The Luxembourg National Commission for Data Protection (CNPD) has issued Amazon the largest GDPR fine to date, hitting the online shopping giant with a penalty of €746 million (about $887 million) over its targeted advertising practices.
The fine stems from a complaint first filed by French privacy rights group La Quadrature du Net on behalf of about 10,000 Amazon customers that had personal information used for ad tracking without their knowledge. The amount tops the previous GDPR fine record of €50 million (about $57 million), issued by France’s CNIL to Google over failure to collect proper consent from Android users setting up new phones.
Amazon GDPR fine smashes previous records
News of the GDPR fine came from Amazon’s quarterly SEC filing. The company attached a statement indicating that it intended to challenge the fine, asserting that the amount is excessive given that there was not a data breach or third-party theft of any customer data.
There has yet to be public comment from the CNPD on what went into the decision to levy a record-setting GDPR fine. The agency said that Amazon must “change its business practices,” but neither party elaborated on exactly what business practices are in question other than naming the company’s targeted advertising program. Amazon’s advertising program primarily consists of “sponsored posts” that are elevated to the top of search results for particular terms, and sidebar ads that will appear on the pages of related products. While Amazon sellers are bidding on specific internal search terms, third parties are also able to access certain advertising slots to pitch non-Amazon services through the company’s site and apps. These advertisers are tapping into Amazon’s customer histories, which meticulously log what buyers have previously bought and searched for. All of the company’s services now exist under the banner of Amazon Advertising, which has become the third-largest targeted ad network behind the ones operated by Facebook and Google.
Unlike many Silicon Valley tech giants, Amazon has made Luxembourg the home of its EU headquarters (rather than the usual choice of Dublin). The GDPR fine demonstrates that the CNPD intends to be aggressive in taking on cases it has jurisdiction in; a draft document leaked in June had actually proposed a fine that was less than half the amount of the eventual penalty. The current GDPR fine would reach the maximum amount of 4% of annual global turnover allowed by the EU-spanning regulation, going by Amazon’s 2020 reported net income.
Google and Facebook are the tech behemoths that generally take the brunt of the criticism (and GDPR fines) when it comes to personal data privacy issues, along with a vast network of smaller adtech companies that are not household names. Amazon takes its own criticism on numerous fronts, but data privacy and security are not among the more common.
Privacy and security issues possibly on the horizon
If several anonymous whistleblowers are to be believed, that may be changing for the company in the near future. In February, three former high-level information security employees of the company (from both the EU and US) came forward to tell the media that they had observed serious security lapses in the company that have gone ignored by senior leadership even after being brought to their attention. The whistleblowers said that the company is so focused on growth that it does not adequately keep track of the vast network of personal data it holds and will sometimes play fast and loose with fundamental security hygiene. Among other specific issues, the security professionals said that former employees often retain their access for months and that the company is failing to keep up with security patching.
In addition to shopping records, Amazon holds sensitive customer contact and payment information including stored credit card numbers. It is also present in tens of millions of homes in the United States market alone, in the form of its Alexa smart speaker systems and Ring doorbell cameras. The company has even recently proposed moving into the bedroom, receiving approval from the FCC to develop a sleep monitoring system that would use radar to track body movements through the night to improve quality of sleep. Its monitoring systems are the area in which it has had the greatest amount of privacy issues, with Alexa speakers on occasion sending random recorded files to other users. Along with other smart speaker companies, Amazon was also found to surreptitiously record snippets of private conversations and send them to outside contractors for quality assurance testing purposes; there did not appear to be any system in place to screen the content of these sound samples, with contractors sometimes receiving audio of intimate moments and even in some cases hearing potential crimes being discussed.