How to read a smart toy’s privacy policy

What to look for in the fine print when buying a high-tech toy for your kid

It's important to read the terms & conditions and privacy policies for internet-connected and smart toys. These toys can collect data on your child during play. Here's what to look for.

Pixnio, CC0 | Public Domain
The internet has become a central part of children's lives.

Smart and internet-connected toys are growing in popularity. These high-tech can gather a lot of data about children during play. You want to do your homework before buying a smart toy for your child, and that includes looking at the toy’s fine print for answers to key questions. We’ll walk through good questions to ask below.

Before we begin, it’s worth saying that reading terms & conditions and privacy policies is hard. They’re full of legal lingo and can hide important information. It’s very normal to feel confused when looking at these documents. We’re here to help.

The terms & conditions and privacy policy documents are usually two separate documents – you’ll want to find both.

Where to find the privacy policy and terms & conditions documents

Typically, you’ll find these somewhere on the toy manufacturer’s website. A lot of times it’ll be at the very bottom of their site with a little link that says “terms & conditions” or “privacy” or “legal information”. You can also search the name of the company and “privacy policy” online and see if that helps you find it.

Businesses are legally required to post both terms & conditions and privacy policies, but that doesn’t mean they’re easy to find. If you can’t find these documents, it’s better to move on and find a different toy made by a different company that’s more transparent.

Other companies

Sometimes smart toy manufacturers partner with other tech companies to deliver all the features of a smart toy. If this is the case, you’ll want to find the privacy policies for each. They’ll have their own documents, and you may find something in that fine print that you don’t like. You can usually find a toy manufacturer’s tech partners on the toy’s informational page on the manufacturer’s site, in its FAQs, or in the manufacturer’s privacy policy (we’ll help you find where).

If the toy has an app you have to download in order to play, the app will have its own fine print. You’ll definitely want to find this. Devices like smartphones and tablets are capable of sucking up a lot of unnecessary data, and app developers in general are notorious for collecting children’s data illegally. You should be able to find the privacy policy in the app’s description in the app store. There’s usually a link listed there. If it’s not, try looking at the app company’s website. If you can’t find it there either, better to leave this toy behind.

What to look for in the fine print

Once you’ve found the documents, it’s important to try and find answers to key questions. 

  1. Does the toy have a child-specific privacy policy?

    Any product designed for children should have a separate children’s privacy policy, or at least a section of its privacy policy dedicated to the rights of children. To find it quickly, search the privacy policy for the word “child”. If a child-specific section or document doesn’t exist – or you can’t easily find it – this is a red flag from the get go.

    Suggested search terms for scanning the fine print: child, minor.

     

  2. If the toy has a microphone or camera, is it recording your child’s interactions with it? Are those communications transferred anywhere? To whom, and for what purpose?

    This data can be sensitive and even dangerous if it falls into the wrong hands.

    Suggested search terms: camera, microphone, voice, photo, recording, transcript, video.

     

  3. Is the toy collecting any other information about your child?

    You want to be pretty careful with toys that gather your child’s location in particular.

    Suggested search terms: location, geolocation.

    Is your child’s data being shared with other companies? 

    Manufacturers may sell, share or transfer your child’s data to other parties, and if they do, you want to see a list of names. Privacy policies may just say “we share your information with service providers” or “third parties” or “business partners” and then give you no clue about who those entities are. The best toy manufacturers will follow any of these phrases up with specific names of who, exactly, is getting your child’s data.

    If other companies are named, you’ll want to find their privacy policies, too, and look for the answers to the same questions we’re walking through now.

    Suggested search terms: data, personal information, transfer, share, sell, third party, third parties, service provider, partner, business.

     

  4. Does the company retain the right to share your child’s data with advertisers?

    Any manufacturer that states it can share data with advertisers is likely worth staying away from – advertisers tend to have weaker security protocols in place and tend to share data with a lot of other companies. Plus, targeted ads to kids has been linked with unhealthy habits, like craving junk food. In a privacy policy, targeted advertising may also be called “interest-based” or “personalized” advertising.

    Suggested search terms: advertiser, advertising, marketing.

     

  5. Can you request a record of your child’s data so you can see what the company has on file? And can you request your child’s data be deleted?

    You want to have control over your kid’s information. You want to be able to delete data if, for example, you have reason to believe your child overshared some sensitive information. You’ll also want to delete data once your child outgrows a toy, so you can make sure the company isn’t holding onto information unnecessarily, which can put your kid at risk during a data breach even months or years down the line.

    Suggested search terms: delete, deletion, parental access, personal information rights, your rights.

     

  6. If there’s a data breach, will you be notified?

    You want a company that commits to transparent communication if there’s a possibility your child’s data has been compromised in any way.

    Suggested search terms: security, breach, hack, notify, communication.

     

  7. Does the company state it is allowed to change the terms & conditions or privacy policy without notifying you?

    This can be a red flag if they can make big changes without alerting you, especially if those changes include the types of data they collect and who they share it with.

    Suggested search terms: change, revision, revised, edited, notify. 

Unfortunately, it’s possible after hunting down all the documents and reading the fine print that you won’t be able to find the answers to all of these questions. These documents can leave out important information, like a full list of companies the manufacturer may share your child’s data with. If this is the case, it’s safer to find a different toy made by a company that takes the security of your child more seriously.

 

Topics
Authors

R.J. Cross

Director, Don't Sell My Data Campaign, U.S. PIRG Education Fund

R.J. focuses on data privacy issues and the commercialization of personal data in the digital age. Her work ranges from consumer harms like scams and data breaches, to manipulative targeted advertising, to keeping kids safe online. In her work at Frontier Group, she has authored research reports on government transparency, predatory auto lending and consumer debt. Her work has appeared in WIRED magazine, CBS Mornings and USA Today, among other outlets. When she’s not protecting the public interest, she is an avid reader, fiction writer and birder.