Amazon has allegedly been “surreptitiously tracking and selling California residents’ sensitive movements and locations,” according to a class-action lawsuit filed against the company on January 29, 2025, in U.S. District Court in San Francisco.
The lawsuit reads like spy tales, allegations that Amazon collects fingerprint information and precise, timestamped latitude and longitude geolocations of consumers from their smartphones or other devices. The lawsuit alleges that such information creates identifiable profiles, a window into a person’s personal life, including medical care, religious worship, and other sensitive information that may expose them to potential harm, in cases where a client may be a domestic violence survivor or a member of another at-risk population.
“Amazon developed and disseminated a software development kit called the Amazon Ads SDK that enables backdoor access to consumers’ devices and opens a direct data collection pipeline to Amazon and its advertising partners. On information and belief, tens of thousands of app developers have embedded Amazon’s Ads SDK into their mobile apps, allowing Amazon to siphon data from consumers.” The lawsuit, filed through California resident Felix Kolotinsky, “on behalf of all others similarly situated,” further states, “Neither Plaintiff nor any member of the putative Class has ever agreed to allow Amazon to collect or sell their sensitive data and there is no mechanism to opt out of Amazon’s data collection practices.”
Mr. Kolotinsky said he downloaded the “Speedtest by Ookla” app on his Android phone, and enabled location services to share it with Speedtest. He contended that the developers of the Speedtest mobile app embedded the Amazon Ads SDK into their mobile app, allowing Amazon to collect his timestamped geolocation information, unique device ID’s, device fingerprint data and information about which locations he visited. Mr. Kolotinsky argues that he did not grant Amazon consent or permission to collect any information from his device.
Amazon’s privacy notice, last updated March 31, 2024, stipulates that it may collect a broad range of information when customers use Amazon Services. Among that information is: Name, address, phone numbers, payment information, age, location information, IP address, email addresses of friends and other people, personal information contained in customer’s profiles, voice recordings when speaking with Alexa, images and videos collected or stored in connection with Amazon Services, information and documents regarding identity, including Social Security and driver’s license numbers, corporate and financial information, credit history information, and Wi-Fi credentials if automatically synched with other Amazon devices. Additionally, Amazon may collect personal information relating to other people residing at the customer’s address.
Amazon also addresses information shared with third-parties. Because Amazon gives customers the ability to order products from third parties. Such dissemination of personal information is part of that transaction, and is provided to the third party, Amazon stipulates.
“These third-party service providers have access to personal information needed to perform their functions, but may not use it for other purposes.”
Amazon is a multinational company that ranks as the second largest private employer in the U.S. and the second largest company in the world. There are over 200 million subscribers to Amazon Prime worldwide. With such an incredible reach, the company has been the subject of numerous lawsuits relating to customer data collection practices.
The U.S. Federal Trade Commission (FTC) on May 31, 2023, issued a statement that the FTC and the Department of Justice (DOJ) charged Amazon with violating the Children’s Online Privacy Protection Act Rule (COPPA Rule) by storing children’s Alexa voice recordings and undermining parent’s deletion requests.
“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, in the press release. “COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms.”
Amazon paid a $25 million civil penalty as part of a settlement in that lawsuit filed in U.S. District Court in Seattle, WA.
“Parents want and deserve to have control over data related to their young children – this includes recordings of the child’s voice, the child’s location, and the questions the child asks an Alexa device,” said Acting U.S. Attorney Tessa M. Gorman for the Western District of Washington. “Some may be delighted to have those recordings saved for sentimental reasons – but that needs to be the parent’s choice – not a decision made by Amazon. This settlement requires Amazon to provide notice to parents with ways they can select whether and how that data is retained.”
