Published on: 24th December 2025
Authored by: Abhinav Dwivedi
The West Bengal National University of Juridical Sciences
About Amazon
Amazon is an American multinational company with a global presence. It operates as an online platform for buying and selling products, provides cloud computing services, and facilitates online advertising. Amazon ranks among the largest companies in the world.[1]
Jeff Bezos founded the company on July 5, 1994, in Bellevue, Washington. Amazon initially started as an online book marketplace but gradually expanded to offer a diverse range of products. The company’s quarterly revenues are expected to reach approximately \$186 billion.[2] Currently, about 100 million users are registered in India,[3] while approximately 184 million users are registered worldwide.[4]
These figures reveal that approximately 184 million people have entrusted their data to the company. However, whether Amazon has kept user data secure or allowed it to circulate among other companies remains a critical question. Before examining this issue in depth, it is essential to discuss the importance of privacy in the digital world.
Importance of Individual Privacy in the Digital World
Privacy fundamentally concerns respecting individuals. When a person has a rational desire to keep something private, that choice deserves respect, and encroaching on their private matters constitutes disrespect. Privacy enables people to manage their dignity and establish boundaries within society. Privacy also serves as a check on government power.[5]
Digital privacy forms part of the broader concept of privacy, focusing primarily on the proper handling and use of sensitive data—including personal information, communications, and conduct generated and disseminated within digital environments.
In today’s data-driven world, digital privacy has become vital. Individuals use digital platforms for various purposes, generating massive amounts of personal data that, if misused, could reveal intimate details about their lives, including sensitive financial information and personal health records.
Digital privacy is critical because it establishes boundaries that protect users from unwanted data intrusions and manipulations while safeguarding human dignity and individual liberty. Digital privacy also plays an essential role in maintaining healthy democratic societies. It allows for unfettered thought and expression, fostering diversity of ideas and perspectives while preventing manipulative influences. In the business world, strong digital privacy practices encourage client trust and establish corporate reputation—factors vital for growth and success in competitive marketplaces.[6]
Overview of Amazon’s Privacy Policy
What Personal Data Does Amazon Collect?
Amazon gathers personal data to improve its products and services. The types of information collected include:[7]
User-Provided Data: Users send data directly to Amazon Services, which is stored for service development. Users can decline to disclose certain information but may lose access to some services.
Automatic Information: Amazon collects data about user interactions with its services through cookies and unique identifiers. This includes data collected when a user’s browser or device accesses Amazon content.
Third-Party Information: Amazon may acquire information from third parties, such as updated carrier delivery details, to correct records and ensure smoother deliveries.
Purpose of Data Collection
Amazon uses collected data for several purposes:
Order Management: To accept orders, complete transactions, handle payments, and inform customers about their orders and special offers.
Service Improvement: To enhance Amazon Services through performance analysis, error correction, and usability improvements.
Personalization: To improve user experience by recommending goods and services based on user preferences.
Voice and Image Services: To process photos and voice inputs through services like Alexa.
Legal Compliance: To fulfill legal requirements, such as confirming seller identities.
Communication: To establish connections with users through various methods.
Advertising: To display interest-based advertisements without personally identifiable data.
Fraud Prevention: To identify, prevent, and evaluate credit risks.
Cookies
Amazon uses cookies, pixels, and similar technologies to improve user experience and deliver necessary services. These cookies support user recognition upon login, preference tracking (including interest-based advertisements), shopping basket maintenance, and research to enhance services and content. They also provide relevant advertisements, strengthen security, and prevent fraud.
Users may be unable to access necessary functions like checkout and shopping carts if cookies are disabled. Authorized third parties may also place cookies to measure and deliver advertisements. While users can control cookie settings through their browsers, blocking all cookies may result in reduced functionality on Amazon.com and require manual preference adjustments.
Sharing of Information by Amazon
Amazon states that it does not sell user data and shares information only as necessary to fulfill its purposes, except in cases involving third-party transactions or business-related transfers.
