The tale of Charlotte and Roby

Charlotte, covered in a scarf and coat, makes the tiresome trip to the city's department stores shortly before Christmas Eve in order to run the last errands in the name of Santa Claus. Her gaze encounters oversized shelves piled high with toys of all kinds, secretly mocking her poor planning. If only she had done all this sooner, she grumbles quietly to herself. Her sleepy eyes widen when they discover a talking robot named Roby who can tell jokes and help the children waiting anxiously at home with their next drawing lesson. "Smart toy, now with even more features" is written in big colorful letters on the plastic packaging. Wiping away the beads of sweat on her forehead, Charlotte meanders to the checkout to put her children's new best friend on the conveyor belt just before the store closes.

Unsurprisingly, the train on the way home is largely empty, so she quickly finds an open seat. Just as she is making herself comfortable by the cool window glass, the term "smart toy" suddenly comes back to Charlotte's mind. Now that she thinks about it, she doesn't really know what it actually means. She pulls out her smartphone and starts searching for answers. So, smart toys can react to the behavior of their users through their integrated software, she reads. A distinction can be made between disconnected and connected smart toys. Disconnected toys perceive the activities of people playing with them by means of sensors, microphones and cameras and react independently through their implemented software. They have no connection to an external server. Connected toys, on the other hand, are very much capable of linking up with other devices or Internet-based platforms. The data they collect is sent to external servers for processing. In addition to the smart robot Roby, intelligent toys include learning tablets, dolls, intelligent pacifiers and audio boxes. Left wondering about all this new technology, Charlotte puts her phone in her coat pocket and steps off the train into a surprisingly mild December night.

On arrival at home, she sneaks the gift she bought at the last minute under the lavishly decorated Christmas tree, where it is removed again a few hours later by impatient children's hands. Now the time has come to make Roby actually smart. To do this, the toy must be charged and then connected to an available Wi-Fi network and to the associated app on her smartphone. As Charlotte has learned, this is why it is a connected smart toy. To complete the process, all that's left is to enter the children's names, ages, genders and hobbies for personalized content. Done, Charlotte thinks to herself, leans back and falls asleep to the glow of electric candlelight.

The next morning, she is awakened by the tinkling sound of a push message popping up. Her eyes, still squinted from fatigue, read a single line of text on the large smartphone screen: the audio recordings are now ready for listening. Puzzled, she opens the app and discovers, to her horror, that audio tracks of her children playing with robot Roby have been stored in the app. Feeling uneasy about the matter, she searches the Internet for information. With each additional link clicked, the harmless-looking robot and his kin turn increasingly into little spies. First and foremost, Cayla, a smart doll from the company Genesis, caused a stir when it was banned by the German Federal Network Agency in 2017. It is a toy that poses the risk of secret image and sound recordings due to its broadcasting capability and hidden camera and microphone. More generally, such devices can have serious security vulnerabilities. Taking advantage of them requires neither hacking skills nor physical control over the toys. If there are dangerous persons near the device, a simple, unsecured Bluetooth connection is sufficient to get in contact with the children.

Charlotte deletes the recordings, shaking her head. She looks over to the charging station and wonders what other data her clever friend is collecting. A cup of coffee later, Charlotte realizes that there is quite a lot. In addition to the names, ages and genders entered yesterday, the long list of data also includes the name of the smartphone provider, the smartphone ID, the device's location, pictures, and the children's play and usage behavior. Charlotte thinks to herself that this can't simply be lawful. She knows from newspaper articles about high fines that the GDPR applies in the EU. But what is it all about? Well, here it is: GDPR stands for the General Data Protection Regulation. It has applied since May 25, 2018 and ensures that natural persons are protected when their personal data is processed. Personal data is all information that relates to identified or identifiable natural persons. In my case, that would have to be the name, age and gender of the children as well as the smartphone ID, the location of the device, image and sound recordings and usage behavior, Charlotte thinks to herself. But in order for this data to be processed, she reads, the users' consent is required.

Charlotte is about to close the website when she notices a strange combination of letters on the left-hand side of the screen: TTDSG. The link leads her to a YouTube video that translates TTDSG as Telecommunications Telemedia Data Protection Act. This law has been in effect across Germany since December 2021 and protects the privacy of terminal equipment, meaning those devices that communicate via public telecommunications services. These services include LAN, Wi-Fi and LTE, among others. Charlotte remembers connecting her smart friend to her apartment's Wi-Fi during the installation process. This means that her smart gaming robot is also worth protecting. In addition, smart washing machines, security cameras, smart watches and many other connected devices are included in the terminal equipment protection. Protection means, the video's computer voice goes on to explain, that no information may be stored on or collected from end devices without the users' consent.

Consent, that word again. It seems to be very important in the context of smart devices. Yet she can't even remember giving her consent to the collection and processing of the data. Obtaining consent, it booms from her smartphone, requires an internally or externally implemented technical solution that is integrated into the manufacturer's device. The process of obtaining, enforcing and managing consent is called consent management. Consent screens can be used to make a separate decision about each individual service. A service means the purpose of data processing and can include marketing, statistics or optimization. The integrated solution ensures that only the data selected by the user is sent to the company. I'd like that, Charlotte thinks to herself, puts her smartphone away and reaches for the last chocolate treat in the lower right corner of the Christmas tree.

APOCRAT offers a consent management platform that makes it easy for Charlotte's wish to come true. APOCRAT's platform relieves smart home companies of the tedious process of obtaining, enforcing, managing and reporting consent for all product categories (toys, wearables, security, entertainment, appliances) through a software-as-a-service solution. This saves internal resources, avoids penalties and builds trust with customers. For more information, please contact us using the information below or visit our website.


Partner & Sales Manager: Alexander Jürgens
E-Mail: office@apocrat.at
Mobile: +43 676 4025255