag those listings? Of course they can.

The other question is why some companies, such as T.J. Maxx, Home Depot, Best Buy and Meijer have faced multi-million dollar civil penalties for selling recalled products, but companies such as Facebook Marketplace and eBay haven’t? 

“Under CPSC’s statute, different safety obligations apply when a company is a manufacturer, distributor, private labeler, or retailer of goods,” Hoehn-Saric told U.S. PIRG Education Fund. “Online marketplaces that host third-party sellers don’t fit neatly into one of those categories for most of their operations.”

It may come down to Section 230 of the 1996 Communications Decency Act, which some say insulates online platforms from being responsible for products sold illegally on their websites. It says: “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

Now, many would say that publishing opinions is one thing and allowing the illegal sale of goods is something else. Still, if Congress would amend the law, or the question would be resolved in a court case, the CPSC would have more clarity to pursue enforcement against platforms such as Facebook Marketplace and eBay, just like the regulator does with big box retailers.

CPSC Commissioner Peter Feldman told U.S. PIRG Education Fund that something needs to change with these online companies. “The status quo can’t stand,” he said. “It’s clear there’s more they can do and should be doing to keep their users safe. These firms absolutely have the resources necessary to prevent these transactions.”

If these online retailers continue to allow the sale of recalled products, the CPSC may try a different tactic than just sending letters, Feldman said. “All options are on the table.”

Aside from the interpretation of the law that may protect online retailers for now, there’s certainly no reason the companies couldn’t voluntarily block the sale of recalled products, as they do with other products they’re not allowed to or don’t want to sell, such as guns, animals or drugs.

“Yes, I share your concern about recalled, non-compliant, and dangerous products online,” said Hoehn-Saric, the CPSC chair, told U.S. PIRG Education Fund.

That’s why he met with six of the largest online marketplaces in the last year, including eBay and Facebook Marketplace, to urge them to work with the CPSC. 

“Online marketplaces can and should adopt common sense practices to protect consumers,” Hoehn-Saric said. “This includes prioritizing product safety within the companies and vetting sellers and products that platforms allow to be sold on their sites. Some companies are taking steps in the right direction, but clearly not enough is being done.”

For now, the CPSC is playing whack-a-mole. When listings for recalled products are found or reported to the CPSC, the regulator issues “take-down requests.” 

The CPSC issued more than 57,000 take-down requests to e-commerce platforms in FY23, with the vast majority of those going to Facebook Marketplace.

“This reliance on industry’s good will,” Hoehn-Saric said, “is not a long-term solution to the problem.”

The expectations for toys are high. “All children’s toys manufactured or imported on or after February 28, 2018, must be tested and certified to ASTM F963-17 (ASTM International was formerly known as American Society for Testing and Materials,” the CPSC says. 

Further, “all toys intended for use by children 12 years of age and under must be third-party tested and be certified in a Children’s Product Certificate as compliant to the federal toy safety standard enacted by Congress,” the CPSC says. The laboratory must be one accepted by the CPSC. 

The standards vary depending on the type of toy and the age group it’s marketed to. 

About 54,300 people went to emergency rooms from 2011 through 2021 after button or coin batteries were ingested or inserted in their body, such as through their nose or ear, according to CPSC estimates based on data from the National Electronic Injury

Surveillance System. Victims are usually children 4 years old and younger.

At least 32 deaths are blamed on button batteries from Jan. 1, 2011 through March 31, 2023, including three last year and two in the first three months of this year.

CPSC Commissioner Richard Trumka noted in a statement the CPSC gave product manufacturers six months to comply after its September 2023 vote. “But make no mistake: manufacturers shouldn’t wait six months — I expect them to comply with the rule ASAP. Compliance with CPSC’s rule on  button and coin cell batteries will save lives.”

The new rules for battery compartments and packages of replacement batteries will better protect children. It’s still important for parents and caregivers to make sure compartments are secure and that young children can’t access discarded or replacement batteries. 

The CPSC launched a massive labeling campaign. By Jan. 1, 1995, all newly manufactured toys intended for children 3 to 6 years old had to be labeled as a choking hazard to children younger than 3. The change was aimed at saving lives.

In 2021, one child died from choking on a toy, according to the CPSC. The 17-month-old boy swallowed a plastic toy, which was part of a playset. Still, though, more than 9,000 children age 4 or younger were treated in emergency rooms in 2021 for ingesting a toy or a piece of a toy.

To determine whether a toy or part could be a choking hazard, check whether it can fit through a cardboard toilet paper roll. If it does, it could be swallowed by a child.