How Amazon Secures Information
Amazon encrypts personal information during transmission and adheres to the Payment Card Industry Data Security Standard (PCI DSS) when handling payment data. The company employs physical, electronic, and procedural measures to protect data at all stages and may require identity verification before revealing information. Amazon devices also offer customizable security options to prevent unauthorized access. Users are advised to keep their accounts secure and log out on public devices after use.
Third-Party Advertising
Amazon Services may display third-party advertisements and links to other sites. These advertisers or partners might collect information when users engage with their ads. Amazon shares non-identifying information (such as cookies and device IDs) with advertisers to help them present relevant advertisements and measure effectiveness. To prevent duplicate advertisements, Amazon can share an advertising ID with users who have installed Amazon apps. Certain third-party advertising networks can use this information to present relevant advertisements from other sources.
Information Users Can Access
The “Your Account” page on Amazon’s website or app enables users to view and control personal details, including name, address, payment options, profile information, Prime membership, household settings, and purchase history.
User Choices
Amazon customers can change account or app settings to avoid in-app notifications or interest-based advertising. They can also edit their details, which Amazon may retain for record purposes, and control their communications, advertisements, and service preferences. Blocking cookies can limit functionality, such as adding products to carts or checking out, but users remain free to log out and block cookies.
Children’s Access to Amazon Products
Amazon does not permit children to make purchases directly. Products intended for children are available, but only adults can purchase them. Users under 18 can use Amazon Services only under adult or parental supervision.
Legal Terms
By using Amazon Services, users accept the Privacy Notice and Conditions of Use, which apply to privacy disputes, harm limitations, and conflict resolution under Indian law. Privacy issues may be brought to Amazon for resolution. As Amazon’s business evolves, users are invited to review new versions of the Privacy Notice. Amazon pledges not to diminish protections for past customer information without customer approval.
Issues with Amazon’s Privacy Policy
Third-Party Data Collection
Amazon gathers data from third parties, including carriers, credit bureaus, and affiliates. Users might not be notified about what data these external sources provide to Amazon.
Issue: This external data gathering gives users minimal ability to control what data is collected, how accurate it is, and how it is utilized.
Automated Information Gathering
Amazon collects considerable automated information through cookies and device IDs, including browsing history and device usage patterns. Although consumers can opt out of certain tracking, cookies are necessary for many Amazon services, making it challenging to avoid all tracking without disrupting the user experience.
Issue: Even when customers adjust cookie settings or opt out of targeted advertisements, Amazon can collect their automatic data in large quantities for profiling user behavior—a purpose that may not be fully transparent to customers.
Data Retention
Amazon’s privacy notice does not specify how long personal data is stored. Although customers can delete their accounts or data, Amazon retains this information for “legal obligations” or “business purposes” indefinitely.
Concern: Personal data might be stored longer than consumers expect or desire, even after services are terminated.
Policy Modifications Without User Consent
The policy states that it can be changed without notice, and users bear responsibility for staying informed about modifications. Amazon has the right to amend the policy provided they inform users.
Issue: Although Amazon promises to make only those modifications that decrease safeguards with user agreement, consumers not monitoring updates risk unwittingly agreeing to revised policies that infringe on their data rights.
Widespread Use of Third Parties
Amazon extensively utilizes third-party service providers for shipping, payment processing, and advertising. Although these organizations are contractually bound to protect data, extensive third-party involvement increases risks of misuse or data breaches. Amazon cannot maintain total control over how each third party handles or protects customer information.
Concern: Despite Amazon’s assurances that third parties must comply with its privacy guidelines, some service providers could use data beyond Amazon’s intended purposes.
Business Transfers
If Amazon sells portions of its business or assets, customer data may be transferred as part of the transaction. While Amazon states it will honor existing privacy agreements, acquiring companies may change practices or policies later.
