Opinion
2:23-cv-00811-TL
07-19-2023
FOR PLAINTIFF THE UNITED STATES OF AMERICA BRIAN M. BOYNTON Principal Deputy Assistant Attorney General Civil Division ARUN G. RAO Deputy Assistant Attorney General AMANDA LISKAMM Director Consumer Protection Branch LISA K. HSIAO Assistant Director By: RACHAEL L. DOUD Assistant Director JAMES T. NELSON Senior Trial Attorney Consumer Protection Branch U.S. Department of Justice KAYLA C. STAHMAN, CA #228931 Assistant United States Attorney
OF COUNSEL: FOR THE FEDERAL TRADE COMMISSION BENJAMIN WISEMAN Acting Associate Director Division of Privacy & Identity Protection ELISA JILLSON ANDREW HASTY JULIA HORWITZ Attorneys Division of Privacy & Identity Protection
FOR DEFENDANTS AMAZON.COM, INC. AND AMAZON.COM SERVICES LLC: Andrew C. DeVore Title: Authorized Representative for Amazon.com, Inc. and Amazon.com Services LLC
Laura Kim (pro hac vice forthcoming) Nikhil Singhvi (pro hac vice forthcoming) Covington & Burling LLP Lindsey Tonsager (pro hac vice forthcoming) Covington & Burling LLP Jeanne Jeong (pro hac vice forthcoming) Covington & Burling LLP Karen Dunn (pro hac vice forthcoming) Jeannie Rhee (pro hac vice forthcoming) Paul, Weiss, Rifkind, Wharton & Garrison LLP Meredith Dearborn (pro hac vice forthcoming) Paul, Weiss, Rifkind, Wharton & Garrison LLP Carter E. Greenbaum Dated: 5/24/2023 Carter E. Greenbaum (pro hac vice forthcoming) Paul, Weiss, Rifkind, Wharton & Garrison LLP Counsel for Defendants
STIPULATED ORDER FOR PERMANENT INJUNCTION, CIVIL PENALTY JUDGMENT, AND OTHER RELIEF
Tana Lin United States District Judge
Plaintiff, the United States of America, acting upon notification and authorization to the Attorney General by the Federal Trade Commission (“Commission”), filed its Complaint for Civil Penalties, Permanent Injunction, and Other Relief (“Complaint”) in this matter, pursuant to Sections 13(b), 16(a)(1), and 19 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §§ 53(b), 56(a)(1), and 57b, the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6502(c) and 6505(d), and the Commission's Children's Online Privacy Protection Rule (“COPPA Rule”), 16 C.F.R. Part 312. Defendants have waived service of the summons and the Complaint. Plaintiff and Defendants stipulate to the entry of this Stipulated Order for Permanent Injunction and Civil Penalty Judgment (“Order”) to resolve all matters in dispute in this action between them.
THEREFORE, IT IS ORDERED as follows:
FINDINGS
1. This Court has jurisdiction over this matter.
2. The Complaint charges that Defendants violated the COPPA Rule and the FTC Act with respect to Alexa by misrepresenting that they would delete voice transcripts and geolocation information of users of their Alexa voice assistant service upon request and limit employees' access to Alexa users' voice information; by failing to delete children's personal information at the request of parents; and by retaining children's personal information longer than reasonably necessary to fulfill the purpose for which the information was collected.
3. Defendants neither admit nor deny any of the allegations in the Complaint, except as specifically stated in this Order. Only for purposes of this action, Defendants admit the facts necessary to establish jurisdiction.
4. Defendants waive any claim that they may have under the Equal Access to Justice Act, 28 U.S.C. § 2412, concerning the prosecution of this action through the date of this Order, and agree to bear their own costs and attorney fees.
5. Defendants and Plaintiff waive all rights to appeal or otherwise challenge or contest the validity of this Order. Notwithstanding this waiver, such waiver shall not extend to any right to appeal or otherwise challenge or contest the validity of any court or administrative action arising out of this Order.
