Carolina Alonso

This Little Piggy Went to Wall Street: Privacy Law When a Toy Becomes Your Child’s Banker



Introduction

Today, the average person spends the majority of time plugged into the internet. A phone has become a pocket assistant that lives in the Cloud, binge streaming TV shows online has become a popular Saturday night affair, and most job searches entail uploading a resume to the Internet. Even children can be exposed to the Internet at young ages through education websites and tablet apps. Many children may turn to physical toys to get some time away from screens. Toy manufacturers, however, are increasingly developing toys that connect to the Internet.1 Many physical toys on the market today, though screenless, connect to the Internet in some way, whether directly to the Cloud or via an app. These are called connected toys.2

There is a range of connected toys on the market right now. Some focus on giving a child a companion, some focus on toy customizability, and some focus on education. Wiggy, a connected toy, focuses on financial education.

The Technology

In 2016, Spiral Toys released Wiggy, a physical piggy bank that connects to an app through which parents, relatives, or other loved ones can send money to children for finishing chores or as birthday presents.3 The physical pig toy connects to the Wiggy app on a device through Bluetooth, while the app connects to the internet.4 The funds that parents send to their children’s Wiggy account show up on the child’s app account. Parents can also choose to withdraw funds, set tasks, or use ‘stars’ in the app to send a more abstract reward. Children can set tasks, view their funds, and add items to a wish list.

Using technology to teach children practical lessons about money is nothing new.5 Spiral Toys, however, seems to be developing a way to connect parent bank accounts to Wiggy to allow funds to be rooted in spendable money.6 The company stated that this aspect of Wiggy would “become a reoccurring monthly revenue stream for Spiral. Spiral has found multiple avenues for maximizing the revenue opportunity with Wiggy by developing these revenue streams.”7 Spiral explains that this service is implemented using Wiggy Cards. The Wiggy Card would function like a digital wallet and pre-paid debit card for children.8 The details of how Spiral will gain revenue through this service, or how children will be able to use the pre-paid debit card and whether only certain venues will accept it, remain unclear. That being said, the service that Spiral describes implies that Wiggy may act as a sort of financer between banks and consumers, much like Venmo.9 These sorts of services are usually referred to as P2P or peer-to-peer payments technology.10 Usually P2P services do not produce revenue unless done with a credit card that charges fees.11 This brings up an interesting question of what kinds of laws apply to a connected toy such as Wiggy, which implicates both children’s personal information and financial privacy issues.

The Laws

Organizations that conduct P2P services may be referred to as money transmitters, since they are not financial institutions, such as a bank, but still handle the exchange of finance substance and information. In this case, Wiggy can be considered a money transmitter toy. Setting aside several state data breach or financial privacy acts that may apply, several federal privacy laws may apply to a money transmitter toy such as Wiggy.

Children’s Online Privacy Protection Act

First, the Children’s Online Privacy Protection Act (COPPA)12 applies to a connected toy such as Wiggy. COPPA regulates operators of online services that directly target children under the age of thirteen, or companies that have actual knowledge that they are collecting, using, or disclosing personal information from children under thirteen.13 The Federal Trade Commission (FTC), which has the ability to bring enforcement actions against online service providers under COPPA, has indicated that it considers COPPA to apply to connected toys, as some of their functions rely on online services.14 The FTC applies COPPA to online services such as online games, websites, and applications.15 COPPA applies to these connected toys as well since they are providing children services online through the physical toy directly to the cloud or through an associated application.

COPPA implicates several regulations on connected toys, including obtaining consent from parents and limitations on collecting, using, and securing children’s data in certain ways. For example, toy manufacturers need to give clear and accessible notice about their privacy policies, must delete children’s data if requested by parents, cannot condition a child’s participation on the collection of children’s personal information, cannot retain children’s personal information for longer than necessary to fulfill the purpose of collecting the data, and must take reasonable steps to release children’s personal information only to third parties who can assure the capability of maintaining the confidentiality, security, and integrity of such information.16