Concern: Users lack precise control over whether their data can be transferred in such transactions. This poses risks if buyers have conflicting privacy practices.
Legal Obligations and Government Requests
Amazon complies with legal standards, meaning it may disclose user data to law enforcement or other governmental agencies when required. While this practice is standard among most firms, the policy does not specify how much information is supplied or whether Amazon contests such requests.
Concern: Certain jurisdictions risk over-sharing or complying with authorities without sufficient judicial scrutiny and transparent handling of such requests.
Case Studies of Amazon’s Privacy Breaches
Amazon Ring’s Privacy Breach
Amazon’s Ring doorbell cameras faced criticism for privacy violations when it was revealed that employees and contractors had access to video recordings.[8] These employees could sometimes access video recordings without user permission. Ring subsequently strengthened its security procedures and enabled customers to opt out of sharing data with law enforcement. The corporation also enhanced its privacy measures and required two-factor verification.
Alexa Eavesdropping Concerns
Alexa, Amazon’s voice assistant, was found to record conversations beyond specific commands, creating privacy concerns.[9] In some circumstances, consumers learned that Alexa mistakenly captured private conversations and saved them on Amazon servers. Amazon claimed these recordings were made to improve Alexa’s functioning but later allowed users to delete them. Privacy advocates and watchdogs have expressed concerns about how this data is handled.
Amazon’s Data Sharing with Law Enforcement
In some cases, Amazon shared user data, particularly from Ring cameras, with law enforcement authorities without user consent.[10] This practice raised concerns about privacy rights and the possibility of surveillance without transparency.
GDPR Fine from the European Union
In 2021, the European Union imposed a record €746 million (approximately \$877 million) penalty on Amazon for alleged GDPR violations.[11] The Luxembourg National Commission for Data Protection (CNPD) concluded that Amazon’s data processing methods violated user privacy rules by gathering excessive personal data for advertising purposes without sufficient user consent.[12]
Each situation has raised concerns about Amazon’s privacy practices, stimulating public debate and driving the company to implement stricter privacy protections and procedures.
Recommendations
Several enhancements to Amazon’s privacy policy could increase transparency, data security, and user control. These improvements would better align with evolving data privacy standards and legislation, such as the General Data Protection Regulation (GDPR),[13] California Consumer Privacy Act (CCPA), Digital Personal Data Protection (DPDP) Act,[14] and Information Technology Act.[15] The following recommendations address critical areas for improvement:
1. Clear Data Retention Policy
Amazon should specify how long customer data is retained for different purposes, such as account administration, transactions, and legal responsibilities. Clear retention periods would help users understand how long their data is maintained and provide mechanisms for requesting erasure when accounts are closed.
Why It Matters: Defined retention periods increase trust while reducing the risk of unnecessary data exposure.
Example: “We maintain customer data for X years after an account is closed to meet legal responsibilities and detect fraud. Following that period, the data is permanently destroyed.”
2. Granular User Consent and Control
Provide more extensive controls for users to govern the data they share with Amazon and third parties. Users should be able to opt in or out of specific data-gathering practices beyond cookies and advertising, including device metrics, browsing history, and voice recordings.
Why It Matters: Offering more specific user control ensures that Amazon respects individual privacy preferences and adheres to relevant legislation.
Example: “Users can customize their data-sharing preferences under ‘Account Settings,’ including toggles for sharing browsing data, shopping behavior, and device usage.”
3. Enhanced Transparency Around Third-Party Data Sharing
Provide a detailed, easily accessible list of third parties with whom data is shared and specify the reasons data is provided. The policy should clarify whether and how third parties may use data for advertising, analytics, or other purposes.
Why It Matters: Increased transparency enables users to better understand where their data goes and how it is utilized, reducing concerns about misuse or over-sharing.
Example: “Click here to view the list of third-party providers we work with and the specific purposes for which they use your data.”
