back to checklists

Privacy in Internet-Connected Toys

Many of the devices we buy are now connected to the internet in some fashion, we call these devices Internet of Things or IoT for short. But there is a new type of IoT devices on the market: children's toys, which is giving IoT a new meaning. The Internet of Toys refers to children's toys that can connect through Wi-Fi or Bluetooth to the internet. This raises the question of how do you keep your children's personal information safe from hackers and other breaches containing sensitive personal information? This checklist takes you through a detailed account of what to watch for and actions to take in order to prevent your children’s IoT toy from creating a privacy nightmare for your family.

Privacy protection for IoT toys occurs in two stages. The first is before you purchase the toy, and the second are the preventative measures to take after you purchase the toy. The first half of the list provides the issues you should be aware of before you purchase an IoT toy and the second part of the list provides measure to take after you purchase the toy to ensure the upmost privacy in your home.

Before you buy the toy you should research the following factors:

  • Know how the toy connects to the internet

  • Know what the toy can do and how it interacts with its surroundings.

  • Watch for any "red flags" when initially purchasing the toy.

  • Know where user data is stored – with the company, third party services, or both – and whether any publicly available reporting exists on their reputation and posture for cyber security

  • Conduct research into any known reported security issues using online resources from sites that conduct cyber security research, consumer product reviews, and child and consumer advocacy.

  • Know if the company will notify you under the following circumstances:

  • Only connect and use toys in environments with trusted and secured Wi-Fi Internet access.

  • When setting up the device, make sure to read through each screen and don’t press “yes” until you understand the terms. You will often have the option to press “no.” This can be especially important for such features as GPS tracking and downloading.

  • Provide only what is minimally required when inputting information for user accounts (e.g., some services offer additional features like birthdays or information on a child’s preferences are provided)

  • Use strong and unique login passwords when creating user accounts (e.g., lower and upper case letters, numbers, and special characters)

  • When Connecting the toy to the internet:

  • If your toys receives firmware and/or software updates and security patches then always install the new software, firmware, or security patches as this will keep the toy more secure than using outdated software etc.

  • Monitor your children’s interactions with the toy(s) (such as conversations and voice recordings) through the toy’s partner parent application, if such features are available.

  • Turn the toy “off” when not in use, particularly those with microphones and cameras. These devices have the potential to continue uploading user data when not in use and this leaves the toy vulnerable to attack.

  • If you suspect your child’s toy may have been compromised, you can file a complaint with


back to checklists

The Office of Privacy and Data Protection announces beta testing of “Privacy Modeling,” a new web application that identifies the privacy laws relevant to the product or service you wish to create.

Go to Privacy Modelling App

Something went wrong. Please try again.