If consumers’ digital footprints — their clicks, impressions, location check-ins and likes — provide a trove of information for advertisers, then daily conversations and prompts around a dutiful voice-controlled device could be the mother lode.
Amazon has employees who review conversations recorded on Echo devices in order to fine-tune its Alexa digital assistant, Bloomberg reported last week, reigniting concerns about privacy and Amazon’s collection of personal data. But where does that leave third parties who promote themselves on devices like the Echo, a cohort that increasingly includes fashion retailers such as Bloomingdale’s, Walmart and Macy’s?
Because of the hazy and evolving patchwork of state and federal privacy laws across the U.S., the answer depends. But the operative question is: What would a consumer expect in a given scenario? Would a reasonable consumer expect that the information a company is collecting is fair game for a specific purpose, or would the discovery come as a shock? The more likely it is to surprise consumers, and the more sensitive the data being collected, the riskier the practice, attorneys said.
“Any time on that sliding scale that you’re collecting more personal information, you have to think about transparency, and the choices presented to the consumer,” said Alysa Hutnik, who chairs Kelley Drye & Warren LLP’s privacy and information security practice.
For its part, Amazon does not share voice recordings or full transcripts with third parties, including companies that promote their services through Alexa’s “skills” feature, according to an Amazon spokesman. The company also limits ads on Alexa to those that might play on certain news and streaming services, he said.
“Amazon does not allow advertising on Alexa outside of certain skills, such as live radio, streaming music services like Pandora or TuneIn, or news feeds from CNN,” the Amazon spokesman said in a statement.
But the business of voice commerce is still relatively new, and the type of data advertisers try to collect through such technology might evolve over time.
The U.S. currently doesn’t have a comprehensive federal privacy law framework, but the Federal Trade Commission enforces privacy protections for consumers through a few federal statutes, including those that bar deceptive business practices and don’t let companies misrepresent how they’re collecting or using consumers’ data.
Since 2002, when the FTC broadened its enforcement of privacy protections, the agency has filed some 65 complaints against companies for allegedly misusing consumers’ data, in addition to dozens of general privacy suits, according to a report on privacy and data security it issued in March.
The agency’s suits target how companies use and safeguard the information they collect from their users. In recent years, PayPal has settled the FTC’s claims that its payment app Venmo misled users about how to keep transactions private, while ride-hailing service Uber Technologies Inc. settled the agency’s claims that it didn’t adequately oversee how its employees accessed and use consumers’ personal data, including their location information.
In 2018, California’s legislature passed a bill enshrining consumer privacy protections that were modeled on the European Union’s stricter privacy regulations. The California Consumer Privacy Act, set to take effect in 2020, would allow consumers to ask companies what information they’re collecting and what third parties they’re passing that information on to, among other things.
Washington state, and New Mexico are eyeing similar legislation, though all eyes are presently on California to see how the law will work in practice, attorneys said.
“In general, [the CCPA] provides that if you are an organization collecting information from a consumer, who it defines as a California resident, you have an obligation to let the consumer know that you’re collecting the information, and how are you processing it,” said Victoria Beckman, co-chair of Frost Brown Todd’s privacy and data security team.
As it stands, companies and their partners personalize advertisements by collecting detailed information about consumers online, particularly about their tastes and spending habits.
They observe which promotional e-mails customers open and at what time of the day, deploy cookies to track online browsing habits, and sometimes rely on geolocation in conjunction with apps to follow real-world consumer behavior.
“How are you interacting with your online communications — whether through a web site, apps, or on your e-mail — that’s what advertisers are tracking,” said Hutnik.
Questions down the road about what recordings captured by voice-directed devices would be fair game for advertisers to collect and analyze might depend on whether they are specific requests for product information.
“If you say, ‘Tell me about the red lipstick from Chanel,’ communications directed at the device could be catalogued in a similar manner as if you typed in those same instructions,” said Anthony Lupo, partner at Arent Fox LLP, speaking generally about voice-directed technology.
Collecting and retaining broader snippets of general conversations, on the other hand, would be an ethical and legal minefield for advertisers.
“It would hurt the integrity of the product, and people are already worrying about it,” he said. “I think you’re gonna see companies stay away from that.”