Amazon to pay $25 million to settle child privacy violation charges

In an agreement reached on Wednesday, Amazon agreed to pay a $25 million civil penalty to settle Federal Trade Commission allegations it violated a child privacy law and deceived parents by keeping years of data for voice and location kids’ recorded by its popular Alexa voice assistant. 

The company also agreed to pay an additional $5.8 million in customer refunds for alleged privacy violations involving its doorbell camera Ring.

Parents relied on a 1998 law designed to shield children from online harms but Amazon skirted that law. 

The Federal Trade Commission accused Amazon of violating the Children’s Online Privacy Protection Act. FTC Commissioner Alvaro Bedoya said in a statement that “when parents asked Amazon to delete their kids’ Alexa voice data, the company did not delete all of it.”

Instead, Amazon kept the kids’ data to refine its voice recognition algorithm, the artificial intelligence behind Alexa, which powers Echo and other smart speakers. 

The agency ordered the company to delete inactive child accounts as well as certain voice and geolocation data.  

Samuel Levine, the FCT consumer protection chief, said in a written statement, “Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA (the Child Online Privacy Protection Act) and sacrificed privacy for profits.”

Amazon has also been ordered to overhaul its data deletion practices and impose stricter, more transparent privacy measures. The tech giant must also delete certain data collected by its internet-connected digital assistant, which people use for everything from checking the weather to playing games and queueing up music.

Commenting on Amazon’s actions, Denise Bergstrom, chair of Franklin University’s cybersecurity program said, “Using it to inform their (artificial intelligence) was the purpose, but it still is something that they should have known better.” 

Bergstrom went on to say that companies as large as Amazon should have layers of accountability in place to protect user data, but there are real safety concerns if the data ends up in the wrong hands. “That could allow someone to stalk your child if it got out — if those pieces of information are put together, they’re breadcrumbs that could help a perpetrator to identify and target your kid,” she said.

Following the FTC’s announcement, Amazon released a statement that it takes its “responsibilities to [its] customers and their families very seriously” and designed Amazon Kids to comply with child privacy laws. “While we disagree with the FTC’s claims and deny violating the law, this settlement puts the matter behind us. As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them.”

The FTC went on to say that Amazon’s home security camera subsidiary let employees and contractors access consumers’ private videos and provided lax security practices that enabled hackers to take control of some accounts. Amazon bought California-based Ring in 2018, and many of the violations alleged by the FTC predate the acquisition. Under the FTC’s order, Ring is required to pay $5.8 million that would be used for consumer refunds. The order also requires Amazon to create a privacy program for its use of geolocation information.

The proposed orders must be approved by federal judges.