Amazon was caught keeping your children's voice recordings forever, even when you asked them to delete them. They paid $25 million in fines. But their current privacy policy still says they keep your child's recordings to 'improve services' — which is exactly what got them in trouble before. Amazon says Alexa only listens when you say the wake word. But the Alexa app you must install on your phone asks to read your text messages, see your contacts, make phone calls, track your location in the background, and access your camera. That's way more access than needed to control a kids' speaker.
What they claim: Amazon's Alexa privacy page states 'Alexa is designed to record only after the device detects the wake word' — but the companion app requests READ_SMS, RECEIVE_SMS, SEND_SMS, RECEIVE_MMS, READ_CONTACTS, CALL_PHONE, and ANSWER_PHONE_CALLS permissions
What we found: The Alexa privacy page claims limited data collection focused on wake-word-activated interactions. However, the Amazon Alexa companion app (com.amazon.dee.app) requests 57 permissions including: READ_SMS, RECEIVE_SMS, SEND_SMS, RECEIVE_MMS (full text message access), READ_CONTACTS (entire contact list), CALL_PHONE, ANSWER_PHONE_CALLS (phone call control), CAMERA, ACCESS_BACKGROUND_LOCATION, ACCESS_FINE_LOCATION, and RECORD_AUDIO. These permissions grant access to the parent's phone far beyond what is needed to operate a children's smart speaker.
What they claim: A children's smart speaker companion app requests CAMERA, RECORD_AUDIO, and SYSTEM_ALERT_WINDOW permissions that go far beyond speaker management
What we found: The Amazon Alexa app requests CAMERA (access to phone camera), RECORD_AUDIO (microphone access on the phone itself, separate from the Echo device), and SYSTEM_ALERT_WINDOW (ability to draw over other apps). For a companion app to a children's smart speaker, these permissions enable surveillance capabilities on the parent's phone that are unrelated to speaker management. SYSTEM_ALERT_WINDOW in particular has been used by malware to create phishing overlays. Amazon's Alexa privacy page does not explain why a children's speaker requires phone camera, phone microphone, or screen overlay permissions.
What they claim: FTC settlement requires Amazon to implement comprehensive privacy safeguards for children, but the companion app includes Facebook Flipper analytics tracker and AD_ID permission
What we found: The 2023 FTC settlement mandated Amazon implement 'stringent privacy safeguards' for children's data. However, the Alexa companion app (v2.2.669603.0) contains three trackers: Amazon Analytics, Bugsnag, and Facebook Flipper (a Meta debugging/analytics framework). The app also requests the AD_ID permission (Google Advertising Identifier), designed specifically for ad tracking. A children's device companion app containing a Facebook analytics tracker and ad tracking ID directly contradicts the mandate to protect children's privacy.
What they claim: Amazon Kids privacy page claims 'we do not serve interest-based ads to children' but Amazon's general privacy notice discloses using data to 'target you with advertising' and sharing data with advertisers
What we found: Amazon's Children's Privacy Disclosure states it 'does not serve interest-based ads to children in the Amazon Kids experience.' However, the Amazon.com Privacy Notice (which also governs the device) discloses that Amazon uses collected data to 'target you with advertising' and shares information with third parties for advertising purposes. Mozilla's review confirmed Amazon uses data for targeted advertising. The distinction between 'children in the Amazon Kids experience' and all other data processing creates a loophole where children's data collected outside the Kids interface may be used for advertising.
What they claim: Amazon claims Alexa records 'only after detecting the wake word' but CVE-2023-33248 proves the device responds to inaudible ultrasonic commands between 16-22 kHz
What we found: Amazon's Alexa privacy FAQ states devices are 'designed to record only after the device detects the wake word.' CVE-2023-33248 demonstrates that Alexa devices respond to voice commands delivered via ultrasonic audio signals (16-22 kHz) that are outside human hearing range. These commands can be embedded in YouTube videos, Zoom calls, and apps — meaning the device in a child's bedroom can be controlled by inaudible signals from any media the child is consuming, completely bypassing the wake-word safeguard Amazon promotes.
What they claim: CVE-2022-25809 'Alexa versus Alexa' attack allows the device to make purchases and calls autonomously, yet the device is marketed for unsupervised use in children's bedrooms
What we found: CVE-2022-25809 (CVSS 9.8 critical) demonstrates that Echo devices can be made to issue voice commands to themselves via malicious Alexa Skills or Bluetooth pairing — making phone calls, controlling smart home devices, making purchases, and tampering with calendars. The Echo Pop Kids product page markets the device for children's bedrooms with playful Disney Princess and Marvel themes. A device with a known self-command vulnerability placed in a child's bedroom, where a parent cannot constantly monitor interactions, creates a direct safety risk that contradicts Amazon's marketing of the device as safe for children.
What they claim: FTC found Amazon retained children's voice recordings indefinitely and failed to honour parent deletion requests, used children's data to train algorithms
What we found: Amazon's Children's Privacy Disclosure now states parents can 'review and delete voice recordings at any time' and that Amazon Kids voice recordings are retained to 'improve the child's experience and improve Alexa and Amazon Kids services.' The FTC settlement proved Amazon kept children's recordings even after parents requested deletion, and used children's speech patterns to train Alexa's algorithm. Despite paying $25M, the current privacy policy still authorises using children's voice data to 'improve services' — the same justification the FTC found violated COPPA.
What they claim: The Alexa app requests ACCESS_BACKGROUND_LOCATION and ACCESS_FINE_LOCATION despite FTC settlement requiring Amazon to delete geolocation data and implement privacy safeguards
What we found: The FTC settlement specifically cited Amazon's retention of geolocation data as a COPPA violation and required Amazon to delete geolocation data. However, the Amazon Alexa companion app still requests ACCESS_BACKGROUND_LOCATION (continuous location tracking even when app is closed), ACCESS_FINE_LOCATION (precise GPS coordinates), and ACCESS_COARSE_LOCATION. Background location tracking on a parent's phone used to manage a children's device directly contradicts the FTC's requirement to limit geolocation data collection.
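The permission findings above (SMS, contacts, telephony, camera and microphone, overlay, AD_ID, location) can be checked against any companion app's decoded manifest. The following is an added example, not part of the original report: the manifest excerpt is constructed, and the `audit` function and its `allowed_groups` policy are hypothetical names chosen for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups built from the permissions this report names.
GROUPS = {
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS", "RECEIVE_MMS"},
    "contacts": {"READ_CONTACTS"},
    "telephony": {"CALL_PHONE", "ANSWER_PHONE_CALLS"},
    "camera_mic": {"CAMERA", "RECORD_AUDIO"},
    "location": {"ACCESS_BACKGROUND_LOCATION", "ACCESS_FINE_LOCATION",
                 "ACCESS_COARSE_LOCATION"},
    "overlay": {"SYSTEM_ALERT_WINDOW"},
    "ad_tracking": {"AD_ID"},
}

# Constructed excerpt in decoded-manifest form; NOT the real app's manifest.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.speaker.companion">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <uses-permission-sdk-23 android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Collect names from both permission-request element types."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def audit(manifest_xml, allowed_groups):
    """Return {group: [permissions]} for groups the policy does not allow."""
    findings = {}
    for full in sorted(requested_permissions(manifest_xml)):
        short = full.rsplit(".", 1)[-1]  # vendor prefixes differ, e.g. AD_ID
        for group, members in GROUPS.items():
            if short in members and group not in allowed_groups:
                findings.setdefault(group, []).append(full)
    return findings
```

Calling `audit(SAMPLE_MANIFEST, allowed_groups=set())` flags every sensitive group requested; passing a set of groups the reviewer considers justified for speaker management narrows the output to the remainder.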
What they claim: Amazon privacy policy is described as a 'nightmare' of interconnected documents yet Amazon claims transparency about children's data practices
What we found: Amazon's Children's Privacy Disclosure references the Amazon Privacy Notice, Alexa Terms of Use, Amazon.com Conditions of Use, and the Alexa and Amazon Devices Acceptable Use Policy — at minimum five separate documents governing a children's device. Mozilla Foundation described Amazon's privacy documentation as 'a nightmare' of interconnected policies that are 'difficult to find, navigate, read, and understand.' Amazon's Children's Privacy page states they provide 'key information regarding how Amazon handles personal information.' Burying children's privacy practices across five or more documents that privacy experts call incomprehensible contradicts any claim of transparency.
What they claim: Device connects to 9+ Amazon cloud endpoints for an always-listening children's device, yet Amazon's children's privacy disclosure does not enumerate these data flows
What we found: Firmware analysis reveals the Echo Pop Kids connects to at least 9 Amazon endpoints: device-metrics-us.amazon.com, api.amazonalexa.com, avs-alexa-na.amazon.com, dp-gw-na.amazon.com, unagi-na.amazon.com, todo-ta-g7g.amazon.com, kindle-time.amazon.com, dcape-na.amazon.com, and softwareupdates.amazon.com. These include metrics collection, voice processing, and other services. Amazon's Children's Privacy Disclosure does not enumerate these specific data flows or explain what data each endpoint collects from children's interactions.
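To compare the endpoint list above with what a speaker on a home network actually resolves, the following added example (not part of the original report) tallies DNS queries from one device in a dnsmasq query log. The log lines and the device address 192.0.2.50 are constructed, and dnsmasq query logging is an assumed data source.

```python
import re
from collections import Counter

# The nine endpoints listed in the report's firmware analysis.
DOCUMENTED = {
    "device-metrics-us.amazon.com", "api.amazonalexa.com",
    "avs-alexa-na.amazon.com", "dp-gw-na.amazon.com",
    "unagi-na.amazon.com", "todo-ta-g7g.amazon.com",
    "kindle-time.amazon.com", "dcape-na.amazon.com",
    "softwareupdates.amazon.com",
}

# dnsmasq logs each client lookup as: query[TYPE] name from client-ip
QUERY_RE = re.compile(r"query\[(?P<type>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)")

# Constructed log lines; 192.0.2.50 is the assumed speaker address.
SAMPLE_LOG = """\
Mar  3 19:02:11 dnsmasq[412]: query[A] avs-alexa-na.amazon.com from 192.0.2.50
Mar  3 19:02:11 dnsmasq[412]: forwarded avs-alexa-na.amazon.com to 198.51.100.1
Mar  3 19:02:14 dnsmasq[412]: query[A] device-metrics-us.amazon.com from 192.0.2.50
Mar  3 19:02:14 dnsmasq[412]: query[AAAA] device-metrics-us.amazon.com from 192.0.2.50
Mar  3 19:02:20 dnsmasq[412]: query[A] example.org from 192.0.2.77
Mar  3 19:03:02 dnsmasq[412]: query[A] Unagi-NA.amazon.com. from 192.0.2.50
Mar  3 19:03:40 dnsmasq[412]: query[A] telemetry.example.net from 192.0.2.50
"""

def summarize(log_text, device_ip):
    """Split one device's lookups into documented and unlisted hostnames."""
    seen, unlisted = Counter(), Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m["src"] != device_ip:
            continue  # skip replies, forwards and other clients
        # DNS names are case-insensitive and may carry a trailing root dot.
        name = m["name"].rstrip(".").lower()
        (seen if name in DOCUMENTED else unlisted)[name] += 1
    never_seen = sorted(DOCUMENTED - set(seen))
    return seen, unlisted, never_seen

if __name__ == "__main__":
    seen, unlisted, never_seen = summarize(SAMPLE_LOG, "192.0.2.50")
    print("documented:", dict(seen))
    print("unlisted:", dict(unlisted))
    print("not observed:", never_seen)
```

Hostnames in the unlisted bucket are the ones to investigate further, since neither the report's list nor the disclosure accounts for them.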
What they claim: Amazon gave 30,000 employees access to voice recordings without business need, yet current policy claims data is handled 'carefully and sensibly'
What we found: The FTC found that Amazon gave approximately 30,000 employees access to Alexa users' voice recordings without demonstrating a legitimate business need for such broad access. Amazon's current Alexa Privacy FAQ opens with 'Amazon knows that you care how information about you is used, and we appreciate your trust that we will do so carefully and sensibly.' The juxtaposition of allowing 30,000 employees unrestricted access to intimate home recordings with current claims of careful data handling represents a significant credibility gap, especially for a device placed in children's bedrooms.