Hello Barbie says, “Privacy breach” to plaintiffs in a lawsuit that’s testing the boundaries of security in the Internet of Things age. Mattel ( MAT ), the maker of the interactive doll, is among those being sued on grounds that the doll picks up and records the voices of the children who play with the doll, voices that it uploads and stores without parental consent. The unusual case was filed in December in Los Angeles County Superior Court. Other defendants include San Francisco-based ToyTalk, which partnered with Mattel to produce the doll; and Los Angeles-based Samet Privacy, which does business as the kidSAFE Seal Program that lists, reviews and certifies interactive and online products as compliant with the federal Children’s Online Privacy Protection Act, or COPPA. “The problem is parents and children don’t really know that ToyTalk is going to use their child’s conversation for data mining and other purposes not fully disclosed,” said Steve Teppler of the Abbott Law Group in Jacksonville, Fla. “They say they’ll protect the child of the purchasing parent’s identity, but what about friends’ children?” Abbott Law Group represents the plaintiffs in the case: Ashley Archer-Hayes of Vista, Calif., who bought the doll, and her minor child; and Charity Johnson of Chula Vista, Calif., and her minor child “on behalf of all others similarly situated,” states the suit. The children of Johnson and Archer-Hayes are friends, and they played with Hello Barbie at a Barbie-themed birthday party late last year, the suit says. The suit is one of many dealing with the untapped online frontier that is the Internet of Things, referring to products used in everyday life that are increasingly connected with the Internet and that store information online. These products range from cars to home security systems. On its website, kidSAFE describes Hello Barbie as “the first fashion doll that can have a two-way conversation with girls. The doll features speech recognition and progressive learning features that enable girls to engage with Barbie like never before. Hello Barbie features more than 8,000 lines of dialogue, inspires imagination and storytelling, plays more than 20 interactive games, and tells jokes.” Although Hello Barbie must be registered to activate, and the registration process includes information relating to privacy, plaintiffs argue that Hello Barbie will pick up voices of a child’s friends, and those voices will be uploaded and stored without parental knowledge, let alone consent. Could Hello Barbie Owners Erase The Data? Interactive toys like Hello Barbie are expected to proliferate. How can parents stay informed about the privacy policies of each toy? “That’s the problem,” Teppler said. “What are your choices? You could make the doll only perform with the registered user, but that’s not the way the toy is designed. To comply with COPPA, you’d have to have a waiver for the user of the child’s voice. We don’t know what ToyTalk’s affiliates do with this information.” Teppler raised the possibility that information stored on ToyTalk computers could become discoverable in litigation, for example, if kids start talking about their parents’ activities. “It’s an interesting evidentiary issue,” said Teppler. “The terms of service say the purchasing parents can access the recordings for two years, but can they get them erased? You could deactivate your account, but they would still have the recordings.” Mattel would not make someone available for an interview, but spokesman Alex Clark said in an email, “While we do not comment on pending litigation, I can tell you Mattel is committed to ensuring every product we make meets or exceeds all applicable laws and regulations. In addition, we are confident in the robust data security technology used in our Hello Barbie product.” For its part, kidSAFE has rated Hello Barbie as “COPPA certified.” Ben Warlick, an attorney with Morris, Manning and Martin in Atlanta, says that plaintiffs have an uphill battle to recovery because Mattel and other defendants don’t control how a child uses the toy. “Plaintiffs pointed out suggestions for what Mattel could have done, including notifying parents that the toy should not be used outside the presence of other nonregistered children,” Warlick said. “But I do not think it’s a realistic argument to tell a child not to play with a toy around other kids; that’s hard to do.” Warlick, who co-chairs his firm’s Internet of Things practice group, says that the Hello Barbie case is likely just one of the first of many that will test the bounds of privacy protection in the Internet of Things age. “We started the new practice group because we’re finding that universal notions of privacy and security don’t necessarily translate to the Internet of Things,” he said. Warlick says that an argument can be made that interactive devices should have higher security and encryption features, “but many little battery-powered devices like weather or pet monitors may not have the processing power to run encryption or robust security measures.” Similar suits have been filed against ADP home security systems and Vizio smart TV sets. “It’s a real issue for product developers in this area,” Warlick said, “about what is the right level of security and encryption for these devices.”