Smart Toy Privacy UK 2026: What Parents Need to Know

Smart toys — connected dolls, AI robots, voice-activated playmates, and app-linked gadgets — are now a mainstream part of childhood. But with connectivity comes data collection, and many parents have legitimate questions about what these toys actually know about their children, where that information goes, and how well it's protected.

This guide explains what UK parents need to know about smart toy privacy in practical, straightforward terms.

What Data Can Smart Toys Collect?

Not all smart toys collect the same types of data, and many collect far less than parents fear. Understanding the different categories helps you assess any specific toy accurately.

Voice and Audio Data

Toys with microphones — including voice-activated assistants, walkie-talkie style toys, and AI conversational toys — may record and transmit audio. The key questions are:

• Is audio processed locally on the device, or sent to remote servers?
• Is audio stored after processing, or immediately deleted?
• Who has access to stored audio data?

Some toys process voice commands locally (no data leaves the device). Others send audio to cloud servers for processing, which is where privacy concerns become more significant.

Location Data

GPS-enabled toys and companion apps may collect location data. This is most common in smartwatches for children, tracking devices, and some outdoor play gadgets. Location data is among the most sensitive types, as it can reveal home addresses, schools, and daily routines.

Behavioural and Play Data

App-connected toys often collect data about how, when, and how long a child plays — which games they choose, how quickly they progress, which features they use. This data is typically used for product improvement but may also be shared with third parties.

Personal Information

During account setup or app registration, parents are often asked for:

• Child's name and age
• Parent email address
• Payment information (for subscriptions)
• Device identifiers

Some toys ask for additional information like a child's photo or voice sample for personalisation features.

UK Legal Protections: What the Law Says

UK GDPR and the Children's Code

Since Brexit, the UK operates under UK GDPR rather than EU GDPR, but the protections are substantively equivalent. Crucially for children's toys, the UK Children's Code (formally the Age Appropriate Design Code) came into effect in 2021 and places specific requirements on digital services likely to be accessed by children under 18:

• Privacy by default: Privacy settings must default to high, not low
• Data minimisation: Only data strictly necessary for the service may be collected
• No nudge techniques: Services cannot use manipulative design to encourage children to share more data
• Profiling restrictions: Children's data cannot be used for profiling for marketing purposes
• Geolocation off by default: Location tracking must be switched off by default

Any connected toy sold in the UK or marketed to UK children should comply with these requirements. The ICO (Information Commissioner's Office) enforces the Children's Code and has the power to issue significant fines.

COPPA (US Law — Still Relevant)

Many popular smart toys are made by US companies and originally designed to comply with COPPA (Children's Online Privacy Protection Act). COPPA requires verifiable parental consent before collecting data from children under 13. While COPPA is US law, it often applies to US companies' products sold internationally. UK parents benefit from COPPA protections when using US-made toys, in addition to UK GDPR.

What This Means in Practice

If a toy is sold legally in the UK by a reputable company, you can generally expect:

• A privacy policy explaining what data is collected
• Parental consent mechanisms for account creation
• The right to request deletion of your child's data
• Basic security measures for stored data

However, legal compliance doesn't mean zero data collection — it means data collection within defined limits.

How to Assess a Smart Toy's Privacy Practices

Read the Privacy Policy (The Key Sections)

You don't need to read the entire policy. Focus on:

• What data is collected (look for microphone, camera, location)
• Where data is stored (UK/EU servers vs US vs other)
• Who data is shared with (third-party partners, advertisers)
• How long data is retained
• How to request deletion

If the privacy policy is missing, inaccessible, or written entirely in legalese with no plain-language summary, treat this as a red flag.

Check the App Store Ratings and Privacy Labels

Both the Apple App Store and Google Play now display privacy labels showing what data an app collects and whether it's linked to your identity. These aren't perfect but provide a quick overview before downloading a companion app.

Look for Independent Reviews and Security Research

Organisations like Which? regularly test smart toys for security vulnerabilities and data practices. The ICO website publishes guidance on children's products. Security researchers occasionally audit connected toys and publish findings — a quick web search for "[toy name] privacy" or "[toy name] security" often turns up useful information.

Genuinely Privacy-Conscious Smart Toy Brands

Some brands have built their products with privacy as a genuine design priority:

Toniebox and Tonies: The Toniebox audio player uses NFC-chip figurines (called Tonies) and plays audio content. The device itself has no microphone, no camera, and no internet connectivity for the main device (management is done through the companion app by parents). This is one of the most privacy-respecting connected toy systems available.

Osmo: Osmo's tablet-based learning toys use the device's camera for game interaction but process everything locally. Osmo has a clear, parent-focused privacy policy.

Sphero: The programmable robot range collects minimal data and doesn't require account creation for basic use.

Yoto Player: Similar to Toniebox, uses physical cards for content access with no microphone or camera on the main device.

Red Flags to Watch For

Be cautious if a smart toy or its companion app:

• Requires a microphone for features where one isn't obviously necessary
• Asks for a child's photo, voice sample, or detailed personal information
• Has no clearly accessible privacy policy
• Connects directly to social media platforms
• Is made by a company with no clear UK or EU presence or address
• Has poor or no security update history
• Requires account creation without parental consent mechanisms

Practical Steps for Parents

• Register and set up toys yourself before giving to your child — review all settings and privacy choices before your child starts using the device.

• Use a separate email address for children's toy accounts — this limits exposure if there's ever a data breach.

• Connect toys through your home Wi-Fi, not guest networks or mobile hotspots — your home router gives you more visibility and control.

• Check for firmware updates — toy manufacturers patch security vulnerabilities through updates. Enable automatic updates or check regularly.

• Review what's connected to companion apps periodically — revoke any permissions that seem unnecessary.

• Know how to delete your account before you buy — if you stop using a toy, you should be able to request deletion of all associated data.

• Explain data to older children — children aged 8 and up can begin to understand why personal information matters and how to make smart choices online.

Conclusion

Smart toys in the UK in 2026 are significantly better regulated than they were five years ago, and the majority of reputable brands comply with UK GDPR and the Children's Code. However, "legally compliant" isn't the same as "minimal data collection," and parents who care about privacy should take a few minutes to research any connected toy before purchasing.

The safest smart toys are those designed for minimal connectivity — like Toniebox or Yoto — while still delivering excellent child-oriented experiences. For toys with more connectivity, the key questions are always: what data is collected, where does it go, and how is it protected?

Asking these questions, and choosing brands with clear, honest answers, is the most effective thing UK parents can do to protect their children's privacy in a connected world.