DEFINITIONS
For the purpose of this Order, the following definitions apply:
A. “Alexa” means the Alexa voice assistant service or any comparable successor or replacement service Amazon may offer by another name.
B. “Alexa App” means the Amazon Alexa mobile application available to consumers through which any Defendant collects any Voice Information or Geolocation Information from Alexa users.
C. “Alexa App Geolocation Information” means Geolocation Information collected via the Alexa App for the provision of Alexa services; provided, however, that any such record shall not be considered Alexa App Geolocation Information if such record (1) does not contain, is not stored with, and is not otherwise reasonably linkable to any other element of Personal Information and (2) has less than three decimal places of precision.
D. “Child” or “Children” means an individual or individuals under the age of 13.
E. “Child Profile” means any user profile created for use by a Child and for which Amazon has actual knowledge that the user is a Child.
F. “Clear(ly) and Conspicuous(ly)” means that a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers, including in all of the following ways:
1. In any communication that is solely visual or solely audible, the disclosure must be made through the same means through which the communication is presented.
2. A visual disclosure, by its size, contrast, location, the length of time it appears, and other characteristics, must stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.
3. An audible disclosure, including by streaming video, must be delivered in a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand it.
4. In any communication using an interactive electronic medium, such as the Internet or software, the disclosure must be designed to be prominent and easily noticeable.
5. The disclosure must use diction and syntax understandable to ordinary consumers and must appear in each language in which the representation that requires the disclosure appears.
6. The disclosure must comply with these requirements in each medium through which it is received, including all electronic devices and face-to-face communications.
7. The disclosure must not be contradicted or mitigated by, or inconsistent with, anything else in the communication in which the disclosure is made.
8. When the representation or sales practice targets a specific audience, such as children, the elderly, or the terminally ill, “ordinary consumers” includes ordinary members of that group.
9. “Data Product” means any model, derived data, or other tool developed using Alexa App Geolocation Information, Voice Information, or a Child's Personal Information. Data Product includes but is not limited to any data produced via inference (manual or automated) or predictions from such Alexa App Geolocation Information, Voice Information, or Children's Personal Information, application programming interfaces that incorporate, or are improved or enhanced by, such data, or services or other products that incorporate, or are improved or enhanced by, such data.
G. “Defendants” means Defendant Amazon, Defendant Amazon Digital Services, and Defendant A2Z, individually, collectively, or in any combination.
1. Defendant Amazon means Amazon.com, Inc. and its successors and assigns.
2. Defendant Amazon Digital Services means Amazon Digital Services LLC and its successors and assigns.
3. Defendant A2Z means A2Z Development Center, Inc. and its successors and assigns.
H. “Internet” means collectively the myriad of computer and telecommunication facilities, including equipment and operating software, which comprises the interconnected worldwide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire, radio, or other methods of transmission.
I. “Geolocation Information” means the location of a mobile device sourced from a GPS chip, in latitude-longitude format.
J. “Inactive Alexa Child Profile” means a Child Profile that has interacted with Alexa but that has not been used for 18 months or more. Inactive Alexa Child Profiles include profiles of individuals who are under the age of 13 when the 18 month period starts and who turn 13 before the 18 months has elapsed.
K. “Online Contact Information” means an email address or any other substantially similar identifier that permits direct contact with a person online, including but not limited to, an instant messaging user identifier, a voice over Internet protocol (VOIP) identifier, or a video chat identifier.
L. “Operator” means any Person who operates a Web site located on the Internet or an online service and who collects or maintains Personal Information from or about the users of or visitors to such Web site or online service, or on whose behalf such information is collected or maintained, or offers products or services for sale through the Web site or online service, where such Web site or online service is operated for commercial purposes involving commerce among the several States, or with one or more foreign nations; in any territory of the United States or in the District of Columbia, or between any such territory and another such territory or any State or foreign nation; or between the District of Columbia and any State, territory, or foreign nation.
