Skip to content
✨ Feature

Smart Toy Privacy: What UK Parents Need to Know in 2026

β€’AIToys Editorial Teamβ€’13 min read
Smart Toy Privacy: What UK Parents Need to Know in 2026

Affiliate disclosure: AIToys.co.uk earns a commission on qualifying purchases made through links on this page, at no extra cost to you.

Your child's new AI robot toy is impressive β€” it recognises their voice, remembers their name, adapts to their learning style, and keeps them entertained for hours. But have you ever stopped to wonder: where does all that data go?

Smart toys and AI-powered robots are no longer simple electronic gadgets. They're connected devices with microphones, cameras, Wi-Fi modules, and cloud processing capabilities. In 2026, the line between "toy" and "IoT device" has all but disappeared β€” and that raises serious questions about child data privacy.

This guide explains exactly what smart toys collect, what UK law requires, which products have raised red flags, and practical steps to protect your family without giving up the benefits of educational tech.

What Data Do Smart Toys Actually Collect?

The answer varies significantly by product, but here's what the most common AI toys and connected robots collect:

Voice Data

Any toy with a microphone and voice recognition β€” from Amazon's Echo Dot Kids to interactive AI companions like Miko 4 β€” records audio. The question is: what happens to those recordings?

  • Some toys process voice locally (on-device) β€” much safer
  • Others stream audio to cloud servers for processing
  • A few store voice recordings indefinitely, potentially for AI training purposes

Behavioural & Usage Data

AI toys that adapt to your child are tracking their behaviour to do so. This can include:

  • Which activities your child engages with most
  • How long they play each session
  • Learning progress and assessment results
  • Location data (in GPS-enabled toys or through home Wi-Fi triangulation)

Personal Information

At account creation, most connected toys collect:

  • Child's name and date of birth
  • Parent's email address
  • Home Wi-Fi network details (SSID)
  • Device identifiers (MAC address, IP address)

Camera Data

Toys with cameras β€” like some iterations of the Cozmo robot and many drone products β€” can capture images and video. The data retention policies on this vary dramatically.

UK Law: What Protection Does Your Child Have?

The UK has among the strongest child data protection laws in the world. Here's what applies to smart toys sold in Britain:

UK GDPR and the Data Protection Act 2018

Under UK GDPR, children's data is classified as requiring heightened protection. Companies must:

  • Use plain, child-friendly language in privacy policies when children are the primary users
  • Obtain verifiable parental consent for processing children's data (under 13)
  • Minimise data collection to only what's strictly necessary
  • Provide easy mechanisms for parents to request data deletion

The reality: Many toy manufacturers technically comply with these rules while burying important details in lengthy privacy policies. Reading the small print matters.

The Children's Code (Age Appropriate Design Code)

Introduced in 2021 and enforced by the ICO (Information Commissioner's Office), the Children's Code is a game-changer. It applies to any online service "likely to be accessed by children" β€” which now includes connected toys.

Under the Children's Code, toy makers must:

  • Set privacy settings to the highest level by default for child users
  • Not use "nudge techniques" to push children towards less private settings
  • Not process children's data in ways detrimental to their wellbeing
  • Not profile children for commercial purposes (such as targeted advertising)
  • Provide "prominent and accessible" tools for parents and children to exercise their rights

The ICO has already taken enforcement action against several technology companies under the Children's Code. It's not just guidelines β€” it has real teeth.

PECR (Privacy and Electronic Communications Regulations)

These rules govern cookies and online tracking. Any toy that connects to a website or app must comply β€” meaning they can't use tracking technologies on children without consent.

Smart Toys That Have Raised Privacy Concerns

Not every toy maker has got this right. Here are notable cases that should inform your buying decisions:

CloudPets (2017 β€” Historical Warning)

The CloudPets connected stuffed animals case remains a cautionary tale. The company stored over 800,000 account credentials and 2 million voice recordings in an unsecured MongoDB database β€” and the data was discovered and held for ransom by hackers before being deleted. The company went bankrupt, but the recordings were already exposed. This demonstrates that a toy's charm means nothing if the backend security is poor.

VTech Data Breach

In 2015, toymaker VTech suffered a major breach affecting 5 million parents and over 200,000 children. The stolen data included children's names, genders, birthdays, and photos. VTech was fined $650,000 by the US FTC. More recently, their data handling practices have improved β€” but the case highlights the risk of accumulated children's data.

