Playing safe? The nuts and bolts of connected toys

You may have noticed recent media coverage about internet-enabled toys, often referred to as ‘connected toys’. Whether it’s talking dolls, robotics, wearables or children’s tablets and phones, they’re increasingly popular, and widely available.

While connected toys can offer benefits for children through interactive play and education, they also raise privacy, security and safety risks. For parents, this can be a real concern.

Understanding how these toys work, and the data that can be collected by businesses who offer these toys, is important in helping parents know how to best safeguard their children while they play.

How do they work?

Internet-enabled toys work by connecting wirelessly to the internet. In most cases users need to connect toys with smart devices, such as mobiles, tablets and desktop computers, through an associated app.

Different toys have different data-processing capabilities and functions, depending on the type of sensors and technology they use. Some toys also include microphones and speech recognition software. This is becoming more common—where toys can talk to, and interact with, children by translating their words into text. Connected toys might also come with screens and web browsers, built-in cameras and sensors that guide and monitor a child’s task and play.

Connected toys can collect data from users. This data is generally sent to a remote server where it is stored and processed, often generating a return signal that prompts the toy to respond.

What types of data do they collect?

Connected toys can collect a variety of data from you and/or your child as you set up the necessary online account. Data can also be collected as they interact and play with the toy. Depending on the toy, data collected could include your child’s name, gender, date of birth and other information like their geolocation, profile picture and chat and voice messages.

These toys can also collect information about your child’s online habits and preferences, such as favourite websites, achievements in a game and audio and video recordings.

What are the risks?

The risks in connected toys include privacy and security issues which can vary depending on the type of data collected, whether the data is stored locally or sent externally (such as cloud storage), and whether any third-parties share the data.

The level of risk depends on the toy’s capabilities. Some may have only limited capabilities, and pose less of a risk. These toys use simple speech recognition where they work to a pre-set script, and questions and answers are limited to information such as favourite colour.

Even with the more simple connected toys, it’s important to be aware that things can go wrong. One example is where a company offering connected toys and devices has failed to secure the information they collect. In one case, customer data, including passwords and messages between children and parents, were stored on an unsecured server, leaving this information vulnerable to hackers. The toys themselves can also be hacked when manufacturers have not developed them with strong enough safety settings.

Ideally, toy manufacturers should put safety and privacy at the forefront when developing a connected device and ensure security of data before a product goes to market. It’s important to remember that something new out of a box does not always mean it is safe and secure.

A significant example of how hackers can exploit security vulnerabilities of connected devices includes the 2016 Dyn cyberattack which resulted in a blackout of some major websites, like the New York Times, Netflix and Twitter. This was done by exploiting the vulnerabilities of connected devices such as security cameras, DVR players and baby monitors.

For connected toys, vulnerabilities like this mean that would-be-attackers could also ‘hijack’ a toy and device, and directly access data through the toy. They may be able to listen in on conversations, communicate directly with a child through the toy and direct the toy to perform in a way not expected by the child or parent.

What can I do?

Sounds scary, but the reality is that connected devices, whether toys or other items, are becoming more integrated in our homes and lives. We can’t ignore that connected toys can open up new and exciting ways for children to learn and play. But it helps to be informed when you make a choice about which toy you want your child to interact with. Here’s how you can help:

  • stay informed about any security and software updates for the toy
  • be aware that toys may collect personal information directly from your child
  • check if any recording devices can be manually de-activated
  • ensure that your home network is secure and your devices are behind a firewall
  • look to change any default usernames and passwords
  • understand what happens with the information you, or your child, provide when setting up the account or through interactive play—are there any third party companies, apps or software that can access your data?

As a parent, you are your child’s best guide both in the real world, and the all-important world online. Help them by learning more about privacy, personal information and popular connected toys at

For more about safety by design, read Commissioner, Julie Inman Grant’s blog.