Amazon announced its plans to acquire iRobot, maker of the popular Roomba robotic vacuums, just weeks after the company announced it was acquiring One Medical, a tech-forward concierge medical company.
With the acquisition of companies that provide personal services, such as medical or in-home cleaning devices, for example, Amazon stands to obtain massive amounts of personal data, a valuable commodity in today’s climate. The scary part is that our current laws do not protect us from the compounded privacy risks that arise when corporate behemoths own so much of our personal information.
Amazon has shared consumer Ring video footage with law enforcement without user permission at least 11 times so far this year.
In just under three decades, Amazon has grown from a scrappy e-commerce startup to a multifaceted corporate goliath. In addition to the e-commerce business that first launched Amazon into the tech stratosphere, Amazon now owns a number of subsidiaries, including Amazon Web Services, Ring and Whole Foods. From a privacy standpoint, this means that Amazon already has direct access to vast quantities of consumer data, from your Whole Foods shopping history to your Amazon Prime watchlist to raw video fed directly from Ring cameras installed on your (or your neighbor’s) front door.
Acquisitions of more companies and services will only lengthen its reach into consumers’ personal lives. iRobot’s home cleaning products include smart vacuums and mops that can map out the layout of your entire home. When combined with Amazon Echo’s always-on voice assistants, plus Ring’s video surveillance, Amazon will soon have the potential to be fully enmeshed in every part of your home. One Medical runs a network of subscription-based health care clinics, which means that Amazon will soon get its hands on One Medical’s stores of private user data related to health information.
The ultimate question is, what happens when our data falls into the wrong hands? The short answer is that our legal system simply does not yet have a solution in place. It is always a mistake to give up our privacy in exchange for convenience.
Amazon hasn’t always been the best steward of its consumer data. For example, the company recently admitted that Amazon has shared consumer Ring video footage with law enforcement without user permission at least 11 times so far this year. Amazon has also allowed police use of Rekognition, its flawed facial recognition program, though the company banned this practice indefinitely in June 2020.
Even if Amazon tries to protect consumer privacy over profits (there is no promise that it will), there are still risks involved with any mass collection of consumer data, especially at this enormous scale. Malicious third parties can hack into corporate systems and expose consumer information. Data brokers and aggregators can buy and repackage data from multiple sources, compounding the risks of reidentification of personal information, making it more likely that information that was once private can be linked to individuals.
And Amazon isn’t the only tech giant using strategic mergers and acquisitions to consolidate and grow its access to personal data. In the past, Meta (the company formerly known as Facebook) received backlash for consolidating its market power through acquisitions of WhatsApp (messaging), Instagram (social media) and Oculus (virtual reality gaming). Alphabet Inc. (Google’s parent company) has also branched out in the past, with acquisitions as diverse as self-driving car company Waymo and health care wearable company Fitbit.
Current privacy laws do not fully protect our privacy rights, especially at a time when tech giants like Amazon, Meta, and Alphabet are buying up all our data. Current privacy laws do not fully protect our privacy rights, especially at a time when tech giants like Amazon, Meta, and Alphabet are buying up all our data. We currently have no federal privacy law and thus no baseline regulation that provides standardized protections for privacy across all 50 states. Instead, we have a patchwork system of state laws and regulations that vary by industry, making it difficult for any company, giant or not, to fully comply with all privacy regulations. For example, in the health care industry, you might have heard of HIPAA, the Health Insurance Portability and Accountability Act. However, what you might not know is that HIPAA is incredibly limited and only protects certain kinds of health information when electronically transmitted in scenarios involving a select category of health care provider. HIPAA is not a broad regulation that protects health privacy in all cases. There are also exceptions to HIPAA that allow law enforcement to access to medical records, something that came up recently in a Nebraska case in which law enforcement obtained access to records from Facebook and from a health care provider in order to prosecute a teen and her mom for performing an at-home abortion. Recently, both Sens. Josh Hawley, R-Mo., and Amy Klobuchar, D-Minn., separately called on the Federal Trade Commission to investigate the One Medical deal for potential antitrust violations. It’s true that the FTC and the Justice Department should look into these Amazon deals for anti-competition reasons, as Amazon continues to consolidate its market power across sectors. But Amazon’s recent acquisitions do not only raise issues of market competition and power imbalance; they also highlight privacy risks we cannot ignore any longer. Our current privacy regulatory regime is not enough to protect our fundamental right of privacy. We need comprehensive privacy legislation on a federal level, and we need to make sure that any new federal privacy law includes special protections for sensitive categories of data, including personal health information. We also need legislative protection against government abuse of access to consumer data to protect against unreasonable searches that violate our constitutional right to privacy. The more of our private data these tech giants own, the more they will be able to invade our privacy. Even worse, the more this happens, the more we also begin to expect that our privacy will be invaded. Over time, we normalize these privacy violations, so much so that eventually, our society stops believing in privacy. By not protecting privacy today, we may risk losing privacy forever.
Tiffany C. Li
Tiffany C. Li is a technology lawyer and legal scholar. She is an assistant professor of law at the University of New Hampshire School of Law and a fellow at Yale Law School's Information Society Project. 
