Stop that! Moms and dads may need to repeat this instruction to their children, but when parents told Amazon in an effort to get the company to delete children’s voice data obtained through its Alexa voice assistant, Amazon should have honored these requests immediately. But according to a lawsuit filed by the Justice Department on behalf of the FTC, Amazon responded by deleting files in some databases while retaining them elsewhere, meaning the information was available for Amazon to use at its own ends. The lawsuit alleges that Amazon violated the Children’s Online Privacy Protection Act Rule by flouting parental deletion requests, retaining children’s voice recordings indefinitely, and failing to give parents a clear history of its data deletion practices. Amazon also allegedly violated FTC law by falsely stating that users of the Alexa app could delete their geolocation information and voice recordings and by engage in unfair privacy practices related to deletion, retention, and employee access to data. The $25 million settlement with Amazon sends a clear message about the consequences of putting profits before privacy.

In addition to the massive amount of other customer information Amazon collects, the company has found a direct path to millions of consumer homes through its Alexa-powered devices, which respond to users’ voice requests. First, some information on how consumers of all ages are interacting with Alexa technology. When Alexa devices detect someone saying the wake word, Alexa begins recording what they hear in two formats: an audio file and a text transcript. Alexa then responds by performing the requested tasks.

Since Alexas has access to so much highly personal data, privacy is an important consideration for many Alexa users. Unsurprisingly, Amazon has made privacy a centerpiece of its marketing. For example, on Amazon.com Alexa Privacy Hub, the company claimed that Alexa and Echo devices are designed to protect your privacy and that Alexa and Echo devices provide transparency and control.

Users can also interact through the Alexa app, which can collect their geolocation information. Amazon has repeatedly assured users of the Alexa app that they could delete their geolocation information. But even when consumers clicked the appropriate delete buttons, the FTC says Amazon deleted data from some locations but retained it. data elsewhere, in direct violation of its promise of confidentiality. Amazon first discovered the problem early 2018, but the FTC says it wasn’t until September 2019 that Amazon finally took corrective action. Some being the key word here, because as the complaint claims, due to faulty patches and process fiascos, it wasn’t until early 2022 that Amazon finally got the problem under control.

Amazon made similar promises Alexa users could see, hear and delete [their] voice recordings. . . at any time. But as the complaint explains, once again Amazon deleted the files in some places but kept the transcripts of the recordings elsewhere in a form the company could use for product development. Adding insult to injury, for at least a year Amazon gave 30,000 employees access to voice recordings of Alexa users, even though many of those employees had no business needs. files.

Now let’s move on to how the FTC says Amazon’s misrepresentations and compliance failures resulted in COPPA violations. Given the presence of Alexas in consumers’ homes and Amazon’s sale of kid-centric products like the Echo Dot Kids Edition, FreeTime on Alexa, and FreeTime Unlimited on Alexa, many tech users are under the age of 13. years. In fact, over 800,000 children interact directly with Alexa using her own Amazon profile, which links to her parent’s profile and contains the child’s name, date of birth and gender. As with adults, Amazon saved the children’s voice recordings as audio and text files and used persistent identifiers to connect these files to the child’s Amazon profile.

The complaint alleges three ways Amazons is exercising parents’ usurped rights under COPPA to maintain control over their children’s personal data. First, Amazon programmed Alexa to keep children’s recordings forever, a practice that violated Section 312.10 of the COPPA rule. This provision states that companies may only retain children’s data for as long as reasonably necessary to fulfill the purpose for which the information was collected. After that, according to the plain language of the rule, they should safely delete it.

Second, Section 312.6 of COPPA gives parents the option at any time. . . ask the operator to delete the child’s personal information. But according to the complaint, the children’s voice recordings were subject to the same ineffective deletion procedures as the adult recordings. So even when parents asked Amazon to delete these files, Amazon kept the transcripts stored with persistent identifiers tied to the child’s account.

Another fundamental COPPA privacy protection is Section 312.4s the requirement that companies provide notice and obtain verifiable parental consent before collecting, using or disclosing personal information about children. By failing to follow its stated practices, Amazon has failed to provide parents with full and truthful advice about their ability to have their children’s personal information deleted beyond what COPPA requires.

In addition to imposing a $25 million civil penalty, the proposed settlement prohibits Amazon from making false claims about geolocation and voice information. The company also may not use geolocation, voice information, and children’s information for the creation or improvement of any data product after customers request Amazon to delete such data. In addition, Amazon should delete children’s inactive Alexa accounts, notify users of the FTC-DOJ lawsuit, and implement a privacy program specifically focused on the company’s use of geolocation information.

Here are some insights other companies can take from the action against Amazon.

COPPA compliance requires ongoing vigilance. For companies covered by COPPA, compliance is not a single set of technical details. Rather, the rule creates substantive rights for parents and imposes ongoing legal responsibilities on businesses. A single example is the requirement that companies clearly explain to parents from the outset their right to have their children’s information deleted and the resulting obligation to honor such requests. But even if parents don’t exercise their deletion rights, companies can’t retain data just because. Once the purpose for which they were collected has passed, companies should securely delete them. And for both specific parental requests and general COPPA data deletion requirements, be sure to also delete relevant files stored in backups, separate databases, or other locations.

Voice recordings are biometric data that deserves scrupulous care. Like FTC May 2023 Biometric Information Policy Statement establishes, voice recordings and transcriptions of recordings fall into the category of data derived from biometric sources that raise significant privacy and data security concerns for consumers. Now consider the biometrics of children and these concerns are brought to the fore nth degree.

Don’t secretly use customers’ personal information, especially child data, to power your algorithms. Through this enforcement action and proposed settlement with Ring, the FTC sends a clear message to companies developing AI: you cannot appease consumers with promises of privacy when you intend to use their data for other purposes. This principle takes on increased importance in the context of children. Children’s speech patterns are markedly different from those of adults, so the Alexas voice recordings gave Amazon a valuable data set for training the Alexa algorithm and Amazon’s commercial interest in it. development of new products. That’s just one reason why Amazon’s hollow promise to honor parental removal requests was particularly troubling.