What Smart Toys Actually Record: The Data Behind Hello Barbie, Cayla, and Learning Tablets

Smart toys and connected learning tablets collect voice recordings, location data, and behavioral profiles on children. Learn what Cayla, Hello Barbie, Furby Connect, and kids' tablets actually record — and what to do about it.

The box says the toy “learns and grows with your child.” What the box doesn’t say is where that learning goes. Your 7-year-old has been talking to a Wi-Fi-connected plush animal for six months: asking it questions, telling it about her day, sharing her name and her teacher’s name and the name of her dog. Every one of those conversations was transmitted to a cloud server, processed by a voice recognition system, and stored in a database that could be breached, sold to a data broker, or accessed by a government with a subpoena. This is not a hypothetical worst case. The FTC has taken enforcement action against connected toy makers for exactly these practices, and independent security researchers have documented encryption failures, unencrypted Bluetooth connections, and indefinite data retention in multiple popular products.

Key Takeaways

  • Hello Barbie, My Friend Cayla, Furby Connect, and several children’s learning tablets have documented histories of transmitting voice data to cloud servers, often without adequate parental disclosure.
  • The FTC settled with VTech in January 2018 for $650,000 after a 2015 breach of its servers exposed roughly 4.8 million parent accounts (names, email addresses, home addresses, password hashes) and 6.4 million child profiles, along with children’s photos and parent–child chat logs.
  • Germany banned My Friend Cayla in 2017 under telecommunications law, classifying it as a covert surveillance device.
  • Many kids’ tablets sold on Amazon and in big-box retailers run heavily customized Android with pre-installed apps that are not updatable and continue collecting data even after the child outgrows the device.
  • COPPA (the Children’s Online Privacy Protection Act) requires parental consent for data collection from children under 13, but enforcement has historically lagged behind the actual practices of toy manufacturers.

The Regulatory Framework: What COPPA Requires

The Children’s Online Privacy Protection Act, enforced by the FTC, requires that operators of websites and online services directed at children under 13 obtain verifiable parental consent before collecting personal information. The rule was updated in 2013 to cover voice recordings, photos, and persistent identifiers — a direct response to emerging connected devices.

In practice, COPPA compliance in the connected toy space has been inconsistent. The FTC’s actions against toy companies have established a pattern: toys collect data beyond what the privacy policy discloses, the privacy policy is written in terms parents cannot easily parse, and parental consent mechanisms are either absent or easily bypassed.

The FTC’s settlement in 2022 with Epic Games over Fortnite’s data practices — a $520 million settlement in part for collecting data on children — signaled that enforcement attention was expanding to cover the broader connected device and gaming space, not just toys specifically.

Case Studies: What Specific Products Actually Collected

My Friend Cayla

My Friend Cayla was an internet-connected doll that used voice recognition to hold conversations with children. The doll itself paired over Bluetooth with a smartphone app; the app forwarded the child’s speech to a cloud speech-recognition service, which returned a spoken response for the doll to play. Security researchers at Pen Test Partners published a 2016 analysis demonstrating that:

  • Cayla’s Bluetooth connection required no PIN or other pairing authentication, so any Bluetooth device in range could connect to the doll and use its microphone and speaker
  • Voice recordings were transmitted to a third-party speech processing company (Nuance Communications, which also supplied voice processing to law enforcement agencies)
  • The privacy policy did not clearly disclose the involvement of third-party processors

The German Federal Network Agency (Bundesnetzagentur) banned Cayla in February 2017 under Section 90 of the German Telecommunications Act, which prohibits devices that can transmit data covertly. The agency explicitly stated that the doll constituted an illegal covert surveillance device and instructed parents to destroy them. Approximately 500,000 Caylas had been sold in Europe and the United States before the ban.

Hello Barbie

Mattel’s Hello Barbie, released in 2015, was a Wi-Fi-connected doll that used ToyTalk’s (later PullString’s) platform to process conversations and generate contextual responses. The privacy setup required parents to create a ToyTalk account and download an app — a parental consent mechanism on paper.

In practice, security researchers at Bluebox Security published a 2015 analysis finding:

  • The companion app had SSL certificate validation issues that made it vulnerable to man-in-the-middle attacks
  • Voice recordings were retained on ToyTalk’s servers by default
  • The terms of service allowed ToyTalk to use recordings to “improve” its services, language broad enough to cover using children’s recordings to train speech-recognition models

Mattel discontinued Hello Barbie in 2017. The ToyTalk/PullString platform was acquired by Apple in 2019. The fate of existing voice recordings accumulated before the acquisition was not publicly disclosed.

Furby Connect

Hasbro’s Furby Connect (2016) used Bluetooth LE to connect to a companion app. Security researchers at Context Information Security published a 2017 analysis showing that the Bluetooth connection was entirely unencrypted and unauthenticated — any device within Bluetooth range could send commands to the Furby, including audio playback through the toy’s speaker.

Unlike Cayla and Hello Barbie, Furby Connect’s primary data concern was unauthorized access and manipulation rather than cloud data retention. The unencrypted connection meant that in a school setting, a child with a mobile device could interact with another child’s Furby without either child’s parent knowing.

VTech Learning Tablets

VTech’s line of children’s learning tablets — including the InnoTab, VTech Storio, and associated Kid Connect messaging service — resulted in the largest children’s data breach in history at the time of the 2015 incident.

Security researcher Troy Hunt, working with the technology news site Motherboard, published findings in late 2015 showing that VTech’s servers had been breached, exposing:

  • 4.8 million parent accounts (names, email addresses, MD5-hashed passwords, home addresses, download history)
  • 6.4 million child profiles (first names, genders, birthdates)
  • 190GB of children’s photos taken on and uploaded from VTech tablets
  • Chat logs from the Kid Connect messaging service between parents and children

VTech’s password storage was inadequate: passwords were stored as unsalted MD5 hashes. MD5 is a fast general-purpose hash, not a password-hashing function, and without a per-user salt every account that shares a password produces the identical hash, so an attacker can crack the whole database with one precomputed lookup table. Salted, deliberately slow password hashing (bcrypt, scrypt, PBKDF2) had been standard guidance for well over a decade before the breach. The FTC settled with VTech in January 2018 for $650,000 and required implementation of a comprehensive data security program.
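To make the difference concrete, here is an added example (not code from the article or from VTech) that stores a few constructed sample accounts both ways. With unsalted MD5, the two parents who chose the same password get the same hash and a four-entry lookup table cracks both at once; with salted PBKDF2 (parameters are the example’s own choice) the same password yields different records, and verification must recompute rather than look up.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample accounts for this example; not data from any real breach.
ACCOUNTS = {
    "parent1@example.com": "password123",
    "parent2@example.com": "password123",
    "parent3@example.com": "correct horse battery staple",
}

# A tiny constructed lookup table of common passwords. Real attackers use
# precomputed tables or wordlists with billions of entries.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty"]


def weak_hash(password: str) -> str:
    """Unsalted MD5, as stored by VTech. Same password -> same hash, every time."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: Dict[str, str]) -> Dict[str, str]:
    """Recover passwords from an unsalted-MD5 database with one lookup table.

    Because there is no salt, a single hash -> password table cracks every
    account at once; the attacker's cost does not grow with the user count.
    """
    table = {weak_hash(p): p for p in COMMON_PASSWORDS}
    return {email: table[h] for email, h in stored.items() if h in table}


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256 (iteration count is an assumption).

    The salt and iteration count are stored with the digest so the record is
    self-describing and the work factor can be raised later.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def main() -> None:
    weak_db = {email: weak_hash(pw) for email, pw in ACCOUNTS.items()}
    print("unsalted MD5 records:")
    for email, h in weak_db.items():
        print(f"  {email}: {h}")
    print("cracked with a 4-entry table:", crack_unsalted(weak_db))

    strong_db = {email: strong_hash(pw) for email, pw in ACCOUNTS.items()}
    print("salted PBKDF2 records (the two 'password123' users now differ):")
    for email, h in strong_db.items():
        print(f"  {email}: {h[:60]}...")
    print("verify parent1:", verify_strong("password123", strong_db["parent1@example.com"]))


if __name__ == "__main__":
    main()
```

Note that salting alone does not fix the speed problem: a salted MD5 is still cheap to brute-force per account. The slow, iterated construction is what makes each guess expensive, and the iteration count should be tuned to your hardware rather than copied from this example.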

What Children’s Tablets from Major Retailers Collect Today

The VTech breach predates the current generation of budget children’s tablets, but the data practice landscape has not uniformly improved.

A 2022 analysis by the Electronic Frontier Foundation (EFF) of several Amazon best-selling children’s tablets found:

  • Pre-installed apps with advertising SDK integrations that could not be removed by parents
  • System-level data collection that persisted regardless of parental control settings
  • Amazon’s own Freetime/Kids+ service, which collects detailed engagement data on every app interaction, game played, book read, and video watched — used to generate the “age recommendations” and also retained for product improvement

Amazon’s Kids+ service is notably more transparent than the earlier generation of connected toys: its privacy policy describes data collection in relatively clear terms, and parents can delete accumulated data through the Parent Dashboard. The structural question — whether detailed behavioral profiling of children’s media consumption from ages 3 through 10 is appropriate even with disclosure — is one that COPPA was not written to answer because the law requires disclosure and consent, not restrictions on what can be consented to.

Smart Toy Data Practices Comparison

| Product | Primary data collected | Encryption | Third-party access | Regulatory action |
|---|---|---|---|---|
| My Friend Cayla | Voice recordings | None on the Bluetooth link (no PIN) | Nuance Communications (speech processing) | Banned in Germany, 2017 |
| Hello Barbie | Voice recordings, conversation history | TLS certificate validation issues documented in the app | ToyTalk/PullString (acquired by Apple, 2019) | No formal action; discontinued 2017 |
| Furby Connect | None sent to the cloud (local Bluetooth only) | None (unencrypted, unauthenticated Bluetooth LE) | None documented | No action; security advisory issued |
| VTech tablets | Photos, chat logs, child profiles, parent home addresses | Inadequate (unsalted MD5 password hashes) | Breached by an external attacker | FTC settlement, $650,000, 2018 |
| Amazon Kids+ | Full engagement/behavioral profile | Standard | Amazon services | No action; ongoing disclosure |
| Generic Android kids tablets | Varies by pre-installed apps | Varies | Ad networks (varies) | No specific action |

What Parents Can Do Before Buying

The most effective intervention happens before purchase. When evaluating a connected toy or tablet:

Check the privacy policy for these specific items:

  • What data is collected (specifically: voice, location, photos, behavioral data)
  • Who are the named third-party processors?
  • How long is data retained, and is there a deletion mechanism?
  • What happens to existing data if the company is sold or goes out of business?

If a connected toy’s privacy policy does not address these questions clearly, that absence is itself informative.

Search “[product name] security researcher” before buying. Academic and independent security researchers regularly publish analyses of connected toy security. These analyses are usually more technically specific than news coverage. The European Consumer Organisation (BEUC) and Which? in the UK have both published systematic reviews of smart toy security in recent years.

Consider whether the connectivity adds meaningful value. Many smart toy features — responsive audio, adaptive games — can be delivered without cloud processing or persistent data collection. A toy that processes locally and doesn’t require account creation collects no data that can be breached, sold, or subpoenaed.

After Purchase: Limiting Data Collection

For devices already in the home:

Review app permissions. Connected toy companion apps frequently request location access, contact list access, and storage permissions that are not necessary for the toy’s functions. Deny these on installation; the toy typically functions without them.

Delete recordings where the option exists. Amazon’s Alexa app allows parents to review and delete all voice recordings associated with a household. Similar tools exist in Google Assistant settings. For dedicated smart toys, check the manufacturer’s app or account portal.

Network segmentation for the most cautious approach. Setting up a separate Wi-Fi network (an “IoT network”) for smart devices keeps their traffic isolated from computers and phones that hold financial or identity information. If a smart toy is compromised, the attacker cannot pivot from it to other household devices. Consumer routers from ASUS, Netgear, and others support guest networks that accomplish this. One caveat: a guest network blocks traffic between the guest and main networks in both directions, so a companion app on a phone on the main network may not be able to discover a Wi-Fi toy on the guest network; join the phone to the guest network during setup, or use a router that supports a dedicated IoT VLAN with the specific exceptions you need.

Disconnect before reselling or gifting. A 2021 analysis by Which? found that a significant fraction of secondhand smart toys retained previous owners’ account credentials and in some cases voice recording libraries. Factory reset any connected toy before it leaves the household.

The Broader Issue: Children as Data Subjects

The debate about smart toy privacy sits at the intersection of COPPA compliance and a broader unresolved question: should companies be allowed to build detailed behavioral profiles of children at all, even with parental consent?

This question is increasingly being asked in policy contexts. The FTC’s COPPA Rule review specifically solicited comments on whether to strengthen restrictions on data retention for children under 13, and whether to extend COPPA-style protections to teens (in line with the EU’s approach under GDPR, which sets the default age of digital consent at 16, with member states permitted to lower it to 13).

For families already thinking about digital literacy and data privacy for kids, connected toys offer an age-appropriate entry point into the conversation: “When this toy talks to the internet, it sends some of what you said to a computer far away. That’s how it knows what to say back. We think that’s okay, but we want you to know it happens.”

What to Watch For Over 3 Months

Month 1: Audit connected toys and tablets currently in your home. For each device, locate the manufacturer’s privacy portal and review what data has been collected. Delete any stored voice recordings.

Month 2: If your household has smart toys that your children have outgrown, factory-reset them before donation or disposal. Check whether the associated app is still installed on any phone and revoke its permissions before uninstalling.

Month 3: Before the next gift-giving season, apply a simple pre-purchase check to any connected toy on your list: search the product name plus “privacy” or “security researcher,” read the resulting coverage, and check whether the toy requires account creation. If the answer is yes and the data practices are not clearly disclosed, consider alternatives.

Frequently Asked Questions

Is Amazon Kids+ (FreeTime) safe for children’s tablets?

Amazon Kids+ is substantially more transparent than most connected toy platforms: its data practices are disclosed in reasonably clear language, and the Parent Dashboard provides access to collected data. The question of whether behavioral profiling of children’s reading and viewing habits is appropriate is a values question beyond safety. For families comfortable with Amazon’s data practices generally, Kids+ represents a better-disclosed option than most alternatives.

My child’s connected toy was recalled — is our data still out there?

Recall applies to the physical product, not to server-side data. Your data remains on the manufacturer’s servers unless you explicitly delete it through their privacy portal or submit a deletion request under CCPA (if you are a California resident) or GDPR (if you are in the EU or UK). If the company has gone out of business, the data may have been sold as an asset or deleted — there is typically no reliable way to confirm which.

Do Roblox or Minecraft “toys” (plush figures, licensed accessories) collect data?

Standard plush figures and non-electronic licensed merchandise collect no data. Electronic figures that sync with in-game accounts (such as Skylanders or Lego Dimensions amiibo-style figures) use NFC for near-field identification; they do not contain microphones and do not transmit voice data. The data collection risk in those products is limited to the account linkage.

How do I know if a smart toy is collecting data even when we’re not actively using it?

Use your home router’s traffic or connection log, or a network-wide monitor such as a Pi-hole that logs every device’s DNS queries, to observe outbound connections from the toy’s IP address. Host-based tools like GlassWire only see the traffic of the computer they run on, so they will not show what a toy is doing. A legitimate toy should show minimal or no traffic when idle; persistent outbound connections during quiet periods, especially at a fixed interval, are a flag. Network segmentation (an IoT network) makes this monitoring easier by isolating smart device traffic so it is obvious which devices are the toys.
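The check described above can be automated once you have a connection log. The following is an added example (not code from the article or from any router vendor) that reads a constructed log in a simple five-column layout, keeps only devices on an assumed IoT subnet, ignores local chatter to the router, counts outbound flows during an assumed overnight idle window, and reports the median interval between those flows, since a tight interval indicates a scheduled check-in rather than a child playing. The subnet, idle hours, threshold, and the 203.0.113.0/24 “cloud” addresses are all assumptions of the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumptions for this example: the toys sit on a separate IoT subnet, the
# rest of the home LAN is 192.168.0.0/16, and nobody is playing between
# 22:00 and 06:00. Adjust to match your own network.
IOT_SUBNET = ip_network("192.168.50.0/24")
LOCAL_NETS = [ip_network("192.168.0.0/16")]
IDLE_START, IDLE_END = time(22, 0), time(6, 0)
MIN_IDLE_FLOWS = 4  # one or two flows could be a clock sync or a retry

# Constructed sample connection log in a simple router-export style:
#   timestamp  source_ip  destination_ip  destination_port  bytes_sent
# 203.0.113.0/24 is a documentation range standing in for cloud endpoints.
SAMPLE_LOG = """\
2024-03-02T07:45:10 192.168.50.21 203.0.113.10 443 18230
2024-03-02T07:46:02 192.168.50.21 203.0.113.10 443 22410
2024-03-02T19:30:15 192.168.50.21 203.0.113.10 443 20100
2024-03-02T02:14:03 192.168.50.21 203.0.113.10 443 1630
2024-03-02T02:29:05 192.168.50.21 203.0.113.10 443 1588
2024-03-02T02:44:01 192.168.50.21 203.0.113.10 443 1612
2024-03-02T02:59:02 192.168.50.21 203.0.113.10 443 1590
2024-03-02T03:14:04 192.168.50.21 203.0.113.10 443 1601
2024-03-02T03:29:03 192.168.50.21 203.0.113.10 443 1595
2024-03-02T08:02:11 192.168.50.22 203.0.113.44 443 4100
2024-03-02T20:15:44 192.168.50.22 203.0.113.44 443 5200
2024-03-02T03:00:00 192.168.50.22 192.168.50.1 53 80
2024-03-02T03:05:00 192.168.1.10 203.0.113.99 443 91000
"""


def parse_log(text: str) -> List[dict]:
    """Parse the five-column log into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, sent = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": ip_address(src),
                      "dst": ip_address(dst), "port": int(port), "bytes": int(sent)})
    return flows


def in_idle_window(ts: datetime) -> bool:
    """True if the timestamp falls in the overnight window, which wraps midnight."""
    t = ts.time()
    return t >= IDLE_START or t < IDLE_END


def is_local(addr) -> bool:
    """Destination is on the home LAN (router DNS/DHCP), not a cloud endpoint."""
    return any(addr in net for net in LOCAL_NETS)


def beacon_interval(timestamps: List[datetime]) -> Optional[float]:
    """Median seconds between consecutive flows; None if fewer than two flows."""
    if len(timestamps) < 2:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    return statistics.median(gaps)


def audit_idle_traffic(text: str) -> Dict[str, dict]:
    """Per IoT device: outbound flows to non-local addresses during the idle window."""
    devices = set()
    idle = defaultdict(list)
    for f in parse_log(text):
        if f["src"] not in IOT_SUBNET:
            continue  # laptops and phones on the main LAN are out of scope
        devices.add(str(f["src"]))
        if is_local(f["dst"]):
            continue  # DNS/DHCP to the router is not cloud traffic
        if in_idle_window(f["ts"]):
            idle[str(f["src"])].append(f)
    report = {}
    for dev in sorted(devices):
        flows = idle.get(dev, [])
        report[dev] = {
            "idle_flows": len(flows),
            "idle_bytes": sum(f["bytes"] for f in flows),
            "destinations": sorted({str(f["dst"]) for f in flows}),
            "beacon_interval_s": beacon_interval([f["ts"] for f in flows]),
            "flag": len(flows) >= MIN_IDLE_FLOWS,
        }
    return report


if __name__ == "__main__":
    for dev, r in audit_idle_traffic(SAMPLE_LOG).items():
        status = "FLAG" if r["flag"] else "ok"
        print(f"{dev}: {status}, {r['idle_flows']} idle flows, {r['idle_bytes']} bytes, "
              f"every ~{r['beacon_interval_s']}s to {r['destinations']}")
```

In the constructed log the toy at .21 phones home every fifteen minutes overnight and is flagged, while .22 only talks to the router’s DNS at night and passes. A flagged device is not proof of audio upload; a small, fixed-period flow is typical of a firmware or status check-in, whereas large idle-hour transfers are the pattern worth asking the manufacturer about. Export your router’s log to the same five columns to run this against real traffic.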

What should I tell my child about why their toys talk to the internet?

Age-appropriate honesty works well here. For children 6–10: “When you talk to this toy, it sends your words to a big computer to figure out what to say back. That computer saves what you said for a while.” This is accurate, demystifying, and introduces the concept of data transmission without being frightening.


About the author

Ricky Flores is the founder of HiWave Makers and an electrical engineer with 15+ years of experience building consumer technology at Apple, Samsung, and Texas Instruments. He writes about how kids learn to build, think, and create in a tech-saturated world. Read more at hiwavemakers.com.

Sources

  1. Federal Trade Commission. (2018). VTech Settlement: Children’s Data Breach. ftc.gov/news-events/press-releases/2018/01/electronic-toy-maker-vtech-settles-ftc-allegations
  2. Federal Trade Commission. (2013). COPPA Rule: Children’s Online Privacy Protection Act. ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa
  3. Pen Test Partners. (2016). My Friend Cayla — A Privacy Disaster. pentestpartners.com/security-blog/my-friend-cayla-a-privacy-disaster
  4. Bundesnetzagentur. (2017). Ban on “My Friend Cayla” doll. bundesnetzagentur.de
  5. Bluebox Security. (2015). Hello Barbie Security Analysis. (archived research)
  6. Context Information Security. (2017). Furby Connect Security Analysis. contextis.com
  7. Electronic Frontier Foundation. (2022). Children’s Tablet Privacy Analysis. eff.org
  8. Which? (2021). Smart Toy Security: Secondhand Device Risks. which.co.uk