You may have heard the news about Amazon being sued for storing recordings of children talking to Alexa, without first asking for consent. Two suits were filed in Seattle and Los Angeles, ironically on the day before the company released its new Echo Dot: Kids Edition smart speaker.
The lawsuits allege Amazon failed to gain consent to create the voiceprints, which the firm uses to help Alexa become more accurate – and which human operators can access and listen to.
Now, you might think this is coming under the auspices of the GDPR, which includes biometric data like voice recordings as personal data, requires informed consent, and specifically says: Children merit specific protection with regard to their personal data.
Or, it could be the California Consumer Privacy Act (CCPA), which also classifies voiceprints as biometric information that should be protected, and says:
A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.
Under both of these laws, Amazon doesn’t appear to have a leg to stand on. But, of course, GDPR doesn’t apply to US residents, and the CCPA doesn’t come into effect until January 2020.
So, what’s going on?
The lawyers, in this case, are saying there’s been a violation of the Massachusetts Wiretap Statute along with ‘substantially similar laws’ in Florida, Illinois, Maryland, Michigan, New Hampshire, Pennsylvania, and Washington.
The Massachusetts Wiretap Statute is one of the most restrictive wiretapping laws in the US and was introduced to address the uncontrolled development and unrestricted use of electronic recordings which posed grave dangers to the privacy of citizens. It specifically states:
The secret use of such devices by private individuals must be prohibited.
It became law in 1968.
And yes, that was 50 years before the GDPR was introduced. And yes, it does resonate remarkably well with the current state of technology, despite the fact that it was written when technology was, well, a bit less complicated.
This is fascinating because it echoes something that came up while I was reading the Global Data Privacy Roadmap whitepaper. I was looking at how data protection legislation in every country around the world has changed one year on from the introduction of the GDPR, and three recurring issues stood out:
- Lots of countries were in the midst of proposing or introducing new data protection legislation and the GDPR was the benchmark many were following
- Other countries were proposing or introducing data protection legislation for the first time that, while not as strict as the GDPR, was better than no legislation at all
- And – here’s the interesting bit – there was a lot of talk going on about using existing legislation in new ways
A paper presented at the annual conference of the African Bar Association in 2017, for example, talked about the then-upcoming GDPR and looked at ways that existing laws could be used to provide similar protections for citizens of different African countries. In the case of Angola, it discussed how the GDPR applies to any company processing the data of EU residents, whether or not the company is based in the EU, and went on to say:
While the Angolan Data Protection Act may not apply to a foreign entity, constitutional rights belong to citizens at all times, and an Angolan court or the Data Protection Agency may therefore find that, for reasons of public policy or public order, these rights cannot be excluded or avoided due to the fact that the party controlling their data does not have any type of presence in Angola.
So, in other words, the author, João Luís Traça, a Partner at Lisbon-based legal practice, Miranda, was saying that even without a new data protection law, businesses that collect and process data could still be held accountable.
João Luís Traça’s paper barely caused a ripple outside Africa when it was first presented. Amazon’s latest lawsuit, on the other hand, could prompt many more similar lawsuits. Not by waiting for new privacy legislation, but by looking back at legislation that already exists and seeing how it can now be applied.