The FTC will require Amazon to overhaul its deletion practices and implement stringent privacy safeguards to settle charges the company violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) and deceived parents and users of the Alexa voice assistant service about its data deletion practices.

UNITED STATES DISTRICT COURT WESTERN DISTRICT OF WASHINGTON

UNITED STATES OF AMERICA, Plaintiff, v. AMAZON.COM, INC., a corporation, and AMAZON.COM SERVICES LLC, a limited liability company, Defendants.

CASE NO. 2:23-cv-00811-TL

COMPLAINT FOR PERMANENT INJUNCTION, CIVIL PENALTIES, AND OTHER RELIEF

Plaintiff, the United States of America, acting upon notification and authorization to the Attorney General by the Federal Trade Commission (“FTC” or “Commission”), for its Complaint alleges:

• Plaintiff brings this action under Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), and 56(a); and Sections 1303(c) and 1306(d) of the Children’s Online Privacy Protection Act of 1998 (“COPPA”), 15 U.S.C. §§ 6502(c) and 6505(d), to obtain monetary civil penalties, a permanent injunction, and other equitable relief for violations of Section 5 of the FTC Act and the Commission’s Children’s Online Privacy Protection Rule (the “Rule” or the “COPPA Rule”), 16 C.F.R. Part 312, by Defendants Amazon.com, Inc. and Amazon.com Services LLC (together “Amazon” or “Defendants”).

SUMMARY OF THE CASE

• Using Amazon's voice assistant service, Alexa, millions of Americans use Amazon's Echo smart speakers and the Alexa mobile application ("Alexa App") to access a wide range of products and services. These include playing music, audiobooks, or audio content from the internet; ordering products from the Amazon.com website; or instructing a smart TV to stream programming.

• These products include voice-activated services aimed at children under 13 years old, such as the Echo Dot Kids smart speaker, "FreeTime on Alexa" (a personalized service that allows parents to control how their child accesses and uses Alexa), and "Free Time Unlimited on Alexa" (which offers children's audiobooks and audio-based Alexa applications such as voice-controlled games, stories, jokes, and educational tools). More than 800,000 children under 13 years old have their own Alexa profiles. These profiles link to a parent's profile and include the child's name, birth date, and gender.

• A child (or adult) activates Amazon's smart speaker by simply saying "Alexa," followed by the substance of the request, for example, "what time is it?" or "tell me a joke." Alexa saves the voice recording of the request and creates a written transcript. Alexa's default settings save these voice recordings and transcripts indefinitely, even if the user stops using the account for months or even years. This applies to both child and adult users. Amazon uses the voice recordings and transcripts it saves not only to fulfill the adult's or child's request to Alexa but also to train and improve the Alexa product for all users.

• Similarly, a user of the Alexa App is prompted to give Alexa access to the geolocation of the user's device, ostensibly to respond more accurately to user requests based on where the mobile device is located.

• Amazon's privacy disclosures claim that Alexa was designed with privacy in mind, promising that Amazon would delete users' voice and geolocation data (including children's voice data) upon request, and that access to voice data is carefully limited. However, until September 2019, Amazon retained children's voice recordings and transcripts indefinitely unless a parent actively deleted them. Alexa's default settings still save children's (and adults') voice recordings and transcripts indefinitely, even when a child no longer uses their Alexa profile and it has been inactive for years. This practice has resulted in Amazon retaining the personal information of thousands of children who no longer use their Alexa accounts, in violation of COPPA's prohibition on retaining children's personal information longer than reasonably necessary to fulfill the purposes for which it was collected.
• Amazon also failed, for a significant period, to honor parents' requests to delete their children's voice recordings by continuing to retain transcripts of those recordings, without disclosing this to the parents, which also violates COPPA. Additionally, Amazon failed to delete users' voice and geolocation information upon request, instead retaining this data for its own potential use. These unfair and deceptive practices violate Section 5 of the FTC Act.

JURISDICTION AND VENUE

• This Court has subject matter jurisdiction pursuant to 28 U.S.C. §§ 1331, 1337(a), and 1345.
• Venue in the Western District of Washington is proper under 15 U.S.C. § 53(b) and 28 U.S.C. §§ 1391(b)(1), (b)(2), (c)(2), and (d).

DEFENDANTS

• Defendant Amazon.com, Inc. is a Delaware corporation, with its principal place of business at 410 Terry Avenue, Seattle, Washington 98109. Amazon.com, Inc. is a U.S. public holding company that conducts its business through subsidiaries, including Defendant Amazon.com Services LLC (collectively, “Amazon”).

• Amazon.com, Inc. transacts or has transacted business in this District and throughout the United States.

• Defendant Amazon.com Services LLC (“Amazon.com Services”) is a Delaware corporation, with its principal place of business at 410 Terry Avenue, Seattle, Washington 98109. Amazon.com Services is a wholly owned subsidiary of Amazon.com, Inc. that provides services related to the processing of Alexa voice and location data to Amazon.com, Inc.

• Amazon.com Services transacts or has transacted business in this District and throughout the United States.

• At all times material to this Complaint, acting alone or in concert with others, Amazon has advertised, marketed, distributed, or sold voice-enabled smart speakers, including smart speakers directed to children under 13 years of age, and related mobile applications to consumers throughout the United States.

COMMERCE

• At all times material to this Complaint, Defendants have maintained a substantial course of trade in or affecting commerce, as “commerce” is defined in Section 4 of the FTC Act, 15 U.S.C. § 44.

