The FTC is watching when your children’s toys are listening

The recent Federal Trade Commission (FTC) update to its Children’s Online Privacy Protection Act (COPPA) compliance plan, is the latest in a series of regulatory moves to bring attention to the serious cybersecurity and data privacy issues latent in the ever-expanding internet of things and the ever-smartening supply chain.

While focused on internet-enabled “smart toys,” this FTC update is also part of a larger regulatory trend which will require companies to take a fresh look not only at what opportunities their new “smart” business models open up, but also at what new vulnerabilities and new regulatory requirements emerge as well.

{mosads}The FTC has long been a leader in enforcement actions aimed at applying new technologies to COPPA, and this move likely signals enforcement actions aimed at toys that interface with the internet and capture children’s voices, record video, or otherwise collect information without necessarily requiring manual input through a keyboard or mobile application.

Since the FTC updated its COPPA rule in December 2012, it has taken numerous actions against mobile applications and third-party tracking companies, but not against smart toys. Private suits alleging violation of a child’s privacy by toys have already begun — including one in December 2015 in which parents sued two toy manufactures for enabling a popular child’s doll to upload and store conversations the child has with the doll online without adhering to the rules outlined in the act — but so far the FTC has not yet taken action.

That is likely to change. With this update, it is increasingly clear that if a smart toy is directed at children and collects private information on the child, the company collecting the information (usually the toy manufacturer or a service provider) must take several steps to ensure that the information is collected and handled in compliance with COPPA.

Beyond the issue of smart toys, updated FTC guidance also represents larger regulatory convergence around the need to apply privacy safeguards to connected objects, even the most seemingly banal. From toys to thermostats, coffee pots to refrigerators, and from cars to medical devices, a simple chip enabling an internet connection can transform a simple appliance into a powerful data collection and storage device, which may trigger regulatory requirements.

In other words, it is not just financial services, technology and telecommunications companies that must care about the privacy implications of data collection and handling — but also manufacturers of medical devices, appliances, and even children’s toys.

Furthermore, this FTC update, while concerned with privacy, actually highlights another core concern: the safety and cybersecurity vulnerabilities of the internet of things. The chip in a toy can both cause the toy to fail or melt down, as well as be part of a botnet army that could cause whole systems to fail.

For example, improperly secured smart devices, like DVR set-top boxes, wireless security cameras, and even coffee makers, were accessed this past October and used as bots to successfully carry out one of the largest distributed denial of service attacks ever seen, limiting access to a number of internet storefronts and services for the better part of a day.

Regulators are starting to see the vulnerabilities the internet of things presents for perhaps a surprising number and type of devices. For example, the Federal Drug Administration (FDA) in April sent a warning letter to a prominent medical manufacturing company about its cybersecurity practices relating to connected pacemakers. The laboratory recently announced that it had shared its detailed plans to improve cybersecurity with the FDA.

Regulators are also seeing the explosion of attack vectors from both a privacy and cybersecurity perspective as the supply chain smartens and more third parties are connected to core business functions, including the collection and retention of nonpublic information. Accordingly, regulations both at home and abroad have begun to mandate reviews of supply chains and third party contracts in an effort to further confirm that privacy and security protections implemented are pervasive.

For example, the European General Data Protection Regulation, when it enters into effect in May 2018, will require organizations comprehensively review and audit third-party contracts and supply chains to ensure compliance. The New York Department of Financial Services has cybersecurity rules for financial services companies, which similarly require firms under regulation to implement written policies and procedures to “ensure the security” of information systems and nonpublic Information that are “accessible to, or held by” third-party service providers.

It is unlikely that a manufacturer will partner with a financial services company registered in New York to develop a smart toy for toddlers (although a “fun” device geared at older children designed to teach them how to handle “my first bank account” is conceivable). But the point is that regulators across the spectrum are signaling the need for companies to review all those third parties who touch sensitive data or incorporate chips into their products to recognize that new vulnerabilities exist and laws and regulations seemingly inapplicable actually do apply.

Therefore, whether a company manufactures smart toys or not, the one key takeaway from FTC’s latest COPPA guidance is that new technologies can raise privacy and cybersecurity concerns in surprising ways. Companies that manufacture and have smart components as part of their supply chain, or have third parties connect to their networks, not only have new business opportunities, but also face new risks associated with cybersecurity vulnerabilities and regulatory responsibilities. Thus, companies need to take a fresh look at what their supply chains and their new, “smart” business models not only enable, but require.

Michael Bahar is leader of the U.S. cybersecurity and privacy team at Eversheds Sutherland. He previously served as staff director and general counsel to the minority staff of the U.S. House of Representatives Permanent Select Committee on Intelligence and as deputy legal adviser to the National Security Council under President Obama.

The views expressed by contributors are their own and are not the views of The Hill.