Georgetown Law
Technology Review

Introduction

Today, the average person spends the majority of time plugged into the internet. A phone has become a pocket assistant that lives in the Cloud, binge streaming TV shows online has become a popular Saturday night affair, and most job searches entail uploading a resume to the Internet. Even children can be exposed to the Internet at young ages through education websites and tablet apps. Many children may turn to physical toys to get some time away from screen. Toy manufacturers, however, are increasingly developing toys that connect to the Internet.1 See FUTURE OF PRIVACY F. WITH FAMILY ONLINE SAFETY INSTITUTE, KIDS & THE CONNECTED HOME: PRIVACY IN THE AGE OF CONNECTED DOLLS, TALKING DINOSAURS, AND BATTLING ROBOTS 2–6 (Dec. 2016), https://fpf.org/wp-content/uploads/2016/11/Kids-The-Connected-Home-Privacy-in-the-Age-of-Connected-Dolls-Talking-Dinosaurs-and-Battling-Robots.pdf [https://perma.cc/BRM8-VWZ9]. Many physical toys on the market today, though screenless, connect to the Internet in some way, whether directly to the Cloud or via an app. These are called connected toys.2 Id.

There is a range of connected toys on the market right now. Some focus on giving a child a companion, some focus on toy customizability, and some focus on education. Wiggy, a connected toy, focuses on financial education.

The Technology

In 2016, Spiral Toys released Wiggy, a physical piggy bank that connects to an app through which parents, relatives, or other loved ones can send money to children for finishing chores or as birthday presents.3 See Meet Wiggy, WIGGY, http://wiggyapp.com/ (last visited Mar. 15, 2017) [https://perma.cc/A8JJ-AN38]. Additionally, The app’s functions were explored and downloaded onto an Android on February 2, 2017. The physical pig toy connects to the Wiggy app on a device through Bluetooth, while the app connects to the internet.4 Apps that accompany connected toys may connect to the internet in a variety of ways. Some apps may connect directly to the internet, sometimes to a cloud server, which enables certain features such as location tracking and receiving data from the internet that allows deeper levels of interactive playtime. For example, the connected Furby toy allows real-time interaction with the physical toy reacting to games one can play on the accompanying app. See Furby Connect World, Permissions: View Details, GOOGLE PLAY STORE, https://play.google.com/store/apps/details?id=com.hasbro.FurbyWorldAPPSTORE&hl=en (last updated Dec. 6, 2016) [https://perma.cc/D62C-APPK]. This contrasts with other ways an accompanying app may connect with the internet, such as when the app goes through automatic updates, connecting to the cloud only when it updates the app, but not sharing or receiving data in any way. For example, the accompanying app for CHiP, a robot dog, does not connect to the internet directly unless it is processing an update to the app as the app only acts as a remote control for the physical toy. See CHiP – Your Lovable Robot Dog, Permissions: View Details, GOOGLE PLAY STORE, https://play.google.com/store/apps/details?id=com.wowwee.chip&hl=en (last updated Jan. 26, 2017) [https://perma.cc/6TLT-YK7E]. The Wiggy app connects to the internet directly as it tracks location and receives data from the internet. See Wiggy Toy App (Unreleased), Permissions: View Details, GOOGLE PLAY STORE, https://play.google.com/store/apps/details?id=com.spiraltoys.wiggypiggy&hl=en (last updated Feb. 1, 2017) [https://perma.cc/63XD-U9WH]. The funds that parents send to their children’s Wiggy account show up on the child’s app account. Parents can also choose to withdraw funds, set tasks, or use ‘stars’ in the app to send a more abstract reward. Children can set tasks, view their funds, and add items to a wish list.