AMAZON’S BUSINESS PRACTICES

• Amazon is a multinational technology company with more than 1.4 million employees and annual revenues exceeding $380 billion.

• Since 2014, Amazon has developed, manufactured, and sold Internet-connected speakers, branded as Amazon “Echo” devices, controlled by Amazon’s proprietary cloud-based voice assistant service, Alexa. To date, Amazon has sold well over 100 million Echo devices globally, earning billions of dollars in revenue from sales of these devices and related services.

• Amazon’s Alexa-powered Echo devices listen for and respond to users’ oral requests. When an Echo detects someone saying the device’s “wake” word (usually, “Alexa,” “Amazon,” “Echo,” or “Computer”), Alexa begins recording what it hears in two formats: an audio file and a text file. Alexa then responds to the request by, for example, playing music, setting alarms, providing information, remembering facts, making to-do lists, streaming podcasts, or buying products.

• Users can also interact with their Echo devices through Amazon’s free Alexa mobile application. The Alexa App allows a user to set up Echo devices and perform other functions, such as establishing settings for Alexa and obtaining weather and news updates. Users of the Alexa App are prompted to enable location services that allow the app to collect users’ geolocation information so that it can provide location-based information, such as local weather or nearby restaurants.

• Amazon’s policies recognize that privacy is an important consideration for many Alexa users and Echo purchasers, touting privacy as a core feature of Alexa and Echo devices.

• Amazon maintains a dedicated “Alexa Privacy” webpage within its online “Alexa Privacy Hub” on the Amazon.com website that asserts: “Alexa and Echo devices are designed to protect your privacy.”

• That webpage also states that “Alexa and Echo devices provide transparency and control.” Similarly, the Alexa Privacy Settings webpage tells users: “You have control over your Alexa experience” and provides an option to “[v]iew, hear, and delete your voice recordings.”

Alexa Collects Sensitive Data from Children

• Alexa collects voice data from both adults and children under the age of 13.

• In May 2018, Amazon launched several Alexa-enabled offerings designed specifically for children:

  • A smart speaker called the “Echo Dot Kids Edition,” which cost approximately $70.
  • A free personalized service called “FreeTime on Alexa,” which enables parents to control the content their children can access through Alexa and how their children can use compatible Echo devices.
  • A paid content subscription service, “FreeTime Unlimited on Alexa,” providing access to child-oriented audiobooks, character alarms, and “kid skills” such as voice-controlled games, stories, jokes, and educational tools.

• A one-year subscription to FreeTime Unlimited has been included with the purchase of an Echo Dot Kids Edition.

• To use these products, a parent creates a profile for their child that links to the parent’s profile and contains the child’s name, birth date, and gender. More than 800,000 children interact directly with Alexa using their own Amazon profiles.

• Amazon saves children’s voice recordings as audio and text files and uses persistent identifiers to connect these audio and text files to the child’s Amazon profile.

• Amazon saves various "memories" through a feature initially called “Remember This” and then called “Notes,” which includes content that children instruct Alexa to remember.

• Children’s unique speech patterns and accents differ from adults, providing Amazon with valuable data for training the Alexa algorithm to understand children.

Amazon’s Default Settings Retain Children’s Voice Recordings Indefinitely

• Since launching its first Echo smart speaker, Amazon has set its default settings to retain users’ voice recordings indefinitely.

• Until September 2019, a parent who sought to delete their child’s voice recordings had to navigate Amazon’s online deletion options or contact Amazon customer service.

• In September 2019, two months after receiving an initial Civil Investigative Demand from the FTC, Amazon offered a new feature that allowed users to auto-delete voice recordings at regular intervals of three- or eighteen-months, while still retaining the indefinite retention default setting.

• Amazon claims that it retains children’s voice recordings in perpetuity for three reasons:

  • To respond to children’s voice commands.
  • To enable parents to review their children’s old voice recordings.
  • To improve Alexa’s speech recognition and processing capabilities.

• For Alexa to recognize and process a child’s voice request, it is not reasonably necessary to retain that child’s voice recordings indefinitely. Amazon only needs to retain a voice recording for a few seconds to respond to the request that the child has made.

• While parents may wish to review and supervise their child’s interactions with Alexa by accessing the stored recordings, storing those recordings indefinitely is not reasonably necessary for that purpose.

• The indefinite retention of children’s voice recordings is also not reasonably necessary for Amazon to continue improving Alexa’s speech recognition and processing capabilities.

Amazon Misled Alexa Users About Their Ability to Delete Voice Recordings Collected by Alexa

• Amazon assured parents that they could delete their child’s personal information at any time, specifically their voice recordings.

• Amazon provides a "Children’s Privacy Disclosure" to parents who set up a child account, directing them to customer service or the “Manage Parental Consent” page for deletion options.

• The Alexa Privacy Settings webpage tells users they can view, hear, and delete their voice recordings at any time, and Amazon's Frequently Asked Questions reinforce this assertion.

• However, until mid-2019, Amazon would delete the voice recordings as requested, but retained the written transcripts of those recordings in residual data stores.

• When users or parents requested deletion of voice recordings, Amazon deleted the audio files but continued to keep and use the transcripts for product improvement, without notifying the user or parent.

• In many instances, Amazon continued using both the audio files and the transcripts of children's recordings to improve Alexa’s voice recognition and natural language processing capabilities.

• Between August 2018 and September 2019, Amazon allowed 30,000 employees, many of whom had no business need for access, to access users' voice recordings, violating Amazon’s “least permission” policy.