M. “Parent” includes a legal guardian.
N. “Persistent Identifier” means an identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier.
O. “Person” means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.
P. “Personal Information” means individually identifiable information about an individual collected online, including: (1) a first and last name; (2) a home or other physical address including street name and name of a city or town; (3) Online Contact Information; (4) a screen or user name where it functions in the same manner as Online Contact Information; (5) a telephone number; (6) a Social Security number; (7) a Persistent Identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier; (8) a photograph, video, or audio file where such file contains a Child's image or voice; (9) Geolocation Information; or (10) information concerning the Child or the Parents of that Child that the Operator collects online from the Child and combines with an identifier described in this definition.
Q. “Voice Information” means any audio file of an individual's voice communications or audio communications collected by or through Alexa, as well as any related full-text transcripts of such audio file, provided, however, that any such record shall not be considered Voice Information if: (1) such record does not contain, is not stored with, and is not otherwise reasonably linkable to any other element of Personal Information; or (2) such record was sent to or otherwise shared with another Person by the applicable individual (e.g., a voice message sent by one user to another via Alexa).
ORDER
I. DELETION OF CHILDREN'S PERSONAL INFORMATION ASSOCIATED WITH INACTIVE ALEXA CHILD PROFILES
IT IS ORDERED that, in compliance with COPPA's requirements concerning the retention and deletion of Children's Personal Information, see 16 C.F.R. § 312.10, for as long as that provision is in effect and is therefore applicable to Defendants,
A. Defendants and Defendants' officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order shall, within six (6) months of entry of this Order, implement a process to identify Inactive Alexa Child Profiles; and
B. Following identification of any Inactive Alexa Child Profile, Defendants shall delete any Personal Information collected from a Child associated with that Inactive Alexa Child Profile within 90 days, unless the Parent of the applicable Child requests that such information be retained or the applicable Child Profile becomes active again prior to such deletion.
II. PROHIBITION AGAINST MISREPRESENTATIONS ABOUT PRIVACY OF GEOLOCATION INFORMATION AND VOICE INFORMATION
IT IS FURTHER ORDERED that Defendants, Defendants' officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, are permanently restrained and enjoined from misrepresenting, expressly or by implication:
A. The extent to which any Defendant retains, limits or permits access to, or deletes any Alexa App Geolocation Information or Voice Information;
B. The extent to which a consumer may exercise control over any Defendant's retention, deletion, or access to Alexa App Geolocation Information or Voice Information, and the steps a consumer must take to implement such controls; or
C. The extent to which a Parent may exercise control over any Defendant's retention or deletion of a Child's Voice Information, and the steps a Parent must take to implement such controls.
III. MANDATED DELETION OF INFORMATION
IT IS FURTHER ORDERED that Defendants, Defendants' officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, must:
A. Delete all Alexa App Geolocation Information and Voice Information collected from a consumer where the consumer has requested that any Defendant delete such information via a mechanism any Defendant has made available for that purpose;
B. Delete all Personal Information collected by Alexa from a Child where the Child's Parent has requested that any Defendant delete such information via a mechanism any Defendant has made available for that purpose;
C. After processing the deletion of Alexa App Geolocation Information, Voice Information, or Children's Personal Information as provided for in Sections I, IV(A) and IV(B), Defendant shall not subsequently use such information for the creation or improvement of any Data Product. For the avoidance of doubt, the foregoing provision does not limit Defendant's use of any Data Product created prior to the processing of the deletion of Alexa App Geolocation Information, Voice Information, or Children's Personal Information as provided for in Section I, IV(A) and IV(B).