Using technology to teach children practical lessons about money is nothing new.5 In 1971, the game Oregon Trial was developed, with the 1992 computer game version popularly used in schools to teach children not just about history, but also about resource and finance management. See Bonnie Burton, Oregon Trail game co-inventor talks pioneer survival and life lessons, CNET (Feb. 6, 2016), https://www.cnet.com/news/oregon-trail-game-co-inventor-talks-pioneer-survival-and-life-lessons/ [https://perma.cc/Q9JP-KMZN]. Spiral Toys, however, seems to be developing a way to connect parent bank accounts to Wiggy to allow funds to be rooted in spendable money.6 It is unclear whether Spiral Toys is in the process of developing or has already implemented a method that would allow parents to link their Wiggy accounts to bank accounts to send their children spendable money. See Spiral Toys, Wiggy: The Smartest Way To Get Your Kids Savings, SPIRAL TOYS, http://spiraltoys.com/wiggy/ (last visited Feb. 12, 2017) [https://perma.cc/2TN8-3KGV] (stating “Once each task is complete, you transfer the reward to your child’s Wiggy Card instantly[,]” and “[i]n short, the Wiggy Card is real money! It functions as a digital wallet and prepaid debit card designed just for kids.”); see Spiral Toys, Spiral Toys Provides Product Update and 2016 Outlook, SPIRAL TOYS (June 30, 2016), http://spiraltoys.com/spiral-toys-provides-product-update-and-2016-outlook/ [https://perma.cc/JF2Z-EE8S] (stating “Spiral has expanded the current feature set to include parent approved ecommerce transactions by potentially partnering with large online retailers such as Amazon and Walmart through their affiliate programs. This affiliate program will become an additional revenue stream for Spiral. In addition, Spiral is developing a debit card program with a leading nationwide debit card provider. Doing so will allow parents to set-up a debit card for their children from their Wiggy account.”). The company stated that this aspect of Wiggy would “become a reoccurring monthly revenue stream for Spiral. Spiral has found multiple avenues for maximizing the revenue opportunity with Wiggy by developing these revenue streams.”7 Spiral Toys, Spiral Toys Provides Product Update and 2016 Outlook, SPIRAL TOYS (June 30, 2016), http://spiraltoys.com/spiral-toys-provides-product-update-and-2016-outlook/ [https://perma.cc/JF2Z-EE8S]. Spiral explains that this service is implemented using Wiggy Cards. The Wiggy Card would function like a digital wallet and pre-paid debit card for children.8 See Spiral Toys, Wiggy: The Smartest Way To Get Your Kids Savings, SPIRAL TOYS, http://spiraltoys.com/wiggy/ (last visited Feb. 12, 2017) [https://perma.cc/2TN8-3KGV]. The details of how Spiral will gain revenue through this service, or how children will be able to use the pre-paid debit card and whether only certain venues will accept it remains unclear. That being said, the service that Spiral describes implies that Wiggy may act as a sort of financer between banks and consumers, much like Venmo.9 See Leena Rao, How Venmo Plans to Make Money, FORTUNE TECH (Dec. 29, 2015), http://fortune.com/2015/12/29/p2p-mobile-payment-venmo-paypal/ [https://perma.cc/5P4N-T3QZ]. These sorts of services are usually referred to as P2P or peer-to-peer payments technology.10 See id. Usually P2P services do not produce revenue unless done with a credit card that charges fees.11 See id. This bring up an interesting question of what kinds of laws apply to a connected toy such as Wiggy, which implicates both children’s personal information and financial privacy issues.

The Laws

Organizations that conduct P2P services may be referred to as money transmitters, since they are not financial institutions, such as a bank, but still handle the exchange of finance substance and information. In this case, Wiggy can be considered a money transmitter toy. Setting aside several state data breach or financial privacy acts that may apply, several federal privacy laws may apply to a money transmitter toy such as Wiggy.

Children’s Online Privacy Protection Act

First, the Children’s Online Privacy Protection Act (COPPA)12 Children’s Online Privacy Protection Act (COPPA) 15 U.S.C §§ 6501–6508 (2013), http://www.ecfr.gov/cgi-bin/text-idx?SID=4939e77c77a1a1a08c1cbf905fc4b409&node=16%3A1.0.1.3.36&rgn=div5 [https://perma.cc/HFL4-KZ64]. applies to a connected toy such as Wiggy. COPPA regulates operators of online services that directly target children under the age of thirteen, or companies that have actual knowledge that they are collecting, using, or disclosing personal information from children under thirteen.13 See Complying with COPPA: Frequently Asked Questions, FED. TRADE COMM’N (Mar. 20, 2015), https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions [https://perma.cc/KFC5-4C58]. The Federal Trade Commission (FTC), which has the ability to bring enforcement actions against online service providers under COPPA, has indicated that it considers COPPA to apply to connected toys, as some of their functions rely on online services.14 See id. at pt. A, subdiv. 9. The FTC applies COPPA to online services such as online games, websites, and applications.15 See Federal Trade Commission, supra note 13, at A.9. COPPA applies to these connected toys as well since they are providing children services online through the physical toy directly to the cloud or through an associated application.