Amazon Misled Alexa App Users About Their Ability to Delete Geolocation Information

• The Alexa App purportedly allows users to control Amazon’s collection, use, and storage of their geolocation information, and Amazon claimed users could delete this data using its "Manage Your Content and Devices" feature.

• However, Amazon did not fully delete the geolocation information of Alexa App users who requested it.

• Between January 2018 and early 2022, Amazon retained some geolocation data in secondary storage locations insulated from users' deletion requests.

• Amazon discovered this issue multiple times from February 2018 to early 2022 but failed to correct it promptly, repeatedly storing Alexa App users' geolocation information contrary to their deletion requests.

• Amazon has never informed users that it retained geolocation data they tried to delete.

Amazon’s Privacy Practices Are Unfair

• Amazon has engaged in several unreasonable privacy practices related to its storage of Alexa users’ sensitive geolocation and voice information, including children’s voice information. These practices include:

  • Failing to ensure that children’s voice recordings are retained for no longer than reasonably necessary.
  • Collecting and maintaining sensitive geolocation data in a manner and location that insulated that information from users’ deletion requests and allowed Amazon to access that data for product improvement.
  • Failing to ensure that deletion requests related to users’ geolocation and voice recordings are honored and that system-based failures to honor such requests do not recur.
  • Failing to notify consumers that Amazon had not satisfied their requests to delete their or their children’s geolocation information or voice recordings.

• These practices caused, or were likely to cause, substantial injury to consumers that they could not reasonably avoid. Consumers rely on Amazon’s representations that its Alexa and Echo devices “are designed to protect your privacy” and “provide transparency and control.”

• Consumers are entitled to trust that when they ask Amazon to delete their or their children’s voice recordings or geolocation information, it will be done.

• When Amazon fails to fulfill its promises, retains users’ or children’s voice or geolocation information that users have expressly asked to be deleted, and allows employees access to that information, users suffer privacy injuries due to unauthorized use of their information.

• Amazon’s unlawful retention of consumers’ sensitive personal information also increases the likelihood of additional injury through unnecessary employee access to consumers’ voice recordings.

• Consumers cannot avoid such injuries, as they have no way of determining whether Amazon has fully satisfied their deletion requests, and Amazon has not notified them when it failed to do so.

• Based on the foregoing, the United States has reason to believe that Amazon has violated and will continue to violate the FTC Act and the COPPA statute and rule.

Violations of Section 5 of the FTC Act

• Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits “unfair or deceptive acts or practices in or affecting commerce.”

• Misrepresentations or deceptive omissions of material fact constitute deceptive acts or practices prohibited by Section 5(a) of the FTC Act.

• Acts or practices are unfair under Section 5 of the FTC Act if they cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition (15 U.S.C. § 45(n)).

Count I. Deception – Amazon Falsely Represented That Alexa App Users Could Delete Their Geolocation Information

• Paragraphs 1 through 38 are incorporated as if set forth herein.

• In connection with the advertising, marketing, promotion, offering for sale, or sale of Alexa-enabled devices and applications, Amazon regularly represents that Alexa App users may delete the geolocation information that Amazon has collected and stored from them.

• Notwithstanding Amazon’s representations, in numerous instances, Alexa App users requested that Amazon delete their geolocation information, but Amazon failed to do so.

• Amazon’s representations that it would delete users’ geolocation information at their request were false and misleading and constitute deceptive acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

Count II. Deception – Amazon Falsely Represented That Alexa Users Could Delete Their or Their Child’s Voice Recordings

• Paragraphs 1 through 38 are incorporated as if set forth herein.

• In connection with the advertising, marketing, promotion, offering for sale, or sale of Alexa-enabled devices and applications, Amazon regularly represents that Alexa App users or parents can delete their own or their children’s voice recordings, implicitly including all audio files and transcripts.

• In numerous instances, Alexa users requested that Amazon delete their own or their children’s voice recordings, but Amazon failed to do so.

• Amazon’s representations that it would delete the voice recordings of users or their children were false and misleading and constitute deceptive acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

Count III. Unfair Privacy Practices

• Paragraphs 1 through 38 are incorporated as if set forth herein.

• In numerous instances, as described in Paragraph 32, Amazon failed to take reasonable steps to protect the privacy of Alexa users’ geolocation and voice recordings.

• Amazon’s actions and omissions caused or are likely to cause substantial injury to consumers that they cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.

• Therefore, Amazon’s acts or practices as set forth in Paragraph 32 constitute unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45(a), (n).

Violations of the Children’s Online Privacy Protection Act Rule (COPPA)

• Congress enacted COPPA in 1998 to protect the safety and privacy of children online by prohibiting the unauthorized or unnecessary collection of children's personal information by operators of Internet websites and online services. COPPA directed the Federal Trade Commission (FTC) to promulgate a rule implementing COPPA. The FTC issued the COPPA Rule, 16 C.F.R. Part 312, on November 3, 1999, under Section 1303(b) of COPPA, 15 U.S.C. § 6502(b), and Section 553 of the Administrative Procedure Act, 5 U.S.C. § 553. The rule went into effect on April 21, 2000, with revisions that went into effect on July 1, 2013. Under Section 1303(c) of COPPA, 15 U.S.C. § 6502(c), and Section 18(d)(3) of the FTC Act, 15 U.S.C. § 57(a)(d)(3), a violation of the COPPA Rule constitutes an unfair or deceptive act or practice in or affecting commerce, which is a violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
• The COPPA Rule applies to any operator of a commercial website or online service directed to children under 13 years of age, which includes operators of online services with actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. It also applies to any operator that has actual knowledge that it is collecting or maintaining personal information from a child under 13 years of age. The definition of "personal information" under COPPA includes a first and last name, a persistent identifier used to recognize a user over time and across different websites or online services (such as a customer number in a cookie, an Internet Protocol (IP) address, a device serial number, or unique device identifier), an audio file that contains a child’s voice, and information concerning the child or the parents of that child, combined with a persistent identifier described in the COPPA Rule.
• Among other things, the Rule requires subject operators to meet specific requirements related to collecting, using, or disclosing personal information from children, including but not limited to:

