Amazon is set to pay more than $30 million comprised of a civil penalty and consumer refunds to resolve two separate cases alleging privacy violations regarding its Alexa voice assistant service and Ring doorbell subsidiary.
The Federal Trade Commission (FTC) and Department of Justice (DOJ) proposed Amazon pay a $25 million penalty for allegedly collecting and retaining children’s voice recordings and location data via Alexa. In a separate action, the FTC proposed Ring refund $5.8 million to resolve accusations it illegally surveilled customers.
The proposed orders must be approved by federal courts before becoming final.
The details: In the Alexa case, the agencies’ complaint, filed Wednesday in U.S. District Court for the Western District of Washington, alleged Amazon’s Alexa service violated the Children’s Online Privacy Protection Act (COPPA) Rule, including by not allowing parents to delete their children’s voice recordings and geolocation data.
Amazon led parents to believe it was possible for them to delete the data but held onto it in some cases, sometimes for years, according to the agencies. Amazon used the data to “train” Alexa to better understand children’s speech, the complaint said.
COPPA requires online services and websites obtain permission from parents of children under 13 before any of their personal data is collected. Services are not able to hold onto the data for any time beyond what is reasonably necessary. Parents must be given the option to delete the data at any time.
“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a press release.
In addition to the penalty, the proposed order against Amazon would prohibit the company from continuing to use children’s voice recordings and location data requested to be deleted. Amazon would also have to notify users how they can delete their data.
The company would have to create and put into place a privacy program for how it handles location data of users.
The FTC voted 4-0 to refer its complaint to the DOJ.
In the Ring case, the FTC alleged the company didn’t safeguard consumers’ private videos and that, as a result, Ring employees and contractors could access them. The cameras were also vulnerable to multiple hacks that occurred over a span of several years, the FTC said in its complaint, filed in U.S. District Court for the District of Columbia.
One Ring employee accessed thousands of video recordings of female users in their bedrooms and elsewhere in their homes, according to the complaint.
The company had such poor internal controls over the private videos of consumers it had no idea how many other employees might have accessed similar footage, according to the complaint. Ring didn’t start obtaining consumer consent for its employees to review videos for research and development purposes until January 2018, according to the complaint.
The FTC’s proposed order against Ring would require the company to delete products that were created by alleged illegal access to consumers’ data and videos.
Ring would have to create a privacy program that includes controls, such as multifactor authentication, to limit access to consumer videos by individuals within and outside the company.
Company response: “While we disagree with the FTC’s claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us,” Amazon said in an emailed statement.
“Ring promptly addressed the issues at hand on its own years ago, well before the FTC began its inquiry,” Amazon said. “Our focus has been and remains on delivering products and features our customers love while upholding our commitment to protect their privacy and security.”
No comments yet