The Internet of Toys: Playing Games with Children’s Data?

  • Ingrida Milkaite
  • Eva LievensEmail author
Part of the Studies in Childhood and Youth book series (SCY)


Children are increasingly the subject of data collection practices. A growing point of contention is the way in which the Internet of Things (IoT), and in particular the Internet of Toys, affects children and their rights to privacy and data protection. This chapter conducts an exploration of key fundamental rights and data protection legislation that are relevant to the Internet of Toys context in the United States and the European Union. Adopting a children’s rights perspective, it conducts an analysis of the US Children’s Online Privacy Protection Act, the EU General Data Protection Regulation and the future ePrivacy Regulation, and it reflects on their implementation and enforcement in practice. Finally, it makes a number of practical recommendations for Internet of Toys actors, policymakers and regulators.


Connected toys Children’s rights Privacy Data protection Children’s Online Privacy Protection Act (COPPA) General Data Protection Regulation (GDPR) ePrivacy regulation 


  1. Article 29 Working Party. (2017a). Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC) WP 247.Google Scholar
  2. Article 29 Working Party. (2017b). Guidelines on Data Protection Impact Assessment (DPIA) WP 248 REV 01.Google Scholar
  3. Article 29 Working Party. (2018a). Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679 WP 251 REV 01.Google Scholar
  4. Article 29 Working Party. (2018b). Guidelines on Consent under Regulation 2016/679 WP 259 REV 01.Google Scholar
  5. Article 29 Working Party. (2018c). Guidelines on Transparency under Regulation 2016/679 WP 260 REV 01.Google Scholar
  6. Borgesius, F. Z., & Lievens, E. (2019). Commentary Article 8 GDPR, Conditions applicable to child’s consent in relation to information society services. In M. Cole & F. Boehm (Eds.), Commentary on the general data protection regulation. Cheltenham: Edward Elgar (forthcoming).Google Scholar
  7. Chaudron, S., Di Gioia, R., Gemo, M., Holloway, D., Marsh, J., Mascheroni, G., & Yamada-Rice, D. (2017). Kaleidoscope on the internet of toys—Safety, security, privacy and societal insights (No. EUR 28397 EN). Luxembourg: European Union.Google Scholar
  8. Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, 4 November 1950, ETS 5.Google Scholar
  9. Council of Europe, Modernised Convention for the Protection of Individuals with Regard to the Automatic Processing of Individual Data, 10 0ctober 2018, CETS 223.Google Scholar
  10. European Commission. (2017). Proposed regulation on privacy and electronic communications.Google Scholar
  11. European Consumer Organisation. (2017). Proposal for a Regulation on Privacy and Electronic Communications (e-Privacy). BEUC Position Paper, BEUC-X-2017–059—09/06/2017.Google Scholar
  12. European Data Protection Supervisor. (2017). Opinion 6/2017 on the Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation).Google Scholar
  13. European Parliament Committee on the Internal Market and Consumer Protection. (2017, October 23). Opinion on the proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).Google Scholar
  14. European Union. (2012). Charter of Fundamental Rights of the European Union, 26 October 2012, /C 326/02.Google Scholar
  15. Federal Bureau of Investigation. (2017, July 17). Consumer notice: Internet-connected toys could present privacy and contact concerns for children.
  16. Federal Trade Commission. (2013a). Children’s online privacy protection rule (‘COPPA’). 26 February 2018.
  17. Federal Trade Commission. (2013b). FTC grants approval for new COPPA verifiable parental consent method. 26 February 2018.
  18. Federal Trade Commission. (2015). Complying with COPPA: Frequently asked questions. 26 February 2018.
  19. Federal Trade Commission. (2018a, February 26). VTech Electronics Limited.
  20. Federal Trade Commission. (2018b, February 15). Electronic toy maker VTech settles FTC allegations that it violated children’s privacy law and the FTC act.
  21. Future of Privacy Forum, & Family Online Safety Institute. (2016). Kids & the connected home: Privacy in the age of connected dolls, talking dinosaurs, and battling robots.
  22. Gray, S. (2017). Federal trade commission: COPPA applies to connected toys. February 26, 2018.
  23. Halzack, S. (2015, March 11). Privacy advocates try to keep ‘creepy,’ ‘eavesdropping’ Hello Barbie from hitting shelves. Washington Post.Google Scholar
  24. Harris, M. (2016, May 26). Virtual assistants such as Amazon’s Echo break US child privacy law, experts say. The Guardian.Google Scholar