  • Providing a notice on their website or online service that, along with other required content, states parents may have deleted their child's personal information, and the procedures for doing so (16 C.F.R. § 312.4(d)(3))—which notice must be clearly and understandably written, complete, and must contain no unrelated, confusing, or contradictory materials (16 C.F.R. § 312.4(a));

  • Providing the parent with the opportunity at any time to delete the child's personal information (16 C.F.R. § 312.6(a)(2)); and

  • Retaining personal information collected from children online only as long as is reasonably necessary to fulfill the purpose for which the information was collected (16 C.F.R. § 312.10).

• Amazon is an "operator" subject to the Rule, 16 C.F.R. § 312.2. Amazon operates the online services Echo Dot Kids Edition with FreeTime on Alexa and FreeTime Unlimited, both of which are directed to children under 13. Through the Echo Dot Kids Edition with FreeTime on Alexa and/or FreeTime Unlimited, Amazon collects personal information as defined in the COPPA Rule from children under 13, including voice recordings and transcripts concerning the child combined with a persistent identifier.

Count IV. COPPA – Amazon Failed to Provide Complete, Truthful Notice to Parents, Failed to Give Parents an Effective Opportunity to Delete Children’s Voice Recordings, and Retained Children’s Voice Recordings Indefinitely

• In numerous instances, in connection with the acts and practices described above, Defendants collected, used, and/or disclosed personal information from children in violation of the Rule, including by:
  • Retaining children’s voice recordings for longer than reasonably necessary to fulfill the purpose for which the information was collected, in violation of Section 312.10 of the Rule, 16 C.F.R. § 312.10;
  • Failing to provide parents with complete and truthful notice regarding parents’ ability to have their children’s personal information deleted, in violation of Section 312.4 of the Rule, 16 C.F.R. §§ 312.4(a), 312.4(d)(3); and
  • Failing, when parents requested to delete their children’s voice recordings, to also delete the written transcripts of those voice recordings, in violation of Section 312.6(a)(2) of the Rule, 16 C.F.R. § 312.6(a)(2).

Pursuant to Section 1303(c) of COPPA, 15 U.S.C. § 6502(c), and Section 18(d)(3) of the FTC Act, 15 U.S.C. § 57a(d)(3), a violation of the Rule constitutes an unfair or deceptive act or practice in or affecting commerce, in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

Consumer Injury

Consumers are suffering, have suffered, and will continue to suffer substantial injury as a result of Amazon’s violations of the FTC Act and the COPPA Rule. Absent injunctive relief by this Court, Amazon is likely to continue to injure consumers and harm the public interest.

Prayer for Relief

Wherefore, Plaintiff requests that the Court:

• Enter a permanent injunction to prevent future violations of the FTC Act and the COPPA Rule by Amazon;
• Award Plaintiff monetary civil penalties from Amazon for each violation of the COPPA Rule alleged in this Complaint; and
• Award any additional relief as the Court may determine to be just and proper.

Respectfully submitted,
Dated: May 31, 2023

FOR PLAINTIFF THE UNITED STATES OF AMERICA
FOR THE FEDERAL TRADE COMMISSION

• Brian M. Boynton
  Principal Deputy Assistant Attorney General
  Civil Division

• Arun G. Rao
  Deputy Assistant Attorney General
  Consumer Protection Branch

• Lisa K. Hsiao
  Assistant Director

By:

• Rachael L. Doud
  Assistant Director
  James T. Nelson
  Senior Trial Attorney
  Consumer Protection Branch
  U.S. Department of Justice
  P.O. Box 386
  Washington, D.C. 20044
  Phone: (202) 305-4499

• Kayla C. Stahman
  Assistant United States Attorney
  United States Attorney’s Office
  700 Stewart Street, Suite 5220
  Seattle, Washington 98101-1271
  Phone: (206) 553-7970
  Email: kayla.stahman@usdoj.gov

STIPULATED ORDER FOR PERMANENT INJUNCTION, CIVIL PENALTY JUDGMENT, AND OTHER RELIEF

Plaintiff, the United States of America, acting upon notification and authorization to the Attorney General by the Federal Trade Commission ("Commission"), filed its Complaint for Civil Penalties, Permanent Injunction, and Other Relief ("Complaint") in this matter, pursuant to Sections 13(b), 16(a)(1), and 19 of the Federal Trade Commission Act ("FTC Act"), 15 U.S.C. §§ 53(b), 56(a)(1), and 57b, the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6502(c) and 6505(d), and the Commission's Children's Online Privacy Protection Rule ("COPPA Rule"), 16 C.F.R. Part 312. Defendants have waived service of the summons and the Complaint.

Plaintiff and Defendants stipulate to the entry of this Stipulated Order for Permanent Injunction and Civil Penalty Judgment ("Order") to resolve all matters in dispute in this action between them.

THEREFORE, IT IS ORDERED as follows:

FINDINGS

• This Court has jurisdiction over this matter.

