EPIC, a digital rights non-profit organizations, filed a complaint with the FTC against Chinese toy manufacturer Genesis Toys and speech recognition technology provider Nuance Communications for violating both children-specific privacy laws and general privacy laws in the United States.
“Smart Toys” Exposing Children To Hacks And Spying
Last year, Mattel’s “Hello Barbie” doll came under fire by Campaign for a Commercial-Free Childhood (CCFC) for recording children’s voices and then sending those recordings to the company’s servers for analysis. The CCFC argued that this was a privacy violation because Mattel was recording children without parental approval.
Often, the companies behind such “smart toys” don’t even use good security, which makes those recordings vulnerable to hackers. The “Hello Barbie” toy was found to be vulnerable to remote hacking, and last year we also saw a large data breach of a Hong-Kong-based toy manufacturer that exposed 4.9 million accounts of parents and 6.3 million accounts of children. Almost half of the accounts were from parents and children living in the United States.
EPIC Complaint
EPIC, along with the CCFC, the Center for Digital Democracy (CDD), and the Consumers’ Union (which is Consumer Reports’ policy and mobilization division), accused Genesis Toys and Nuance Communications of recording users without parental consent, which violates U.S. privacy laws. The complaint specifically mentioned two smart toys called My Friend Cayla and the i-Que Intelligent Robot.
The main target of the complaint is Nuance, because that’s where all the recorded data goes. EPIC said that Nuance doesn’t comply with children's privacy laws such as the Children’s Online Privacy Protection Act of 1998 (COPPA).
Because of its too-general privacy policy, EPIC fears that Nuance may also use the automatic listening capability on the two toys to record children, as well as parents and others around the children, for law enforcement purposes. Nuance offers biometric voice identification services to law enforcement by analyzing voices of people who use its speech recognition services in consumer products. It then gives law enforcement access to all of its stored 30 million voiceprints for the purpose of fighting crime.
The company’s “Nuance Identifier” service is described as follows:
“Nuance Identifier is a highly accurate voice biometric solution that allows public security officials to quickly and easily identify known individuals through their voice within large audio data sets, as well as enroll voiceprints for individuals under surveillance or investigation to:
Connect the dots – quickly
Deliver operational efficiencies by minimizing manual audio analysis”
Genesis Toys was also accused of not having a privacy policy on its website or on the mobile app that controls the toys. The toys also use insecure Bluetooth connections, to which anyone passing by the children’s homes could connect.
EPIC called on the FTC to investigate Genesis Toys and Nuance Communications and halt any activity that doesn’t comply with U.S. privacy laws. The nonprofit organization also asked for “relief” for the affected customers, potentially in the form of refunds.
The Norwegian Consumer Council also evaluated the two toys made by Genesis Toys and described all the security issues in the video below:


With the rise of the Internet of Things, everything around us will get "smarter" by using more powerful chips, more microphones, and more cameras, and this includes children's toys. It will be up to the society at large, politicians, and enforcement agencies to strike a balance between allowing the products to be useful and preventing them from causing significant harm to their users through automatic voice and video recording and poor security that allows those recordings to be used by malicious actors.