Cayla Doll (Germany, banned 2017)

Germany's Federal Network Agency banned the "My Friend Cayla" doll outright, classifying it as an illegal covert surveillance device. The doll connected to the internet via Bluetooth, transmitting conversations to a third-party server. Any Bluetooth device within 10 metres could have accessed the conversations. The UK took no such action, but the case shows how dramatically different regulatory approaches can be.

Amazon Echo Dot Kids (Ongoing scrutiny)

In 2023, Amazon was fined $25 million by the US FTC for retaining children's Alexa voice data indefinitely, even after parents requested deletion, and for allowing employees to access children's voice recordings. Amazon has since updated its practices, and the UK version now includes stronger parental controls β€” but it's worth reviewing your settings carefully.

Rating the Privacy Practices of Popular AI Toys

Here's how some of the most popular AI toys on the UK market handle privacy, based on their published policies and independent security research:

🟒 Better Privacy Practices

BBC micro:bit V2 No internet connection, no data collection. The micro:bit stores code locally and operates entirely offline. It's about as private as a toy can get. Perfect for younger children or privacy-conscious families.

Edison V3 Robot Similarly offline-first. Edison connects to a computer for programming but doesn't require an account or internet connection during play. No data leaves the device.

Sphero BOLT Sphero collects usage data and requires an account, but their privacy policy is clear about what's collected, data isn't sold to third parties, and EU/UK GDPR compliance is explicitly stated. Their privacy dashboard lets parents review and delete data.

🟑 Use With Caution

Miko 3 and Miko 4 Miko robots are voice-activated and AI-powered, which means significant cloud processing. Miko collects voice recordings, usage patterns, and learning data. They are COPPA and GDPR-e compliant, but the amount of data collected is extensive by nature of the product. The companion app gives parents visibility, but requires active engagement to review settings.

Loona Robot Dog KEYi Technology, Loona's maker, is a Chinese company β€” which raises additional questions about data sovereignty under UK law. Their privacy policy covers GDPR compliance for EU/UK users, but the Chinese parent company's data access policies are less clear. Works fine without cloud features enabled; consider limiting connectivity.

Amazon Echo Dot Kids Extensive parental controls via the Alexa app, but Amazon's ad-tech ecosystem means your child's usage patterns could inform broader Amazon product recommendations. Disable interest-based ads in parent dashboard settings.

πŸ”΄ Research Before Buying

Any toy from an unknown manufacturer with poor English documentation, no clear UK/EU contact address, or a privacy policy that doesn't mention GDPR should be approached with significant caution. This is particularly common with unbranded toys sold via Amazon Marketplace or AliExpress.

7 Practical Steps to Protect Your Child's Privacy

You don't have to choose between educational AI toys and your child's privacy. Here's how to have both:

1. Read the Privacy Policy (Yes, Really)

Look specifically for:

  • What data is collected
  • Whether voice recordings are stored, and for how long
  • Whether data is shared with or sold to third parties
  • Whether the company complies with UK GDPR and the Children's Code
  • How to request data deletion

If a privacy policy is under 500 words, it's probably not telling you everything. If it doesn't mention GDPR or the Children's Code at all, that's a red flag.

2. Check the ICO Register

The Information Commissioner's Office maintains a register of organisations that process personal data. You can search at ico.org.uk/esdwebpages/search. If a UK-selling toy company isn't registered β€” and they should be if they're collecting personal data β€” that's a serious concern.

3. Prefer Offline or Limited Connectivity Toys for Younger Children

For children under eight, consider whether the cloud-connected features are genuinely necessary. The BBC micro:bit, Edison V3, Botley 2.0, and Snap Circuits Jr all deliver excellent STEM education with minimal or zero data collection.

Parent tip: Many "smart" features in AI toys β€” adaptive difficulty, personalised content β€” can actually be achieved with good game design rather than cloud AI. Don't assume more connectivity means better learning outcomes.

4. Create a Dedicated Child Account, Not a Family Account

Where an account is required (Miko, Sphero, etc.), use a dedicated child email address rather than your own. This limits what data is linked back to your personal digital identity. Use a strong, unique password.

