In the wake of the holiday season, it seems that even toys are not immune from privacy and security pitfalls. Two “connected” toys, Genesis Toys’ My Friend Cayla and i-Que robot, have been accused of violating U.S. and European privacy, security and advertising laws.

The toys at issue provide children with an interactive experience via a microphone, speech recognition software, the internet, and speakers. The toys are able to verbally interact with children, play games, make jokes, and more. While children interact with the toys, much of the interactions are recorded and subsequently shared with third parties.

On December 6, 2016, public interest organizations in the United States and the European Union (EU) submitted complaints to the Federal Trade Commission (FTC) and the EU Data Protection Authorities (DPAs) alleging a number of privacy and security weaknesses. For example, the complaints include allegations stemming from the toys’ alleged failure to obtain consent from parents for the processing of minors’ personal data as well as allegations that the toys’ weak security safeguards allow the toys to be easily hacked.

While “connected” toys may offer state-of-the-art play experiences for children, they have been a hotbed of complaints related to privacy and security and as such, thoughtful attention to consumer protection obligations is undoubtedly necessary for manufacturers of “connected” products.