Amazon Hit By $30 Million Privacy Penalty

John Lister's picture

Amazon has agreed to pay a total of $30 million in penalties for privacy violations related to its Ring and Alexa devices, according to an announcement by the Federal Trade Commission (FTC). The penalties consist of $25 million for allegedly retaining children's data without deletion and $5.8 million for failing to limit employee and contractor access to Ring security videos. (Source:

The settlements do not require Amazon to make any admission of legal wrongdoing. (Source:

Amazon Accused of Retaining Kid's Data

The FTC accused Amazon of preventing parents from deleting their children's voice and geolocation data collected through the Alexa voice assistant. This data was reportedly stored and used for several years to enhance the Alexa algorithm's understanding of children's speech patterns and accents. The FTC argued that this practice exposed the data to potential harm from unauthorized access.

Samuel Levine, director of the FTC's Bureau of Consumer Protection, emphasized that the Children's Online Privacy Protection Act Rule (COPPA Rule) prohibits companies from indefinitely retaining children's data for any purpose, including algorithm training. Amazon, however, expressed disagreement with the FTC's claims and denied any violation of the law, stating its commitment to protecting children's privacy through robust privacy measures in its products and services.

Amazon Subsidiary Ring fined $5.8M for Privacy Issues

In addition to the penalty for privacy violations involving Alexa, the FTC also imposed a $5.8 million fine on Amazon's subsidiary, Ring. Known for its video doorbells and home security products, Ring has faced criticism for its privacy practices, including sharing doorbell footage with law enforcement agencies across the United States. The settlement with Ring focused on allegations that the company failed to adequately limit access to customers' videos by its employees and contractors, and that it used the videos to train its algorithms without obtaining proper consent.

The FTC complaint revealed that an employee at Ring had viewed thousands of video recordings belonging to female users without authorization. It was only discovered when another employee uncovered the misconduct. Ring's inadequate measures to monitor and detect improper video access meant that the company had no knowledge of how many employees accessed private videos inappropriately. The FTC also noted that Ring did not seek customer consent for human review of videos until January 2018.

The lack of security measures by Ring, including the delayed implementation of multifactor authentication until 2019, allowed hackers to exploit vulnerabilities in customer accounts. The complaint stated that approximately 55,000 customer accounts in the US were compromised, with 910 accounts across 1,250 devices experiencing further intrusive actions by the hackers, such as accessing stored or live stream videos and altering device settings. (Source:

In some cases, hackers maintained access to customer devices for over a month and used the camera's two-way communication feature to harass and threaten individuals, including elderly and child occupants of monitored rooms.

As part of the settlement, the $5.8 million penalty will be used to refund affected customers, and Ring is obligated to delete any data and videos obtained prior to 2018, as well as any derived work products based on those videos. Ring's response disputed the FTC's claims, stating that the company had already addressed the mentioned issues before the FTC began its inquiry and highlighting the existing protective measures for customers.

How to Safeguard Your Data

In light of the increasing prevalence of personal data retention by companies, individuals are encouraged to take proactive measures to safeguard their privacy.

Here are some additional tips to help protect personal information. The following assumes that attackers could either be connected to your network (should a device like Ring be compromised), or attack remotely:

1. Regularly review and adjust privacy settings: Check the privacy settings on your social media accounts, smart devices, and other online platforms. Customize the settings to limit the collection and sharing of your personal data. Be mindful of the information you share publicly and consider adjusting privacy controls to restrict access to your data.

2. Use strong and unique passwords: Create strong passwords for your online accounts and avoid reusing them across multiple platforms. Consider using a password manager to securely store and generate unique passwords for each account. Two-factor authentication adds an extra layer of security by requiring a second form of verification, such as a text message code or biometric scan.

3. Be cautious with personal information sharing: Be mindful of the information you provide online, especially on social media platforms. Avoid sharing sensitive details like your address, phone number, or financial information publicly. Be cautious when filling out forms or surveys, and only provide necessary information to trusted sources.

4. Keep software and devices up to date: Regularly update the software on your devices, including operating systems, applications, and antivirus programs. Software updates often include security patches that address vulnerabilities. Enable automatic updates whenever possible to ensure you have the latest protection.

5. Encrypt and secure your WiFi network: Protect your home WiFi network by setting a strong password and enabling encryption, such as WPA2 or WPA3. This prevents unauthorized users from accessing your network and intercepting your data.

6. Be selective with third-party apps and services: Before granting permissions to third-party apps or services, carefully review their privacy policies and consider the level of access they require. Remove unnecessary or unused apps from your devices to minimize the potential exposure of your personal data.

7. Regularly review account activity: Monitor your online accounts for any suspicious activity. Keep an eye on login history, review recent transactions, and be alert for any unfamiliar or unauthorized access. If you notice anything suspicious, take immediate action by changing passwords and reporting the activity to the relevant platform or service provider.

Rate this article: 
Average: 5 (4 votes)


Focused100's picture

Regulators should take a cue from the Europeans. A Billion Dollar penalty will BEGIN to get their attention.