IV. MANDATED NOTICE OF RETENTION AND DELETION
IT IS FURTHER ORDERED that Defendants, Defendants' officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, must, within ninety (90) days of entry of this order, document, adhere to, and make publicly available:
A. Clearly and Conspicuously, when a consumer is prompted to grant Defendant permission to access Alexa App Geolocation Information, a link to a retention and deletion disclosure for Alexa App Geolocation Information (“Geolocation Information Disclosure”), setting forth: (1) the purpose for which such information is collected, used, or maintained; and (2) the mechanisms, if any, by which consumers may request deletion of such information;
B. In the Alexa and Alexa Devices FAQs (or a similarly prominent location) a retention and deletion disclosure for Voice Information (“Voice Information Disclosure”), that includes an explanation of: (1) the purposes for which such information is collected, used, or maintained; (2) the mechanisms, if any, by which consumers may request deletion of such information; and (3) the mechanisms by which Parents of Children may request deletion of Personal Information that Alexa collects from children.
V. NOTICE TO USERS
IT IS FURTHER ORDERED that, on or before thirty (30) days after the date of the entry of this Order, Defendant Amazon must:
A. Post in the Alexa and Alexa Devices FAQs (or a similarly prominent location), which can be accessed on the Web and in the Alexa App, for a period of six (6) months after the effective date of this Order, a link to an exact copy of the notice attached hereto as Exhibit A (“Exhibit A Notice”); and
B. Post Clearly and Conspicuously on the home page of the Amazon Parent Dashboard for a period of six (6) months after the effective date of this Order, a link to an exact copy of the Exhibit A Notice.
VI. MANDATED PRIVACY PROGRAM
IT IS FURTHER ORDERED that Defendants, and any business that any Defendant controls directly, or indirectly, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Alexa App Geolocation Information, must, within ninety (90) days of entry of this order and for a period of twenty (20) years thereafter, establish, implement, and thereafter maintain or, if such a program already exists, maintain a comprehensive privacy program to protect the privacy of Alexa App Geolocation Information (the “Program”). To satisfy this requirement, Defendants must:
A. Document in writing the content, implementation, and maintenance of the Program;
B. Provide the written program and any evaluations thereof or updates thereto to a senior officer of Defendants responsible for the Program at least once every twelve (12) months;
C. Designate a qualified employee or employees to coordinate and be responsible for the Program;
D. Assess and document, at least once every twelve (12) months, internal and external risks to the privacy of Alexa App Geolocation Information that could result in the (1) unauthorized collection, maintenance, alteration, use, or disclosure of, or provision of access to, Alexa App Geolocation Information; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of such information;
E. Design, implement, maintain, and document safeguards that control for the internal and external risks Defendants identify to the privacy of Alexa App Geolocation Information identified in response to Provision VII.D. Each safeguard must be based on the volume and sensitivity of Alexa App Geolocation Information that is at risk, and the likelihood that the risk could be realized and result in the (1) unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Alexa App Geolocation Information; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of such information. Such safeguards must also include:
1. Conducting a privacy review and producing a written report (“Privacy Review Statement”) for Alexa's collection, maintenance, use, or disclosure of Alexa App Geolocation Information. The Privacy Review Statement must describe:
a) How Alexa collects, maintains, uses, or discloses Alexa App Geolocation Information;
b) For how long Alexa App Geolocation Information is retained;
c) The risks of the (1) collection, maintenance, alteration, use, or disclosure of, or provision of access to; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of Alexa App Geolocation Information, and the safeguards in place or to be implemented that are intended to control identified risks;
d) Any other known, reasonable safeguards or other procedures that would mitigate the identified risks of the (1) collection, maintenance, alteration, use, or disclosure of, or provision of access to; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of Alexa App Geolocation Information that were not implemented, and each reason that such alternatives were not implemented; and
e) Any decision made as a result of the review (e.g., whether a practice was approved, approved contingent upon safeguards or other recommendations being implemented, or rejected).
