Senators: “Amazon’s expansion of biometric data collection through Amazon One raises serious questions about Amazon’s plans for this data and its respect for user privacy, including about how Amazon may use the data for advertising and tracking purposes”

WASHINGTON – U.S. Senator Amy Klobuchar (D-MN), Chairwoman of the Senate Judiciary Subcommittee on Competition Policy, Antitrust, and Consumer Rights; and Senators Bill Cassidy (R-LA) and Jon Ossoff (D-GA) sent a letter to Amazon CEO Andy Jassy requesting information about Amazon’s data collection practices involving biometrics. The senators expressed concerns about the company’s use of data gathered by Amazon One, the company’s palm-print recognition and payment system, noting that this data could be used to “further cement its competitive power and suppress competition across various markets.”

The letter follows reports of Amazon offering credits to consumers to share their biometric data with Amazon One. Amazon has also announced that it is planning to expand the program, including potentially selling Amazon One technology to third-party stores.

“Amazon’s expansion of biometric data collection through Amazon One raises serious questions about Amazon’s plans for this data and its respect for user privacy, including about how Amazon may use the data for advertising and tracking purposes,” the senators wrote.

The senators continued later in the letter: “Amazon One users may experience harms if their data is not kept secure. In contrast with biometric systems like Apple’s Face ID and Touch ID or Samsung Pass, which store biometric information on a user’s device, Amazon One reportedly uploads biometric information to the cloud, raising unique security risks...Data security is particularly important when it comes to immutable customer data, like palm prints.”

In her role as Chairwoman of the Senate Judiciary Subcommittee on Competition Policy, Antitrust, and Consumer Rights, Klobuchar has championed efforts to protect consumer privacy -- especially with regard to enhancing online consumer privacy and cybersecurity. 

In June, Klobuchar and Senator Richard Blumenthal (D-CT) sent a letter to Uber and Lyft expressing concern about a new advertising program that may compromise passengers’ privacy in ride-share vehicles.

In February, Klobuchar and Senator Lisa Murkowski (R-AL) introduced the Protecting Personal Health Data Act to protect consumers’ private health data by requiring the Secretary of the U.S. Department of Health and Human Services to promulgate regulations for new health technologies such as health apps, wearable devices, and direct-to-consumer genetic testing kits that are not regulated by existing laws.

Last December, Klobuchar sent a letter to former Health and Human Services Secretary Alex Azar, urging the Trump administration to address privacy concerns surrounding the Amazon Halo, a health tracking bracelet.

In December 2019, Klobuchar joined Senate Commerce, Science, and Transportation Committee Chair Maria Cantwell (D-WA) and fellow Senators Brian Schatz (D-HI) and Ed Markey (D-MA) in unveiling comprehensive federal online privacy legislation to establish digital rules of the road that companies must follow. The Consumer Online Privacy Rights Act (COPRA) gives Americans control over their personal data; prohibits companies from using consumers’ data to harm or deceive them; establishes strict standards for the collection, use, sharing, and protection of consumer data; protects civil rights; and penalizes companies that fail to meet data protection standards.

The full text of the letter can be found below and HERE.

Dear Mr. Jassy:

We write regarding concerns about Amazon’s recent expansion and promotion of Amazon One, a palm print recognition system, and to request information about the actions Amazon is taking to protect user data privacy and security.

Amazon One appears to be a biometric data recognition system that allows consumers to pay for their purchases in grocery stores, book stores, and other retail settings using their palm print. Consumers can enroll in the program at any location with an Amazon One device by scanning one or both palms and entering their phone and credit card information. Amazon One devices are currently in use in more than 50 retail locations throughout the United States, including in Minnesota. Locations with the technology currently include Amazon Go stores, Whole Foods locations, and other Amazon stores. 

Recent reports indicate that Amazon is incentivizing consumers to share their biometric information with Amazon One by offering a $10 promotional credit for Amazon.com products. Amazon has also announced that they have plans to expand Amazon One, which may include introducing the technology in other Amazon stores as well as selling it to third-party stores. Amazon’s expansion of biometric data collection through Amazon One raises serious questions about Amazon’s plans for this data and its respect for user privacy, including about how Amazon may use the data for advertising and tracking purposes. 

Offering products from home devices to health services, Amazon possesses a tremendous amount of user data on the activities of hundreds of millions of Americans.Our concerns about user privacy are heightened by evidence that Amazon shared voice data with third-party contractors and allegations that Amazon has violated biometric privacy laws. We are also concerned that Amazon may use data from Amazon One, including data from third-party customers that may purchase and use Amazon One devices, to further cement its competitive power and suppress competition across various markets. 

Amazon One users may experience harms if their data is not kept secure. In contrast with biometric systems like Apple’s Face ID and Touch ID or Samsung Pass, which store biometric information on a user’s device, Amazon One reportedly uploads biometric information to the cloud, raising unique security risks. Like many companies, Amazon has been affected by hacks and vulnerabilities that have exposed sensitive information, such as user emails. Amazon’s various home device systems have leaked information or been hacked, as highlighted in a recent letter to the Federal Trade Commission (FTC) from 48 advocacy organizations. Company whistleblowers earlier this year also raised concerns about Amazon’s security practices. Data security is particularly important when it comes to immutable customer data, like palm prints. 

In light of these issues, we respectfully ask that you provide written answers to the following questions by August 26, 2021:

  1. Does Amazon have plans to expand Amazon One to additional Whole Foods, Amazon Go, and other Amazon store locations, and if so, on what timetable? 
  2. How many third-party customers has Amazon sold (or licensed) Amazon One to? What privacy protections are in place for those third parties and their customers?
  3. How many users have signed up for Amazon One? 
  4. Please describe all the ways you use data collected through Amazon One, including from third-party customers. Do you plan to use data collected through Amazon One devices to personalize advertisements, offers, or product recommendations to users? 
  5. Is Amazon One user data, including the Amazon One ID, ever paired with biometric data from facial recognition systems? 
  6. What information do you provide to consumers about how their data is being used? How will you ensure users understand and consent to Amazon One’s data collection, storage, and use practices when they link their Amazon One and Amazon account information?
  7. What actions have you taken to ensure the security of user data collected through Amazon One?

Ensuring the security of user data and protecting consumer privacy are of the utmost concern. We look forward to your prompt responses. 

# # #