Question to the Department for Digital, Culture, Media & Sport:

To ask Her Majesty’s Government, further to the Written Answer by Lord Price on 6 March (HL5447), what assessment they have made of concerns for child security and privacy presented by the marketing of My Friend Cayla dolls in the UK.

The Government is aware of reports that some internet-connected children’s toys potentially pose a risk in terms of cybersecurity. As with all internet connected devices, the quality of these products varies.

The cyber security of the UK is a top priority for the Government. Manufacturers of internet-connected devices should ensure those devices have appropriate security measures built in and seek to ensure emerging technologies are secure by default.

Where internet-connected products are collecting personal data, organisations that process that personal data in the UK must comply Data Protection Act’s (DPA) eight data protection principles.

These include requiring personal data to be processed fairly and lawfully; to be accurate and up-to-date; not to be kept for longer than is necessary; and to be processed in accordance with the rights of the data subjects under the DPA. Failure to comply with the Act is an offence. Further information about these obligations can be found on the ICO’s website at:

https://ico.org.uk/for-organisations/guide-to-data-protection/