COPPA implicates several regulations on connected toys, including obtaining consent from parents and limitations on collecting, using, and securing children’s data in certain ways. For example, toy manufacturers need to give clear and accessible notice about their privacy policies, must delete children’s data if requested by parents, cannot condition a child’s participation on the collection of children’s personal information, cannot retain children’s personal information for longer than necessary to fulfill the purpose of collecting the data, and must take reasonable steps to release children’s personal information only to third parties who can assure the capability of maintaining the confidentiality, security, and integrity of such information.16 See Children’s Online Privacy Protection Rule (COPPA), 16 CFR § 312 (1998), http://www.ecfr.gov/cgi-bin/text-idx?SID=4939e77c77a1a1a08c1cbf905fc4b409&node=16%3A1.0.1.3.36&rgn=div5 [https://perma.cc/ZM86-5LS2].

Despite these regulations, there are some nuances that may confuse toy manufacturers with how to protect the data they collect. For example, COPPA covers children’s data that is obtained from a child rather than data about a child,17 See id. at § 312.2. meaning that toy manufacturers attempting to comply with COPPA would prefer to treat all the data they collect in blanket form rather than spend the time to figure out what kinds of data is actually obtained from children. This may clash with other types of regulations that may apply to a money transmitter toy like Wiggy such as the Gramm-Leach-Bliley Act, which regulates data associated with financial institutions such as banking and credit card information.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) applies to financial institutions and to money transmitters if they receive “nonpublic personal information” from an unaffiliated financial institution.18 See Financial Privacy Rule (GLBA), 16 C.F.R. § 313 (2000), http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&tpl=/ecfrbrowse/Title16/16cfr313_main_02.tpl [https://perma.cc/HRL2-D44P]; FED. TRADE COMM’N, HOW TO COMPLY WITH THE PRIVACY OF CONSUMER FINANCIAL INFORMATION RULE OF THE GRAMM-LEACH-BLILEY ACT (July 2002), https://www.ftc.gov/tips-advice/business-center/guidance/how-comply-privacy-consumer-financial-information-rule-gramm [https://perma.cc/Z6QH-F3GJ] (explaining that “Even if your business is not a financial institution that has consumers or customers, the Privacy Rule may limit your use of NPI. Your ability to reuse and re-disclose the information may be restricted if you receive NPI from a nonaffiliated financial institution,” namely money transmitters that receive information from a nonaffiliated financial institution). It is unlikely that Spiral is considered a financial institution, let alone a financial institution that has customers. The FTC defines a financial institution as an organization that is significantly engaged in financial activities that might include lending, exchanging, transferring, investing for others, or safeguarding money or securities, providing financial, investment, or economic advisory services, brokering or servicing loans, debt collecting, or providing real estate settlement services.19 See FED. TRADE COMM’N, supra note 18. The Wiggy Card, though potentially thought of as transferring money from parent to child, does not seem to be done by the toy itself or even the toy manufacturer. Spiral, when explaining the Wiggy Card, implied that it partners with a bank to conduct transfers from a parent’s bank account to a pre-paid debit card meant for children using Wiggy’s application as the platform of the transfer rather than a separate financial institution.20 See Wiggy: The Smartest Way To Get Your Kids Savings, SPIRAL TOYS (last visited Feb. 12, 2017), http://spiraltoys.com/wiggy/ [https://perma.cc/2TN8-3KGV]. This seems to be far from a significant engagement.21 See FED. TRADE COMM’N, supra note 18 (stating that the FTC’s “significantly engaged” standard is intended to exclude certain activities that might otherwise fall under the Privacy Rule. Two factors are particularly important in determining whether you are “significantly engaged” in a financial activity. First, is there a formal arrangement? A storeowner or bartender who “runs a tab” for customers is not considered to be significantly engaged in financial activities, but a retailer that offers credit directly to consumers by issuing its own credit card would be covered).

A service like Wiggy Card, however, may certainly be considered a money transmitter that receives nonpublic personal information (NPI) from an unaffiliated financial institution. Under the GLBA, nonpublic information is considered “any information an individual gives you to get a financial product or service,” “any information you get about an individual from a transaction involving your financial product(s) or service(s),” or “any information you get about an individual in connection with providing a financial product or service.”22 See FED. TRADE COMM’N, supra note 18. This may include names, social security numbers, bank account numbers, and other related information. NPI does not include information that one can reasonably believe is lawfully made public such as federal, state, or local government records publicly available and information that is widely distributed media.23 See id. The caveat here is that when a list is derived from NPI, even if some of the information in the list is not NPI, the list itself is still considered NPI.24 See id. In Wiggy Card’s case, a list of Wiggy Cards distributed to children may be considered NPI if the list contains parents’ names associated with the financial service of transferring funds from a bank account to a child’s Wiggy Card. It is unclear whether a list of just children’s names associated with Wiggy Cards containing no information on the Wiggy Card or the financial information association associated with the Card is considered NPI.