2. Implementing controls to limit access to unencrypted Alexa App Geolocation Information only to authorized services;
3. Training of all employees whose responsibilities include access to unencrypted Alexa App Geolocation Information, at least every twelve (12) months, on how to safeguard Alexa App Geolocation Information;
4. Training of all employees whose responsibilities include deletion of Alexa App Geolocation Information, at least every twelve (12) months, on how to comply with deletion requests;
5. Implementing data access controls for all databases and assets storing unencrypted Alexa App Geolocation Information; and
6. Reviewing and adjusting as appropriate at least once every twelve (12) months, employee access to unencrypted Alexa App Geolocation Information to ensure that the employee needs continued access to the Alexa App Geolocation Information to perform the employee's specific job function;
F. Assess, at least once every twelve (12) months, the sufficiency of any safeguards in place to address the internal and external risks of the (1) collection, maintenance, alteration, use, or disclosure of, or provision of access to; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of Alexa App Geolocation Information, and modify the Program as needed based on the results;
G. Test and monitor the effectiveness of the safeguards at least once every twelve (12) months, and modify the Program as needed based on the results;
H. With respect to service providers who may have access to or receive Alexa App Geolocation Information through or from Defendants, take reasonable efforts to select and retain service providers capable of implementing and maintaining safeguards sufficient to address the internal and external risks of the (1) collection, maintenance, alteration, use, or disclosure of, or provision of access to; or the (2) misuse, loss, theft, alteration, destruction, or other compromise of Alexa App Geolocation Information; and
I. Evaluate and adjust the Program in light of any changes to Defendants' operations or business arrangements, new or more efficient technological or operational methods that are intended to control for the risks identified in Provision VII.D of this Order, or any other circumstances that Defendants know or have reason to know may have an impact on the effectiveness of the Program. At a minimum, Defendants must evaluate the Program at least once every twelve (12) months and modify the Program based on the results as needed.
VII. CERTIFICATIONS
IT IS FURTHER ORDERED that Defendants must:
A. One year after the entry date of this Order, and each year thereafter for ten (10) years after the entry date of this Order, provide the Commission with a certification from a Vice President with oversight responsibilities involving the Alexa service, that: (1) Defendants have established, implemented, and maintained the requirements of this Order; and (2) Defendants are not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the signatory reasonably relies in making the certification; and
B. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “United States v. Amazon.com, Inc., FTC File No. 1923128.”
VIII. MONETARY JUDGMENT FOR CIVIL PENALTY
IT IS FURTHER ORDERED that:
A. Judgment in the amount of twenty-five million dollars ($25,000,000) is entered in favor of Plaintiff against Defendants as a civil penalty.
B. Defendants are ordered to pay to Plaintiff, by making payment to the Treasurer of the United States, twenty-five million dollars ($25,000,000), which as Defendants stipulate, its undersigned counsel holds in escrow for no purpose other than payment to Plaintiff. Such payment must be made within seven (7) days of entry of this Order by electronic fund transfer in accordance with instructions provided by a representative of Plaintiff.
C. Defendants relinquish dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.
D. The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission to enforce its rights to any payment or monetary judgment pursuant to this Order.
E. Defendants acknowledge that their Taxpayer Identification Numbers (Employer Identification Numbers), which Defendants previously submitted to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.
IX. ORDER ACKNOWLEDGMENTS
IT IS FURTHER ORDERED that Defendants obtain acknowledgments of receipt of this Order:
A. Defendants, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.
B. For ten (10) years after entry of this Order, Defendants must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members of the Alexa business within the Defendant entities; (2) all employees and agents having managerial responsibilities for the deletion of Alexa App Geolocation Information or Voice Information; and (3) any business entity resulting from any change in structure as set forth in the Section titled Compliance Reporting. Delivery must occur within ten (10) days of entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.
C. From each individual or entity to which Defendants delivered a copy of this Order, Defendants must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.
X. COMPLIANCE REPORTING
IT IS FURTHER ORDERED that Defendants make timely submissions to the Commission:
A. One year after entry of this Order, Defendants must submit a compliance report, sworn under penalty of perjury. Defendants must: (1) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission and Plaintiff may use to communicate with Defendants; (2) identify all of Defendants' businesses that collect, maintain, alter, use, or disclose, or provide access to, Alexa App Geolocation Information or Voice Information by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (3) describe the activities of each such business, including the goods and services offered, the means of advertising, marketing, and sales; (4) describe whether and how Defendants are in compliance with each Section of this Order; and (5) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.