Toys that contain small parts and pose a choking risk must be labeled that they’re not safe for children less than 3 years old, as the ones below are labeled prominently.

In fiscal year 2022, CBP seized 381 shipments of toys worth $7 million for copyright infringement, meaning they’re counterfeits. 

One shipment seized on a given day could contain hundreds or even thousands of the same item. 

Last year’s seizures are up from 284 shipments the year before, an increase of 34%.

“Legitimate toy companies spend significant resources to bring their products to market – including steps to certify their products are safe,” said Joan Lawrence, senior vice president of standards and regulatory affairs for The Toy Association, the industry’s trade association. 

“However, under current law, sellers on third-party online marketplaces are unfortunately able to operate anonymously and take advantage of consumer faith by selling products that may be counterfeit, stolen, or recalled and may not comply with safety laws – putting our children at risk.” 

The Toy Association has been urging Congress to pass stronger laws, aimed in particular at online marketplaces that sell all kinds of products, whether they’re counterfeit, stolen or recalled. 

Congress did pass the INFORM Act aimed at counterfeit and stolen goods, but it only cracks down on higher-volume sellers.

Counterfeit products can pose other risks, Lawrence said. They may not be appropriately age-labeled, especially if they have small parts, and they’re often made of materials of poor quality that can put children at risk. 

Counterfeit smart toys are a growing problem as smart toys become more popular.

“It may be tempting to purchase one online at a low price from an unknown seller,” Lawrence said. But these toys may violate FTC guidelines and federal children’s privacy laws, she said.

The tiny, colorful magnets are often marketed as fidget toys. But they caused 26,600 children to be rushed to hospital emergency rooms from 2010 through 2021, according to the CPSC. At least seven children have died after ingesting high-powered magnets. The problem: if two or more magnets are swallowed, they can connect and pinch internal tissue together and cause serious issues such as intestinal blockage or blood poisoning. 

Effective last year, federal standards now require magnets that are loose or able to come out of products to be either too large to swallow or weak enough to reduce the risk they’ll connect inside the body if two or more were swallowed. If magnets fail the CPSC’s small parts cylinder test – any object fits completely into a test cylinder 2.25 inches long by 1.25 inches wide, then they must have a flux index (a measurement of strength) of less than 50 kG2 mm2.

Despite the new standards, these dangerous magnets are still in many, many homes.

The incidence of injury was greatest among children 4 years old and younger: 432 out of every 100,000. That compares to 267 out of every 100,000 children 14 and younger and 63 out of every 100,000 people of all ages.

About 94% of toy-related injury patients were treated and released.

As for the types of injuries:

• 41% were classified as lacerations or contusions/abrasions. 
• 46% were to the head and face area.
• Non-motorized scooters were connected with the largest number of toy-related injuries for all ages among products classified as toys. 

There were 11 toy-related deaths among children 14 and younger in 2022: Five were related to balls, including choking on bouncy balls and blunt force trauma to the head. Others involved balloons, stuffed animals or other toys.

There is good news: The numbers of toy-related injuries for children 14 and younger decreased significantly — by more than 10% since 2015, the CPSC said.

Injuries and incidents occur when:

• Toys don’t meet standards, such as if they have parts that can easily be removed or break off and be ingested.
• Children get access to a toy not meant for a child their age, such as a small bouncy ball or building blocks.
• Children use a toy in a way that wasn’t intended. 
• Counterfeit toys are purchased.
• Toys violate our children’s privacy.

Toys that don’t meet standards or wear over time is the reason parents and caregivers should inspect new toys and consider whether a particular toy is appropriate for their child right now, said Dr. Jerri Rose, associate division chief of pediatric emergency medicine, at UH-Rainbow Babies & Children’s Hospital in Cleveland.

Issues to consider:

• Are there small parts that can break off that the child could put in their mouth? A small part is defined by the CPSC as any object that fits completely into a test cylinder 1.25 wide by 2.25 inches long. The diameter of a toilet paper tube works for a home test. This is about the size of the fully expanded throat of a child less than 3 years old.
• Could a piece of the toy break off easily and produce something sharp that could cut the child or poke an eye?
• What does the label on the box or package say? When a toy is approved and meets standards, it should say what age it’s approved for, Rose said.
• Does the label say non-toxic?
• If the toy involves electricity, does it say it’s UL-approved?
• If there are batteries, especially button batteries, are the compartments secure so they can’t be opened by a young child. Screws can come loose during shipping.
• Is your child old enough to play with the toy responsibly? Just because a child is older than 3 doesn’t mean he can automatically be trusted to not put small parts in his mouth. Parents know their children best.