Annual *Privacy Not Included holiday buyers’ guide reveals companies backsliding on privacy and security features, with children’s connected toys and gadgets among the worst offenders

Amazon and Microsoft stand out for all the wrong reasons this year, after agreeing to pay a combined $45 million to settle FTC lawsuits over alleged privacy violations

(SAN FRANCISCO, CA | NOVEMBER 15, 2023) -- They see you when you’re sleeping, they know when you’re awake: The season’s hottest connected tech gifts are lending Santa’s elves a lot of surveillance help this year, and many of them are collecting and sharing more — and more intimate — personal data than ever before.

According to Mozilla’s 2023 *Privacy Not Included holiday buyers’ guide, children’s connected toys and apps — which collect and repurpose hoards of data — are among the worst in class. Products using Amazon’s Alexa, for example, got in trouble in 2023 for keeping and using children’s voice recordings for years. And Embodied Inc’s Black Mirror-esque AI Moxie Robot records and shares its “conversations” with kids with Google and ChatGPT-maker OpenAI.

Companies’ privacy policies are also getting more opaque and dishonest. Embodied Inc’s privacy policy tells parents to teach their kids not to share personal information with their Moxie learning robot — yet the product’s marketing simultaneously encourages kids to hone skills like emotional regulation and self-confidence. Other companies also often market smartwatches to parents of children too young for first phones. Researchers found many privacy concerns here, including one, the Angel Watch for kids, that tracks intimate data like location, audio, video, cellular calling, and body vitals, and doesn't even seem to have a privacy policy that covers the smartwatch or app at all – amounting to one of the creepiest products *PNI has ever reviewed.

Meanwhile, many companies that Mozilla researchers previously rated positively — including Sonos, Eufy, and Bose — have earned new privacy warning labels this year. Others that already carried warning labels, like Amazon, Samsung, Wyze, and Microsoft Xbox, got even worse on data collection, use, sharing, and security. Wyze had serious security vulnerabilities that it was slow to respond to over the past couple of years, and Bose now says it can possibly sell data on users’ head movements while using headphones. FTC charges and fines against Amazon and Microsoft have confirmed researchers’ concerns about those products’ privacy violations, especially when it comes to children’s uses.

The 2023 holiday edition of *Privacy Not Included reviews over 150 popular tech products across six categories, including Smart Home, Toys & Games, and Wearables – like the Microsoft Xbox, Sonos, Garmin Fitness Trackers, Apple Watches, Fitbit, Peloton Bikes, Amazon Ring, iRobot vacuums, Tile Trackers, Bose headphones, and the Tamagotchi Uni. Mozilla researchers spend an average of eight hours researching each product in the guide, which entails scouring companies’ track records, poring over privacy policies and regulatory filings, and contacting each company with questions.

This year’s guide details how Microsoft and Amazon were both fined by the FTC for allegedly violating a children’s online privacy law. Microsoft will pay $20 million for allegedly collecting and retaining personal information from children who signed up to its Xbox gaming system without notifying or getting consent from parents. And Amazon will pay $25 million over charges that it kept sensitive information it collected from children through Alexa’s voice recordings for years. Amazon allegedly disregarded parents’ deletion requests and sometimes used the data to train its own algorithm.

Says Jen Caltrider, lead researcher for *Privacy Not Included: “The privacy and security of our favorite apps and gadgets has gotten worse across the board, but especially among children’s products. The companies that are good at privacy do it by not collecting any data in the first place. Alexa, did you catch that?”

*Privacy Not Included is a buyers’ guide focused on privacy rather than price or performance. Launched in 2017, the guide has reviewed hundreds of products and apps. It arms shoppers with the information they need to choose gifts that protect the privacy of their friends and family, while also spurring the tech industry to do more to safeguard consumers.

The sheer number of connected products now on the market makes it harder for consumers to distinguish between those that handle their personal data with care and those that don’t.

Caltrider concluded: “All in all, if you're looking to give gifts that protect and respect the privacy of your loved ones this holiday season, maybe stick to good old-fashioned books.”


Additional findings from this year’s report:

Regulators are stepping up to protect consumers. The FTC has picked up the pace in holding companies accountable for terrible privacy and security practices. Amazon, Amazon Ring, Microsoft’s Xbox, and mental health app BetterHelp have all come under fire and been held accountable by the agency.

Tech advancements mean even more data collection and sharing. Wyze’s smart home app asks for permission to read text messages. Bose headphones can track people’s head movements and might be able to sell that data. Most at-home workout devices collect detailed activity data, but Lululemon Studio takes it a step farther: It can collect audio and video recordings of workouts.

Artificial intelligence is on the rise. Kids’ toys with AI chatbots are becoming more popular, and more gifts across categories are using AI, or collecting and sharing data to train AI programs. For instance, Embodied Inc. corners parents into consenting to data collection in order for its Moxie learning robot to function. From its privacy policy: "A parent may also revoke consent in the Parent App to allow Embodied to collect their child’s data through Moxie but this will render Moxie inoperable."

There are some trustworthy products. Some good products got even better. After *Privacy Not Included alerted Garmin (maker of popular smartwatches and GPS navigators) last year that it had not ensured all users had the same right to delete data, the company changed its privacy policy to clearly state that all users, regardless of what privacy laws they live under, have the same data deletion rights. The virtual pet Tamagotchi Uni got a thumbs-up for not collecting much personal information at all — the best way to ensure privacy.

Press contacts:

North America | Helena Dea Bala

Europe | Tracy Kariuki