Understanding GDPR Non-Compliance in Privacy Policies of Alexa Skills in European Marketplaces

Published: 23 Jan 2024, Last Modified: 23 May 2024, TheWebConf24
Keywords: Amazon Alexa, GDPR, privacy policy
Abstract: Amazon Alexa is one of the largest Voice Personal Assistant (VPA) platforms and it allows third-party developers to publish their voice apps, named skills, to the Alexa skill store. To satisfy the needs of European users, Amazon Alexa established multiple skill marketplaces in Europe and allows developers to publish skills in their native languages, such as German, French, Italian, and Spanish. Skills targeting users in European countries are required to comply with GDPR (General Data Protection Regulation), which imposes strict obligations on data collection and processing. Skills that involve data collection should provide a privacy policy to disclose the data practice to users and meet GDPR requirements. In this work, we analyze privacy policies of skills in European marketplaces, focusing on whether skills’ privacy policies and data collection behaviors comply with GDPR. We collect a large-scale European skill dataset that includes skills in all European marketplaces with privacy policies. To classify whether a sentence in a privacy policy provides GDPR information, we gather a labeled dataset consisting of skills’ privacy policy sentences and train a BERT model for classification. Then we analyze the GDPR compliance of European skills. Using a dynamic testing tool based on ChatGPT, we check whether skills’ privacy policies comply with GDPR and are consistent with the actual data collection behaviors. Surprisingly, we find that 67% of privacy policies fail to comply with GDPR and don’t provide necessary GDPR-related information. For 1,187 skills with data collection behaviors, we find that 603 skills (50.8%) don’t provide a complete privacy policy and 1,128 skills (95%) have GDPR non-compliance issues in their privacy policies. Meanwhile, we find that the GDPR has a positive influence on European privacy policies when compared to non-European marketplaces, such as the United States, Mexico and Brazil.
Track: Responsible Web
Student Author: Yes
Submission Number: 538