The Federal Trade Commission (“FTC”) entered into a $25 million settlement with Amazon.com, Inc. and Amazon.com Services LLC (together, “Amazon”) to resolve allegations that Amazon unlawfully retained children’s voice recordings and other information via its voice assistant service, Alexa, and did not abide by parents’ requests to delete the recordings and other data despite public disclosures to the contrary, in violation of the Children’s Online Privacy Protection Act of 1998 (“COPPA”), 15 USC §§ 6502(c) and 6505(d), and the COPPA Rule promulgated thereunder, 24 16 CFR Part 312. The complaint also alleges that Amazon deceptively misrepresented material facts regarding its privacy practices, in violation of section 5(a) of the FTC Act, 15 USC §45(a).
Per the complaint filed on its behalf by the Department of Justice, the FTC alleged that Amazon violated the COPPA Rule by retaining the voice requests and instructions of child users “indefinitely,” and in any case, for far longer than reasonably necessary to fulfil the purposes for which the personal information was collected. Moreover, Amazon’s privacy disclosures describe how users (and the parents of child users) may request the deletion of the voice recordings; however, until September 2019, Amazon failed to honor such deletion requests, and instead required users to manually delete the recordings. The FTC also alleges that Amazon failed to notify users that their children’s voice recordings had not been deleted despite requests to do so, and that the transcripts of voice requests were used to train future iterations of the Alexa App without disclosing the practice in its privacy policy, each a deceptive practice in violation of the FTC Act.
In addition to the civil penalty, the Stipulated Order enjoins Amazon from making misrepresentations about the privacy of geolocation information and voice information, and requires Amazon to:
- Implement a process within six months to identify inactive Alexa child profiles, and to delete any personal information from a child associated with such profiles within 90 days;
- Implement a privacy program related to the company’s use of geolocation information (including annual risk assessments);
- Delete all information pursuant to a user’s request, and prohibiting the use of the deleted information for the creation or improvement of its products; and
- Clearly and conspicuously provide notice of its retention and deletion practices, and the mechanism whereby users may request deletion of the information.
Amazon must also post in a prominent and accessible location a notice about the settlement for a period of six months, and must annually certify compliance with the order for ten years.
FTC press release | Complaint | Stipulated order