Amazon Privacy News
https://www.amazon.com/gp/help/customer/display.html?nodeId=GX7NJQ4ZB8MHFRNJ
Event Timeline
18 events
The Luxembourg Administrative Tribunal upheld the record €746 million GDPR fine against Amazon, rejecting the company's appeal and confirming the CNPD's original 2021 decision. The court backed the regulator's findings that Amazon violated EU rules on cookie consent, transparency, and data subject rights including the rights to correction, deletion, and objection under GDPR Articles 15-17 and 21. Amazon stated it was considering further appeal options.
The FTC began sending $5.6 million in refunds to Ring customers affected by the company's privacy and security failures documented in the 2023 enforcement action. Over 117,000 customers who had their Ring accounts compromised by hackers or whose videos were improperly accessed by Ring employees between 2017 and 2020 were eligible for refunds via PayPal or check. The refunds marked the tangible consumer restitution phase of the FTC's landmark action against Ring.
Amazon abandoned its $1.7 billion acquisition of iRobot (maker of Roomba) after the FTC and EU regulators raised antitrust and privacy concerns about Amazon gaining access to detailed home mapping data collected by robot vacuums. Privacy advocates had argued that 'there is no more private space than the home' and that Amazon would gain access to intimate spatial data not available through other means. The deal's collapse led iRobot to lay off over 40% of its workforce and eventually file for bankruptcy.
Amazon's Ring ended its 'Request for Assistance' program that had allowed over 2,100 police departments to solicit doorbell camera footage directly from users through the Neighbors app. Starting in February 2024, law enforcement would need to submit formal legal requests such as warrants or subpoenas to obtain video footage. The EFF called it 'unquestionably a victory,' though noted that Amazon retained the ability to share footage directly with police in cases involving 'imminent danger of death or serious physical injury.'
The FTC charged Amazon's Ring division with failing to restrict employees' and contractors' access to customers' private video recordings, resulting in a $5.8 million settlement. The complaint revealed that a Ring employee viewed thousands of videos from at least 81 female users' bedroom and bathroom cameras, and that over 55,000 U.S. customers suffered credential-stuffing attacks between 2019 and 2020 due to Ring's failure to implement basic security measures like multi-factor authentication. Hackers used compromised cameras to racially harass children and threaten families.
Amazon discontinued its Halo health and fitness wearable line, effective July 31, 2023, ending the controversial product that collected body-scan images, continuous voice tone analysis, and biometric health data. Amazon refunded all purchases made in the prior 12 months and committed to deleting stored health data. The discontinuation removed a significant source of invasive biometric data collection, though critics noted the precedent it set for tech companies harvesting intimate health information.
A class action lawsuit was filed against Amazon alleging violations of New York City's Biometric Identifier Information Law at Amazon Go cashierless stores. The complaint alleged that Amazon collected customers' biometric data — including palm prints and facial geometry — through its 'Just Walk Out' technology without providing the legally required signage or disclosures. The lawsuit highlighted the tension between Amazon's frictionless retail ambitions and local biometric privacy protections.
Amazon's Twitch streaming platform suffered a massive data breach when an anonymous hacker leaked 125 GB of internal data on 4chan, including the platform's entire source code with commit history, proprietary SDKs, internal AWS services, creator payout reports from 2019 onward, and internal security tools. The breach was caused by a server misconfiguration that exposed Twitch's internal systems. While passwords and financial data were reportedly not compromised, the leak represented one of the largest source code exposures in history.
Luxembourg's data protection authority (CNPD) imposed a record €746 million GDPR fine on Amazon Europe Core S.à.r.l. for violations related to its advertising targeting system. The complaint, filed by French civil society group La Quadrature Du Net with over 10,000 co-signatories in 2018, alleged that Amazon processed personal data for targeted advertising without valid consent. The fine remained the largest GDPR penalty ever imposed, and in March 2025 a Luxembourg court upheld the decision after Amazon's appeal.
Amazon admitted to U.S. senators that it had provided Ring doorbell camera footage to law enforcement at least 11 times without user consent or a warrant, citing 'imminent danger of death or serious physical injury' as justification. The revelation intensified ongoing concerns about Ring's role as an extension of police surveillance, particularly given that over 2,100 law enforcement agencies were enrolled in Ring's Neighbors app — a five-fold increase since 2019.
Amazon Sidewalk launched in the United States, automatically opting in all Echo and Ring devices to share a portion of users' home internet bandwidth with nearby Amazon devices to create a neighborhood-wide mesh network. The default-on approach, which left it to users to opt out, drew sharp criticism from privacy advocates, the former FTC chief technologist, and Connecticut Attorney General William Tong, who recommended users disable the feature. Critics argued that sharing internet with strangers without explicit consent set a dangerous precedent.
Amazon began requiring its approximately 75,000 delivery drivers to consent to AI-powered biometric surveillance cameras in their delivery vans or lose their jobs. The Netradyne Driveri cameras collected face images and biometric information to verify driver identity and monitor driving behaviors, with data retained for up to 30 days. The EFF called the program 'dystopian,' arguing that a 'consent or be fired' ultimatum does not constitute meaningful consent.
Ring announced the rollout of end-to-end encryption for its wired video doorbells and cameras as a technical preview, later expanding to battery-powered devices in September 2022. With E2EE enabled, video footage could only be viewed on the owner's enrolled mobile device, preventing Amazon, law enforcement, or hackers from accessing the content. However, the feature was opt-in rather than default and came with trade-offs including loss of video previews and shared user access.
Amazon launched Amazon One, a contactless palm-scanning payment system at its Go cashierless stores, later expanding it to all 500+ Whole Foods locations by 2023. The system captured palm prints and underlying vein structures to create biometric identifiers. Human rights groups raised concerns about potential data sharing with law enforcement and the irreplaceable nature of biometric data if breached. Amazon faced a class action lawsuit in New York City for allegedly failing to provide adequate notice under the city's biometric surveillance law.
Amazon launched the Halo fitness band, which used body-scanning technology to estimate body fat percentage and continuously listened to the wearer's voice to analyze emotional tone. The device raised significant privacy concerns due to the unprecedented scope of health and biometric data collected, prompting Senator Amy Klobuchar to write to the Department of Health and Human Services about security and antitrust implications. Mozilla's Privacy Not Included project flagged the device for its invasive data collection practices.
Following the murder of George Floyd and nationwide protests against police brutality, Amazon announced a one-year moratorium on police use of its Rekognition facial recognition technology. Researchers had long demonstrated that Rekognition produced inaccurate results for people with darker skin tones and women, raising concerns about racial profiling and mass surveillance. Amazon later extended the ban indefinitely in May 2021.
Capital One disclosed a massive data breach affecting approximately 100 million customers in the US and 6 million in Canada, caused by a former AWS engineer exploiting a misconfigured web application firewall on Amazon Web Services infrastructure. The breach exposed approximately 140,000 Social Security numbers, 80,000 bank account numbers, and personal information dating back over a decade. The attacker, Paige Thompson, was later convicted on seven federal charges.
Bloomberg reported that Amazon employs thousands of workers worldwide to listen to voice recordings captured by Echo speakers in order to improve Alexa's speech recognition. Workers in offices across Boston, India, Romania, and Costa Rica transcribed and annotated up to 1,000 audio clips per shift, with some clips containing sensitive personal conversations. Amazon had not explicitly disclosed that humans — not just algorithms — reviewed Alexa recordings, and a follow-up report revealed reviewers could also access customers' home addresses.