Hackable smart toys

If you’re worried about a smart children’s toy which you’ve heard in the press has the potential to be hacked, it’s understandable that you might wish to return it rather than take a risk.

Your first step should be to follow our top tips below to stay safe while you decide whether you would like to return the connected children’s toy and how you go about doing this.

If you bought it recently, it might be easier to return it as an unwanted item - see steps 2 and 3.

But if you bought it a while ago or the retailer’s store returns policy doesn’t allow unwanted-item returns, you could still try to make a claim under the Consumer Rights Act. We outline how to do this in step 4.

Importantly, if you’re concerned a smart children’s toy has actually been hacked and is now compromised, read our advice on how to get a refund, repair or replacement in step 5.

Does my smart toy have security flaws?

If you’re not sure whether your smart toy has inherent security flaws which allow it to be easily hacked, you can check the list of smart toys that Which? has tested and that we think are unsafe.

Please note that we are testing products all the time and that this list is not exhaustive.

We would urge caution if you are considering buying a connected children’s toy and advise reading our tips on how to buy a smart (connected) toy.

If you aren’t convinced a smart toy or connected device will keep your children’s personal information safe, then don’t use it.

1 Top safety tips when setting up a smart toy

If you’ve already purchased one of the toys on our list, or another connected toy, don’t panic. Follow these tips to stay safe.

  1. When setting up the toy for your child, only submit the minimal amount of personal data. This way not too much data is exposed if things do go wrong
  2. Enable any security features that are available (usually in the settings)
  3. Download any available security updates for the app or toy to make sure you’re protected by the most recent security developments
  4. Most importantly, keep an eye on your child when they’re playing with the toy, particularly if the toy can send or receive messages
  5. When they’re not playing with it, make sure you turn it off

2 If you purchased it online recently, act quickly

If you recently bought the potentially hackable toy online and have since become concerned about security flaws which may allow it to be hacked in the future, you may be able to return it.

According to the Consumer Contracts Regulations, your right to cancel an order and get a refund starts from the moment you enter the contract by paying for the item and ends 14 days after your order has been delivered to you, your nominated neighbour or dedicated safe place.

You can notify the retailer within this time frame that you would like to cancel your purchase. After notifying them, you then have a further 14 days to return the item to them.

See our advice on returning unwanted items purchased online for more information.

3 If you purchased it in store, check the returns policy

If you purchased the smart toy in store, check the retailer’s store returns policy to see if you can return unwanted items and how long you have to do this.

Retailers aren’t obliged to accept returns for unwanted items, but if they have it stated in their returns policy, then they must stick to this.

Retailers have become more generous in accepting returns for unwanted items bought in store and tend to extend this generosity further around Christmas time.

Read our advice on how to return items bought in store for more guidance.

4 Make a claim

If you’re unable to return the smart toy you’re concerned about as an unwanted item, you could still try to return it as a faulty good under the Consumer Rights Act.

While it hasn’t been legally determined by the courts as yet that a smart toy with the potential to be hacked due to inherent security flaws is a faulty good, Which? believes that it should be regarded as one and we would encourage you to make a claim.

If a sufficient number of consumers reject a product that doesn’t protect children’s security, then eventually developers and retailers will get the message and do better to safeguard children’s security in the future.

Complain to the retailer that you’ve discovered it is insecure and name the source of this belief (eg a Which? or other press article).

The Consumer Rights Act states that all products must be of satisfactory quality, fit for purpose and as described. So all products - whether physical or digital - must meet the following standards:  

  • Satisfactory quality: Goods shouldn't be faulty or damaged when you receive them. You should ask what a reasonable person would consider satisfactory for the goods in question. For example, you would expect the safety features of a toy for a child to be well considered.
  • Fit for purpose: The goods should be fit for the purpose they are supplied for, as well as any specific purpose you made known to the retailer before you agreed to buy the goods. For example, a smart toy that could be hacked and thereby compromise security would not, in our view, be fit for the purpose of entertaining your child.
  • As described: The goods supplied must match any description given to you, or any models or samples shown to you at the time of purchase.

Use our free template letter to start your claim for a refund, repair or replacement with the retailer for a smart toy you think is faulty by reason of security flaws. Once again, this point has not as yet been determined by the courts, but we believe consumers have the better argument here.

5 Get a refund, repair or replacement

If you believe your smart toy has been hacked and is now compromised, you should return it to the retailer and ask for a refund, repair or replacement. You should also keep written details of the potential breach and the impact it has had, in the event that you choose to make a separate data protection claim against the manufacturer.

If you are no longer in control of the toy and it is no longer safe for your child to play with it, then in our view the smart toy is no longer fit for the purpose it was supplied for.

A product not fit for purpose is regarded as a faulty good under the definitions of the Consumer Rights Act, which states that all products must be of satisfactory quality, fit for purpose and as described.

We can help you make a tailored letter to send to the retailer.
