The internet of toys and internet of things are interchangeable; they both refer to smart devices that, at their most basic, are physical objects that connect to the internet, which in turn allows them to send, receive and exchange data with the user. Smart watches come under this terminology.
Like any other device that connects to the internet, these items are open to the risk of having security and privacy breaches. How this data is then used is one of the main concerns. There are many well documented risks associated with these devices; smart watches can be hacked for their GPS location, conversations can be listened to, and the camera used to spy. The Norwegian Consumer Council (Forbrukerrådet) have previously reported on the hacking of these devices that have camera and speaker capability and that also track the location of your child via GPS.
The responsibility of checking privacy and security of a product are placed with the purchaser, the parent. The Norwegian Consumer Council have looked into the terms and conditions of various smart devices and toys and noted there were issues in relation to privacy, security, and rights, with a distinct lack of regard for any of these, even on a basic level. Further issues were found in terms of data retention, termination, and transfer of information to third parties.
The companion apps to these devices can be equally as disappointing in terms of security. The regulation of these devices is, to put it mildly, confusing. Devices are made in one location and then sold all around the world. Once a product enters another jurisdiction, that product should adhere to their specific laws and policies. The privacy principles of the New Zealand Privacy Act 2020 govern how personal information should be collected and handled. In particular, privacy principle 4 has a particular focus on children, providing that personal information may be collected by an agency only by lawful means and on the particular circumstance of each case. When having regard to children, it is to be fair and that it will not intrude upon the personal affairs of the individual.
If a person feels their privacy has been interfered with, they can follow the complaints procedure under section 70 of the Privacy Act 2020 by making a complaint to the Privacy Commissioner or the Ombudsman. The complaints procedure appears to be relatively straight forward; however, how complex the process may become when a complaint is made about an overseas organisation is unclear.
The underlying message here is for parents to do their research and read the terms and conditions before purchasing a smart watch for their children. Particular consideration should be given to whether you will be provided notifications as to a change in terms, limiting the use of personal data, the deletion of data from the app, the ability to set automatic deletion of location data after a set period of time, to be able to delete your account and a clear note of where possible data is stored (and transmitted to).