According to cybersecurity expert Troy Hunt, more than 820, 000 user accounts were exposed and over 2.2 million voice messages, from both children and parents, were leaked during the severe CloudPets data breach.
[5] Although the database is not publicly accessible anymore, Spiral Toys have not informed their users regarding the data leak, which is a violation of the security breach notification law in California.
[6] In November 2015, VTech suffered a severe data breach on their information storing system, where the hacker used SQL injection, which is “an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as a Relational Database Management System – RDBMS),” to get full authorization to the database where he can access children and parents’ personal data.
Nuance Communications have a record of selling biometric solutions to military, intelligence, and law enforcement agencies, which is put into consideration of privacy issues regarding connected toys.
"[11] The Norwegian Consumer Council did an investigation on the terms of use and privacy policies on My Friend Cayla and i-Que Intelligent Bot in 2016.
They found that the privacy policies do not specifically mention how long the data will be retained after the users stop using the service or delete the account.
[1] Specifically, My Friend Cayla's privacy policy mentions that "it is not always possible to completely remove or delete all of your information from our databases without some residual data because of backups and other reasons.
[13] The agency further states that any toy that transmits data, including features such as recording video and voice, without detection is banned in Germany.
The Federal Network Agency advised the parents to immediately destroy the toy to avoid potential risk in comprising personal data privacy.
[3] Toys that are able to connect to the internet in various ways are subject to regulation from the Children's Online Privacy Protection Act (COPPA).
The Electronic Privacy Information Center, the Campaign for a Commercial-Free Childhood, the Center for Digital Democracy, and Consumers Union submitted a complaint to the Federal Trade Commission regarding how My Friend Cayla and I-Que Intelligent Bot produced by Genesis Toys have violated the laws of COPPA.