Jayla, aged 4, plays with a 'My Friend Cayla' doll at Hamleys toy shop in London, England. The doll connects to smart devices using Bluetooth and can interact with users.
Jayla, aged 4, plays with a 'My Friend Cayla' doll at Hamleys toy shop in London, England. The doll connects to smart devices using Bluetooth and can interact with users. - 

Sitting on a shelf in a store, Cayla looks like a typical doll. Her hair is blond. Her eyes are blue. Her mouth is smiling. Once purchased, Cayla is supposed to be your child’s friend, a trusty doll companion. Except Cayla is not just any doll. Cayla is “connected,” allowing parents to listen in on their children via Bluetooth microphone and an app.

The problem? Parents might not be the only ones privy to those conversations.

This is why Cayla has recently been designated a spy by the Federal Network Agency, a German telecommunication watchdog. The “forbidden” toy is banned and cannot be sold, purchased or owned, according to the Wall Street Journal. Those who are harboring a Cayla in their home have been ordered to destroy it and get an official certificate saying they have done so. The certificate is to be signed by a waste-management company and sent to the agency as proof.

Parents who do not destroy their dolls could face a fine of roughly $26,500 and two years in prison.

My Friend Cayla is made by Genesis Toys and distributed in Europe by Vivid Toy Group.

“We take the safety of our products and our consumers’ experience extremely seriously — as well as, obviously, their compliance with all applicable rules and regulations in the markets in which we operate. However, the claims in the German media are factually incorrect and we are working with our German partners to resolve this issue,” Vivid Toy Group said in a statement released in February when Germany initially announced that the toy was “forbidden.” The statement went on to say that the toy is “perfectly safe to own and use when following the user instructions.”

The toy’s vulnerabilities were first exposed in 2015, when a security researcher from Pen Test Partners hacked the doll. The fear is that by hacking the doll, someone could communicate with children and obtain sensitive information. Researchers found that a phone with the right app can access a Cayla doll at 50 feet.

It’s not just German regulators who are concerned about Cayla’s vulnerabilities  

Privacy experts, including organizations like Campaign for a Commercial Free Childhood, the Center for Digital Democracy and Consumers Union, have called on the Federal Trade Commission to better regulate the industry. In a complaint filed in early December, they alleged that Genesis Toys violated U.S. privacy laws and asked that the FTC investigate their claims.

“With the growing Internet of Things, American consumers face unprecedented levels of surveillance in their most private spaces, and young children are uniquely vulnerable to these invasive practices,“ said Claire T. Gartland, director of the Electronic Privacy Information Center’s Consumer Privacy Project, which also signed the petition. “The FTC has an obligation here to step in and safeguard the privacy of young children against toys that spy and companies that exploit their very voices for corporate gain.”

According to Gartland, children who think of Cayla as a friend might say all kind of personal things in front of it — things that are recorded and then distributed to third parties.

There are some legal protections for children’s privacy in place in the U.S. Under Children's Online Privacy Protection Act (COPPA), any company operating online services aimed at children under 13 years old has to post its privacy policy and inform parents of its collection practices and obtain their consent before collecting any data. The petition filed on Dec. 6 alleges that makers of Cayla did not meet these requirements and thus violated COPPA.

Follow Jana Kasperkevic at @kasperka