Smart toys that connect to the internet may be fun, but they're also raising some alarming issues.
US lawmakers warn that personal information given to smart toys -- like kids' names, birthdays and even photos -- could be vulnerable to hackers when passed to companies' data servers.
"Unfortunately, as toys have become 'smarter' and more prevalent, some connected toy makers have failed to implement sufficient data security practices," said Florida Sen. Bill Nelson in a report (PDF) filed Wednesday by the Senate committee on commerce, science and transportation.
The report highlights privacy and security issues that arise when smart toys, an estimated $2.8 billion industry, collect personal information from parents and children. Breaches could lead to inappropriate contact, abduction or identity theft, according to the report. It cites an ID Analytics report from 2011 that estimated more than 140,000 US children are victims of identity fraud annually.
In the Senate report, Nelson referenced the November 2015 hack of toy maker VTech Electronics, which exposed the data of more than 6 million children and 4 million parents. VTech didn't respond to requests for comment, but has said its made improvements to its cybersecurity.
The report also took aim at how much information smart toys collect from parents and children. One unnamed toy maker told Senate researchers it could save information logged onto its children's tablets for up to 10 years.
"While most parents are not data privacy or security experts...parents should nevertheless make efforts to learn about the ways in which a toy maker collects, uses, and secures data -- and reject connected toys that do not provide this information," Nelson said in the report.
Last week, the Electronic Privacy Information Center filed a complaint with the Federal Trade Commission that alleges Genesis Toys, which makes the My Friend Cayla doll and the i-Que Intelligent Robot, and speech-recognition software maker Nuance Communications violated federal rules by listening to children and saving the recordings. The 1998 Children's Online Privacy Protection Act requires websites to get parental permission before making any use of data provided by kids younger than 13.
Lawmakers recommended the FTC keep a tighter eye on connected toys, while urging toy makers to improve security and only collect essential data smart toys need to operate.