Amazon settled two different privacy cases with the Federal Trade Commission for just under $31 million Wednesday, agreeing to penalties for violating children’s privacy with its Alexa smart speakers and exposing Ring smart doorbell users videos to every employee at the company.
According to the FTC’s lawsuit against Ring, the company gave every single employee unrestricted access to users’ videos, including third-party contractors with no special training about handling the sensitive content. Thanks to the lax approach, the FTC says Ring users were subjected to voyeurism and peeping toms. In the Alexa case, the FTC said Amazon kept a hoard of kids’ Alexa voice recordings and geolocation for years, deceiving parents about its data deletion practices.
Amazon agreed to pay $5.8 in the Ring case $25 million for the Alexa problems. Both settlements must first be approved by a judge.
“Our devices and services are built to protect customers’ privacy, and to provide customers with control over their experience,” said Mai Nguyen, a Ring spokesperson. “While we disagree with the FTC’s claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us.”
According to the FTC’s complaint, Ring had zero technical or procedural protections for users’ videos until 2017, giving employees and contractors unrestricted access to watch, download, and share the footage — even if the videos had nothing to do with particular employee’s jobs.
“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a press release. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”
The risks aren’t hypothetical. For example, the lawsuit says one Ring employee watched thousands of videos from at least 81 female Ring users, including both customers and company employees. The unnamed voyeur searched for cameras labeled with names including “Master Bedroom,” “Master Bathroom,” or “Spy Cam.” Reports in outlets including the Intercept and the Information found similar problems when investigations found Ukrainian contractors had similar access. Amazon previously said it fired four employees for inappropriately watching user videos.
“Our focus has been and remains on delivering products and features our customers love, while upholding our commitment to protect their privacy and security,” Nguyen said. “Ring promptly addressed these issues on its own years ago, well before the FTC began its inquiry.”
Unsatisfied with a single Amazon privacy lawsuit, the FTC announced a second case against Amazon the same day, this one focused on Alexa.
According to the complaint, Amazon lied to parents about its children’s privacy practices, keeping the kiddie data forever, using it for ulterior purposes and exposing kids to potential data breaches. The FTC says Amazon made loud and repeated promises to users about how easy it was to delete Alexa data. But even after parents went through and asked the company to erase the voice data, Amazon allegedly held onto transcripts of what kids were saying.
The government says these practices constitute a violation of the Children’s Online Privacy Protection Act (COPPA), one of the very few federal privacy laws on the books.
“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” Levine said in a press release. “COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms.”
The proposed order requires Amazon to delete its hoard of underaged data and bans the company from using kids’ information to train its algorithms going forward.
“We built Alexa with strong privacy protections and customer controls, designed Amazon Kids to comply with COPPA, and collaborated with the FTC before expanding Amazon Kids to include Alexa,” Nguyen said. “As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them.”
The Alexa problem marks the FTC’s second COPPA settlement this month. Just over a week ago, the FTC reached a settlement with Edmodo, a defunct education technology company that used kids data for advertising, according to the lawsuit.
$31 million dollars is a laughably small sum for Amazon, a company that purchased Ring for $1.8 billion five years ago and reported $524.89 billion dollars of revenue in 2022. But it’s part of an ongoing effort at the FTC in recent months to bring landmark privacy cases and establish precedent for the rest of the tech business.
The FTC is racking up privacy settlements with technology companies in 2023. One was GoodRX, which used prescription data for ads without consent. Another was the fertility app Premom, which did the same with data about people’s menstrual cycles. In both of those cases, the companies faced paltry fines that will have little effect on their businesses. In the Edmodo case, the company actually shut down during the FTC’s investigation, meaning there is no money for the government to collect.
In a statement about the Alexa settlement, FTC commissioner Alvaro Bedoya said the case is about sending a message.
“Machine learning is no excuse to break the law,” Bedoya said. “The data you use to improve your algorithms must be lawfully collected and lawfully retained. Companies would do well to heed this lesson.”
Update, May 31, 2023, 5:11 pm ET: This story has been updated with an additional comment from Amazon.
Update, May 31, 2023, 4:19 pm ET: This story has been updated with a comment from Amazon.
Update, May 31, 2023, 4:06 pm ET: This story has been updated with information about a second Amazon privacy settlement.