The Federal Trade Commission (“FTC”) entered into a $25 million settlement with Amazon.com, Inc. and Amazon.com Services LLC (together, “Amazon”) to resolve allegations that Amazon unlawfully retained children’s voice recordings and other information via its voice assistant service, Alexa, and did not abide by parents’ requests to delete the recordings and other data despite public disclosures to the contrary, in violation of the Children’s Online Privacy Protection Act of 1998 (“COPPA”), 15 USC §§ 6502(c) and 6505(d), and the COPPA Rule promulgated thereunder, 24 16 CFR Part 312. The complaint also alleges that Amazon deceptively misrepresented material facts regarding its privacy practices, in violation of section 5(a) of the FTC Act, 15 USC §45(a).
In addition to the civil penalty, the Stipulated Order enjoins Amazon from making misrepresentations about the privacy of geolocation information and voice information, and requires Amazon to:
- Implement a process within six months to identify inactive Alexa child profiles, and to delete any personal information from a child associated with such profiles within 90 days;
- Implement a privacy program related to the company’s use of geolocation information (including annual risk assessments);
- Delete all information pursuant to a user’s request, and prohibiting the use of the deleted information for the creation or improvement of its products; and
- Clearly and conspicuously provide notice of its retention and deletion practices, and the mechanism whereby users may request deletion of the information.
Amazon must also post in a prominent and accessible location a notice about the settlement for a period of six months, and must annually certify compliance with the order for ten years.