Amazon to cough up more than US$30 million and Microsoft US$20 million to FTC over Ring, Alexa, and Xbox privacy violations

Amazon and Microsoft have independently found themselves coughin up millions of dollars in Federal Trade Commission (FTC) settlements over privacy violations. While Amazon's privacy lapses pertain to Alexa and Ring systems, Microsoft is facing the heat for storing children's personal information on Xbox for far longer than permissible and sharing the data with third parties without parents' knowledge.

Amazon employee spied on users' private moments with Ring cameras

According to a court filing submitted last week, the FTC said that Amazon employees and third-party contractors in Ukraine who had access to Ring footage could download all customer videos without restrictions before July 2017.

According to the FTC, an Amazon employee spent several months in 2017 watching thousands of video recordings of people, mostly in "intimate spaces" in their homes. The filing alleges that this inappropriate act had impacted at least 81 female Ring users and fellow employees in the Ring unit at Amazon.

The employee's condemnable act was first noticed by a colleague who then escalated it to her supervisor. The supervisor initially discounted the concern citing that it's normal for engineers to peruse footage, but soon realized that the offending employee was mainly viewing videos of "pretty girls".

The said employee has since been terminated, but Amazon did not have any mechanism before February 2019 to monitor such privacy breaches from its own staff. Thus, it had no way of knowing how many employees could have abused private video from Ring cameras.

The FTC sought US$5.8 million in damages from Ring, which will be refunded to impacted users. Amazon is also required to delete any videos and data collected from an individual's face obtained prior to 2018 along with any work products derived from these videos.

Amazon's Alexa division, too, found itself in hot waters in a separate US$25 million suit that alleges violation of the FTC Act and Children's Online Privacy Protection Act (COPPA). The complaint, which was filed by the Department of Justice (DOJ), alleges that Alexa retained voice and geolocation information associated with thousands of children for many years while not providing a way for parents to delete their kids' data.

Since kids' speech patterns are different from those of adults, Amazon uses this data to train Amazon Kids on Alexa for Echo products. If approved by the court, Amazon will have to cough up US$25 million in civil penalties apart from requiring deleting inactive child accounts on Alexa and prohibition in using children's voice and location data.

Amazon has since clarified that Amazon Kids is built to comply with COPPA and that the Ring system has addressed privacy concerns before the FTC had started its investigation.

Microsoft found violating COPPA too

The DOJ also launched a lawsuit against Microsoft on behalf of the FTC, seeking a US$20 million payment for COPPA violations. The DOJ alleged that the company retained personal information of kids who signed up for the Xbox service for far longer than necessary. 

According to the FTC, until late 2021, Microsoft required certain personal information from an under-13 Xbox user before involving the parent for creating the account. However, the company retained such information for many years even if the parent left the signup process incomplete.

The complaint alleges that children, after successful signup, can create a profile that includes their "gamertag" and upload a picture and avatar representing them, which then get combined with a unique persistent identifier. This information can be shared with third-party games and apps by children themselves. Parents are left out of the loop and will have to manually opt-out of such services if necessary. 

The long retention of children's profiles and failure to disclose all collected information to parents is in violation of COPPA's provisions.

Apart from coughing up the fine, Microsoft will also have to take additional steps including obtaining a re-consent from parents for accounts created before May 2021 if the account holder is still a child, deleting all collected personal information for parental consent within two weeks from collection date, and informing third-party publishers that the user is a child while disclosing personal information to them.

In a blog post on Xbox Wire, Microsoft admitted to not meeting customer expectations and agreeing to an FTC settlement. The company detailed the various changes and remedial steps it is taking to address the issue in accordance with FTC and COPPA requirements. It also clarified that account creation data for child accounts wasn't deleted due to a "technical glitch". The problem has since been rectified and the said data was never used, shared, or monetized, according to the company.

Buy the Xbox Series X on Amazon