• The Complaint charges that Defendants violated the COPPA Rule and the FTC Act with respect to Alexa by misrepresenting that they would delete voice transcripts and geolocation information of users of their Alexa voice assistant service upon request and limit employees' access to Alexa users' voice information; by failing to delete children's personal information at the request of parents; and by retaining children's personal information longer than reasonably necessary to fulfill the purpose for which the information was collected.

• Defendants neither admit nor deny any of the allegations in the Complaint, except as specifically stated in this Order. Only for purposes of this action, Defendants admit the facts necessary to establish jurisdiction.

• Defendants waive any claim that they may have under the Equal Access to Justice Act, 28 U.S.C. § 2412, concerning the prosecution of this action through the date of this Order, and agree to bear their own costs and attorney fees.

• Defendants and Plaintiff waive all rights to appeal or otherwise challenge or contest the validity of this Order. Notwithstanding this waiver, such waiver shall not extend to any right to appeal or otherwise challenge or contest the validity of any court or administrative action arising out of this Order.

DEFINITIONS

• "Alexa" means the Alexa voice assistant service or any comparable successor or replacement service Amazon may offer by another name.

• "Alexa App" means the Amazon Alexa mobile application available to consumers through which any Defendant collects any Voice Information or Geolocation Information from Alexa users.

• "Alexa App Geolocation Information" means Geolocation Information collected via the Alexa App for the provision of Alexa services; provided, however, that any such record shall not be considered Alexa App Geolocation Information if such record (1) does not contain, is not stored with, and is not otherwise reasonably linkable to any other element of Personal Information and (2) has less than three decimal places of precision.

• "Child" or "Children" means an individual or individuals under the age of 13.

• "Child Profile" means any user profile created for use by a Child and for which Amazon has actual knowledge that the user is a Child.

• "Clearly and Conspicuously" means that a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers, including in all of the following ways:

  • In any communication that is solely visual or solely audible, the disclosure must be made through the same means through which the communication is presented.
  • A visual disclosure, by its size, contrast, location, the length of time it appears, and other characteristics, must stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.
  • An audible disclosure, including by streaming video, must be delivered in a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand it.
  • In any communication using an interactive electronic medium, such as the Internet or software, the disclosure must be designed to be prominent and easily noticeable.
  • The disclosure must use diction and syntax understandable to ordinary consumers and must appear in each language in which the representation that requires the disclosure appears.
  • The disclosure must comply with these requirements in each medium through which it is received, including all electronic devices and face-to-face communications.
  • The disclosure must not be contradicted or mitigated by, or inconsistent with, anything else in the communication in which the disclosure is made.
  • When the representation or sales practice targets a specific audience, such as children, the elderly, or the terminally ill, "ordinary consumers" includes ordinary members of that group.

• "Data Product" means any model, derived data, or other tool developed using Alexa App Geolocation Information, Voice Information, or a Child's Personal Information. Data Product includes but is not limited to any data produced via inference (manual or automated) or predictions from such Alexa App Geolocation Information, Voice Information, or Children's Personal Information, application programming interfaces that incorporate, or are improved or enhanced by, such data, or services or other products that incorporate, or are improved or enhanced by, such data.

• "Defendants" means Defendant Amazon, Defendant Amazon Digital Services; and Defendant A2Z individually, collectively, or in any combination.

  • Defendant Amazon means Amazon.com, Inc. and its successors and assigns.
  • Defendant Amazon Digital Services means Amazon Digital Services LLC and its successors and assigns.
  • Defendant A2Z means A2Z Development Center, Inc. and its successors and assigns.

• "Internet" means collectively the myriad of computer and telecommunication facilities, including equipment and operating software, which comprises the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire, radio, or other methods of transmission.

• "Geolocation Information" means the location of a mobile device sourced from a GPS chip, in latitude-longitude format.

• "Inactive Alexa Child Profile" means a Child Profile that has interacted with Alexa but that has not been used for 18 months or more. Inactive Alexa Child Profiles include profiles of individuals who are under the age of 13 when the 18-month period starts and who turn 13 before the 18 months has elapsed.

• "Online Contact Information" means an email address or any other substantially similar identifier that permits direct contact with a person online, including but not limited to, an instant messaging user identifier, a voice over Internet protocol (VOIP) identifier, or a video chat identifier.

• "Operator" means any Person who operates a Web site located on the Internet or an online service and who collects or maintains Personal Information from or about the users of or visitors to such Web site or online service, or on whose behalf such information is collected or maintained, or offers products or services for sale through the Web site or online service, where such Web site or online service is operated for commercial purposes involving commerce among the several States, or with one or more foreign nations; in any territory of the United States or in the District of Columbia, or between any such territory and another such territory or any State or foreign nation; or between the District of Columbia and any State, territory, or foreign nation.

• "Parent" includes a legal guardian.

• "Persistent Identifier" means an identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier.

• "Person" means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.

• "Personal Information" means individually identifiable information about an individual collected online, including:

  • a first and last name;
  • a home or other physical address including street name and name of a city or town;
  • Online Contact Information;
  • a screen or user name where it functions in the same manner as Online Contact Information;
  • a telephone number;
  • a Social Security number;
  • a Persistent Identifier that can be used to recognize a user over time and across different Web sites or online services;
  • a photograph, video, or audio file where such file contains a Child's image or voice;
  • Geolocation Information; or
  • information concerning the Child or the Parents of that Child that the Operator collects online from the Child and combines with an identifier described in this definition.