5. Use Your Network-Level Controls

Your home router may support features that limit what connected devices can access:

  • Guest network: Put smart toys on a guest Wi-Fi network, isolated from your main devices
  • Parental controls / DNS filtering: Block known data brokers and ad trackers at the router level
  • Scheduled access: Restrict internet access to toys to specific hours

6. Exercise Your GDPR Rights

Under UK GDPR, you have the right to:

  • Access: Request a copy of all data held about your child
  • Erasure: Request deletion of your child's data (the "right to be forgotten")
  • Rectification: Correct inaccurate data
  • Restriction: Limit how data is processed

Every legitimate UK toy company must honour these requests within one month. The ICO provides template letters you can use.

7. Regularly Review and Delete Old Data

Set a reminder every six months to log in to the apps associated with your child's toys and:

  • Delete old voice recordings (Miko, Alexa)
  • Clear learning history you no longer need
  • Check whether privacy settings have reverted after an app update (this happens more often than it should)

What to Look for When Buying: A Privacy Checklist

Before adding an AI toy to your basket, ask these questions:

QuestionGreen FlagRed Flag
Where is the company based?UK, EU, US (FTC oversight)Unknown / no UK contact
Is there a clear privacy policy?Yes, easy to find, mentions GDPRNone, or vague/generic
Does it need an account?Optional, or required but with clear data rightsRequired, no data rights mentioned
Where is voice/data processed?On-device, or EU/UK serversUnknown servers
Can I request data deletion?Yes, simple process documentedNot mentioned
Any known data breaches?Clean recordBreach history with poor response
ICO registered (if UK company)?YesNot registered

The Bigger Picture: Privacy as a Feature, Not an Afterthought

The best toy manufacturers are beginning to treat privacy as a competitive advantage, not a compliance burden. Parents are increasingly aware of these issues β€” and choosing accordingly.

In the UK, the ICO's enforcement of the Children's Code has already resulted in major platforms overhauling their child-facing products. We expect that pressure to increasingly extend to connected toys as the regulator's attention broadens.

For now, the safest approach is informed buying. AI toys and coding robots can deliver genuine educational value β€” the evidence for STEM play is compelling β€” but parents who do five minutes of privacy research before buying are far better placed than those who simply trust the packaging.

The good news: many of the best educational toys in this space, from Edison V3 to BBC micro:bit, are also the most privacy-friendly. Offline-first design and strong privacy practices aren't in conflict with excellent educational outcomes. Often, they go hand in hand.

Frequently Asked Questions

Are smart toys listening all the time? Only if they have a microphone and are connected. Voice-activated toys (like Amazon Echo Dot Kids or Miko) use a "wake word" and are technically always listening for that trigger, though they should only record and transmit audio after the wake word is detected. Offline toys with no internet connection cannot listen at all.

What does the UK law actually require toy companies to do? Under UK GDPR and the Children's Code (ICO), companies must obtain verifiable parental consent for under-13s' data, minimise what they collect, set privacy to high by default, not profile children for advertising, and honour data deletion requests within one month. Violations can result in fines of up to 4% of global annual turnover.

Can I make a complaint about a toy company's data practices? Yes. If you believe a company is mishandling your child's data, you can complain directly to the ICO at ico.org.uk. Complaints are free and the ICO can investigate and take enforcement action.

Which AI toys collect the least data? Offline and screen-free toys collect virtually no data: BBC micro:bit, Edison V3, Botley 2.0, Snap Circuits Jr, and Ozobot Evo are all excellent choices for privacy-conscious families. Among connected AI companions, Sphero has among the more transparent data practices in the space.

Is it safe to let my child use voice-activated toys? Generally yes, if the toy is from a reputable manufacturer with clear GDPR compliance and parental controls. The risk is not zero, but it's comparable to allowing children to use a tablet or smart speaker. Review your privacy settings when the toy is set up, and revisit them every few months.

For more help choosing the right tech toys for your family, see our AI Toys Buying Guide 2026, our roundup of Best Screen-Free Coding Toys, and our Are AI Toys Safe? feature.

Our Top Pick for Privacy-Conscious Families

If you want a brilliant coding toy with zero data collection concerns, the BBC micro:bit V2 is our top recommendation. No account required, no internet connection, no data collected β€” just pure hands-on coding education.

Related Articles

Are AI Toys Safe for Children? A Parent's Complete Guide

Best AI Robot Toys for Smart Kids in 2026

How AI Toys Are Changing the Way Children Learn