Information Commissioner's Office
The 12 ways that Christmas shoppers can keep children and data safe when buying smart toys and devices
In an increasingly digital world, more and more toys and devices aimed at children now have internet-connected technology. As the Christmas shopping season begins, many parents will be considering buying them for their children.
The ICO supports innovation and creative uses of personal data, but this cannot be at the expense of people’s privacy and legal rights, whatever their age. Concerns have been raised in recent months, not only in the UK but in Europe and the USA, that the growth in toys containing sensors, microphones, cameras, data storage and other multi-media capabilities could put the privacy and safety of children at risk.
There have also been data protection concerns relating to some products over what data is collected, by whom, where it is stored and how it is secured.
The Information Commissioner’s Office (ICO) wants parents, guardians and others to consider data protection and privacy issues in the same way they would check on the safety of presents they are planning to give to their children.
You wouldn’t knowingly give a child a dangerous toy, so why risk buying them something that could be easily hacked into by strangers?
In the same way that safety standards are a primary consideration for shoppers buying toys, we want those buying connected items in the coming weeks to take a pause and think about both the child’s online safety, and also the potential threat to their own personal data such as bank details, if a toy, device or a supporting app is hacked into.
Unlike Santa, those looking to hack into your devices don’t care whether you’ve been naughty or nice, so the ICO has the following advice for grown-ups considering buying smart toys and devices this Christmas:
- Research the security of a product before buying
Doing your homework before buying a connected device should allow you to recognise those with poor security. Research online reviews and manufacturers’ websites for information on privacy notices and policies. You should also look to see how a product will be updated in the future if a security issue is identified.
- Take care when shopping online
At this time of year, when online shopping is nearing its peak, scammers may be more likely to try to access your personal information such as bank account or credit card details. Only use secure sites when shopping online – secure sites usually carry the padlock symbol. Get Safe Online has advice on how to protect yourself.
- Take your time
Don’t wait until Christmas Day, when excited children will want to just turn on a new toy or device and skip as much of the set-up process as they can. Take the time beforehand to read the manual and familiarise yourself with the security and privacy options available to you.
- Change passwords and usernames from default
Default password or code protection will only provide the most basic security. Default credentials for many devices can be freely available on the web. You should always change the defaults immediately and choose a suitably strong password. Use a different password for each account and device.
- Is your router secure?
Your router is the first line of defence on the perimeter of your home network. If you have devices connected to your network, the default settings of your router might be exposing them to the internet and therefore everyone else. Create a strong password and look out for and install security updates.
- If there’s a two-step identification option – use it
Two-step authentication offers you an additional layer of security when logging in to an online service. While few devices will offer this service, the website you use to view its data might.
- Be camera aware – you never know who’s watching
Some toys and devices are fitted with web cameras. The ability to view footage remotely is both their biggest selling point and, if not set up correctly, potentially their biggest weakness, as the baby monitor hacking issue of a few years ago demonstrated. If you have no intention of viewing footage over the internet, then turn the remote viewing option off in the device’s settings, or else use strong, non-default passwords.
- Location, location, location
One of the main selling points of children’s smart watches is the ability for parents to know where their children are at all times. However, if this isn’t done securely, then others might have access to this data as well. Immediately get rid of default location tracking and GPS settings and set strong, unique passwords.
- Bluetooth ache
It is not just potentially insecure web connections that can put children‘s online safety at risk. Some toys and devices have been found to have unencrypted Bluetooth connections which can be easily accessed by strangers. Consider disabling this in a device’s settings or, where possible, set a strong password.
- Children have information rights too
Have age-appropriate conversations with children about their online safety. Children’s information rights and privacy are a key area of concern for the ICO. We are funding independent research into this area, are active members of the UK Council for Child Internet Safety and new legislation coming next year will also strengthen children’s legal rights.
- If in doubt, don’t splash out
If you aren’t convinced a smart toy or connected/wearable device will keep your children or your personal information safe, then don’t buy it. If consumers reject products that won’t protect them, then developers and retailers should soon get the message.
- Have a secure Christmas
By taking some time and care beforehand and following our advice, you can still see a child’s face light up when they open their new, web-connected Christmas present, safe in the knowledge that you are keeping them secure as well as happy.
The ICO and other stakeholders are also working with manufacturers, wholesalers and retailers through the Secure By Default project, which aims to encourage data protection considerations from the outset in product development and commercial purchasing decisions, providing better protection for consumers in future.
Latest News from
Information Commissioner's Office
ICO fines national takeaway pizza company for unlawfully sending marketing messages to its customers16/06/2021 13:05:00
The Information Commissioner’s Office (ICO) has fined Papa John’s (GB) Limited £10,000 for sending 168,022 nuisance marketing messages to its customers without the valid consent required by law.
ICO fines three companies £415,000 for nuisance marketing10/06/2021 12:25:00
The Information Commissioner’s Office (ICO) has fined three separate companies a total of £415,000 for sending nuisance marketing to people about car finance, solar panels and funeral plans.
Elizabeth Denham welcomes a delay to the launch of the GPDPR10/06/2021 10:38:00
Elizabeth Denham recently (08 June 2021) welcomed a delay to the launch of the GPDPR.
Statement in response to concerns around the GP Data for Planning and Research programme08/06/2021 16:15:00
Statement in response to concerns around the GP Data for Planning and Research programme.
Conservative Party fined £10,000 for sending unlawful emails03/06/2021 12:05:00
The Information Commissioner’s Office (ICO) has fined the Conservative Party £10,000 for sending 51 marketing emails to people who did not want to receive them.
Blog: How the digital design community can help shape the ICO’s work on the Children’s Code28/05/2021 12:25:00
A blog by Georgina Bourke, Principal Technology Adviser specialising in UX Design.
Blog: Spotlight on the Children’s Code standards – data protection impact assessments28/05/2021 09:10:00
A blog by Michael Murray, ICO’s Head of Regulatory Strategy.
Amex fined for sending four million unlawful emails21/05/2021 12:25:00
The Information Commissioner’s Office (ICO) has fined American Express Services Europe Limited (Amex) £90,000 for sending more than four million marketing emails to customers who did not want to receive them.
ICO and CMA set out blueprint for cooperation in digital markets19/05/2021 14:20:00
The Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) have published a joint statement, setting out their shared views on the relationship between competition and data protection in the digital economy.