Amazon will pay two separate penalties for privacy violations, the Federal Trade Commission announced: $25 million for allegedly failing to delete children’s data and $5.8 million for failing to restrict employees’ and contractors’ access to Ring security videos.
Amazon prevented parents from deleting their children’s voice and geolocation data obtained through the Alexa voice assistant, and stored and used the data for several years to improve Alexa’s algorithm to better understand the speech patterns and accents of children, the FTC claimed Wednesday.
This put the data “at risk of damage from unnecessary access,” according to the FTC.
The Children’s Online Privacy Protection Act (COPPA) rule “prevents companies from keeping children’s data forever for any reason, and certainly not training their algorithms,” said Samuel Levin, director of the Bureau of Protection of FTC consumers, in a statement.
Amazon said in a blog post that it disagrees with the FTC’s allegations and denies violating the law.
“We take our responsibilities to our customers and their families very seriously,” Amazon said. “We work hard to protect children’s privacy and have built robust privacy protections into our products and services for children.”
Read more: These 6 tips will help you keep your personal data private
The Federal Trade Commission (FTC) on Wednesday also imposed a $5.8 million fine against Amazon’s Ring. Ring, which was acquired by Amazon in 2018, sells video doorbells, indoor and outdoor cameras, and home security services. It has long been criticized for its privacy practices, including sharing doorbell footage with US police departments. The settlement announced Wednesday relates to allegations that it failed to restrict access to customer videos of its employees and contractors and used those videos to train its algorithms without consent.
“One employee over several months reviewed thousands of videos belonging to women using Ring cameras that monitor intimate spaces in their homes, such as their bathrooms or bedrooms. The employee was not suspended until another employee discovered the misconduct,” the FTC alleged.
Ring’s failure to “implement basic measures to monitor and detect employee video access” means the company also doesn’t know who or how many employees were accessing private videos inappropriately.
Read more: Home Security Cheat Sheet: Our top tips for keeping your home safe
The FTC alleges that Ring did not seek its customers’ consent for human review of their videos until January 2018.
Ring’s lack of security, including not offering multi-factor authentication until 2019, meant that hackers used account vulnerabilities to compromise the accounts of 55,000 U.S. customers, the complaint said. Of those 55,000 customers, 910 accounts on 1,250 devices saw the hacker take “additional invasive actions, such as accessing stored video, accessing live streaming video, or viewing a user profile,” the complaint details. In 20 cases, hackers maintained access to customers’ devices for more than a month.
“In many cases, bad actors were not just passively watching customers’ sensitive video data. Rather, bad actors took advantage of the camera’s two-way communication functionality to harass, threaten, and abuse people — including the elderly and children — whose rooms were being monitored by Ring cameras, as well as to trigger alarms and change important device settings,” the FTC complaint said.
The $5.8 million penalty will be used to refund customers, and Ring must delete data and videos if they were obtained before 2018 and “delete any work product derived from those videos.”
Ring’s statement also disagreed with the FTC’s claims. “We want our customers to know that the FTC complaint is based on issues that Ring promptly addressed on its own, long before the FTC began its investigation; mischaracterizes our security practices; and ignores the many protections we have in place for our customers,” Ring said.
How to protect your personal data
Bad actors are a threat to your security, and there are several steps you can take to help yourself. Here’s how to make sure your home Wi-Fi is secure, how to protect your home security from hacks and the best home security systems for 2023 – including the best cheap home security systems and the best DIY home security systems. You might also consider getting a password manager so your accounts are more secure, and here’s CNET’s smart home privacy guide on how to delete your Amazon, Apple, and Google voice recordings.
As companies guard more and more of your personal data, here are CNET’s tips on how to stop Facebook from tracking you, how to prevent yourself from being tracked using your Apple AirTags, and how to get Google to remove your personal data from search results.