• "Voice Information" means any audio file of an individual's voice communications or audio communications collected by or through Alexa, as well as any related full-text transcripts of such audio file, provided, however, that any such record shall not be considered Voice Information if:

  • such record does not contain, is not stored with, and is not otherwise reasonably linkable to any other element of Personal Information; or
  • such record was sent to or otherwise shared with another Person by the applicable individual (e.g., a voice message sent by one user to another via Alexa).

ORDER

I. DELETION OF CHILDREN'S PERSONAL INFORMATION ASSOCIATED WITH INACTIVE ALEXA CHILD PROFILES

IT IS ORDERED that, in compliance with COPPA's requirements concerning the retention and deletion of Children's Personal Information, see 16 C.F.R. § 312.10, for as long as that provision is in effect and is therefore applicable to Defendants:

• Defendants and Defendants' officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order shall, within six (6) months of entry of this Order, implement a process to identify Inactive Alexa Child Profiles.

• Following identification of any Inactive Alexa Child Profile, Defendants shall delete any Personal Information collected from a Child associated with that Inactive Alexa Child Profile within 90 days, unless the Parent of the applicable Child requests that such information be retained or the applicable Child Profile becomes active again prior to such deletion.

II. PROHIBITION AGAINST MISREPRESENTATIONS ABOUT PRIVACY OF GEOLOCATION INFORMATION AND VOICE INFORMATION

IT IS FURTHER ORDERED that Defendants, Defendants' officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, are permanently restrained and enjoined from misrepresenting, expressly or by implication:

• The extent to which any Defendant retains, limits or permits access to, or deletes any Alexa App Geolocation Information or Voice Information.

• The extent to which a consumer may exercise control over any Defendant's retention, deletion, or access to Alexa App Geolocation Information or Voice Information, and the steps a consumer must take to implement such controls.

• The extent to which a Parent may exercise control over any Defendant's retention or deletion of a Child's Voice Information, and the steps a Parent must take to implement such controls

III. MANDATED DELETION OF INFORMATION

IT IS FURTHER ORDERED that Defendants, Defendants' officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, must:

• Delete all Alexa App Geolocation Information and Voice Information collected from a consumer where the consumer has requested that any Defendant delete such information via a mechanism any Defendant has made available for that purpose.

• Delete all Personal Information collected by Alexa from a Child where the Child's Parent has requested that any Defendant delete such information via a mechanism any Defendant has made available for that purpose.

• After processing the deletion of Alexa App Geolocation Information, Voice Information, or Children's Personal Information as provided for in Sections I, IV(A), and IV(B), Defendants shall not subsequently use such information for the creation or improvement of any Data Product. For the avoidance of doubt, the foregoing provision does not limit Defendants' use of any Data Product created prior to the processing of the deletion of Alexa App Geolocation Information, Voice Information, or Children's Personal Information as provided for in Section I, IV(A), and IV(B).

V. MANDATED NOTICE OF RETENTION AND DELETION

V. NOTICE TO USERS

IT IS FURTHER ORDERED that, on or before thirty (30) days after the date of the entry of this Order, Defendant Amazon must:

VI. MANDATED PRIVACY PROGRAM

IT IS FURTHER ORDERED that Defendants, and any business that any Defendant controls directly or indirectly, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Alexa App Geolocation Information, must, within ninety (90) days of entry of this order and for a period of twenty (20) years thereafter, establish, implement, and thereafter maintain or, if such a program already exists, maintain a comprehensive privacy program to protect the privacy of Alexa App Geolocation Information (the "Program"). To satisfy this requirement, Defendants must:

