SEATTLE — With the recent spate of privacy-focused investigations, government regulators may be looking to send Big Tech a message — and it's landing in Seattle's tech-fueled backyard.
Since May, the Federal Trade Commission has announced multimillion-dollar settlements with two of the Seattle area's largest employers: Amazon and Microsoft. The FTC accused both companies of failing to protect consumers' data, including from users under the age of 13.
Both companies said they've already made changes to protect consumers' digital information, but nonetheless agreed to pay millions to settle the cases. Amazon, which was involved in two of the settlements, denies violating the law in either case.
The FTC investigations include other tech giants — like Meta and Google — and may signal a new era in how the government views the technology that has become commonplace in consumers' homes.
Until now, as companies like Amazon and Microsoft have introduced devices that rely on emerging technologies, the companies have more or less been allowed to regulate themselves, under the theory that the tech changes too quickly for regulators to keep up. That may be changing as the FTC takes a closer look at the technology that is powering everything from Xbox to Alexa.
The shift comes under the direction of Lina Khan, who took over as chair of the FTC in 2021. Khan has outlined an agenda focused on children's privacy online, including stricter enforcement of long-standing laws.
The recent run of settlements shows the FTC may be starting to get "into the weeds" of compliance, said Cobun Zweifel-Keegan, the managing director of the International Association for Privacy Professionals, a nonprofit that offers resources to help organizations manage risk and protect their data.
"The FTC recognizes that as technology evolves and consumer expectations change, business practices have to keep up," Zweifel-Keegan said. "They use these types of enforcements as a way of helping to explain what not to do. ... The FTC is trying to send a message."
Privacy and consumers
For most consumers, privacy isn't top of mind when they are asking Alexa about the weather or logging in on Xbox. Norman Sadeh, a professor in Carnegie Mellon University's computer science department, said privacy is usually a "secondary task."
When consumers are focused more on the primary task (playing a fun game) than the secondary task (protecting their data), they tend to ignore long-term consequences like privacy, Sadeh said.
Companies, on the other hand, can't make privacy a secondary task, Sadeh said. It has to be baked into the design of the technology, partly because it's really hard to ask for consumers' consent after a company has already begun collecting their data.
"You think about privacy from the very, very earliest stage of the process and if you don't, you're going to shoot yourself in the foot," Sadeh said. "Privacy is one of these qualities that you just cannot slap on at the end."
In the most recent cases, the FTC accused Amazon of violating protections around children's data that it collected through the Alexa voice assistant and other technology targeting kids. The FTC found Amazon stored data longer than necessary and failed to delete the information once requested.
The FTC also alleged Amazon failed to delete customers' geolocation data from the Alexa app when consumers requested to do so and allowed more than 30,000 employees within the company to access user data from Alexa devices between August 2018 and September 2019.
Amazon said it disputes the FTC claims. "We take our responsibilities to our customers and their families very seriously," the company wrote in a blog. "We have consistently taken steps to protect customer privacy by providing clear privacy disclosures and customer controls, conducting ongoing audits and process improvements and maintaining strict internal controls to protect customer data."
Customers can view, hear and delete voice recordings and transcripts at any time, Amazon said. They can also choose to avoid saving any recordings or transcripts or to automatically delete on an ongoing basis.
Amazon said in the post it saves voice recordings for children — until parents choose to delete them — in order to improve Amazon's own services and to let parents see how their child is using the device.
Later this year, Amazon plans to remove child profiles that have been inactive for more than 18 months.
In a separate allegation, the FTC accused Ring, a home security camera company that Amazon acquired in 2018, of failing to protect consumers' data. Some of the events prompting the FTC's findings took place after Amazon acquired the company, with the agency noting some findings from 2020.
The FTC found Ring allowed all employees and third-party contractors to access customers' video data. That enabled one employee to view videos from inside women's bedrooms, the FTC alleged. The commission also found Ring failed to provide protections for consumer data, which led to more than 55,000 online attacks on Ring customers between January 2019 and March 2020. In some cases, hackers would use the two-way communication function of the security system to threaten people inside their home.
