Amazon and Microsoft both fined millions for violating children’s data privacy

6 June 2023

Where do the tech giants stand on the data privacy of your children?

• Amazon Alexa held onto children’s data to improve its algorithm.
• Ring doorbell allowed staff unrestricted access to intimate data.
• Microsoft broke child data privacy rules with Xbox account protocols.

If a tech giant violates the data privacy of individuals, but they’re “only” children, does it cost any money?

Yes. Yes, it does.

It turns out not everything is a philosophical question meant to encourage us to question the nature of reality.

The occasional thing exists to establish boundaries of ethical behavior and, if at all possible, take a fair chunk of change off some of the leading companies in the tech space.

Both Amazon and Microsoft have been hit with multi-million dollar fines for violating children’s data privacy this week.

What’s perhaps surprising, given the recent history of tech giants, data privacy cases and mega-fines, is that neither of the fines (Amazon – $25 million, Microsoft – $20 million) was imposed by European regulators for breaching the terms of the GDPR (General Data Protection Regulation).

That’s what recently put Meta in the history books with the first billion-dollar data misuse fine, after all.

Instead, this is a home-grown regulator, the FTC, laying down the law on keeping children’s data for extended periods, while flagrantly not notifying anyone that you’re doing so.

“Alexa, infringe my data privacy…”

For Amazon, the damage was done by both its Alexa home assistant and its Ring smart doorbell.

Amazon failed to delete Alexa recordings at the request of parents, and then held onto the data for several years. That’s in spite of what the complaint to the FTC calls “prominent and repeated assurances to its users, including parents, that they could delete voice recordings collected” by the system.

In keeping the data for the years it did – and using the data to help improve Alexa’s algorithm (thereby effectively using live customers as guinea pigs and saving itself the added expense of a formal algorithm-training run) – Amazon was, said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, guilty of “misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests.”

The company “sacrificed privacy for profits,” he said, in a cogent representation of the gulf between how tech giants think and how their customers believe they should behave when it comes to data privacy.

Ring – scarier than the horror movie.

Ring will actually pay out separately from the main Amazon case, to the tune of $5.8 million – a significantly smaller fine – for giving its employees unrestricted access to customers’ data.

In the case of Ring, of course, the private data shared with employees of the company related to the private spaces of the customers – including bathrooms and bedrooms.

Thousands of both registered employees and contractors of the company were able not only to view this data but to download it “for their own purposes.”

The Hollywood “obsessive, tech-assisted stalker” movie more or less writes itself.

So much so that the complaint to the FTC specifically includes one individual who viewed “thousands” of recordings of women in their bathrooms and bedrooms.

“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” said Levine about the Ring complaint.

The Ring data privacy invasion feels like One Hour Photo – only automated and multiplied.

Amazon disagreed with both judgments but agreed to pay the fines, in order to “put these matters behind us.”

This is of course the way of the modern tech giant – to disagree with anyone or anything that tells them they did something wrong, but to pay them whole matching luggage sets full of cash to stop talking about it. The cost of doing continual business in the modern tech world is to pay the fine but never, ever to admit that you deserve to pay it.

Microsoft’s mea culpa technique.

Unless you’re Microsoft, which has – in stark contrast to most of the other tech giants – perfected a kind of mea culpa approach to its errors that has won it fans among all but the most cynical adherents to the school of thought that says “they’re all the same.”

Microsoft has been ordered to pay $20 million for illegally collecting data on children who signed up for Xbox accounts. It also failed to let parents know sufficient detail about its data collection policies, meaning that for the most part, parents didn’t know the scale or nature of the data that was being collected, or the use to which that data would be put.

Both of those issues represent breaches of the Children’s Online Privacy Protection Act.

The point in Microsoft’s case is that it made it a fundamental requirement of using the Xbox that people create an account to identify and link their usage. The data required to set up such an account includes full name, email address and date of birth.

In the previous set-up, it was only after obtaining all that information that the Xbox asked for parental permission.

The FTC revealed that between 2015 and 2020, Microsoft retained this data – and more, including profile pictures – “sometimes for years.” And crucially, while it retained the data, it also distributed it to third parties for their use.

In essence then, the retention and use of the data of minors is similar in the Amazon and Microsoft cases. The mea culpa though came from Dave McCarthy, Microsoft’s CVP of Xbox Player Services, who wrote a blog post after the fines were issued.

Moves towards doing better.

“Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures… We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.”

There’s a degree of chutzpah in the “remain steadfast” there, to be sure, but even though Amazon also promised it would keep looking at ways to create new safety features, the tone of Microsoft’s announcement is much more strongly tinged with regret and learning than Amazon’s.

Do such cosmetic touches matter? Probably, at least in terms of fostering an image of a tech industry determined to work with its users, rather than in spite of them. Whether that adds up to simply better PR or actually better corporate governance and flexibility remains to be seen.

That said, Microsoft is currently developing new safety protocols for the data of children – including a system that auto-deletes personal data after two weeks unless parental consent is given, which is significantly more hands-on than the wording of Amazon’s promise.