Amazon on Wednesday agreed to pay a $25 million civil fine to settle federal charges that it has kept children’s sensitive information, including their precise locations and voice recordings, for years in violation of a children’s online privacy law.
It was the latest legal action in an increasing regulatory effort to require some of the world’s largest technology platforms to better protect their younger users.
The case, brought by the Federal Trade Commission and the Department of Justice, centers on Amazon’s handling of the personal data it collected from children who spoke to Alexa, the company’s voice-activated virtual assistant.
In a legal complaint filed in U.S. District Court for the Western District of Washington, regulators said the tech giant had indefinitely retained Alexa voice recordings of young people and used the data for business purposes, such as training its algorithm to help children understand, violating the federal Children’s Online Privacy Protection Act.
That law, known as COPPA, requires online services aimed at people under the age of 13 to have parental consent before collecting a child’s personal information and that parents have consent to have their children’s data deleted. But even after parents tried to delete their children’s voice recordings, Amazon failed to remove transcripts of the children’s conversations with Alexa from all of its databases, regulators said.
“Amazon’s history of deceiving parents, indefinitely retaining children’s recordings and ignoring parent takedown requests violated” children’s online privacy law and “sacrificed privacy for profit,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement. “COPPA will not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms.”
The complaint also accused Amazon of defrauding consumers, including parents, by repeatedly assuring users that they could delete data, such as their Alexa voice recordings, but did not adequately honor users’ deletion requests.
While Amazon agreed to settle the suit, it said it disagreed with the FTC’s claims and denied violating the children’s law.
“We built Alexa with strong privacy protections and customer controls,” the company said in a statement. The statement added that the company had designed Amazon Kids, a service that allows parents to manage games, books and other content for their children, to comply with children’s online privacy laws, and that Amazon had worked with the FTC before releasing the content. expanded for children. service to include Alexa.
Under the terms of the proposed settlement agreement, Amazon would be required to delete children’s voice recordings and precise location data, as well as children’s inactive Alexa accounts. The proposed agreement also prohibits Amazon from misrepresenting how it handles user voice recordings, precise location data, and children’s data.
A federal court must approve the settlement decision.
The Amazon case comes at a time of heightened public concern about how some prominent social networks, video game services and device manufacturers are treating their younger users. It highlights the stepping up of the Federal Trade Commission’s efforts to force major technology platforms to strengthen the protection of sensitive information, such as precise location or personal health data, the disclosure of which could pose privacy or physical risks to adult consumers and children.
Last December, Epic Games, the maker of Fortnite, agreed to pay $520 million to settle allegations from the FTC that it illegally collected data from players under the age of 13 and, separately, directed millions of users to make unwanted payments. to do. In 2019, Google agreed to pay a $170 million fine to face charges filed by the FTC and the New York Attorney General that it violated children’s privacy on YouTube.
The increasing regulatory burden to protect children online is not limited to the United States. Last September, Irish regulators announced they would fine Meta approximately $400 million for handling children’s information on Instagram. Meta said she disagreed and planned to appeal.
In a separate case on Wednesday, the FTC accused Ring, the home security camera service, of committing “flagrant violations” of user privacy, saying that privacy and security flaws at the company had allowed employees to illegally contact customers. spying on and had enabled hackers to hijack user accounts.
Regulators said Ring, which Amazon acquired in 2018, had “unreasonable” data security and privacy practices from at least 2016 through January 2020.
For example, in 2017, a Ring employee viewed thousands of videos of dozens of female customers, including in sensitive locations such as women’s bedrooms and bathrooms, the agency said in a legal complaint filed in U.S. District Court for the District of Columbia.
The proposed settlement order would require Amazon to pay $5.8 million in consumer refunds, implement strict security measures, and remove algorithms or other data products derived from illegally viewing consumer videos.
In a statement, Amazon said Ring addressed security and privacy issues before the FTC began its investigation.