An FTC one-two punch leaves Amazon and Ring with a $30 million fine

The company and its home surveillance subsidiary are under fire for children's privacy law violations and mishandling data.
Federal Trade Commission building exterior
The FTC is continuing to put the pressure on Amazon's business practices. Deposit Photos

The Federal Trade Commission’s ongoing attempt to rein in Amazon entered a new phase this week, with the regulatory organization recommending both the company and its home surveillance system subsidiary Ring receive multimillion dollar fines in response to alleged monopolistic practices and data privacy violations.

According to an FTC statement released on Wednesday, Amazon disregarded children’s privacy laws by allegedly illegally retaining personal data and voice recordings via its Alexa software. Meanwhile, in a separate, same-day announcement, the commission claims Ring employees failed to stop hackers from gaining access to users’ cameras, while also illegally surveilling customers themselves.

Amazon relies on its Alexa service and Echo devices to collect massive amounts of consumer data, including geolocation data and voice recordings, which it then uses to both further train its algorithms as well as hone its customer profiles. Some of Amazon’s Alexa-enabled products marketed directly to children and their parents collect data and voice recordings, which the company can purportedly retain indefinitely unless parents specifically request the information be deleted.  According to the FTC, however, “even when a parent sought to delete that information … Amazon failed to delete transcripts of what kids said from all its databases.”

[Related: End-to-end encryption now available for most Ring devices.]

Regulators argued these privacy omissions are in direct violation of the Children’s Online Privacy Protection Act (COPPA) Rule. First established in 1998, the COPPA Rule requires websites and online services aimed at children under 13-years-old to notify parents about the information collected, as well as obtain their consent.

According to the complaint, Amazon claimed children’s voice recordings were retained to help Alexa respond to vocal commands, improve its speech recognition and processing abilities, and allow parents to review them. “Children’s speech patterns and accents differ from those of adults, so the unlawfully retained voice recordings provided Amazon with a valuable database for training the Alexa algorithm to understand children, benefitting its bottom line at the expense of children’s privacy,” argues the FTC.

“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, in Wednesday’s announcement. “COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms.”

[Related: Amazon’s new warehouse employee training exec used to manage private prisons.]

The FTC’s proposed order includes deleting all relevant data alongside a $25 million civil penalty. Additionally, Amazon would be prohibited from using customers’ (including children’s) voice information and geolocations upon consumers’ request. The company would also be compelled to delete inactive children’s Alexa accounts, prohibit them from misrepresenting privacy policies, as well as mandate the creation and implementation of a privacy program specifically concerning its usage of geolocation data.

Meanwhile, the FTC simultaneously issued charges against Amazon-owned Ring, claiming the smart home security company allowed “any employee or contractor” to access customers’ private videos, and failed to implement “basic privacy and security protections” against hackers. In one instance offered by the FTC, a Ring employee “viewed thousands” of videos belonging to female Ring camera owners set up in spaces such as bathrooms and bedrooms. Even after imposing restrictions on customer video access following the incident, the FTC alleges the company couldn’t determine how many other workers engaged in similar conduct “because Ring failed to implement basic measures to monitor and detect employees’ video access.”

[Related: Serial ‘swatters’ used Ring cameras to livestream dangerous so-called pranks.]

The FTC’s proposed order against Ring would require the company to pay $5.8 million in fines to be directed towards consumer refunds. The company would also be compelled to delete any data, including facial information, amassed prior to 2018.

Amazon purchased Ring in 2018, and has since vastly expanded its footprint within the home surveillance industry. In that time, however, the company has found itself under fire on numerous occasions for providing video files to law enforcement entities without consumers’ knowledge, lax security, as well as promoting products via its much-criticized found footage reality TV show, Ring Nation.