  25. Holloway, D., & Green, L. (2016). The internet of toys. Communication Research and Practice, 2(4), 506–519. Scholar
  26. Huggler, J. (2017). Germany bans internet-connected dolls over fears hackers could target children.
  27. Information Commissioner’s Office. (2017). Consultation: Children and the GDPR guidance.
  28. Lievens, E., Livingstone, S., McLaughlin, S., O’Neill, B., & Verdoodt, V. (2018). Children’s rights and digital technologies. In U. Kilkelly & T. Liefaard (Eds.), International human rights of children. Scholar
  29. Lievens, E., & Verdoodt, V. (2018). Looking for needles in a haystack: Key issues affecting children’s rights in the general data protection regulation. Computer Law & Security Review, 34(2), 269–278.CrossRefGoogle Scholar
  30. Livingstone, S., & Haddon, L. (2009). EU kids online: Final report. LSE. London: EU Kids Online (EC Safer Internet Plus Programme Deliverable D6.5).CrossRefGoogle Scholar
  31. Livingstone, S., & O’Neill, B. (2014). Children’s rights online: Challenges, dilemmas and emerging directions. In S. van der Hof, B. van den Berg, & B. Schermer (Eds.), Minding minors wandering the web: Regulating online child safety (pp. 19–38). The Hague and The Netherlands: Springer with T. M. C. Asser Press.Google Scholar
  32. Lupton, D., & Williamson, B. (2017). The datafied child: The dataveillance of children and implications for their rights. New Media & Society, 19(5), 780–794.CrossRefGoogle Scholar
  33. Manning, C. (2016). Challenges posed by big data to European data protection law.
  34. Mascheroni, G., & Holloway, D. (2017). The internet of toys: A report on media and social discourses around young children and IoToys. DigiLitEY.Google Scholar
  35. McReynolds, E., Hubbard, S., Lau, T., Saraf, A., Cakmak, M., & Roesner, F. (2017). Toys that listen: A study of parents, children, and internet-connected toys. ACM Press.
  36. Milkaite, I., & Lievens, E. (2018, May). GDPR is here: Mapping the GDPR age of consent across the EU. Better Internet for Kids.
  37. Montgomery, K., & Chester, J. (2017). Data protection for youth in the digital age: Developing a rights-based global framework. European Data Protection Law Review, 1(4), 277–291.Google Scholar
  38. Montgomery, K. C., Chester, J., & Milosevic, T. (2017). Ensuring young people’s digital privacy as a fundamental right. In International handbook of media literacy education. London: Routledge. CrossRefGoogle Scholar
  39. Newcomb, A. (2017). That chatty smart toy your kid loves is now part of an FBI alert. February 18, 2018.
  40. Rouvroy, A. (2016). ‘Of data and men’: Fundamental rights and freedoms in a world of big data. Council of Europe, T-PD-BUR(2015)09REV.Google Scholar
  41. Turner, K. (2016, June 6). Analysis: The internet of things has a child privacy problem. Washington Post.Google Scholar
  42. UN Committee on the Rights of the Child. (2014). Report of the 2014 day of general discussion “Digital media and children’s rights”.Google Scholar
  43. UN General Assembly, Convention on the Rights of the Child, November 20, 1989,1577 UNTS 3.Google Scholar
  44. UN General Assembly, International Covenant on Civil and Political Rights, December 16, 1966, 999 UNTS 171.Google Scholar
  45. UN General Assembly, Universal Declaration of Human Rights, December 10, 1948, 217 A(III).Google Scholar
  46. United States Congress. (1998). Children Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506.Google Scholar
  47. van der Hof, S. (2017). I agree … Or do I?—A rights-based analysis of the law on children’s consent in the digital world. Wisconsin International Law Journal, 34(2), 101–136.Google Scholar
  48. van der Hof, S., & Lievens, E. (2018). The importance of privacy by design and data protection impact assessments in strengthening protection of children’s personal data under the GDPR. Communications Law, 23(1), 33–43. Google Scholar
  49. van Hoboken, J., & Zuiderveen Borgesius, F. J. (2015). Scoping electronic communication privacy rules: Data, services and values. JIPITEC, 6, 198.Google Scholar
  50. Verdoodt, V., & Lievens, E. (2017). Targeting children with personalised advertising: How to reconcile the best interests of children and advertisers. In G. Vermeulen & E. Lievens (Eds.), Data protection and privacy under pressure: Transatlantic tensions, EU surveillance, and big data. Antwerp: Maklu. Google Scholar
  51. Vincent, J. (2015). This ‘smart’ Barbie is raising concerns over children’s privacy.

Copyright information

© The Author(s) 2019

Authors and Affiliations

  1. 1.Law and Technology, Faculty of Law & CriminologyGhent UniversityGhentBelgium

Personalised recommendations