Connected toys: closure of the formal notice procedure served on GENESIS INDUSTRIES LIMITED

20 July 2018

The Chair of the French data protection authority (CNIL) publicly issued a formal notice to the company GENESIS INDUSTRIES LIMITED on 20 November 2017 regarding the security of the connected toys « My Friend Cayla » and « I-QUE ». In view of the responses given, the Chair has decided to close the formal notice procedure.

Alerted by a consumer association to the lack of security concerning the two toys, the Chair of the CNIL had decided to send a questionnaire to the company located in Hong Kong and to carry out online inspections.

The lack of security of these toys, which allows anyone with a device equipped with the Bluetooth wireless technology standard (a smartphone, for instance) to connect to them without the knowledge of the children and the toys’ owners, led the Chair of the CNIL to issue a formal notice on 20 November 2017 to the company GENESIS INDUSTRIES LIMITED to comply with the Data Protection Act within two months.

The company’s responses and subsequent controls by the CNIL

The company GENESIS INDUSTRIES LIMITED has dealt with several of the issues raised in the formal notice. Moreover, further controls were carried out by the CNIL in order to verify the assertions made by the company.

The company has in particular informed the Chair that speech recognition technology is no longer used when playing with the toy.

The controls carried out by the CNIL on 8 and 9 February 2018 confirmed that speech recognition, a necessary technology allowing the toys to answer the questions asked by the children, was no longer used by the company. The conversations held with the toys are no longer transferred to the servers of a third-party company in charge of the speech-to-text conversion processing.

As a result, the use of the toys no longer processes personal data that falls under the scope of the Act of 6 January 1978. The Chair of the CNIL has therefore closed the formal notice procedure.

However, the CNIL observed that it is still possible to pair any device equipped with the Bluetooth wireless technology standard with the toys, without any authentication whatsoever, and that the toys are still sold in France. Considering the security and conformity issues that still persist outside the scope of the Data Protection Act, the Chair of the CNIL decided to alert the Directorate-General for Competition, Consumer Affairs and Prevention of Fraud (DGCCRF), which is responsible for ensuring the security and conformity of products and services.
