Amazon sued for allegedly slurping sensitive data via advertising SDK
Harvesting of location data and other personal info without user consent, lawsuit claims
Amazon and its advertising subsidiary have been sued for allegedly collecting personal and location data from third-party mobile apps without obtaining users' informed consent.
The lawsuit, filed in federal court in San Francisco, aspires to be certified as a class action. Brought on behalf of plaintiff Felix Kolotinsky, the complaint [PDF] alleges Amazon and Amazon Advertising have been "surreptitiously tracking and selling California residents’ sensitive movements and locations."
The legal filing takes issue with the Amazon Ads SDK, a software library that the e-commerce giant provides to third-party app makers to serve ads, while also allegedly collecting user data.
Ad tech firms like Amazon, Google, and Meta provide software development kits (SDKs) so that developers can monetize their apps without reinventing commonly used code patterns every time. The cost of this convenience is that the SDK maker, in addition to the app developer, may gain access to valuable data, a fact that's often buried in terms of service or not disclosed at all.
"The data that Amazon collects from unsuspecting consumers is incredibly sensitive," the complaint asserts. "Amazon collects timestamped geolocation data that reveals where a consumer lives and works, and which locations they frequent.
"The collected location data reveals sensitive information about each consumer, such as their religious affiliation, sexual orientation, and medical conditions. This enormous volume of data enables Amazon and its advertising partners to build a comprehensive profile about each consumer, including their movements and whereabouts."
Concerns about data gathering through SDKs implemented by third parties go back years, a testament to weak US state and federal privacy laws. Last year, however, the US Federal Trade Commission took action against data broker Mobilewalla and analytics firm Gravy Analytics over similar data privacy concerns.
In its discussion of the matter, the FTC echoed the claim made in the Amazon lawsuit that geolocation data shared to target advertisements "can reveal visits to healthcare facilities, churches, labor unions, military installations, and other sensitive locations."
More recently, the Attorney General of Texas accused insurance firm Allstate Corporation and its mobile analytics subsidiary Arity of gathering similarly sensitive data without consent via the Arity SDK. Allstate insists that its activities comply with the law.
With regard to Amazon, the complaint contends that the data collection occurred through various third-party apps that implement the Amazon Ads SDK, including NewsBreak and Speedtest by Ookla.
"The problem with the Amazon Ads SDK is that consumers do not know that by interacting with an app which has embedded the SDK that their sensitive data is being surreptitiously siphoned off by an unknown third party," the complaint says.
"Consumers are never informed about Amazon’s SDK nor are they allowed to opt-in or opt-out of Amazon’s data collection practices—if they even know what the Amazon Ads SDK is, let alone that it is embedded in the apps they are using. Amazon’s unauthorized data collection was neither incidental nor accidental, but designed to covertly siphon sensitive data from consumers’ mobile devices."
Amazon did not immediately respond to a request for comment.
The complaint makes claims under California Penal Code § 638.51, which prohibits the use of a "pen register" for covert recording or wiretapping, and the state's Comprehensive Computer Data Access and Fraud Act (CDAFA).
California courts have reached different conclusions about the applicability of the wiretapping law to SDK-based data collection. And similar privacy claims, such as a lawsuit filed last year against Twilio over SDK-based data collection that cites the CDAFA, remain unresolved. ®