Amazon.com agreed Wednesday to pay $30.8 million to settle claims that it improperly retained children’s Alexa voice recordings and allowed employees of its Ring video doorbell unit to surveil customers.
One Ring employee viewed thousands of video recordings of female users of security cameras that surveilled bedrooms and other intimate spaces in their homes, the Federal Trade Commission said in a complaint.
Ring also failed to implement standard security measures to protect consumers’ information from two well-known hacking attacks, the FTC said, despite warnings from employees, outside security researchers and media reports.
Amazon agreed to pay $5.8 million to settle the Ring complaint, the FTC said.
Separately, Amazon agreed to pay a $25 million penalty for keeping children’s voice and geolocation data for years in violation of the federal Children’s Online Privacy Protection Act, known as COPPA, the FTC said.
“While we disagree with the FTC’s claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us,” Amazon said in a statement. “As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them.”
The FTC commissioners warned other companies against improperly retaining data as they race to keep up in the development of machine learning and artificial intelligence.
“Today’s settlement sends a message to all those companies: Machine learning is no excuse to break the law,” the commissioners said.
According to the children’s privacy complaint, Amazon assured its users, including parents, that they could delete voice recordings and geolocation information collected through its Alexa voice assistant and app.
But the company failed to follow through on those promises and kept some of the information for years, using it to help improve its Alexa algorithm, the complaint said.
The settlement will require Amazon to delete inactive child accounts and certain voice recordings and geolocation information, and will be prohibited from using such data to train its algorithms or improve its products.
Both settlements will require approval by a federal judge.
Under the Ring settlement, the company will be required to delete data derived from videos it unlawfully reviewed. It also will be required to implement a new privacy and security program that includes multifactor authentication for both employee and customer accounts.
Ring, acquired by Amazon in 2018, sells internet-connected home-security cameras and related services. The company has claimed that its products offer greater home security and provide its users with peace of mind.
In the complaint, the FTC said Ring deceived its customers by failing to restrict employees’ and contractors’ access to its customers’ videos. Improper access continued even after the company learned that an employee had gained access to video recordings belonging to female users, the complaint said.
Ring also failed to implement standard security measures to protect consumers’ information from two well-known types of hacking attacks, despite warnings from employees, outside security researchers and media reports.