Connected toys: CNIL publicly serves formal notice to cease serious breach of privacy because of a lack of security
The Chair of the National Data Protection Commission (CNIL) issues formal notice to the company GENESIS INDUSTRIES LIMITED to secure its web-connected toys intended for children: the doll « My Friend Cayla » and the robot « I-QUE ».
The robot « I-QUE » and the doll « My Friend Cayla » are so-called “connected toys”. They answer children’s questions on various subjects, such as mathematical calculations or the weather. The toys are equipped with a microphone and a speaker and are associated with a mobile application that can be downloaded onto smartphones or tablets. The application retrieves the answer from the internet and the toy speaks it to the child.
Alerted in December 2016 by a consumer association to the lack of security of the two toys, the Chair of the CNIL decided to carry out online inspections in January and November 2017. In March 2017 she also sent a questionnaire to the company, which is located in Hong Kong.
These inspections established that the company collects a multitude of personal data about children and their family and friends: voices, the content of conversations with the toys (which can reveal identifying data such as an address or a name…) and also the information entered in the form of the “My Friend Cayla App” application.
Several breaches of the French Data Protection Act have been observed, in particular:
Violation of the right to privacy because of a lack of security
CNIL inspectors observed that any individual located 9 meters away from the toys, outside a building, can connect (or “pair”) a mobile phone to the toys over the Bluetooth wireless standard without any form of authentication (for instance, a PIN code or pressing a button on the toy).
An individual at that distance is able to listen to and record the conversations between the child and the toy, as well as any conversation taking place nearby.
The CNIL delegation also observed that it was possible to communicate with the child close to the product through two methods:
- Either by playing, through the toy’s loudspeaker, sounds or words previously recorded with the “Dictaphone” application available on some mobile phones;
- Or by using the toy as a “hands-free kit”: one only has to call the phone paired with the toy from another phone in order to talk with the child near it.
The Chair of the CNIL considered that this lack of security, which allows anybody with a Bluetooth-equipped device to pair with the toys without the knowledge of the children or the toys’ owners and to access conversations between friends or family, breaches Article 1 of the French Data Protection Act, which provides that information technology “shall not violate human identity, human rights, privacy, or individual or public liberties”.
Lack of information for the toys’ users
Even though the company processes personal data, the Commission’s delegation observed that the toys’ users are not informed of the data processing carried out by the company. Nor are they informed that the company transfers the content of conversations to a service provider in a non-EU country.
The Chair of the CNIL therefore decided to issue formal notice to the company GENESIS INDUSTRIES LIMITED to comply with the Data Protection Act within two months.
In view of the invasion of privacy, the particular vulnerability of the public concerned and the need to inform individuals of this lack of security, the Executive Committee of the CNIL decided to make this formal notice public.
For the record, the CNIL wishes to state that formal notices are not sanctions and no further action will be taken if the company complies with the Act within the specified timescale, in which case the notice proceedings will be closed and this decision will also be made public.
Should GENESIS INDUSTRIES LIMITED fail to comply with the formal notice within the specified timescale, the Chair may appoint an internal investigator, who may propose that the CNIL’s restricted committee, which is responsible for examining breaches of the Data Protection Act, impose a sanction on the company.