Beware the holiday 'smart toys' that spy on your kids

Children talk to their toys as if they're really listening, sometimes confiding in dolls and stuffed animals.

Now toys are actually listening. And remembering.

Shoppers can now buy "smart toys," internet-connected playthings equipped with microphones, cameras and the ability to collect reams of data about children.

Consumer advocates warn the toys pose privacy and cybersecurity risks for kids. Security experts have shown smart toys can be easily hacked, and toy makers have taken heat for major data breaches and sharing personal information with third parties.

Examples include a doll banned in Germany for recording children and a teddy bear with a hackable camera. Even tablets are a concern to experts because they collect usage data.

"Toys are basically the poster child for bad security in [the internet of things]," said Bree Fowler, cybersecurity editor at Consumer Reports. "Nest and Google, they have huge security departments. They can actually sink some cash into security when they build things if they choose to. Toys don't really have that background. They're not tech companies."

The FBI warned consumers last year that smart toys raise "concerns for privacy and physical safety" of children.

It was the FTC's first children's privacy and security case involving connected toys. And kids might not know the full ramifications of smart-toy data breaches until they apply for loans later in life and learn their identity has been stolen, experts said.

Internet-connected smart toys are growing in popularity, with the $6 billion market expected to expand to $18 billion by 2023, according to Juniper Research.

Federal law requires companies to get parental permission before collecting and sharing data of children under 13. The Children's Online Privacy Protection Act also mandates clear privacy policies. It gives parents access to their children's data, and enables parents to have the personal information deleted, among other rules.