Amazon unit settles privacy lawsuit

Web browsing company Alexa will pay up to $1.9 million to its customers to settle a class-action lawsuit accusing the company of providing confidential information without their consent.

3 min read
Amazon.com's Alexa Internet subsidiary said Friday it will pay up to $1.9 million to its customers to settle a class-action lawsuit.

San Francisco-based Alexa said it will destroy some of the personally identifiable records in its database as part of the settlement, and pay up to $40 per person to customers whose records are found in the database.

"We don't think we did anything wrong," Alexa Chief Executive Brewster Kahle said. "But instead of going all the way through the legal process, we thought this was the easiest way to go on with our business."

Lawyers for the Alexa users who sued the company did not return phone calls seeking comment. Amazon representatives declined to comment, directing inquiries to Alexa.

At least five different suits were filed against Alexa and Amazon, beginning in January 2000. The suits accuse Alexa of sending confidential information about Alexa users to Amazon without their consent.

The lawsuits came after a privacy complaint filed with the Federal Trade Commission by computer security expert Richard Smith. Smith alleged that the company was collecting more personal data than Amazon acknowledged. Smith's complaints led to an FTC inquiry that Kahle said is "ongoing."

Alexa makes a program that works in conjunction with a Web browser, monitoring people's surfing habits and then suggesting related Web pages.

Alexa has never looked at the personal information within its database, Kahle said. "We don't know who our users are and (it) isn't important for us to know," he said.

But Jason Catlett, president of privacy advocate Junkbusters, noted that Kahle had previously said the company did not permanently store personal information, which appears to contradict what the company acknowledged in its settlement.

"It sounds like they collected information that they didn't say they were collecting and stored information that they didn't say they were storing, and that's why they have to pay now," Catlett said. "If (Amazon) cannot be relied upon to say what they do with the information they collect, it's very harmful to privacy."

As part of the settlement, which was preliminarily approved by U.S. District Court for the Western District of Washington on April 20, Alexa agreed to delete the last four numbers of the IP address in its database and any characters after a "?", "#", or "@" in a URL within 30 days for most data collected before Nov. 2, 2000. The company also agreed to add a list of frequently asked questions about its privacy policy to its Web site and provide additional links to the full text of its privacy policy.

Alexa also agreed to require customers to opt-in to having their data collected before they can download the company's software.

Amazon has faced scrutiny over its own privacy measures after it changed its policy last fall. The change would allow the company to sell the personal information it has collected if Amazon is acquired or goes out of business.

Amazon bought Alexa in April 1999 as part of a $645 million spending spree that included acquisitions of Exchange.com and Accept.com.