• Document in writing the content, implementation, and maintenance of the Program.
• Provide the written program and any evaluations thereof or updates to a senior officer of Defendants responsible for the Program at least once every twelve (12) months.
• Designate a qualified employee or employees to coordinate and be responsible for the Program.
• Assess and document, at least once every twelve (12) months, internal and external risks to the privacy of Alexa App Geolocation Information that could result in the:
  • unauthorized collection, maintenance, alteration, use, or disclosure of, or provision of access to, Alexa App Geolocation Information; or
  • misuse, loss, theft, alteration, destruction, or other compromise of such information.
• Design, implement, maintain, and document safeguards that control for the internal and external risks Defendants identify to the privacy of Alexa App Geolocation Information identified in response to Provision VI.D. Each safeguard must be based on the volume and sensitivity of Alexa App Geolocation Information that is at risk, and the likelihood that the risk could be realized and result in the:
  • unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Alexa App Geolocation Information; or
  • misuse, loss, theft, alteration, destruction, or other compromise of such information.
  Such safeguards must also include:
  • Conducting a privacy review and producing a written report ("Privacy Review Statement") for Alexa's collection, maintenance, use, or disclosure of Alexa App Geolocation Information. The Privacy Review Statement must describe:
    • How Alexa collects, maintains, uses, or discloses Alexa App Geolocation Information.
    • For how long Alexa App Geolocation Information is retained.
    • The risks of the collection, maintenance, alteration, use, or disclosure of, or provision of access to, or the misuse, loss, theft, alteration, destruction, or other compromise of Alexa App Geolocation Information, and the safeguards in place or to be implemented that are intended to control identified risks.
    • Any other known, reasonable safeguards or other procedures that would mitigate the identified risks of the collection, maintenance, alteration, use, or disclosure of, or provision of access to, or the misuse, loss, theft, alteration, destruction, or other compromise of Alexa App Geolocation Information that were not implemented, and each reason that such alternatives were not implemented.
    • Any decision made as a result of the review (e.g., whether a practice was approved, approved contingent upon safeguards or other recommendations being implemented, or rejected).
  • Implementing controls to limit access to unencrypted Alexa App Geolocation Information only to authorized services.
  • Training of all employees whose responsibilities include access to unencrypted Alexa App Geolocation Information, at least every twelve (12) months, on how to safeguard Alexa App Geolocation Information.
  • Training of all employees whose responsibilities include deletion of Alexa App Geolocation Information, at least every twelve (12) months, on how to comply with deletion requests.
  • Implementing data access controls for all databases and assets storing unencrypted Alexa App Geolocation Information.
  • Reviewing and adjusting as appropriate at least once every twelve (12) months, employee access to unencrypted Alexa App Geolocation Information to ensure that the employee needs continued access to the Alexa App Geolocation Information to perform the employee's specific job function.
• Assess, at least once every twelve (12) months, the sufficiency of any safeguards in place to address the internal and external risks of the collection, maintenance, alteration, use, or disclosure of, or provision of access to, or the misuse, loss, theft, alteration, destruction, or other compromise of Alexa App Geolocation Information, and modify the Program as needed based on the results.
• Test and monitor the effectiveness of the safeguards at least once every twelve (12) months, and modify the Program as needed based on the results.
• With respect to service providers who may have access to or receive Alexa App Geolocation Information through or from Defendants, take reasonable efforts to select and retain service providers capable of implementing and maintaining safeguards sufficient to address the internal and external risks of the collection, maintenance, alteration, use, or disclosure of, or provision of access to, or the misuse, loss, theft, alteration, destruction, or other compromise of Alexa App Geolocation Information.
• Evaluate and adjust the Program in light of any changes to Defendants' operations or business arrangements, new or more efficient technological or operational methods that are intended to control for the risks identified in Provision VI.D of this Order, or any other circumstances that Defendants know or have reason to know may have an impact on the effectiveness of the Program. At a minimum, Defendants must evaluate the Program at least once every twelve (12) months and modify the Program based on the results as needed.

VII. CERTIFICATIONS

IT IS FURTHER ORDERED that Defendants must:

• One year after the entry date of this Order, and each year thereafter for ten (10) years after the entry date of this Order, provide the Commission with a certification from a Vice President with oversight responsibilities involving the Alexa service, that:
  • Defendants have established, implemented, and maintained the requirements of this Order.
  • Defendants are not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the signatory reasonably relies in making the certification.
• Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, "United States v. Amazon.com, Inc., FTC File No. 1923128."

VIII. MONETARY JUDGMENT FOR CIVIL PENALTY

IT IS FURTHER ORDERED that:

• Judgment in the amount of twenty-five million dollars ($25,000,000) is entered in favor of Plaintiff against Defendants as a civil penalty.
• Defendants are ordered to pay to Plaintiff, by making payment to the Treasurer of the United States, twenty-five million dollars ($25,000,000), which as Defendants stipulate, its undersigned counsel holds in escrow for no purpose other than payment to Plaintiff. Such payment must be made within seven (7) days of entry of this Order by electronic fund transfer in accordance with instructions provided by a representative of Plaintiff.
• Defendants relinquish dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.
• The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission to enforce its rights to any payment or monetary judgment pursuant to this Order.
• Defendants acknowledge that their Taxpayer Identification Numbers (Employer Identification Numbers), which Defendants previously submitted to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.

IX. ORDER ACKNOWLEDGMENTS

IT IS FURTHER ORDERED that Defendants obtain acknowledgments of receipt of this Order:

• Defendants, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.
• For ten (10) years after entry of this Order, Defendants must deliver a copy of this Order to:
  • all principals, officers, directors, and LLC managers and members of the Alexa business within the Defendant entities.
  • all employees and agents having managerial responsibilities for the deletion of Alexa App Geolocation Information or Voice Information.
  • any business entity resulting from any change in structure as set forth in the Section titled Compliance Reporting. Delivery must occur within ten (10) days of entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.
• From each individual or entity to which Defendants delivered a copy of this Order, Defendants must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.

X. COMPLIANCE REPORTING

IT IS FURTHER ORDERED that Defendants make timely submissions to the Commission:

• One year after entry of this Order, Defendants must submit a compliance report, sworn under penalty of perjury. Defendants must:

  • Identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission and Plaintiff may use to communicate with Defendants.
  • Identify all of Defendants' businesses that collect, maintain, alter, use, or disclose, or provide access to, Alexa App Geolocation Information or Voice Information by all of their names, telephone numbers, and physical, postal, email, and Internet addresses.
  • Describe the activities of each such business, including the goods and services offered, the means of advertising, marketing, and sales.
  • Describe whether and how Defendants are in compliance with each Section of this Order.
  • Provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.

• For ten (10) years after entry of this Order, Defendants must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in:

  • Any designated point of contact.
  • The structure of Defendants or any entity that Defendants have any ownership interest in or control directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.

• Defendants must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Defendants within fourteen (14) days of its filing.

• Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: "I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: " and supplying the date, signatory's full name, title (if applicable), and signature.

• Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, "United States v. Amazon.com, Inc., FTC File No. 1923128."

XI. RECORDKEEPING

IT IS FURTHER ORDERED that Defendants must create certain records for ten (10) years after entry of the Order, and retain each such record for five (5) years. Specifically, Defendants must create and retain the following records:

• Personnel records showing, for each person having managerial responsibility for the deletion of Alexa App Geolocation Information or Voice Information, whether as an employee or otherwise, that person's: name; job title or position; and dates of service.