Despite these regulations, there are some nuances that may confuse toy manufacturers about how to protect the data they collect. For example, COPPA covers children’s data that is obtained from a child rather than data about a child,17 meaning that toy manufacturers attempting to comply with COPPA would prefer to treat all the data they collect in blanket form rather than spend the time to figure out what kinds of data are actually obtained from children. This may clash with other types of regulations that may apply to a money transmitter toy like Wiggy such as the Gramm-Leach-Bliley Act, which regulates data associated with financial institutions such as banking and credit card information.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) applies to financial institutions and to money transmitters if they receive “nonpublic personal information” from an unaffiliated financial institution.18 It is unlikely that Spiral is considered a financial institution, let alone a financial institution that has customers. The FTC defines a financial institution as an organization that is significantly engaged in financial activities that might include lending, exchanging, transferring, investing for others, or safeguarding money or securities, providing financial, investment, or economic advisory services, brokering or servicing loans, debt collecting, or providing real estate settlement services.19 The Wiggy Card, though potentially thought of as transferring money from parent to child, does not seem to be done by the toy itself or even the toy manufacturer. Spiral, when explaining the Wiggy Card, implied that it partners with a bank to conduct transfers from a parent’s bank account to a pre-paid debit card meant for children using Wiggy’s application as the platform of the transfer rather than a separate financial institution.20 This seems to be far from a significant engagement.21

A service like Wiggy Card, however, may certainly be considered a money transmitter that receives nonpublic personal information (NPI) from an unaffiliated financial institution. Under the GLBA, nonpublic information is considered “any information an individual gives you to get a financial product or service,” “any information you get about an individual from a transaction involving your financial product(s) or service(s),” or “any information you get about an individual in connection with providing a financial product or service.”22 This may include names, social security numbers, bank account numbers, and other related information. NPI does not include information that one can reasonably believe is lawfully made public, such as publicly available federal, state, or local government records and information that is widely distributed in the media.23 The caveat here is that when a list is derived from NPI, even if some of the information in the list is not NPI, the list itself is still considered NPI.24 In Wiggy Card’s case, a list of Wiggy Cards distributed to children may be considered NPI if the list contains parents’ names associated with the financial service of transferring funds from a bank account to a child’s Wiggy Card. It is unclear whether a list of just children’s names associated with Wiggy Cards containing no information on the Wiggy Card or the financial information associated with the Card is considered NPI.

The GLBA restricts NPI reuse and re-disclosure. When it comes to NPI received by nonaffiliated financial institutions, money transmitters may disclose the information to process financial services in a necessary capacity without informing consumers of these processes.25 If Wiggy uses NPI in a way that is not necessary to deliver a financial service, however, Wiggy can only use NPI from consumers that were informed of these possible uses in a privacy notice given to them by the financial institution and who subsequently did not opt out.26 Even then, the use of NPI is limited to internal purposes and re-disclosure is limited by the privacy policy of the associated financial institution.27

These regulations, when paired with other relevant laws like COPPA, can lead to some confusion for toy manufacturers attempting to deliver a service like the Wiggy Card. This is because financial data may be paired or commingled with children’s data. For example, account numbers are prohibited from being disclosed for marketing purposes,28 but it is not against COPPA to use children’s personal information for contextual advertising,29 creating technical difficulties for companies to pull different data lists for different purposes while attempting to comply with different privacy regulations. Because COPPA’s regulations are largely built around parental consent, it also brings in issues of how to properly give transparent and accessible notice to parents to understand how information may be collected, used, and transferred. It also highlights issues on how to give parents and children alike control over different types of data, whether financial or children’s data.

Unfair or Deceptive Acts

In order to solve for issues relating to notice, consent, and user control, the FTC has some limited enforcement actions based on unfair or deceptive acts.30 Based on public statements Wiggy has made about its services, the FTC is able to enforce against services such as the Wiggy Card. Unfair practices are considered acts that cause or are likely to cause substantial injury to consumers, cannot be reasonably avoided by consumers, and are not outweighed by countervailing benefits to consumers or to competition.31 Deceptive practices are considered acts where a representation, omission, or practice misleads or is likely to mislead the consumer; a consumer’s interpretation of the representation, omission, or practice is considered reasonable under the circumstances; and the misleading representation, omission, or practice is material.32 The FTC usually evaluates deceptive practices when looking at privacy policies.33 By not distinguishing between financial and children’s data, companies may find themselves under FTC investigation for deceptive practices as privacy policies may lead users to misunderstand the way their data is being collected, used, and shared if the difference between types of data is not distinguished. Therefore, it is important for companies like Wiggy to publish privacy policies in accessible places and ensure that their data collection, use, and transfer policies are transparent to consumers. This would include describing the differences between financial and children’s data and explaining the security and consent implications of both to parents.

