Amazon has reached a settlement agreement to pay more than $30 million in two separate federal lawsuits concerning privacy violations related to its Alexa voice assistant and Ring doorbell cameras. The settlements, announced on Wednesday, were made with the Federal Trade Commission (FTC) and address allegations that Amazon unlawfully retained Ring videos, Alexa voice recordings, and geolocation information without proper consent and despite consumers' requests for deletion.
The FTC accused Amazon of having lax data policies that allowed unauthorized access to the collected information, particularly in the case of Ring doorbell footage. In response to the settlements, Amazon issued a statement denying any wrongdoing but acknowledged that the agreements would resolve the matters. The tech giant stated that it disagreed with the FTC's claims regarding both Alexa and Ring.
Amazon's acquisition of Ring in 2018 enabled the company to enter the home security market, expanding its offerings beyond e-commerce. Alongside video doorbells, Ring produces indoor and outdoor security cameras, as well as alarm systems.
The FTC complaint accompanying the settlement with Ring alleged that the company granted employees unrestricted access to customers' home security system videos. The complaint detailed an incident in which a Ring employee viewed thousands of video recordings from at least 81 female users, including footage from cameras placed in bathrooms and bedrooms. The complaint further stated that an initial report of misconduct by a fellow employee was not taken seriously until a supervisor noticed that the male employee was selectively viewing videos of "pretty girls." Only then did Ring review the employee's activity and terminate his employment.
The complaint also highlighted instances of hacked cameras, leading to malicious actors speaking to victims and causing distress. The FTC alleged that Amazon's failure to enforce strong password protections contributed to successful guessing of user passwords, enabling these attacks. The complaint indicated that between January 2019 and March 2020, more than 55,000 U.S. customers experienced credential stuffing and brute force attacks that compromised Ring devices. As a result, bad actors gained access to hundreds of thousands of videos from consumers' homes, including bedrooms and children's bedrooms, compromising the privacy and security that Ring had promised to enhance.
Under the proposed settlement, Ring will pay $5.8 million and implement a new data security program.
Responding to the allegations, Amazon stated that Ring had already addressed the issues independently years ago, well before the FTC's inquiry began. Ring echoed this sentiment in their statement to CNN, expressing disagreement with the FTC's allegations but confirming their commitment to resolve the matter through the settlement.
Separately, Amazon agreed to pay $25 million to settle allegations related to its Alexa voice assistant. The FTC complaint alleged that Amazon violated the Children's Online Privacy Protection Act (COPPA), which prohibits the collection of personal information from children under 13 without parental consent. The FTC claimed that Amazon retained Alexa voice recordings of children indefinitely unless specifically instructed to delete them, and sometimes failed to honor deletion requests, keeping the data for its potential use.
The proposed settlement requires Amazon to delete voice recordings and geolocation data in compliance with consumer requests, including those involving children. Furthermore, Amazon will be prohibited from using the data for training its algorithms. The company also agreed to inform consumers about the FTC settlement and implement a privacy program for geolocation data.
Amazon defended its practices, stating that it designed Alexa with robust privacy protections and customer controls and ensured that Amazon Kids complied with COPPA. The company added that it had collaborated with the FTC before expanding Amazon Kids to include Alexa. As part of the settlement, Amazon will make a slight modification to its existing practices, removing child profiles inactive for over 18 months unless parents or guardians choose to retain them.