• Records of all consumer complaints and refund requests related to collection, retention, or deletion of Alexa App Geolocation Information or Voice Information received through Defendants' customer service channels, and any response thereto based on a reasonable search criteria that accounts for the volume of such communications Defendants receive through its customer service channels.

• Records of all deletion requests made by individuals or Parents regarding the deletion of Alexa App Geolocation Information or Voice Information via a mechanism or mechanisms that any Defendant has made available for that purpose; the response to such requests; and any actions taken in response to such requests based on reasonable search criteria that account for the volume of such communications or requests Defendants receive through appropriate channels.

• All records necessary to demonstrate material compliance with this Order, including all submissions to the Commission.

• A copy of each unique advertisement or other marketing material related to collection, retention, or deletion of Alexa App Geolocation Information or Voice Information.

XII. COMPLIANCE MONITORING

IT IS FURTHER ORDERED that, for the purpose of monitoring Defendants' compliance with this Order:

• Within thirty (30) days of receipt of a written request from a representative of the Commission or Plaintiff, Defendants must:

  • Submit additional compliance reports or other requested information, which must be sworn under penalty of perjury.
  • Produce documents for inspection and copying.

• For matters concerning this Order, the Commission and Plaintiff are authorized to communicate directly with Defendants. Defendants must permit representatives of the Commission and Plaintiff to interview any employee or other person affiliated with Defendants who has agreed to such an interview. The person interviewed may have counsel present.

• The Commission and Plaintiff may use all other lawful means, including posing, through their representatives, as consumers, suppliers, or other individuals or entities, to Defendants or any individual or entity affiliated with Defendants, without the necessity of identification or prior notice. Nothing in this Order limits the Commission's lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.

XIII. RETENTION OF JURISDICTION

IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.

SO ORDERED this 19th day of July, 2023.

Tana Lin
United States District Judge

SO STIPULATED AND AGREED:

FOR PLAINTIFF THE UNITED STATES OF AMERICA FOR THE FEDERAL TRADE COMMISSION

• Brian M. Boynton
  Principal Deputy Assistant Attorney General, Civil Division

• Arun G. Rao
  Deputy Assistant Attorney General

• Amanda Liskamm
  Director, Consumer Protection Branch

By:
s/ Rachael L. Doud
Rachael L. Doud
Assistant Director
U.S. Department of Justice
P.O. Box 386
Washington, D.C. 20044

s/ Kayla C. Stahman
Kayla C. Stahman, CA #228931
Assistant United States Attorney
United States Attorney’s Office
700 Stewart Street, Suite 5220
Seattle, Washington 98101-1271

FOR DEFENDANTS AMAZON.COM INC. AND AMAZON.COM SERVICES LLC:

• s/ Andrew C. DeVore
  Authorized Representative for Amazon.com, Inc. and Amazon.com Services LLC
  Dated: 5/24/2023

Counsel for Defendants:

• Laura Kim (pro hac vice forthcoming)
• Nikhil Singhvi (pro hac vice forthcoming)
  Covington & Burling LLP
  One CityCenter, 850 Tenth Street, NW, Washington, DC 20001-4956
  Telephone: (202) 662-6000
• Karen Dunn (pro hac vice forthcoming)
• Jeannie Rhee (pro hac vice forthcoming)
  Paul, Weiss, Rifkind, Wharton & Garrison LLP
  2001 K Street, NW, Washington, D.C. 20006-1047
  Telephone: (202) 223-7300
• Lindsey Tonsager (pro hac vice forthcoming)
  Covington & Burling LLP
  Salesforce Tower, 415 Mission Street, Suite 5400, San Francisco, CA 94105-2533
  Telephone: (415) 591-6000
• Meredith R. Dearborn (pro hac vice forthcoming)
  Paul, Weiss, Rifkind, Wharton & Garrison LLP
  535 Mission Street, 24th Floor, San Francisco, CA 94105
  Telephone: (628) 432-5100
• Jeanne Jeong (pro hac vice forthcoming)
  Covington & Burling LLP
  The New York Times Building, 620 Eighth Avenue, New York, NY 10018-1405
  Telephone: (212) 841-1062
• Carter E. Greenbaum (pro hac vice forthcoming)
  Paul, Weiss, Rifkind, Wharton & Garrison LLP
  1285 Avenue of the Americas, New York, NY 10019-6064
  Telephone: (212) 373-3000

Exhibit A:

Alexa and Alexa Devices FAQs

In May 2023, the United States and Amazon settled United States v. Amazon, Case No. XXXX (W.D. Wash.), a civil lawsuit relating to data collected by Amazon's Alexa service. As part of the settlement, Amazon is changing its policies regarding the retention of children's personal information. The services and devices affected include the Echo Dot Kids Edition and Amazon Kids on Alexa.

Specifically, by November __, 2023, Amazon will make the following changes:

• Amazon will design and implement a process to identify Alexa profiles created for children under 13 (child profiles) that have been inactive, meaning they have not been accessed or used by anyone for a period of 18 months or more.

• After Amazon identifies an inactive child profile, Amazon will notify the parent or guardian that Amazon plans to delete the personal information collected from the user of that profile.

  • If the parent or guardian wants Amazon to retain that personal information, they will have 30 days to inform Amazon to prevent its deletion.

  • In addition, if the child begins using their profile again before Amazon performs the deletion, Amazon may continue to retain the personal information associated with that profile as permitted by the retention settings set by the child's parent or guardian.