Amazon to Pay More than $30M to Settle Two FTC Suits

The FTC alleges privacy violations with Amazon’s Ring security system and Alexa.

In two separate cases, Amazon has reached a settlement of more than $30 million with the Federal Trade Commission, which sued the ecommerce giant over privacy violations involving its Ring and Alexa services. The FTC alleges that, in multiple instances, Ring and Alexa violated their customers’ privacy by not securing access to data and not deleting data, both of which had wide repercussions for Ring and Alexa customers.

FTC vs. Ring

In one case, the FTC filed a complaint alleging that Amazon-owned Ring, a home security camera company, violated its customers’ privacy by allowing employees and contractors access to customers’ private videos without first implementing basic privacy and security protections.

According to the FTC, this lack of care gave hackers the ability to take control of customer accounts, cameras and videos. Despite warnings from internal and external sources, Ring did not protect its customers from “credential stuffing” and “brute force” attacks by bad actors. Hackers viewed customer videos and, through the cameras’ two-way functionality, harassed, threatened and insulted customers, according to the FTC. Approximately 55,000 customers were vulnerable to multiple credential stuffing attacks in 2017 and 2018. In 2019, Ring implemented safeguards like multifactor authentication.

In another security breach, a Ring employee viewed thousands of video recordings of female customers when they were in intimate spaces such as their bedrooms and bathrooms. This conduct occurred over several months and wasn’t stopped until another Ring employee discovered the behavior and reported it. After the report was made, Ring was not able to tell how many employees inappropriately accessed private videos.

In a settlement with the FTC, Ring will pay $5.8 million, which will be used for customer refunds. In addition, Ring has been ordered to delete any customer videos and data, including face embeddings, collected prior to 2018. Ring must also delete any work products derived from the misused videos and will be required to notify the FTC if unauthorized access or exposure of customer videos occurs again.

“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, in a May 31, 2023 news release. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”

Ring security products are sold individually and in bundles, and customers can opt to subscribe to Ring Protect plans to get notifications, in-app arming and disarming, and other features. The Basic plan is $3.99 a month or $39.99 a year. The Plus plan is $10 a month or $100 a year. The Pro plan is $20 a month or $200 a year.


Copyright © 2023 Authority Media Network, LLC. All rights reserved. Reproduction without permission is prohibited.

FTC vs. Amazon and Alexa

In a separate action, the FTC filed a complaint against Amazon for allegedly violating the Children’s Online Privacy Protection Act (COPPA) by ignoring parents’ requests to delete their children’s information and voice recordings obtained from Alexa and for not being transparent with parents about their data deletion policies. Amazon also violated the FTC Act by misrepresenting how Alexa app users could delete their geolocation data and voice recordings, the FTC alleges. Amazon has agreed to a $25 million settlement in this action.

Among the FTC’s concerns is the fact that Alexa retains a lot of private data from customers. Though customers have some control over their data, even when they tried to delete it, the data was deleted in some places but still retained in others. Transcripts of recordings were also saved for “product development” purposes.

According to the FTC, Amazon first identified the problem in early 2018, but did not make changes until September 2019. Those changes did not completely solve the problem, however. In early 2022, Amazon finally corrected the problem, says the FTC. The FTC also alleges that 30,000 Amazon employees had access to Alexa users’ voice recordings, even though those staff had no reason to use or access those files.

The FTC says more than 800,000 children use Alexa through their own Amazon profiles via products like Echo Dot Kids Edition, FreeTime on Alexa, and FreeTime Unlimited on Alexa, a subscription service. These profiles link to their parents’ profiles and the information obtained includes the child’s name, date of birth and gender. Amazon saved voice recordings from children as both audio and text files.

Amazon violated COPPA in three ways, undermining parents’ right to control their children’s data, the FTC alleges:

  1. Amazon programmed Alexa to keep kids’ recordings forever. COPPA allows data to be saved only as long as is “reasonably necessary” and only for the purpose for which the information was obtained.
  2. Though Amazon said parents could delete their child’s personal information, the information was deleted only in some places but kept in others. Even when the audio recordings were deleted, Amazon retained text transcripts of those recordings.
  3. Amazon did not give parents “complete and truthful notice” about how and when they could have their children’s personal data deleted.

Amazon’s Alexa offers several subscription products, including FreeTime Unlimited on Alexa, a monthly premium subscription to Alexa Skills, Alexa Together, Ring, Blink and more. Amazon’s Alexa division is among those subject to layoffs.


Insider Take

Amazon’s behavior in terms of data privacy is horrifying, particularly when it involves the harassment of customers and the misuse of children’s data. A $30 million settlement amounts to a slap on the wrist for a company that had net sales of $127.4 billion in the first quarter of 2023 alone. They are essentially asking for forgiveness for failing to do their job and protect their customers.

The FTC offered three takeaways to help other companies avoid a similar fate:

  • To be compliant with COPPA, companies must be constantly vigilant. They must be aware of COPPA and its many intricacies to ensure they aren’t violating it. Larger companies should have a compliance team in place. Smaller companies should at least have a compliance officer or outsource the function to qualified experts.
  • Voice recordings are biometric data and should be handled with “scrupulous care.” This is true of adults, but particularly of children who are more vulnerable to the misuse of data and personal information.
  • Employees should not have access, knowingly or unknowingly, to private customer information unless there is a justifiable business reason for it. As the use of AI becomes more prevalent, companies must walk the walk. They can’t tout privacy when they plan to use customer data for purposes other than those stated and if they haven’t appropriately limited access to private data.
