FTC Fines Amazon $30.8 Million for Multiple Privacy Violations
The U.S. Federal Trade Commission (FTC) and the Department of Justice (DOJ) ordered Amazon to pay a $25 million fine for deceiving parents about the company’s data deletion practices, especially with the use of the Alexa voice assistant. The company has also reached a separate settlement agreement over allowing employees to have access to data from Ring cameras.
Regulators claim that Amazon violated the Children’s Online Privacy Protection Act Rule (COPPA Rule), along with other privacy violations linked to the Alexa app.
“In many instances Amazon kept users’ or children’s written transcripts after users or parents requested deletion of the voice recordings associated with those transcripts and did not inform Alexa users or parents that it had done so,” the FTC complaint said.
On top of the financial penalty to be paid to the FTC, the agencies have ordered Amazon to change its deletion practices and to implement stricter privacy safeguards.
“Children’s speech patterns and accents differ from those of adults, so the unlawfully retained voice recordings provided Amazon with a valuable database for training the Alexa algorithm to understand children, benefitting its bottom line at the expense of children’s privacy,” the agency noted.
However, the COPPA Rule does not allow companies to retain children’s data indefinitely for any reason, according to an FTC press release.
Investigators also alleged that “Amazon did not delete all of the geolocation information of Alexa app users who requested it,” according to the complaint. Although the company repeatedly “discovered” that it was retaining the information in secondary data storage locations, the issue was not corrected until early 2022.
“To date, Amazon has never informed Alexa App users that it retained geolocation data that they tried to delete,” the complaint noted.
Other FTC requirements include that the company must delete inactive Alexa accounts of children, notify users about the regulatory action against Amazon, create and implement a privacy program related to how it uses geolocation information, and notify users about its retention and deletion policies and controls. Amazon is also prohibited from misrepresenting its privacy policies when it comes to children’s voice data and geolocation. (United States v. Amazon.com, et al., U.S. District Court for the Western District of Washington, No. 2:23-cv-00811, 2023)
The FTC separately charged Ring—the home security company owned by Amazon since 2018—with endangering customers’ privacy because any company employee or contractor could access private videos. Ring also allegedly compromised customer privacy “by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos,” according to an FTC press release.
The company agreed to a $5.8 million settlement after the FTC found that a former Amazon employee was using the Ring security cameras to spy on female customers for months in 2017, Al Jazeera reported. The cameras had been placed in bedrooms and bathrooms.
The settlement was filed on 31 May in a federal court.
“Despite promising greater security as its products’ core feature, Ring ignored information security considerations when management believed they would interfere with growth,” court documents said. “…Ring gave every employee—as well as hundreds of Ukraine-based third-party contractors—full access to every customer video, regardless of whether the employee or contractor actually needed that access to perform his or her job function.”
Court documents also noted that employees could also download, view, share, and disclose these videos up until July 2017. The company also lacked proper security or sensitivity training until May 2018.
The employee mentioned above—who was focused on cameras of female users in intimate spaces for an hour or more every day for months—was discovered by a female coworker who reported his actions to her supervisor.
“Initially, the supervisor discounted the report, telling the female employee that it is ‘normal’ for an engineer to view so many accounts. Only after the supervisor noticed that the male employee was only viewing videos of ‘pretty girls’ did the supervisor escalate the report of misconduct,” according to the court documents. At that point, Ring reviewed the employee’s activity and subsequently terminated his employment.
Although the company did initiate some changes regarding the access customer service agents had to the videos, it maintained a “culture of overly broad access to sensitive information,” the FTC claimed, as evidenced by other incidents.
The FTC ordered Ring to pay $5.8 million for consumer refunds. The regulator filed an order in a U.S. district court that, if approved, would require Ring to delete data products from unlawfully reviewed videos, plus implement a privacy and security program with strict parameters on human review of users’ videos plus additional security controls. (Federal Trade Commission v. Ring LLC, U.S. District Court for the District of Columbia, No. 1:23-cv-01549, 2023)