4. Periodic Privacy Audits and Reporting
Conduct periodic privacy audits by independent third-party organizations to ensure Amazon meets its privacy commitments. Publish annual privacy reports outlining how data is managed, any breaches that occurred, and the number of third-party access requests (for example, from law enforcement).
Why It Matters: Independent audits foster confidence and accountability, ensuring that Amazon consistently enforces privacy safeguards.
Example: “Independent experts assess our privacy practices annually. We produce a privacy transparency report detailing third-party access requests and incidents.”
5. Limit Scope of Third-Party Data Usage
Restrict third-party suppliers from using Amazon customer data for purposes other than providing agreed-upon services. Implement robust contracts that prohibit partners from using data for independent purposes, such as analytics or targeted advertising, without user permission.
Why It Matters: Restricting third-party data use reduces the risk of privacy infractions and makes data handling more predictable for users.
Example: “Third-party providers may only use Amazon customer data for performing contracted services and are prohibited from using data for independent commercial purposes.”
6. Data Minimization and Anonymization
Adopt data minimization techniques in which Amazon collects only information essential to providing services. Any data not necessary for service performance should be anonymized or deleted. This includes anonymizing data used for targeted advertisements or analytics, such as browsing history and purchasing patterns.
Why It Matters: Reducing the amount of personal data collected and retaining only what is essential minimizes the risk of data breaches and misuse.
Example: “We only collect data required to provide and improve our services. All non-essential data is anonymized to prevent personal identification.”
7. User-Friendly Opt-Out Mechanisms
Provide clear opt-out options for all types of data collection and sharing, not just cookies. Offer a single, consolidated page where users can manage advertising settings, tracking preferences, and third-party data sharing in a user-friendly manner.
Why It Matters: Simplifying the opt-out process for tracking or data sharing empowers users while demonstrating respect for their privacy.
Example: “Manage all your data-sharing preferences and advertising settings on one page, accessible through your account settings.”
8. Data Portability and Deletion Rights
Make it easier for users to download or delete their data. Ensure this process is seamless and transparent, with clear timelines and confirmation of deletion.
Why It Matters: Giving users control over their data builds trust in Amazon’s privacy practices and ensures compliance with data protection legislation.
Example: “Download your data or request deletion from your account. We process deletion requests within X days.”
9. Limited Legal Disclosure
Develop more detailed standards for how Amazon handles government and law enforcement requests for user data. Implement and publicize a policy of contesting excessive or overly broad data requests.
Why It Matters: Users are increasingly concerned about how firms handle government access to personal information. Transparent treatment of such requests fosters trust.
Example: “We notify you when legal requests for your data are made unless prohibited by law. We oppose requests that are unduly broad or incompatible with privacy rights.”
10. Transparency in AI and Voice Data Use
Clarify how Amazon uses AI systems (such as Alexa and voice recognition) to process and store voice data. Specify how long voice recordings are kept, whether they are shared with third parties, and what mechanisms are available to delete voice data.
Why It Matters: As more users adopt AI-driven services like Alexa, addressing concerns about handling sensitive voice data is essential.
Example: “Voice recordings associated with your account can be reviewed and deleted at any time. We retain voice data for no longer than X days unless required by law.”
11. Stronger Data Encryption Standards
Use industry-standard encryption techniques to protect all customer data in transit and at rest. Enable two-factor authentication (2FA) for all sensitive actions, such as logging in or modifying personal information.
Why It Matters: Strong encryption and multi-factor authentication safeguard user accounts from unauthorized access and data breaches.
Example: “All personal data is encrypted using X-level encryption. Enable two-factor authentication to improve account security.”
12. Explicit Consent for Policy Changes
Require explicit user approval whenever significant changes are made to the privacy policy, particularly those that may undermine privacy protections. Changes should be implemented only after notifying users and receiving their approval.
Why It Matters: Ensuring user consent for policy changes guarantees customers maintain control over their data even as Amazon evolves.
