Amazon has been hit with a substantial $30.8 million fine by the U.S. Federal Trade Commission (FTC) due to multiple privacy violations related to its Alexa assistant and Ring security cameras.
One of the penalties is a $25 million fine for violating children’s privacy laws by retaining Alexa voice recordings indefinitely and preventing parents from exercising their right to delete them. Samuel Levine from the FTC criticized Amazon for prioritizing profits over privacy and accused the company of misleading parents.
In addition to the monetary fine, Amazon is required to delete all collected information, including inactive child accounts, geolocation data, and voice recordings. The company is also prohibited from using such data to train its algorithms and must provide customers with clear information about its data retention practices.
Furthermore, Amazon has agreed to pay an extra $5.8 million in consumer refunds for infringing users’ privacy by granting broad access to private videos recorded using Ring cameras to any employee or contractor.
The FTC highlighted a specific incident where an employee viewed thousands of video recordings from female users that exposed intimate spaces such as bathrooms and bedrooms. The employee’s actions went unnoticed until another staff member discovered the misconduct.
The consumer protection agency criticized Amazon for failing to adequately notify customers or obtain their consent before using the captured recordings for product improvement. The company was also found to have insufficient security controls for Ring user accounts, which exposed users to credential stuffing and brute-force attacks. These vulnerabilities allowed unauthorized access to video streams, enabling hackers to harass and threaten individuals, including children, monitored by Ring cameras.
The proposed settlement includes Amazon purging all unlawfully obtained customer videos and facial data from before 2018 and removing any work products derived from that data.
While awaiting court approval, Amazon stated that it takes customer privacy seriously and has consistently implemented measures to protect privacy, including clear disclosures and customer controls, as well as strict internal data protection practices.
This development follows the recent accusations by the FTC against Meta for repeated privacy breaches in its Messenger Kids app. The regulator is also seeking to ban the company from profiting off children’s data. Meta has dismissed the allegations as a political stunt and claims to have a leading privacy program in place.