Ring said in a blog post the FTC complaint focuses on matters the company "promptly addressed on its own," "mischaracterizes our security practices; and ignores the many protections we have in place for our customers."
The company added that it has policies and controls in place to restrict employee access to customers' stored videos.
Days after the Amazon settlement, Microsoft agreed to pay $20 million to settle a claim from the FTC that the company illegally collected data from children who signed up to use its Xbox gaming system. The company required anyone using the Xbox Live service to register with a name, email address and age information. Microsoft continued to collect and retain data even when it was aware of users under the age of 13, according to the FTC.
Microsoft blamed a "technical glitch" where its systems did not delete account creation data for children, going against its policy to save that information for only 14 days. The company now plans to test new methods to validate a consumer's age.
Dave McCarthy, corporate vice president for Xbox Player Services, said in a blog post Microsoft is "innovating on next-generation identity and age validation — a convenient, secure, one-time process for all players that will allow us to deliver customized, safe, age-appropriate experiences."
"The long term benefits will be felt by all players, especially children and their families," he added.
Children and technology
Lawmakers have been regulating how to keep children safe online since 1998, when Congress passed the Children's Online Privacy Protection Act, or COPPA. That law, which went into effect in 2000, prohibits companies from "unauthorized and unnecessary" collection of children's personal information online.
The FTC cited violations of COPPA in two of the recent settlements with Amazon and Microsoft.
"Children deserve private places to play," said Leah Plunkett, a faculty member at Harvard Law School and author of "Sharenthood: Why We Should Think Before We Talk About Our kids Online."
Beyond just playing video games safely, Plunkett said children need to be able to experiment without a company tracking them, which could expose them to threats or be used to make predictions about them that alter their futures.
Though COPPA has been in place for more than 20 years, interest in children's digital safety has increased in the past year, said Justin Brookman, the director of tech policy at Consumer Reports. He pinned the change to whistleblower Frances Haugen, a former Facebook employee who alleged the company prioritized profits over safety on its social platform.
With the most recent settlements, Microsoft and Amazon are among dozens of companies penalized by the FTC for collecting data on children without parental consent. Meta's Facebook, Alphabet's Google and ByteDance's TikTok have faced FTC scrutiny as well.
COPPA gives the FTC authority to act faster than it could if it finds other violations, Brookman said. Under COPPA's authority, the FTC only has to prove a single misstep before issuing a fine.
Now, two U.S. senators — Democrat Edward Markey of Massachusetts and Republican Bill Cassidy of Louisiana — have introduced COPPA 2.0 to update the online privacy rules. It would ban targeted advertising to kids and teens, create an eraser button to delete personal information, and limit the collection of personal information of teens.
"I don't feel like the backlash against tech companies is running out of steam anytime soon," said Brookman.
Companies are starting to take note and make changes, he added. "It's changing a lot of companies' calculus," Brookman said.
"Moving the needle"
The FTC puts the responsibility on platform providers to keep children safe online, said Zweifel-Keegan, from the International Association of Privacy Professionals.
When a company asks a user to verify their age, they're doing so to make sure the user sees the right version of their product. But since it is easy for people to lie and get around the "age-gating," companies are on the hook to disincentivize kids from faking their age, Zweifel-Keegan said.
Both Microsoft and Amazon already had standards in place for children's data, but the FTC founds gaps in compliance, he said. For Amazon, he added, it may not have been clear if the company had to delete both the audio file and the written transcript of a conversation with Alexa.
"Some of the charges in these cases are moving the needle a little bit on what the expectations are from the regulator," Zweifel-Keegan said.
As privacy concerns heighten and technology evolves, Zweifel-Keegan expects to see more thorny enforcement actions. He pointed to three big fronts: biometric data, reproductive health information and anything related to AI.
Sadeh, the Carnegie Mellon University professor, expects AI will take center stage. The current regulatory environment reminds him of the 1990s, when the internet was first coming online. At that time, the technology was changing so fast regulations couldn't keep up. Government regulators essentially threw their hands up and left it to the tech companies, Sadeh said. That lasted for a while before they reconsidered.
Now, Sadeh predicts a similar approach to regulating AI. But, he added, "historically, the industry doesn't have a great record."