Amazon.com (Ring LLC)
Issued by Federal Trade Commission (FTC) on 2023-05-31
What happened
The FTC fined Amazon's Ring LLC $5.8 million for privacy violations related to its home security cameras. The FTC alleged that Ring gave every employee and contractor unrestricted access to customers' private videos, and that Ring failed to implement basic privacy and security protections, enabling hackers to take control of consumers' accounts, cameras, and videos. Specifically, Ring employees in Ukraine were found to have viewed thousands of video recordings from female customers' bedrooms and bathrooms. Additionally, Ring failed to implement adequate security measures like multi-factor authentication until 2019, after numerous account compromises. The settlement also required Ring to delete all data products derived from videos it unlawfully reviewed.
Articles violated
Lessons learned
Access to customer video and audio recordings must be strictly limited based on job function — unrestricted employee access to private recordings is unacceptable. IoT device companies must implement strong authentication (MFA) from the start, not as an afterthought. Employee access to customer data must be logged, audited, and restricted. Security cameras create uniquely sensitive data requiring heightened protections. Companies must delete not only improperly accessed data but also any derived products (models, algorithms) trained on that data.
Source
View original decisionDisclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
Get enforcement alerts for Technology
We track GDPR fines across Europe. Enter your email to get notified about new enforcement actions.