Taking inspiration from Apple’s Siri, Mattel alongwith its technology partner ToyTalk, launched Hello Barbie this year. The Barbie, available through online purchase, is a wi-fi enabled, interactive doll, equipped to hold a conversation at the press of a button on its belt. The audio files processed over the internet makes the experience an interactive one. The doll has become a subject of controversy after a security expert based out of the U.S. declared that on hacking the Hello Barbie system, he managed to procure wi-fi network names, MP3 files and account IDs which could be traced back to someone’s home. Several consumer groups have protested the sales of the Barbie emphasizing on the eavesdropping nature of the doll indicating that Mattel’s innovation has not been well received.

 Distinct features of the Doll

Mattel is responsible for manufacturing the doll, and ToyTalk induces the technical nuances into Hello Barbie. The doll uses artificial intelligence and voice recognition software to process children’s questions over the internet to ToyTalk servers, and a pre-recorded response is selected that is generated as Barbie’s words. Downloading the Hello Barbie companion app facilitates the registration and activation of the doll on purchase. The press of a button makes the doll a responsive toy that is capable of interacting with the child. The responses given by Hello Barbie are pre-determined by the parents through a password enabled ToyTalk account, which requires an online registration. Alexandra Saddler in her investigation, reported that the conversations are recorded and stored in the cloud and could be used by the Company anonymously to create more pre-recorded messages.

Surrounding Privacy Concerns:

The interactive doll comes with a memory  because the communication between Barbie and the child is simultaneously recorded. The recorded conversations are accessible by parents and ToyTalk which implies that there are two levels of access to any communication made. The doll employs voice recognition techniques which enables online identification of the child. Such identifiers are protected as personal information under United States’ Children’s Online Privacy Protection Act (COPPA). The right to privacy is however, a subjective right and the extent of expectation of privacy, a child is likely to have, is debatable.

A wi-fi enabled doll with a companion app that requires online registration will generate  information in addition to the child’s conversations with the Barbie. The dolls are mostly purchased by placing an order online which is a definite means to handover a person’s address. Irrespective of the mode of purchase, the company has legitimate access to wi-fi name being used, the name of the user; the mobile number used for accessing the online companion application, and other information which can be traced back to one’s home in which Hello Barbie resides. The collected data is processed, stored and shared by the company with third parties and transferred to other countries, as indicated in ToyTalk’s privacy policy.

Protected data is increasingly losing ground in the name of commercial exchange of information by conglomerates. Transfer of data in the U.S., is seen as a necessity for fostering free flow of information. Obtaining access and transferring data through a child’s toy might however be taking it too far.

Mattel’s attempts to assuage privacy concerns:

Parents of the kids who own the Barbie are not only granted access to the conversations between their kid and the Barbie, they also have the option of deleting recorded conversations from ToyTalk’s database through the ToyTalk account. Hello Barbie uses an encryption security feature to protect consumers’ privacy and security at the time of processing communications over the Internet. Mattel claims that these safeguards are sufficient to ensure that the parents remain the sole gatekeepers of the communication and the recorded data. ToyTalk also assertively mentions in its privacy policy that the recordings will not be shared with Mattel.

Analyzing ToyTalk’s Privacy Policy:

A cursory reading of the  Privacy Policy attached to ToyTalk gives an insight into how the company intends to handle the collected data. ToyTalk admits that the communication may constitute personal information within the meaning of the Children’s Online Privacy Act:

“we cannot prevent children from providing personal information when they talk with Hello Barbie, and such information may be captured in the Recordings. However, it is our policy to delete such personal information where we become aware of it and we contractually require our service providers to do the same.”   

Further, the Policy explicitly states that: “we may store and process personal information in the United States and other countries”, and adds that subject to COPPA requirements, the information will be shared with third parties for a list of purposes. Commercial exchange of information is generally permitted in the name of customized services to customers and developing statistics for company’s review. The clause however, doesn’t restrict processing of data to within the country, which is a cause for concern since not all countries are equipped to handle and process data while safeguarding privacy.

With respect to flow of data transcending the U.S. borders, the privacy policy reads: “If information is shared in accordance with privacy policy, it may be disclosed to overseas recipients….including countries that do not have laws that protect personal information in the same manner as countries within the European Economic Area.”

With the recent ECJ ruling in Schrems, the safe harbour clauses guaranteed by the U.S. have been declared inadequate for ensuring protection of data. Against this backdrop, attempts to export data carries with it, possibilities of privacy breaches. COPPA in regard to Hello Barbie, stands as a thin piece of legislative buffer for trading information within the country. However, it cannot be overstated that since the doll can be purchased online, countries which do not have similar regulatory structures are bound to be at a more vulnerable state.