Spielwarenmesse: Protecting children in the digital age: what to watch out for with internet­connected toys

Choose language


Datenschutzrichtlinien bei Kindern


Protecting children in the digital age: what to watch out for with internet­connected toys

from Dr. Maximilian Schenk

Digitisation and globalisation have not bypassed children’s rooms. You simply need to visit your nearest toy shop or the toy fair Spielwarenmesse® to confirm this in a big way. Dolls, action figures, remote-controlled cars, model railways: lots of new toys need power and internet connectivity. Consumers are now wondering whether there may be security risks associated with toys being permanently hooked up to the internet, for example. Toy manufacturers and retailers are also required to address the digital security of their toys and let their customers know about this.

The digital revolution in the toy world is no surprise. After all, with mums and dads hardly able to tear their eyes away from their smartphones, kids also want to get their hands on these gadgets and technologies. Such digital shifts are presenting manufacturers of children’s toys with completely new challenges. They must now hire IT people. But more than that, requirements in complex areas such as IT security and data privacy in particular are also increasing.

There can be many pitfalls associated with developing and using the relevant technologies and platforms and these are in no way trivial. A number of data privacy incidents from last year, such as those involving educational learning toy manufacturer VTech and Mattel’s "Hello Barbie", are just some examples of this.

Data privacy: following the lead of the video game industry

Manufacturers of digital toys can take a leaf out of the video game industry’s book somewhat when it comes to this problem. The computer and video game industry has been facing such data privacy challenges since at least the development of online multiplayer games. These challenges have become even greater in recent years. For example, it is no longer sufficient to simply guarantee security on game servers. On the one hand, computer and video games are increasingly downloaded via online platforms nowadays. On the other hand, elements of online social networks are now an important aspect of many games.

As a result of this, many computer and video game companies which sell their games via their own or external online platforms or have created their own community networks have to handle lots of sensitive information relating to their customers. This ranges from socio-demographic data, such as age and gender, and invoice addresses through to credit card information.

It is very important for each individual company in the toy industry as well as the computer and video game industry as a whole that this data be protected. Recurring problems with respect to IT security and data privacy would permanently damage customer confidence in the associated platforms and services, which will continue to gain relevance, and therefore have a strong impact on market development.

Data privacy for children and minors

IT security and data privacy breaches are particularly sensitive when they involve data relating to young adults or even children. So what needs to be watched out for in this respect? The surprising news first: the European Data Protection Directive and its German counterpart have few special provisions for handling the data of minors. In actual fact, the European Data Protection Directive is less strict than, for example, the Child Online Protection Act (COPA) in the US. The age from which minors can decide for themselves how their data is handled by giving consent is an especially relevant question with respect to data privacy laws here.

The German Data Protection Act (Bundesdatenschutzgesetz - BDSG) does not currently define a fixed age limit, but instead provides an abstract mechanism: if the minor has the necessary capacity, then he or she may consent independently. In practical terms, this presents considerable difficulties for companies. After all, how should they establish this using, e.g. an input screen on a website or app?

Therefore, 14 has become the de facto age limit in practice. When in doubt, minors of at least this age may consent independently to their data being used. If the child is younger, however, the consent of a parent or guardian is required. The European Union's new General Data Protection Regulation should improve clarity with regard to this in the future as an age limit of 16 will then apply across Europe. However, Member States may again allow for exceptions in some cases.

When handling the data of minors, it must be ensured that texts aimed specifically at minors can also be understood by them to a sufficient degree, to name just one example. This applies to declarations of consent and privacy statements in particular.

Data privacy principles

Below are the key principles which toy manufacturers should be aware of when handling customer data:

  • Ban subject to permission: According to this principle, companies may not collect, use or save personal data in principle unless the legislator has permitted this as an exception in particular situations or the minor himself permits it by giving consent.
  • Data economy: Companies may only ever collect just as much data as is required to fulfil a particular purpose. For example, completing a participation form for a competition does not mean minors should also have to provide information on hobbies, preferences and similar personal circumstances.
  • Purpose: Even if the company may legally collect and use certain data for a particular purpose, this does not mean that the company may then also use the data for a completely different purpose now that it has it.
  • Transparency: The persons affected must always be able to trace which data a company is using for which purposes and to whom the company is passing on this data where applicable.

Let's talk transparency

Transparency can be achieved online through a legally mandated privacy statement. It is important that the privacy statement clearly indicates to the average reader how their data will be used. The forthcoming EU General Data Protection Regulation already alluded to will offer one interesting approach involving the use of pictograms. To a certain extent, companies can already go a step beyond and document their conscientious handling of data through test and quality seals, thereby signalling to parents that they can trust how data will be dealt with when it comes to products for children and young people in particular.

Companies demonstrate to concerned parents the degree of importance they place on data privacy when they heed these principles relating to data handling, ensure communication is always transparent and understandable and build up data security expertise in-house. Only in this way can the toy industry boost confidence in the digital, internet-connected toys making their way into children’s hands for the long term.

Be the first to know what moves the toy industry! With the play it! online newsletter, you get the latest information on toy trends and innovations, best practice tips from experts as wells as updates on current toy market developments worldwide. Register now!


Author of this article:

Dr. Maximilian Schenk, BIU

Tags in this article:

Related links:


Stay informed with trends and developments of the toy market. Register for one of our newsletter.



Stay informed with trends and developments of the toy market. Register for one of our newsletter.