Privacy Guide | May 17, 2026 | 10 min read

Privacy Risks of Children's Smart Toys: What Every Parent Should Know

By Sarah Chen

Head of Privacy Research

Internet-connected toys have transformed playtime. AI-powered dolls hold conversations, smartwatches track your child's location, and interactive tablets adapt to learning habits. But behind the fun lies a serious problem: many of these toys collect vast amounts of personal data from children, often with weak security and minimal parental transparency. With the smart toy market projected to reach $25 billion globally by 2030, understanding these risks has never been more important.

What Data Do Smart Toys Actually Collect?

Modern connected toys are equipped with cameras, microphones, GPS sensors, accelerometers, and wireless connectivity. Depending on the toy, the data collected can include:

  • Voice recordings: AI-powered dolls and interactive toys record children's speech to process commands and generate responses. These recordings are often transmitted to cloud servers for processing and storage.
  • Photos and videos: Toys with built-in cameras capture images and videos that may be uploaded to companion apps or stored on manufacturer servers.
  • Location data: GPS-enabled smartwatches and tablets for kids track precise location in real time, creating detailed records of where your child goes throughout the day.
  • Usage patterns: How long a child plays, what features they use, what questions they ask, and how they interact with the toy all generate behavioral data.
  • Personal profile information: Many companion apps require a parent to enter the child's name, age, gender, birthday, and sometimes a photo during initial setup.
  • Biometric data: Some advanced toys collect voice prints or facial recognition data for personalization features.

Smart Toys Can Record Without Your Knowledge

Many internet-connected toys with microphones are always listening for a wake word, similar to smart speakers. Security researchers have found that some toys record audio even when they appear to be in standby mode. If a toy has a microphone and connects to the internet, assume it has the ability to record your child and your household conversations.

Real Data Breaches Involving Children's Toys

These are not hypothetical risks. Multiple high-profile breaches have exposed millions of children's personal data:

VTech (2015)

Electronic toy maker VTech suffered one of the largest breaches of children's data in history. A hacker used SQL injection to compromise VTech's database, exposing 4.8 million parent accounts and 6.4 million children's profiles worldwide. The leaked data included names, email addresses, passwords, mailing addresses, and download histories. The FTC later fined VTech $650,000 for violating COPPA and the FTC Act, and the company was required to implement a comprehensive data security program subject to independent audits for 20 years.

CloudPets (2017)

CloudPets, an internet-connected stuffed animal that allowed families to exchange voice messages, left its entire database publicly exposed without a password or firewall. Over 820,000 user accounts and more than 2.2 million voice messages from both children and parents were leaked. The manufacturer, Spiral Toys, never informed its users about the breach, violating California's security breach notification law.

Bondu AI Toy (2026)

In January 2026, security researchers discovered that an AI toy called Bondu had left more than 50,000 children's chat transcripts exposed on a web-based console. Anyone with a Gmail account could log in and access entire conversation histories, along with children's names, birthdates, family details, and device information.

COPPA: What It Protects and What It Does Not

The Children's Online Privacy Protection Act (COPPA) is the primary U.S. federal law governing how companies collect data from children under 13. It requires operators of online services directed at children to:

  • Post clear online privacy policies
  • Provide notice and obtain verifiable parental consent before collecting data
  • Allow parents to review and delete their child's data
  • Take reasonable steps to secure collected data

The 2025 amendments, which took effect in June 2025 with a compliance deadline of April 2026, expanded the definition of personal information, introduced stricter requirements for parental consent, and tightened rules around modern data types including device identifiers and biometric data.

However, COPPA has significant limitations:

  • Enforcement gaps: The FTC has limited resources to monitor and enforce compliance across thousands of connected toys and apps. Many manufacturers, particularly those based overseas, operate with little oversight.
  • Loopholes in "general audience" classification: If a toy or app is not explicitly directed at children, the manufacturer may argue COPPA does not apply, even if children are the primary users.
  • International manufacturers: A new wave of AI-enabled toys manufactured in China is raising alarms among U.S. officials, as these products may not comply with COPPA and can transmit data to servers outside U.S. jurisdiction.
  • Data broker pipeline: COPPA restricts how the original toy manufacturer handles data, but once data is shared with or sold to third parties, enforcement becomes far more difficult.

