08.13.21

Cassidy, Klobuchar, Ossoff Demand Information about Amazon’s Biometric Data Collection Practices

WASHINGTON – U.S. Senators Bill Cassidy, M.D. (R-LA), Amy Klobuchar (D-MN), and Jon Ossoff (D-GA) requested information about Amazon’s data collection practices involving biometrics in a letter to Amazon CEO Andy Jassy. The senators expressed concerns about the company’s use of data gathered by Amazon One, the company’s palm-print recognition and payment system. 

The letter follows reports of Amazon offering credits to consumers to share their biometric data with Amazon One. Amazon has also announced that it is planning to expand the program, including potentially selling Amazon One technology to third-party stores. 

“Amazon’s expansion of biometric data collection through Amazon One raises serious questions about Amazon’s plans for this data and its respect for user privacy, including about how Amazon may use the data for advertising and tracking purposes,” the senators wrote

“Amazon One users may experience harms if their data is not kept secure. In contrast with biometric systems like Apple’s Face ID and Touch ID or Samsung Pass, which store biometric information on a user’s device, Amazon One reportedly uploads biometric information to the cloud, raising unique security risks...Data security is particularly important when it comes to immutable customer data, like palm prints,” the senators continued.  

Read the full letter here or below:

Dear Mr. Jassy:

We write regarding concerns about Amazon’s recent expansion and promotion of Amazon One, a palm print recognition system, and to request information about the actions Amazon is taking to protect user data privacy and security. 

Amazon One appears to be a biometric data recognition system that allows consumers to pay for their purchases in grocery stores, book stores, and other retail settings using their palm print. Consumers can enroll in the program at any location with an Amazon One device by scanning one or both palms and entering their phone and credit card information. Amazon One devices are currently in use in more than 50 retail locations throughout the United States, including in Minnesota. Locations with the technology currently include Amazon Go stores, Whole Foods locations, and other Amazon stores.  

Recent reports indicate that Amazon is incentivizing consumers to share their biometric information with Amazon One by offering a $10 promotional credit for Amazon.com products. Amazon has also announced that they have plans to expand Amazon One, which may include introducing the technology in other Amazon stores as well as selling it to third-party stores. Amazon’s expansion of biometric data collection through Amazon One raises serious questions about Amazon’s plans for this data and its respect for user privacy, including about how Amazon may use the data for advertising and tracking purposes. 

Offering products from home devices to health services, Amazon possesses a tremendous amount of user data on the activities of hundreds of millions of Americans. Our concerns about user privacy are heightened by evidence that Amazon shared voice data with third-party contractors and allegations that Amazon has violated biometric privacy laws. We are also concerned that Amazon may use data from Amazon One, including data from third-party customers that may purchase and use Amazon One devices, to further cement its competitive power and suppress competition across various markets. 

Amazon One users may experience harms if their data is not kept secure. In contrast with biometric systems like Apple’s Face ID and Touch ID or Samsung Pass, which store biometric information on a user’s device, Amazon One reportedly uploads biometric information to the cloud, raising unique security risks. Like many companies, Amazon has been affected by hacks and vulnerabilities that have exposed sensitive information, such as user emails. Amazon’s various home device systems have leaked information or been hacked, as highlighted in a recent letter to the Federal Trade Commission (FTC) from 48 advocacy organizations. Company whistleblowers earlier this year also raised concerns about Amazon’s security practices. Data security is particularly important when it comes to immutable customer data, like palm prints. 

In light of these issues, we respectfully ask that you provide written answers to the following questions by August 26, 2021: 

  1. Does Amazon have plans to expand Amazon One to additional Whole Foods, Amazon Go, and other Amazon store locations, and if so, on what timetable? 
  2. How many third-party customers has Amazon sold (or licensed) Amazon One to? What privacy protections are in place for those third parties and their customers?
  3. How many users have signed up for Amazon One? 
  4. Please describe all the ways you use data collected through Amazon One, including from third-party customers. Do you plan to use data collected through Amazon One devices to personalize advertisements, offers, or product recommendations to users? 
  5. Is Amazon One user data, including the Amazon One ID, ever paired with biometric data from facial recognition systems? 
  6. What information do you provide to consumers about how their data is being used? How will you ensure users understand and consent to Amazon One’s data collection, storage, and use practices when they link their Amazon One and Amazon account information?
  7. What actions have you taken to ensure the security of user data collected through Amazon One?

Ensuring the security of user data and protecting consumer privacy are of the utmost concern. We look forward to your prompt responses.  

###