The warning was issued by the German Federal Network Agency (Bundesnetzagentur), which oversees telecommunications, Joinfo.com reports with reference to the BBC.
Researchers say hackers can use an insecure Bluetooth device embedded in the toy to listen and talk to the child playing with it.
Manufacturer Genesis Toys has not yet commented on the German warning.
The Vivid Toy group, which distributes My Friend Cayla, has previously said that examples of hacking were isolated and carried out by specialists. However, it said the company would take the information on board as it was able to upgrade the app used with the doll.
But experts have warned that the problem has not been fixed.
The Cayla doll can respond to a user’s question by accessing the internet. For example, if a child asks the doll “what is a little horse called?” the doll can reply “it’s called a foal”.
A vulnerability in Cayla’s software was first revealed in January 2015.
Complaints have been filed by US and EU consumer groups.
In addition to the data protection concerns, a hack allowing strangers to speak directly to children via the My Friend Cayla doll has been shown to be possible.
Under German law, it is illegal to sell or possess a banned surveillance device. A breach of that law can result in a jail term of up to two years, according to German media reports.
The warning by Germany’s Federal Network Agency came after student Stefan Hessel, from the University of Saarland, raised legal concerns about My Friend Cayla.
Mr Hessel, quoted by the German website Netzpolitik.org, said a Bluetooth-enabled device could connect to Cayla’s speaker and microphone system within a radius of 10m (33ft). He said an eavesdropper could even spy on someone playing with the doll “through several walls”.
A spokesman for the federal agency told Sueddeutsche Zeitung daily that Cayla amounted to a “concealed transmitting device”, illegal under an article in German telecoms law.
“It doesn’t matter what that object is – it could be an ashtray or fire alarm,” he explained.
Germany has strict privacy laws to protect against surveillance. In the 20th Century Germans experienced abusive surveillance by the state – in Nazi Germany and communist East Germany.