More Alexa Eavesdropping Allegations

Happy Thursday everybody. I don’t know about you, but when I read that Alexa users are suing Amazon over its alleged collection of Alexa voice data, I thought: yeah, that’s no surprise.

Amazon has always been clear that if you make a purchase through Alexa, then that purchase data will be used to inform which ads it will show you. However, the lawsuit seems to suggest that Alexa is collecting and analyzing voice data from all interactions, not just purchases, and distributing that to ad tech vendors. Amazon stated that “In their complaint, plaintiffs conspicuously never allege facts showing that Amazon uses Alexa recordings to serve interest-based ads (because they have no good-faith basis for that allegation.”

This isn’t the first time that Amazon has been accused of eavesdropping through Alexa devices. In fact, a report from earlier this year by researchers affiliated with the University of Washington, UC Davis, UC Irvine, and Northeastern University concluded that Amazon does indeed collect voice data from interactions, much like this lawsuit alleges. 

The researchers found that Amazon collected data through Alexa smart speakers and shared it with as many as 41 advertising partners, a practice that would be inconsistent with its privacy policy. Amazon denied the report’s findings and insisted, again, that only purchase-related data was used for targeted advertising purposes.

There simply isn’t a great deal of transparency over how these devices collect, handle, and disseminate user data. For companies with less-than-perfect data privacy track records, asking customers to trust their smart speakers and other internet-of-things (IoT) devices might be asking too much. Total transparency could be key to winning this trust, but it could also reduce these companies’ competitive advantage. So long as the tension between transparency and competitive advantage exists, it seems unlikely that consumers will ever gain widespread trust in IoT devices.

Best,
Arlo

P.S. If you own an Alexa yourself, don’t forget to check out your Alexa privacy settings. If you use third-party skills, you’ll have to go to the developers’ website to manage your preferences from there.

FTC extends comment period for potential rules regulating commercial surveillance
The Federal Trade Commission (FTC) announced a one-month extension for the public to submit comments on commercial surveillance and lax data security practices. The current deadline for comment submission is now November 21. The purpose of the FTC’s comment-seeking period (known as an Advanced Notice of Proposed Rulemaking, or ANPR) is to explore the harm caused by commercial surveillance and determine whether the FTC should issue new rules regulating these practices.

“Firms now collect personal data on individuals at a massive scale and in a stunning array of contexts,” said FTC Chair Lina M. Khan in the initial ANPC announcement. “The growing digitization of our economy—coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used—means that potentially unlawful practices may be prevalent.”
Read more

David Flaherty’s influence, death marks ‘chapter in modern privacy law’
Former Information and Privacy Commissioner David Flaherty passed away on October 11th, 2022. Flaherty pioneered the study of privacy law and served as British Columbia’s first Information and Privacy Commissioner.
Read more

Alexa users claim Amazon is using voice recordings to target ads
Alexa users are suing Amazon, claiming that the voice assistant product is targeting users with ads based on their recorded conversations. The plaintiffs allege that Amazon used “Alexa-collected voice data” for ad targeting, violating user privacy and engaging in misleading and unfair conduct.
Read more

CPPA publishes first modifications of CPRA draft regulations
The California Privacy Protection Agency (CPPA) released updated California Privacy Rights Act draft regulations, marking the first updates to the initial draft rules released on May 31st. These rules cover select topics under the CPRA, including personal data collection and use restrictions, mandatory user opt-out signal acknowledgment, and privacy notice requirements.
Read more

Third Circuit: Risk of future harm from data breaches grounds for Article III standing
The U.S. Court of Appeals for the Third Circuit recently held in the Clemens v. ExecuPharm Inc. case that data breaches exposing an individual’s personal data create enough increased risk for that individual that they meet what’s called “Article III standing.” In essence, Article III standing means that an individual may bring a lawsuit in federal court, as opposed to lower court systems. The finding has implications for the number of legal risk businesses face following a data breach.
Read more

New kids’ privacy app teaches digital privacy while blocking trackers
The Do Not Track Kids app from the security firm Disconnect blocks trackers across the device it’s installed upon while simultaneously teaching kids about privacy through comic-book-style explainers. Collecting data on children violates COPPA, the Children’s Online Privacy Protection Act, but the law features significant loopholes that permit data collection regardless. One estimate found that digital ad firms collect 72 million data points about children before the age of 13, the age at which data collection first becomes legal. 
Read more

Checklist: Set up a scalable, repeatable DSAR process
More and more data privacy laws come online every year, and consumers are becoming increasingly aware of their rights—that’s why it’s essential to develop a data subject access request (DSAR) workflow that keeps you compliant at scale.

Follow Osano’s checklist to set up a scalable DSAR process to avoid noncompliance and minimize interruptions to your workday.
Download the checklist

Interested in working at Osano? Check out our Careers page! We might have the perfect opportunity for you.