Connected toys (Wi-Fi/Bluetooth): privacy and security for parents

What are "connected toys" (and why do they require more care)?

Connected toys are those that communicate with:

  • a cell phone/tablet via Bluetooth

  • the Internet via Wi-Fi (or through the app)

Some also include a microphone, speaker, camera, GPS, or a cloud service.

This brings benefits (activities, updates, personalization), but it also means personal data is involved and introduces digital risks.

Data protection authorities have already published specific guidelines for this type of product, because they can collect data and even capture information from third parties in unpredictable ways.


Before you buy: 10 essential questions (buyer checklist)

  1. Does it work without internet? (offline mode)

  2. Do you really need a microphone/camera? (fewer sensors = less risk)

  3. Does the brand provide regular updates?

  4. Does the app request too many permissions? (contacts/location without reason)

  5. Are there parental controls (PIN, profiles, limits)?

  6. Is it possible to erase data and reset settings?

  7. Does it clearly explain where the data is stored (mobile phone vs. cloud)?

  8. Is the Bluetooth pairing secure (PIN / confirm on screen)?

  9. Does it have CE certification and clear documentation/instructions?

  10. Is there genuine customer support (PT/EN) and an accessible privacy policy?


Secure setup in 15 minutes (step-by-step)

Step 1: Create a “digital environment” for the child.

  • If your router allows it, use the guest Wi-Fi network for toys/IoT only.

  • Avoid connecting toys to the main network where you have computers and work data.

Step 2: Install the app and limit permissions.

On your cell phone:

  • Disable location services if they are not needed.

  • Block access to contacts/photos if it doesn't make sense.

  • If there is a microphone/camera, activate it only when you are using it.

Step 3: Change passwords and disable "default" settings.

If the toy/app creates an account:

  • Use a strong password.

  • Enable 2FA if it exists.

Step 4: Update firmware/app

Updates fix flaws. The ETSI EN 303 645 standard (European reference for consumer IoT security) specifically addresses basic requirements to reduce common flaws and improve data security and protection.

Step 5: Review recordings and data

If the toy records voice/image:

  • Check where it is stored.

  • Clear the history periodically.

  • Disable automatic recording, if available.
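
For Step 2, an added example (not part of the original guide): a short Python check that reads the permission listing Android prints for an app and reports sensitive permissions that are granted but not explained by a feature the toy has. The sample text is constructed and only shaped like `adb shell dumpsys package <app id>` output, whose exact layout varies by Android version; the `toy_features` parameter is a hypothetical input describing the toy.

```python
import re

# Permission groups named in this guide, mapped to real Android permission names.
SENSITIVE = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}

# Matches lines such as "android.permission.CAMERA: granted=true, flags=[...]"
GRANT_RE = re.compile(r"^\s*([\w.]+):\s*granted=(true|false)", re.MULTILINE)

def granted_permissions(dumpsys_text):
    """Return the set of permissions the listing reports as granted."""
    return {name for name, state in GRANT_RE.findall(dumpsys_text) if state == "true"}

def audit(dumpsys_text, toy_features):
    """List (group, permission) pairs that are granted but not explained
    by a feature the toy actually has, e.g. {"microphone"}."""
    granted = granted_permissions(dumpsys_text)
    findings = []
    for group, perms in SENSITIVE.items():
        if group in toy_features:
            continue  # the toy has this sensor/feature, so the grant is expected
        for perm in sorted(perms & granted):
            findings.append((group, perm))
    return findings

# Constructed sample (assumption: shaped like dumpsys output, not a real app).
SAMPLE = """\
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    # The toy in this example has a microphone, so RECORD_AUDIO is expected.
    for group, perm in audit(SAMPLE, toy_features={"microphone"}):
        print(f"revoke unless needed: {perm} ({group})")
```

Anything it reports can be switched off in the phone's app permission settings, as described in Step 2.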


What has changed in the EU: stricter cybersecurity requirements for radio equipment

Many connected toys use radio (Bluetooth/Wi-Fi). The EU has cybersecurity requirements linked to the Radio Equipment Directive (RED). Their application was postponed by a regulation that amended the previous delegated act, and they are now effective from August 1, 2025.

What this means for parents (in practice):

  • More pressure on manufacturers to improve security and privacy.

  • However, you still need to go through the checklist and the setup.


And what about the future of toy safety in the EU?

The new Regulation (EU) 2025/2509 will enter into general application from 1 August 2030, with some provisions applying from 1 January 2026.
In practice, the trend is clear: more traceability, more rules for online use, and more focus on connected toys.


Warning signs (best to avoid)

  • App without a clear privacy policy.

  • "Cheap" toy with microphone/camera and no known brand.

  • No updates in a long time.

  • Pairs via Bluetooth “without confirmation”.

  • Requests strange permissions (SMS, contacts, location) for no reason.


FAQ

1) Is a toy with Bluetooth always dangerous?
No. But it requires good practices: secure pairing, updates, and minimal permissions.

2) Which is better: Wi-Fi or Bluetooth?
Bluetooth is usually simpler, but both require setup and control.

3) Can the toy "hear" all the time?
Some may have an active microphone. Check the settings and disable automatic recording.

4) How do I reduce risks without being "technical"?
Guest network + minimum permissions + updates + strong passwords.