The GLBA restricts NPI reuse and re-disclosure. When it comes to NPI received by nonaffiliated financial institutions, money transmitters may disclose the information to process financial services in a necessary capacity without informing consumers of these processes.25 See id. at pt. III. If Wiggy uses NPI in a way that is not necessary to deliver a financial service, however, Wiggy can only use NPI from consumers that were informed of these possible uses in a privacy notice given to them by the financial institution and who subsequently did not opt out.26 See id. at pt. II. Even then, the use of NPI is limited to internal purposes and re-disclosure is limited by the privacy policy of the associated financial institution.27 See id.

These regulations, when paired with other relevant laws like COPPA, can lead to some confusion for toy manufacturers attempting to deliver a service like the Wiggy Card. This is because financial data may be paired or comingled with children’s data. For example, account numbers are prohibited from being disclosed for marketing purposes,28 See FED. TRADE COMM’N, supra note 18, at pt. IV. but it is not against COPPA to use children’s personal information for contextual advertising,29 As opposed to behaviorally targeted advertising. For example, a company may use potential personal information such as a child’s age to deliver age appropriate advertisements to six-year-olds versus twelve-year-olds, but may not create profile of a child to target specific advertisements to a certain child based on that child’s unique interests and personal information. See FED. TRADE COMM’N, supra note 18. creating technical difficulties for companies to pull different data lists for different purposes while attempting to comply with different privacy regulations. Because COPPA’s regulations are largely built around parental consent, it also brings in issues of how to properly give transparent and accessible notice to parents to understand how information may be collected, used, and transferred. It also highlights issues on how to give parents and children alike control over different types of data, whether financial or children’s data.

Unfair or Deceptive Acts

In order to solve for issues relating to notice, consent, and user control, the FTC has some limited enforcement actions based on unfair or deceptive acts.30 See 15 U.S.C. §45 (2006), https://www.law.cornell.edu/uscode/text/15/45 [https://perma.cc/6YUF-M5TE]. Based on public statements Wiggy has made about its services, the FTC is able to enforce against services such as the Wiggy Card. Unfair practices are considered acts that cause or are likely to cause substantial injury to consumers, cannot be reasonably avoided by consumers, and are not outweighed by countervailing benefits to consumers or to competition.31 FED. RESERVE BD., FEDERAL TRADE COMMISSION ACT, SECTION 5: UNFAIR OR DECEPTIVE ACTS OR PRACTICES 1 (Dec. 2016) https://www.federalreserve.gov/boarddocs/supmanual/cch/ftca.pdf [https://perma.cc/Q5YJ-5AGL]. Deceptive practices are considered acts where a representation, omission, or practice misleads or is likely to mislead the consumer; a consumer’s interpretation of the representation, omission, or practice is considered reasonable under the circumstances; and the misleading representation, omission, or practice is material.32 See id. The FTC usually evaluates deceptive practices when looking at privacy policies.33 Enforcing Privacy Promises, FED. TRADE COMM’N, https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises (last visited Feb. 13, 2017) [https://perma.cc/J2PB-8SES]. By not distinguishing between financial and children’s data, companies may find themselves under FTC investigation for deceptive practices as privacy policies may lead users to misunderstand the way their data is being collected, used, and shared if the difference between types of data is not distinguished. Therefore, it is important for companies like Wiggy to publish privacy policies in accessible places and ensure that their data collection, use, and transfer policies are transparent to consumers. This would include describing the differences between financial and children’s data and explain the security and consent implications of both to parents.

In February 2017, one of Spiral’s other connected toys, CloudPets, was identified as having various security and privacy issues. CloudPets was shown to have kept children’s personal information in an unsecure fashion, allowing the data to be breached.34 See Lorenzo Franceschi-Bicchierai, A company that sells “smart” teddy bears leaked 800,000 user account credentials—and then hackers locked it and held it for ransom, MOTHERBOARD (Feb. 27, 2017) https://motherboard.vice.com/en_us/article/internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordings [https://perma.cc/27JV-J5KQ]; Troy Hunt, Data from connected CloudPets teddy bears leaked and ransomed, exposing kids’ voice messages, TROY HUNT BLOG (Feb. 28, 2017), https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/ [https://perma.cc/3MXB-6EYP]. CloudPets’ privacy policy states that CloudPets takes “reasonable measures to protect personal information in an effort to prevent loss, misuse, and unauthorized access, disclosure, alteration, and destruction. For example, we use secure, encrypted communications when transferring all personal information over the web.”35 Terms and Conditions, Privacy Policy, SPIRAL TOYS, http://spiraltoys.com/products/cloudpets/terms-and-conditions/ (last revised Jan. 15, 2016) [https://perma.cc/9JFB-942C]. As demonstrated, Spiral’s privacy policies contradict its actual practices and may land CloudPets and possibly other Spiral’s connected toys under FTC investigation and enforcement. As of now, there does not seem to be an accessible privacy policy for Spiral’s Wiggy, leaving Wiggy similarly vulnerable.

