Amazon agreed to pay a $25 million civil penalty as part of a settlement with the Justice Department and the FTC to resolve allegations the ecommerce giant’s Alexa voice assistant violated a U.S. children’s privacy law, the DOJ announced. Under the terms of the settlement, Amazon also is required to change its practices relating to the alleged violations and inform consumers of its practices.
According to a complaint filed in May by the DOJ on behalf of the FTC, Amazon prevented parents from exercising their deletion rights under the Children’s online Privacy Protection Act Rule (COPPA Rule) and kept sensitive voice and geolocation data for years and used it for its own purposes “while putting data at risk of harm from unnecessary access.”
Since May 2018, the U.S. government alleged in a lawsuit filed in federal district court in Washington, Amazon’s Alexa-related offerings have included voice-activated products and services directed toward children under 13 years of age — in violation of COPPA, the COPPA Rule and the FTC Act. When a user makes a verbal request of an Alexa-enabled device, Amazon saves the voice recording of the request and creates a written transcript of it. The complaint alleged that Amazon retained children’s voice recordings indefinitely by default, in violation of COPPA’s requirement that these recordings be retained only as long as “reasonably necessary” to fulfill the purposes for which they were collected.
Other alleged violations include Amazon making deceptive representations that Alexa users could delete their or their children’s voice recordings — including audio files and transcripts and their geolocation information — when in fact Amazon on some occasions failed to delete all such information at users’ request. The complaint also alleged Amazon engaged in unfair privacy practices with respect to Alexa users’ geolocation information and voice recordings, including in some instances by failing to honor users’ deletion requests and failing to notify consumers that it had not done so.
Amazon reached a provisional agreement to settle to case on May 31. Reached for comment, a company spokesperson referred to its statement issued at the time: “We take our responsibilities to our customers and their families very seriously. We have consistently taken steps to protect customer privacy by providing clear privacy disclosures and customer controls, conducting ongoing audits and process improvements, and maintaining strict internal controls to protect customer data.”
The stipulated order entered Wednesday by the federal district court requires Amazon to pay $25 million in civil penalties. In addition, the order imposes requires Amazon to “identify and delete inactive child profiles” (those that have not been used for 18 months) unless a parent requests that they be retained. Amazon also will notify parents whose children have accounts of the change to its policies.
The order further “prohibits Amazon from making misrepresentations about Amazon’s retention, access to or deletion of geolocation information or voice information, including children’s voice information, and mandates deletion of geolocation information, voice information and children’s personal information upon the request of the user or parent, respectively,” the agencies said.
Finally, the order requires Amazon to make disclosures to consumers relating to its retention and deletion practices regarding Alexa App geolocation information and voice information.
“Today’s settlement reflects the department’s dedication to protecting children online,” Brian Boynton, principal deputy assistant attorney general and head of the Justice Department’s Civil Division, said in a July 19 statement. “The department and the FTC are committed to working together to ensure that companies do not misrepresent to parents how children’s personal information is handled, retained, or deleted and do not retain that information for longer than reasonably necessary.”
Pictured above: Alexa-enabled Amazon Echo smart speaker