In a recent legal development, a group of California consumers has filed a class action lawsuit against Amazon.com, Inc., alleging that the technology giant secretly tracked and sold their sensitive data without obtaining proper consent. This lawsuit, initiated by plaintiff Felix Kolotinsky, was lodged in the US District Court for the Northern District of California San Francisco Division and is aimed at challenging Amazon’s data collection practices under state law.
The complaint highlights that the alleged data collection includes “timestamped geolocation data” that can ascertain an individual’s place of residence and work, alongside deeply personal information such as religious beliefs, sexual orientation, and medical history. The lawsuit claims that consumers were neither informed nor provided with an option to disallow the collection and sale of such sensitive data by Amazon. The plaintiff argues that these practices are in violation of Section 638.51 and Section 502 of the California Penal Code.
According to the legal filing, Kolotinsky contends that Amazon’s use of a Software Development Kit (SDK) constitutes an unauthorized “pen register” under Section 638.51, which lawfully requires prior court approval. The SDK’s role in timestamping geographical data and collecting other identifying information from users’ mobile devices allegedly breaches the state’s Comprehensive Computer Data Access and Fraud Act (CDAFA), which protects against unauthorized data access and tampering.
The broader context of this lawsuit is a growing awareness and concern over privacy and data security. Similar legal challenges have been faced by major companies such as Google, Apple, and Allstate, as consumer protection remains a prominent issue within the tech industry. Notably, in a separate case, the installation of SDKs has been a contentious legal matter, as illustrated by ongoing litigation against communications company Twilio, which is accused of similar unauthorized data collection practices.
This lawsuit against Amazon is indicative of the increasing vigilance in holding corporations accountable for data practices that may infringe on privacy rights and consumer protection laws. As the case proceeds, it will be closely watched for its implications on future regulatory standards and corporate data handling practices.
For more information, the original article from JURIST can be accessed here.