Recent Amazon, FTC Actions

I was moderating a panel recently about data privacy & security in the enterprise, and an audience member asked the question whether it was a trend, and whether it would fade away.

In a way, that question reflects the sense that a baseline business model is one that ignores the requirements of data privacy, and that at some point, we’ll return to the “good ole days” where “data is the new oil.”

Recent enforcement actions by the US Federal Trade Commission and the Department of Justice seem to reflect the opposite: the agencies are entering into court orders with major companies such as Amazon over practices which appear to be foundational to those companies’ businesses. A key area concerns biometric information, as noted in these FTC cases.

Amazon Alexa

A recent case concerns Amazon’s smart speakers such as Alexa, where Amazon allegedly violated the Children's Online Privacy Protection Act (COPPA) by retaining children's voice data obtained through the Alexa voice assistant instead of deleting it as requested by parents.

In the filing against Amazon with regard to alleged violations of the COPPA Rule, the FTC notes:

“The lawsuit alleges Amazon violated the Children’s Online Privacy Protection Act Rule by flouting parents’ deletion requests, retaining kids’ voice recordings indefinitely, and not giving parents the straight story about its data deletion practices. Amazon also allegedly violated the FTC Act by falsely representing that Alexa app users could delete their geolocation information and voice recordings and by engaging in unfair privacy practices related to deletion, retention, and employee access to data. The $25 million settlement with Amazon sends a clear message about the consequences of putting profits over privacy.” (emphasis added)

The FTC states that:

“Under the proposed federal court order also filed by the DOJ, Amazon will be required to delete inactive child accounts and certain voice recordings and geolocation information and will be prohibited from using such data to train its algorithms.” (emphasis added)

The FTC and the DOJ have reached an agreement with Amazon regarding violations of the COPPA Rule and deceptive practices. Among other remedies, Amazon will be required to overhaul its deletion practices, implement privacy safeguards, and delete inactive child accounts and certain voice recordings and geolocation information.

Amazon Ring

Another example highlights the intersection of AI, biometric data, and personal privacy, as the FTC fines Amazon subsidiary Ring $5.8 million for invading customers' privacy and sharing sensitive videos without permission. 

The FTC alleges that Ring's “lax” approach to data security and privacy resulted in employees misusing customer videos, including viewing videos of female users in intimate settings, and hackers using cameras' two-way communication to harass people. 

The FTC says that despite the company’s claims that it took reasonable steps to ensure that Ring cameras were a secure means for consumers to monitor private areas of their homes, the company exhibited a “fast-and-loose approach to customers’ highly sensitive information.”

The FTC doesn’t pull any punches when they report:

“Creepy employees and sinister hackers weren’t the only ones who wrested control of personal data from consumers. According to the complaint, without getting consumers’ affirmative express consent, Ring exploited their videos to develop image recognition algorithms – putting potential profit over privacy. Hiding its conduct in a dense block of legalese, Ring simply told people it might use their content for product improvement and development and then extrapolated purported “consent” from a check mark where consumers acknowledged they agreed to Ring’s Terms of Service and Privacy Policy.”

The order prohibits Ring from making misrepresentations about the extent to which the company or its contractors can access customers’ videos, payment information, and authentication credentials. In addition, for the period when Ring had inadequate procedures for getting consumers’ consent, the company must delete all videos used for research and development and all data – including models and algorithms – derived from those videos.

Amazon Prime

Photo by Krisztina Szerovay

And in yet another FTC order vis-à-vis Amazon’s seemingly standard business practices, the FTC said that Amazon has used "manipulative, coercive or deceptive user-interface designs known as 'dark patterns' to trick consumers into enrolling in automatically renewing Prime subscriptions," as it seeks civil penalties and a permanent injunction to prevent future violations.

The lawsuit said that under substantial pressure from the FTC, Amazon changed its cancellation process in April but that "violations are ongoing" and that it still "requires five clicks on desktop and six on mobile for consumers to cancel from Amazon.com." 

In its complaint, the FTC charges that Amazon has “knowingly duped millions of consumers into unknowingly enrolling in Amazon Prime.”

* * * 

What should we take away from these three FTC actions? In my opinion, the trend towards treating data privacy as a human right, rather than some inconsequential attribute, means companies need to be thinking about data privacy and security from the ground up. 

Companies need to incorporate meaningful “privacy by design” principles, including transparency, consent, and data minimization, into their foundational business practices, rather than treating privacy as merely a compliance issue.

More to come…

LEGAL DISCLAIMER:

The contents of this article are intended to convey general information only and not to provide legal advice or opinions, and should not be construed as, and should not be relied upon for, legal advice in any particular circumstance or fact situation. Nothing in this article is an offer to represent you, and is not intended to create an attorney-client relationship.
