The Norwegian Consumer Council (NCC) tested watches from brands including Gator and GPS for Kids.
It said it discovered that attackers could track, eavesdrop or even communicate with the wearers.
The manufacturers involved insist the problems have either already been resolved or are being addressed.
UK retailer John Lewis has withdrawn one of the named smartwatch models from sale in response.
The smartwatches tested essentially serve as basic smartphones, allowing parents to communicate with their children as well as track their location.
Some include an SOS feature that allows the child to instantly call their parents.
They typically sell for about £100.
The NCC said it was concerned that Gator and GPS for Kids' watches transmitted and stored data without encryption.
It said that meant strangers, using basic hacking techniques, could track children as they moved, or make a child appear to be in a completely different location.
Consumer rights watchdog Which? criticised the "shoddy" watches and said parents "would be shocked" if they knew the risks.
Spokeswoman Alex Neill said: "Safety and security should be the absolute priority. If that can't be guaranteed, then the products should not be sold."
John Lewis stocks a version of the Gator watch, although it is not clear whether it suffers from the same security flaws as the watches tested.
The firm said it was withdrawing the product from sale "as a precautionary measure" while awaiting "further advice and reassurance from the supplier".
GPS for Kids said it had resolved the security flaws for new watches and that existing customers were being offered an upgrade.
The UK distributor of the Gator watch said it had moved its data to a new encrypted server and was developing a new, more secure app for customers.