🕵️‍♀️ The FTC and DOJ found Amazon in violation of COPPA for retaining kids' Alexa voice recordings for longer than necessary and not following through on parents' deletion requests. 😱 It turned out (we are sure that everyone is surprised…) that Amazon kept voice recordings and geolocation data collected by Alexa for years and used them to improve its algorithm. 😮 And, to make matters worse, it did this EVEN when parents requested to have that data deleted. 😞
Outcome: In addition to the $25 million civil penalty, Amazon was:
🚫 Barred from using data (geolocation, children's voice data, and other voice data that have been requested to be deleted) for the creation or improvement of any product
🙅‍♂️ Told to delete inactive Alexa accounts of minors
📢 Required to inform users of its retention policies and practices
🛑 Prohibited from misrepresenting its privacy practices in its policies
Key IG takeaways:
📋 Make sure to have (and follow) data retention and deletion policies, especially for sensitive information like children's voice data, to avoid penalties and reputational harm
🎓 Train your staff on how to comply with privacy regulations (e.g., COPPA), so they can understand specific requirements and implement appropriate measures to protect personal information
📢 Regularly review your policies to make sure that you are clearly (and in plain language) informing employees and users of your products or services about how you manage data and how they can easily and effectively (and compliantly) opt out
🔍 Develop audit mechanisms throughout the data lifecycle that will help you enforce and manage the retention and deletion of personal information
👪 Review your consent processes regularly to make sure that they allow you to obtain explicit consent, especially for children's data, and to enable parental control over preferences
🔍 Create a cross-functional team that allows you to practice data minimization, collecting only necessary information to reduce the risk of non-compliance. Tech, legal, and business all need to be on board!
💡 Consider what kinds of data you use for product improvement and algorithm training, addressing risks and ethical implications – and try to find solutions that do not involve using personal information wherever possible
🚀 Work on developing a compliance culture that is based on IG-by-design principles and proactively addresses records retention, management, privacy, disposal, etc.
And, finally, remember that privacy is not just a GDPR issue!