Mozilla's 2025 Smart Toy Report

Mozilla's 2025 Toys Data Security and Safety Report examined ten widely used connected toys and found systemic vulnerabilities across the board, including unencrypted data storage, insecure server configurations, and weak authentication. These issues could expose intimate personal information or allow unauthorized access and control of the toys themselves.

How Children's Data Ends Up on Data Broker Sites

You might wonder how a child's data from a toy or app ends up in the hands of data brokers. The pathway is more direct than most parents realize:

  • Direct data sales: Some toy and app companies sell or share collected data with advertising networks and data brokers. Platforms have been caught selling children's viewing habits, voice recordings, and location data without parental consent.
  • Family apps that sell data: Life360, marketed as a family safety app, was found selling location data about both parent and child users to data brokers.
  • Data breaches: When a toy company's database is hacked, children's personal information enters underground markets and can eventually surface on people search sites and data broker databases.
  • Profile aggregation: Data brokers aggregate information from multiple sources to build family profiles that include children's ages, interests, family income, games played, search queries, and ads clicked. Even deidentified data can be reidentified using device IDs linked to other identifying information.
  • Public records and school systems: Schools collect data through educational apps, online testing platforms, and administrative systems. This data can also find its way to brokers.

How to Evaluate a Smart Toy's Privacy Practices

Before purchasing a connected toy, ask these questions:

  1. What data does it collect? Read the privacy policy and companion app permissions. If the toy requires a microphone, camera, or location access, understand why.
  2. Where is data stored? Is data processed on the device or transmitted to cloud servers? On-device processing is safer.
  3. Who has access? Check whether the manufacturer shares data with third parties, advertisers, or analytics companies.
  4. Can you delete data? Look for options to delete voice recordings, photos, and account data. No clear deletion process is a red flag.
  5. What security is in place? Does the toy use encryption? Does it require strong passwords and receive security updates?

Essential Settings to Change on Smart Toys

If your child already has a connected toy, take these steps immediately:

  • Disable always-on microphones: Turn off voice activation when the toy is not actively being used. If the toy does not allow this, consider physically muting it when not in use.
  • Turn off location tracking: Unless GPS tracking is the core purpose of the device (such as a child safety watch), disable location services.
  • Limit companion app permissions: Review the companion app on your phone and revoke access to contacts, photos, camera, and other unnecessary permissions.
  • Disable social sharing features: Many toys encourage children to share creations or recordings online. Turn these features off.
  • Use a strong, unique password: If the toy or its app requires an account, use a strong password and enable two-factor authentication if available.
  • Regularly delete stored data: Periodically log into the companion app and delete stored voice recordings, photos, and activity history.
  • Keep firmware updated: Install security updates for both the toy and the companion app as soon as they become available.

Protecting Your Family's Data Beyond the Toy Box

Smart toys are just one avenue through which your family's personal data enters the digital ecosystem. Data brokers assemble detailed profiles on families, including children's information, from dozens of sources. Even if you take every precaution with a connected toy, your family's personal details may already be available on people search sites and data broker databases.

PrivacyOn helps protect the whole family by removing personal information from over 100 data broker sites and continuously monitoring for re-listings. Family plans cover up to 5 members, making it possible to protect both parents and children under a single subscription. By proactively removing your family's data from broker sites, you reduce the risk that information collected from toys, apps, schools, and other sources can be aggregated into detailed profiles. Plans start at $8.33 per month with 24/7 monitoring and dark web alerts.

Smart toys can be wonderful tools for learning and play, but only when parents understand the privacy trade-offs. Research before you buy, lock down the settings, and take active steps to remove your family's data from the broader data broker ecosystem.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