In February 2017, one of Spiral’s other connected toys, CloudPets, was identified as having various security and privacy issues. CloudPets was shown to have kept children’s personal information in an insecure fashion, allowing the data to be breached.34 CloudPets’ privacy policy states that CloudPets takes “reasonable measures to protect personal information in an effort to prevent loss, misuse, and unauthorized access, disclosure, alteration, and destruction. For example, we use secure, encrypted communications when transferring all personal information over the web.”35 As demonstrated, Spiral’s privacy policies contradict its actual practices and may land CloudPets and possibly Spiral’s other connected toys under FTC investigation and enforcement. As of now, there does not seem to be an accessible privacy policy for Spiral’s Wiggy, leaving Wiggy similarly vulnerable.

Self-Regulation

Self-regulation may be a good option for money transmitter toys like Wiggy to ensure they adhere to privacy regulations. Because of the possible clash between current privacy regulations, companies can bring some consistency by taking initiative through implementing best practices already being practiced by big players in the ecosystem. The best practices that toy manufacturers can take include reasonable security, accessible and transparent privacy policies, and allowing consumer control.36 For example, money transmitter toys could implement easy-to-use user interfaces in their accompanying apps that would allow parents to easily unlink bank accounts from connected toys and apps and be certain that such data is not being retained unnecessarily.

Although there are several FTC-approved safe harbor organizations that companies could join in order to state their compliance with COPPA regulations,37 toy manufacturers that also provide P2P services may encounter difficulties finding cohesive self-regulation structures specifically made for money transmitter toys. They should look to innovating best practices by looking to financial regulations, while paying attention to the types of information they are collecting from children. Parents, while they can take several steps to educate themselves in how companies collect data, should not have to jump through hoops to understand whether a finance education toy protects their financial data or their children’s personal information.

The Social Implications

Connected toys are not only becoming more popular, but they are also expanding the ways in which children are experiencing the physical world. Though connected toys are rooted in virtual worlds, a physical representation of that world can lead to several physiological implications. Toy manufacturers not only should look to current legal implications, but should also look to potential social implications that may inspire future regulations.

Several connected toys autonomously develop personalities, whether through artificial intelligence38 or through a child’s imagination. Children can quickly bond with their toys, and adding an element of education to toys may lead children to rely on toys for more than play. Though educational toys are not new, connected toys may create a culture among new generations that changes the way that children view the physical world.

Wiggy, for example, provides an incentive for parents to stray away from giving children physical cash, while simultaneously allowing children to see finances as more abstract than a dollar they may hold in their pocket. Though it is unclear how this may change the way children view the value of money or how they learn accounting, social implications are important to take into consideration when developing toys that rely heavily on the internet.

Conclusion

In time, connected toys will become a standard birthday gift. Connected toys may start to replace babysitters or act as home teachers. Toys may even become personal accountants for children. In cases where toys may cross over into territories not usually attributed to children, such as finance, toy manufacturers should look to current privacy regulations and aim for best practices in order to build trust and protect consumers. By having descriptive, transparent, and accessible privacy policies and providing reasonable security, toy manufacturers can take the first steps in finding a balance in protecting consumers’ data while also being able to use data to develop and deliver better services to users.

* Privacy Law Junior Fellow at the Future of Privacy Forum; Admitted to the California Bar; J.D., Georgetown University Law Center, 2016; B.A. in Political Science, University of California Davis, 2012. The opinions expressed are solely her own and do not necessarily express the views or opinions of her employer. © 2017, Carolina Alonso