B. For ten (10) years after entry of this Order, Defendants must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in: (1) any designated point of contact; or (2) the structure of Defendants or any entity that Defendants have any ownership interest in or control directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.
C. Defendants must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Defendants within fourteen (14) days of its filing.
D. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: ” and supplying the date, signatory's full name, title (if applicable), and signature.
Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “United States v. Amazon.com, Inc., FTC File No. 1923128.”
XI. RECORDKEEPING
IT IS FURTHER ORDERED that Defendants must create certain records for ten (10) years after entry of the Order, and retain each such record for five (5) years. Specifically, Defendants must create and retain the following records:
A. Personnel records showing, for each person having managerial responsibility for the deletion of Alexa App Geolocation Information or Voice Information, whether as an employee or otherwise, that person's: name; job title or position; and dates of service;
B. Records of all consumer complaints and refund requests related to collection, retention or deletion of Alexa App Geolocation Information or Voice Information received through Defendants' customer service channels, and any response thereto based on a reasonable search criteria that accounts for the volume of such communications Defendants receive through its customer service channels;
C. Records of all deletion requests made by individuals or Parents regarding the deletion of Alexa App Geolocation Information or Voice Information via a mechanism or mechanisms that any Defendant has made available for that purpose; the response to such requests; and any actions taken in response to such requests based on reasonable search criteria that account for the volume of such communications or requests Defendants receive through appropriate channels;
D. All records necessary to demonstrate material compliance with this Order, including all submissions to the Commission; and
E. A copy of each unique advertisement or other marketing material related to collection, retention or deletion of Alexa App Geolocation Information or Voice Information.
XII. COMPLIANCE MONITORING
IT IS FURTHER ORDERED that, for the purpose of monitoring Defendants' compliance with this Order:
A. Within thirty (30) days of receipt of a written request from a representative of the Commission or Plaintiff, Defendants must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; and produce documents for inspection and copying.
B. For matters concerning this Order, the Commission and Plaintiff are authorized to communicate directly with Defendants. Defendants must permit representatives of the Commission and Plaintiff to interview any employee or other person affiliated with Defendants who has agreed to such an interview. The person interviewed may have counsel present.
C. The Commission and Plaintiff may use all other lawful means, including posing, through their representatives, as consumers, suppliers, or other individuals or entities, to Defendants or any individual or entity affiliated with Defendants, without the necessity of identification or prior notice. Nothing in this Order limits the Commission's lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.
XIII. RETENTION OF JURISDICTION
IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.
SO ORDERED this 19th day of July, 2023.
SO STIPULATED AND AGREED:
Exhibit A
Alexa and Alexa Devices FAQs
In May 2023, the United States and Amazon settled United States v. Amazon, Case No. XXXX (W.D. Wash.), a civil lawsuit relating to data collected by Amazon's Alexa service. As part of the settlement, Amazon is changing its policies regarding the retention of children's personal information. The services and devices affected include the Echo Dot Kids Edition and Amazon Kids on Alexa.
Specifically, by [November ] 2023, Amazon will make the following changes:
1. Amazon will design and implement a process to identify Alexa profiles created for children under 13 (child profiles) that have been inactive, meaning they have not been accessed or used by anyone, for a period of 18 months or more.
2. After Amazon identifies an inactive child profile, Amazon will notify the parent or guardian that Amazon plans to delete the personal information collected from the user of that profile.
1. If the parent or guardian wants Amazon to retain that personal information, they will have 30 days to tell Amazon in order to prevent its deletion.
2. In addition, if the child begins using their profile again before Amazon performs the deletion, Amazon may continue to retain the personal information associated with that profile as permitted by the retention settings set by the child's parent or guardian.