Amazon to Pay $30M for Ring and Alexa Privacy Violations: Tips for Protecting Your Smart Home Data

Amazon will pay two separate penalties for privacy violations, the Federal Trade Commission has announced: $25 million for allegedly not deleting children's data and $5.8 million for failing to restrict employee and contractor access to Ring security videos.

Amazon prevented parents from deleting their children's voice and geolocation data acquired through the Alexa voice assistant, and stored and used the data for several years to improve the Alexa algorithm to better understand children's speech patterns and accents, the FTC alleged Wednesday.

This put the data "at risk of harm from unnecessary access," according to the FTC. 

The Children's Online Privacy Protection Act Rule "does not allow companies to keep children's data forever for any reason, and certainly not to train their algorithms," said Samuel Levine, director of the FTC's Bureau of Consumer Protection, in a statement. 

Amazon said in a blog post that it disagrees with the FTC's claims and denies violating the law.

"We take our responsibilities to our customers and their families very seriously," Amazon said. "We work hard to protect children's privacy, and we have built robust privacy protections into our children's products and services."

Read more: These 6 Tips Will Help Keep Your Personal Data Private

The FTC on Wednesday also leveled a $5.8 million penalty against Amazon's Ring. Ring, which was acquired by Amazon in 2018, sells video doorbells, indoor and outdoor cameras and home security services. It has long been criticized for its privacy practices, including sharing doorbell footage with police departments across the US. The settlement announced Wednesday related to allegedly failing to restrict access to customers' videos across its employees and contractors, and using those videos to train its algorithms without consent.

"One employee over several months viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms. The employee wasn't stopped until another employee discovered the misconduct," the FTC alleges. 

Ring's failure to "implement basic measures to monitor and detect employees' video access" meant the company also didn't know who or how many employees accessed private videos inappropriately. 

Read more: Home Security Cheat Sheet: Our Best Tips for Keeping Your Home Safe

Ring didn't seek customer consent for human review of their videos until January 2018, the FTC alleged.

The lack of security, including not offering multifactor authentication until 2019, meant hackers exploited account vulnerabilities to compromise 55,000 customers' accounts in the US, the complaint says. Of those 55,000 customers, 910 accounts across 1,250 devices saw the hacker take "additional invasive actions, such as accessing a stored video, accessing a live stream video or viewing a customer's profile," the complaint details. In 20 instances, the hackers maintained access to customer devices for over a month.

"In many instances, the bad actors were not just passively viewing customers' sensitive video data. Rather, the bad actors took advantage of the camera's two-way communication functionality to harass, threaten, and insult individuals -- including elderly individuals and children -- whose rooms were monitored by Ring cameras, and to set off alarms and change important device settings," the FTC's complaint says.

The $5.8 million penalty will be used to refund customers, and Ring is required to delete data and videos if obtained prior to 2018 and "delete any work products it derived from these videos."

Ring's statement likewise disagreed with the FTC's claims. "We want our customers to know that the FTC complaint draws on matters that Ring promptly addressed on its own, well before the FTC began its inquiry; mischaracterizes our security practices; and ignores the many protections we have in place for our customers," Ring said.

How to protect your private data

Bad actors are a threat to your security, and there are a number of steps you can take to help yourself. Here's how to make sure your home Wi-Fi is secure, how to protect your home security against hacks and the best home security systems of 2023 -- including the best cheap home security systems and the best DIY home security systems. You could also look at getting a password manager so your accounts are safer, and here's CNET's smart home privacy guide on how to delete your voice recordings across Amazon, Apple and Google.

As companies are keeping more and more of your personal data, here are CNET's tips on how to keep Facebook from tracking you, how to prevent yourself from being tracked via your Apple AirTags and how to get Google to remove your personal data from search results.