FTC fines Amazon $30.8M over privacy violations involving Alexa and Ring
Amazon will have to pay $30.8 to the Federal Trade Commission (FTC) after it was found guilty of two cases of privacy violations.
The first case comprises a $25 million penalty and involves Alexa Assistant. Amazon was found to have unlawfully kept recordings of children's voices captured by Alexa indefinitely and also failed to comply with requests from the children’s parents to delete the data.
"Amazon's history of misleading parents, keeping children's recordings indefinitely, and flouting parents' deletion requests violated COPPA and sacrificed privacy for profits," FTC's Samuel Levine said.
Amazon has been ordered by the court to delete the collected data including inactive children's accounts, geolocation information, and voice recordings. It has also been prohibited from collecting this type of data to train its algorithms and will be required to notify customers of its data retention practices.
The second case comprises a $5.8 million penalty and involves Amazon’s Ring security cameras. The company was found guilty of allowing an employee/contractor to access private videos recorded with Ring with no restrictions.
"For example, one employee over several months viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms," the FTC said.
FTC noted that Amazon lacks adequate security controls to protect Ring user accounts and thus exposing the users to cybersecurity threats such as credential stuffing and brute-force attacks.
"Bad actors not only viewed some customers' videos but also used Ring cameras' two-way functionality to harass, threaten, and insult consumers—including elderly individuals and children—whose rooms were monitored by Ring cameras, and to change important device settings," FTC explained.
"Hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn't pay a ransom."
It is estimated that over 55,000 US customers were victims of account takeovers between January 2019 and March 2020.
The court has ordered Amazon to delete all customer videos and facial data it collected without consent prior to 2018 and also take down any work products it created using the videos.
Responding to the two cases Amazon says that it takes its user privacy seriously and has implemented all the correct protective measures.
The case comes weeks after FTC accused Meta of "repeatedly" violating its privacy promises and misleading parents about their ability to control with whom their children communicated through its Messenger Kids app between late 2017 and mid-2019.