Data Breaches Put Spotlight on Growing Threats to Kids' Data Privacy
"Any time a child is creating data on a device, security should be the default on Day One," he said. "Any consumer that is using a device or a technology or a Barbie Doll—certainly me (the company) as the custodian of the data—should give the parent the ability to protect the data." Mobile devices and the proliferation of apps aimed at kids add another layer of complexity. In a study of some 13,500 Android mobile applications, a research group at the University of California, Riverside found that almost 9 percent connected to Websites known to serve malicious code and nearly three-quarters connected to Websites containing material not suited for children. Children do not have the skepticism to operate online and protect their privacy, and choices made during childhood could be stored by unethical companies for a lifetime, said Ted Collins, chief technology officer of kid-focused entertainment firm Playrific. "Anything you put online is a digital tattoo; it never goes away," he said. People think they "can post a photo on Snapchat, because it goes away. Wrong, other people are scraping the site and saving those pictures."Also, unlike the European Union, the United States has a patchwork of laws regulating data protection, with different laws for health care, education, business and financial sectors, Alex Bradshaw, the Ron Plesser Fellow with Center for Democracy and Technology, told eWEEK. "There is not a law for everything and no law for every sector," she said. "I wish we had a basic standard for U.S. privacy laws to make it easier for companies and better for consumers." To some degree, technology can help fill the gaps left by policy and enable greater control of data, Gemalto's Hart said. Pervasive encryption and the use of private keys, where only the parent has a key that can unlock the child's data, could allow parents to effectively delete their children's data and be confident that no one can access the information. "We can delete the key, and then the data is deleted," he said. "When I sign up any manufacturer now, surely, they can say, OK, do you want to own the padlock to the account?" In addition, consumers need to be given more notification, Hart said. Just like nutrition labels or UL certification, toys and other products that pass data to the Internet should have a label that states what data they communicate and how that data is secured, he said. "It's a long way to get there, but to be honest, with the acceleration of IOT, we need it right now," he said.
The Children's Online Privacy Protection Act (COPPA) has good defenses in place to protect children, but for the most part is aimed at online service providers. While protecting children's privacy is mandated by laws in the United States, the European Union and other jurisdictions, it is not clear whether the laws will necessarily apply to VTech, which is based in Hong Kong, Collins said.