Example: “We will obtain your permission before making any changes that impact your privacy. You will receive notification via email or through your account.”
Conclusion
Amazon’s privacy policy, though comprehensive, contains many areas where improvements could better protect privacy by aligning with the latest data protection standards. As a technology leader that has amassed vast amounts of data, Amazon’s approach must be rigorous, transparent, and flexible enough to adapt to the evolving regulatory landscape, including the DPDP Act, GDPR, OECD principles, and CCPA.
The policy effectively outlines how Amazon collects data, including user-provided information, automatically gathered data, and third-party access. However, the potential for user data to be used in ways that lack transparency remains a concern. The policy could be strengthened by explicitly specifying data retention periods, providing users with granular control over consent, and establishing clear parameters around data sharing with third parties and government agencies.
Moreover, Amazon should adopt industry-leading data minimization and anonymization practices, introduce robust opt-out mechanisms, and enforce stronger encryption standards. The company should move beyond mere compliance to genuinely uphold user privacy. Implementing these measures would not only fulfill legal obligations but also strengthen user trust.
While Amazon has established a foundational privacy policy, significant room exists for improvement in transparency, data management, and security. By proactively addressing these issues, Amazon could strengthen its commitment to privacy while setting high standards in this evolving digital landscape.
References
[1] About Amazon, AMAZON INDIA, https://www.aboutamazon.in/?utm_source=gateway&utm_medium=footer (last visited Dec. 24, 2025).
[2] Amazon vs Walmart Revenue and Profit Comparison 2010-2024, FORRESTER, https://www.forrester.com/blogs/amazon-vs-walmart-revenue-and-profit-comparison-2010-2024/ (last visited Dec. 24, 2025).
[3] Ten Amazon Statistics, SHIPROCKET, https://www.shiprocket.in/blog/ten-amazon-statistics/ (last visited Dec. 24, 2025).
[4] Amazon Prime Users, BACKLINKO, https://backlinko.com/amazon-prime-users (last visited Dec. 24, 2025).
[5] 10 Reasons Privacy Matters, TEACH PRIVACY, https://teachprivacy.com/10-reasons-privacy-matters/ (last visited Dec. 24, 2025).
[6] What is Digital Privacy and Its Importance, IEEE DIGITAL PRIVACY, https://digitalprivacy.ieee.org/publications/topics/what-is-digital-privacy-and-its-importance (last visited Dec. 24, 2025).
[7] Amazon Privacy Notice, AMAZON INDIA, https://www.amazon.in/gp/aw/help/?id=200534380 (last updated Apr. 25, 2024).
[8] FTC Says Ring Employees Illegally Surveilled Customers, Failed to Stop Hackers from Taking Control of Users’ Cameras, FEDERAL TRADE COMMISSION (May 31, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-says-ring-employees-illegally-surveilled-customers-failed-stop-hackers-taking-control-users.
[9] Alexa Has Been Eavesdropping on You This Whole Time, WASHINGTON POST (May 6, 2019), https://www.washingtonpost.com/technology/2019/05/06/alexa-has-been-eavesdropping-you-this-whole-time/.
[10] Amazon Gives Ring Videos to Police Without User Consent or a Warrant, ASSOCIATED PRESS (July 13, 2022), https://apnews.com/article/technology-edward-markey-congress-government-and-politics-244f59188ee3414495452c955c11b89b.
[11] Amazon Hit with Record EU Fine Over Privacy Violations, WASHINGTON POST (July 30, 2021), https://www.washingtonpost.com/business/2021/07/30/amazon-record-fine-europe/.
[12] Kamal Afifi-Sabet, Amazon Faces £637 Million Fine Over GDPR Violations, IT PRO (2021).
[13] General Data Protection Regulation, 2016 O.J. (L 119) (EU).
[14] Digital Personal Data Protection Act, No. 22 of 2023, INDIA CODE (2023).
[15] Information Technology Act, No. 21 of 2000, INDIA CODE (2000).
