An Open Letter to Amazon about Privacy

Mozilla and six other organizations are urging Amazon: Make privacy policies mandatory for all third-party connected devices

July 15, 2019
Dharmesh Mehta
Vice President
Consumer and Brand Protection
Amazon Corporation

Dear Mr. Mehta,

We the undersigned are writing to express our deep concern that third-party vendors are not currently required to have a privacy policy in order to sell internet-connected devices on your platform.

Earlier this year, Mozilla, Internet Society and Consumers International sent our minimum security guidelines for internet-connected devices. One of those standards related to privacy policies and called for products to have privacy policies that are “easily accessible, written in language that is easily understood and appropriate for the person using the device or service at the point of sale.”

Alarmingly, it appears that a number of third-party vendors are selling IoT products through Amazon’s platform that may collect sensitive data from users, but these vendors do not appear to have any privacy materials online. While we realize that Amazon is not selling these products, we know that Amazon does require vendors to go through a vetting process before being able to list their products on your platform, and yet it appears that the inclusion of a privacy policy is not part of that process.

Amazon is a market leader and making this change would have far reaching implications. A mandate from Amazon would force manufacturers to give privacy more thought, and could cull the worst offenders from Amazon’s digital shelves. The mandate could also help address products with opaque supply chains — that is, insecure devices that are manufactured, bought and rebranded by another entity, and then sold to consumers.

We note that in other areas of its business, Amazon already requires third-party providers to comply with terms that preclude violations of privacy. For example, in order to access apps offered through Amazon Web Services (AWS), customers must agree to the AWS Acceptable Use Policy, which prevents them from using the services for illegal or harmful use.

Consumer privacy is paramount — and violations of consumer privacy by third-party providers create considerable risk for Amazon, its shareholders and its users.That’s why Mozilla, Internet Society and Consumers International released the minimum security guidelines to make the IoT ecosystem more private and secure. The undersigned organizations believe these should be mandatory for all connected devices, which is why we’re now turning to you as one of the world’s largest retailers to enforce just one of those guidelines by requiring privacy policies for all connected devices sold on your platform.

Sincerely,

Mozilla
Internet Society
Open MIC (Open Media and Information Companies Initiative)
Campaign for a Commercial-Free Childhood
Fight for the Future
Privacy International
Consumer Federation of America