A bunch of retailers, including Amazon, Target, and Walmart, pulled their listings for a line of smartphone-connected stuffed animals called CloudPets this week after they were found to be storing kids’ voice recordings online without any security measures, among other issues. The news offers them good optics, but the reality is that this security revelation came about in February of last year: it took the massive retailers over a year to remove the stuffed animals, during which time they likely sold at least some of their inventory.

The toy’s removal only happened after the Electronic Frontier Foundation and Mozilla wrote a letter this week to Walmart, Target, and Amazon requesting that the CloudPet listings be taken down. The organization writes that it also urges the stores to “consider putting in place new or improved systems to ensure that products you stock, especially those that collect the information of children, have basic practices in place to respect the trust that consumers place in them.”

Target told The Verge that it wants “to be part of this important issue alongside our vendor partners as we determine the best way to bring more connected products to our guests.” We’ve reached out to the other retailers for comment and will update when and if we hear back.

I appreciate that retailers responded to the letter, but why the delay? These vulnerabilities were discovered over a year ago. As more toys become connected, it’s worrisome that retailers have no plan in place to respond to security research and vulnerabilities. Meanwhile, eBay is “in the process” of pulling its CloudPets listings, and I found one still live. The company doesn’t allow for the sale of surveillance products that record conversations or activities of others without their knowledge, so CloudPets falls into that category, as opposed to some toy-specific rule.

A similar situation happened with the My Friend Cayla doll, which recorded kids’ conversations without parental permission. Germany literally had to ban the toy and instruct parents to destroy it to get rid of the risk.

As of right now, it’s up to parents to research the toys they’re about to buy their children. And while, sure, it probably wouldn’t hurt to do a quick search about the product, I would guess most parents don’t. (One might even assume these stores have vetted the toys before selling them to make sure that they’re safe.) It’s encouraging to see these retailers finally step in and take down these questionable listings, but it seems like these security issues will only continue to arise, and we should demand more from the places we shop.