The Federal Trade Commission and the Department of Justice will require Amazon to overhaul its deletion practices and implement stringent privacy safeguards to settle charges the company violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) and deceived parents and users of the Alexa voice assistant service about its data deletion practices.
According to a complaint filed by the Department of Justice on behalf of the FTC, Amazon prevented parents from exercising their deletion rights under the COPPA Rule, kept sensitive voice and geolocation data for years, and used it for its own purposes, while putting data at risk of harm from unnecessary access.
“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms.”
Under the proposed federal court order also filed by DOJ, Amazon will be required to delete inactive child accounts and certain voice recordings and geolocation information and will be prohibited from using such data to train its algorithms. The proposed order must be approved by the federal court to go into effect.
According to the complaint, Amazon prominently and repeatedly assured its users, including parents, that they could delete voice recordings collected from its Alexa voice assistant and geolocation information collected by the Alexa app. The company, however, failed to follow through on these promises when it kept some of this information for years and used the data it unlawfully retained to help improve its Alexa algorithm, according to the complaint.
Amazon, one of the world’s biggest retailers, collects vast amounts of data about consumers ranging from their geolocation data via the company’s Alexa app to their voice recordings collected by Amazon’s Alexa voice assistant service. The company claims that its Alexa service and Echo devices are “designed to protect your privacy” and that parents and other users can delete geolocation data and voice recordings.
Amazon also offers Alexa-enabled devices and services targeted to children and collects personal data, including voice recordings, from children. Amazon retained children’s recordings indefinitely—unless a parent requested that this information be deleted, according to the complaint. And even when a parent sought to delete that information, the FTC said, Amazon failed to delete transcripts of what kids said from all its databases.
The COPPA Rule requires, among other things, that an operator of a commercial website or online service directed to children under 13 years of age notify parents about the information they collect from children, obtain parents’ consent for the collection of that data, and allow them to delete that information at any time. In addition, such a service is prohibited from retaining the information collected from children under 13 for longer than is reasonably necessary to provide the service.
Amazon claimed it retained children’s voice recordings in order to help it respond to voice commands, allow parents to review them, and improve Alexa’s speech recognition and processing capabilities, according to the complaint. Children’s speech patterns and accents differ from those of adults, so the unlawfully retained voice recordings provided Amazon with a valuable database for training the Alexa algorithm to understand children, benefitting its bottom line at the expense of children’s privacy.
The FTC said the company failed to put in place an effective system to ensure that it honored users’ data deletion requests and to give parents meaningful notice about deletion. Even when Amazon discovered its failures to delete geolocation data, the FTC said that Amazon repeatedly failed to fix the problems.
In addition to the data deletion requirement in the proposed order, Amazon will be required to pay a $25 million civil penalty. Other provisions of the proposed order:
- Prohibit Amazon from using geolocation, voice information, and children’s voice information subject to consumers’ deletion requests for the creation or improvement of any data product;
- Require the company to delete inactive Alexa accounts of children;
- Require Amazon to notify users about the FTC-DOJ action against the company;
- Require Amazon to notify users of its retention and deletion practices and controls;
- Prohibit Amazon from misrepresenting its privacy policies related to geolocation, voice and children’s voice information; and
- Mandate the creation and implementation of a privacy program related to the company’s use of geolocation information.
The Commission voted 4-0 to refer the complaint to the Department of Justice for filing. The Commission vote closed on a date prior to Commissioner Christine S. Wilson’s departure from the agency. She issued a concurring statement on the matter before departing the agency. Commissioner Alvaro Bedoya also issued a separate statement, joined by FTC Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter.
The Department of Justice filed the complaint and the stipulated order in the U.S. District Court for the Western District of Washington.
NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated orders have the force of law when approved and signed by the District Court judge.
The lead staff attorneys on this matter are Elisa Jillson, Andy Hasty, and Julia Horwitz from the FTC’s Bureau of Consumer Protection.
Today’s announcement underscores the FTC’s commitment to protecting not only children’s privacy but the privacy of all consumers. Earlier today, the FTC announced an action against Amazon’s subsidiary, Ring, over charges that the home security camera company compromised its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.