Exclusive content
Amazon is facing a proposed class action lawsuit that asserts it has secretly tracked and profited from the exact location data of its customers in California. The plaintiff, Felix Kolotinsky, a San Mateo, California resident, contends that the retail giant has been surreptitiously observing his movements through his mobile device. The lawsuit was filed on 29 January 2025 in a federal court in San Francisco.
Kolotinsky seeks to represent a class of California residents who used a mobile app embedded with the Amazon Ads SDK. An SDK (software development kit) is a set of programming tools that platforms offer developers to create applications. It enables the consolidation of various development resources in a single location. However, users have expressed concerns that integrating an SDK into a mobile device permits platforms to monitor the device owner’s personal information.
The proposed class action claims that Amazon gained “backdoor access” to users’ smartphones by distributing the Amazon Ads SDK to numerous app developers, allowing them to integrate this code into their applications.
This practice purportedly enabled Amazon to amass a significant volume of timestamped geolocation data, revealing where consumers reside, work, and shop. Thus, sensitive details such as their religious beliefs, sexual orientations, and health issues were disclosed.
The complaint asserts that Amazon has effectively fingerprinted consumers and correlated a vast amount of personal information about them without consumers’ knowledge and consent. The plaintiff alleges that the collection and sale of such sensitive information contravenes §638.51 and §502 of the California Penal Code.
Section 638.51 explicitly forbids the installation of “pen registers” without prior judicial authorization. It defines a “pen register” as a “device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is sent, excluding the content of the communication.”
Kolotinsky contends that Amazon’s SDK meets the criteria of a pen register, as it recorded timestamps related to consumers’ geographic locations and included data that could potentially identify consumers, such as device fingerprint information obtained from their mobile phones.
Section 502, the Comprehensive Computer Data Access and Fraud Act (CDAFA), protects consumers against tampering, interference, damage, and unauthorized access to legally established computer data and systems.
The plaintiff contends that class members’ cell phones qualify as “computers” or “computer systems” under the definition provided by the CDAFA, as these devices can interact with external files and execute functions such as arithmetic calculations, data storage, and communication. Kolotinsky claims that Amazon intentionally accessed the devices of the proposed class members without authorization, thereby breaching the provisions of the CDAFA.
Kolotinsky v Amazon.com Inc et al, U.S. District Court, Northern District of California, No. 25-00931.