Self-Regulation

Self-regulation may be a good option for money transmitter toys like Wiggy to ensure they adhere to privacy regulations. Because of the possible clash between current privacy regulations, companies can bring some consistency by taking initiative through implementing best practices already being practiced by big players in the ecosystem. The best practices that toy manufacturers can take include reasonable security, accessible and transparent privacy policies, and allowing consumer control.36 See FUTURE OF PRIVACY F., supra note 1, at 12–16. For example, money transmitter toys could implement easy to use user interfaces in their accompanying apps that would allow parents to easily unlink bank accounts from connected toys and apps and be certain that such data is not being retained unnecessarily.

Although there are several FTC-approved safe harbor organizations that companies could join in order to state their compliance with COPPA regulations,37 COPPA Safe Harbor Program, FED. TRADE COMM’N (last visited Feb. 13, 2017), https://www.ftc.gov/safe-harbor-program [https://perma.cc/L4C8-M2AK]. toy manufacturers that also provide P2P services may encounter difficulties finding cohesive self-regulation structures specifically made for money transmitter toys. They should look to innovating best practices by looking to financial regulations, while paying attention to the types of information they are collecting from children. Parents, while they can take several steps to educate themselves in how companies collect data, should not have to jump through hoops to understand whether a finance education toy protects their financial data or their children’s personal information.

The Social Implications

Connected toys are not only becoming more popular, but they are also expanding the ways in which children are experiencing the physical world. Though connected toys root from virtual worlds, a physical representation of that world can lead to several physiological implications. Toy manufacturers not only should look to current legal implications, but should also look to potential social implications that may inspire future regulations.

Several connected toys autonomously develop personalities, whether through artificial intelligence38See Meet the CogniToys Dino, COGNITOYS, https://cognitoys.com (last visited Mar. 15, 2017) [https://perma.cc/Z5D3-BNYC] (stating “There’s nothing prehistoric about CogniToys, the Wi-Fi-enabled, educational smart toy Dinosaurs that learn and grow with children. Loaded with fun personalities and tons of information, CogniToys are redefining learning in the digital age. The curious and conversational Dinos are powered by IBM Watson and Elemental Path’s Friendgine technology, allowing them to deliver the kind of personalized play experience every child deserves.”); see also Myles Gough, An IBM Supercomputer Is Making Its Debut in a Kid’s Toy: And it will learn and grow with your babies., SCI. ALERT (Feb. 24, 2015), https://www.sciencealert.com/ibm-s-jeopardy-destroying-watson-makes-its-debut-in-a-kid-s-toy [https://perma.cc/YEE7-LP7R]; see also Nick Statt, Anki’s Cozmo robot is the new, adorable face of artificial intelligence, VERGE (Oct. 14, 2016) http://www.theverge.com/2016/10/14/13276752/anki-cozmo-review-ai-robot-toy [https://perma.cc/6T9D-XBPA]. or through a child’s imagination. Children can quickly bond with their toys and adding an element of education to toys may lead children to rely on toys for more than play. Though educational toys are not new, connected toys may create a culture among new generations that change the way that children view the physical world.

Wiggy, for example, provides an incentive for parents to stray away from giving children physical cash, while simultaneously allowing children to see finances as more abstract than a dollar they may hold in their pocket. Though it is unclear how this may change the way children view the value of money or how they learn accounting, social implications are important to take into consideration when developing toys that rely heavily on the internet.

Conclusion

In time, connected toys will become a standard birthday gift. Connected toys may start to replace babysitters or act as home teachers. Toys may even become personal accountants for children. In cases where toys may cross over into territories not usually attributed to children, such as finance, toy manufacturers should look to current privacy regulations and aim for best practices in order to build trust and protect consumers. By having descriptive, transparent, and accessible privacy policies and providing reasonable security, toy manufacturers can take the first steps in finding a balance in protecting consumer’s data while also being able to use data to develop and deliver better services to users.