Amazon has implemented significant changes to the privacy settings of its Echo devices, raising concerns among users about the trade-off between convenience and data security. Starting March 28, 2025, all Alexa voice recordings will automatically be sent to Amazon’s cloud for processing, eliminating the option for local processing that previously allowed users to keep their data off Amazon’s servers.
The discontinued "Do Not Send Voice Recordings" feature was available on select Echo devices, including the Echo Dot (4th Gen), Echo Show 10, and Echo Show 15. This feature allowed audio commands to be processed locally on the device instead of being transmitted to Amazon’s cloud. However, Amazon has now replaced it with a "Don’t Save Recordings" setting, which deletes recordings after processing but still requires them to be sent to the cloud initially.
Amazon justified the move by citing its efforts to enhance Alexa’s capabilities with generative AI features that rely on cloud processing. The company stated that these changes are necessary to support Alexa+, a new AI-powered version of its voice assistant designed to provide more conversational and personalized interactions.
While users can still opt for the "Don’t Save Recordings" setting, doing so disables certain features like Voice ID. Voice ID allows Alexa to recognize individual voices and provide personalized responses, such as tailored calendar reminders or music playlists. Amazon has reassured customers that voice recordings will be encrypted during transmission and deleted after processing if the "Don’t Save Recordings" setting is enabled.
The changes are part of a broader trend in the tech industry toward integrating AI into smart home devices. Amazon hopes its revamped Alexa+ service will compete with offerings from Apple, Google, and other companies investing heavily in generative AI technologies.
Here is Amazon’s message to affected Echo customers: "We are reaching out to let you know that the Alexa feature 'Do Not Send Voice Recordings' that you enabled on your supported Echo device(s) will no longer be available beginning March 28th, 2025. This feature allowed compatible Echo devices to process the audio of Alexa requests locally on device. As we continue to expand Alexa’s capabilities with generative AI features that rely on the preceding power of Amazon’s secure cloud, we have decided to no longer support this feature. If you do not take action, your Alexa Settings will automatically be updated to 'Don’t save recordings.' This means that, starting on March 28th, your voice recordings will be sent to and processed in the cloud, and they will be deleted after Alexa processes your requests. Any previously saved voice recordings will also be deleted. If your voice recordings setting is updated to 'Don’t save recordings,' voice ID will not work and you will not be able to create a voice ID for individual users to access more personalized features."
It is important to note that only a handful of Echo devices supported the feature. According to Amazon, these were the 4th generation Echo Dot, and the Echo Show 10 and 15. The feature was also only available for users in the United States who set the device language to English. While that certainly limits the number of affected users, it certainly won’t sit well with users who do not want their voice data transmitted to the cloud. Whereas other companies launch on-device processing features, it appears that Amazon has decided to focus solely on the cloud.
As more and increasingly nuanced privacy and AI-related issues gain traction among regulators and consumers alike, organizations should expect increased scrutiny not only at the state level but potentially on a federal level as well. Recent cases spurred by the Texas Attorney General (and other Attorneys General or AGs) are prime examples of what organizations can expect in terms of new investigative trends at the intersection of data privacy and advanced technologies.
While federal privacy legislation has faltered year after year in the United States, privacy is one topic that tends to draw a measure of bipartisan support, meaning that the upcoming shift in political leadership may not lessen the momentum for regulatory action. Even in the absence of federal data privacy regulation, enforcement is expected to remain active at the state level. Investigations often start small but can quickly snowball into broader reputational crises.
For example, inquiries into companies’ practices in areas like children’s privacy or AI ethics often lead to scrutiny from stakeholders far beyond regulators, including investors, media, customers, and advocacy groups. These investigations may not always yield formal penalties, but the heightened attention they generate can amplify negative narratives and set off a chain reaction of reputational harm.
Strategic, forward-thinking organizations need to prepare on two fronts: substance and communication. Real investment in privacy practices is foundational to building long-term organizational resilience. The privacy challenges of today are evolving rapidly, especially with the integration of AI into consumer-facing and business operations. Companies need governance frameworks that not only address existing regulatory requirements but also anticipate emerging challenges in AI ethics, algorithmic transparency, and data protection.
Good governance starts with embedding privacy into core business operations and decision-making processes. Organizations that rely on AI must also prioritize oversight mechanisms that allow them to identify and mitigate risks before they escalate into public crises. This means engaging stakeholders from compliance and legal teams to technical and product leads in ongoing risk assessments.
A review of the recent cases in Texas suggests several areas on which organizations may wish to focus: Ethics, Trust, and Reputation Management. Trust is becoming a major differentiator. Companies appear to be judged not just by what they achieve but by how they achieve it. In numerous examples, the rise of dark patterns and secret data collection has led to lawsuits and reputational harm. Ethical data handling and values-driven decision-making are crucial for brand reputation.
Consumers increasingly prefer to do business with companies that are transparent, accountable, and privacy conscious. Organizations may wish to integrate ethical considerations into corporate strategy and consider creating an ethical review board to assess new AI, data, and technology deployments to ensure alignment with public expectations.
Companies that engage with children (e.g., social media, gaming, and educational platforms) face growing regulatory pressure to obtain parental consent for the collection of children’s data. Companies that offer digital services, educational apps, and social platforms used by children under 13 must ensure they comply with Children’s Online Privacy Protection Act (“COPPA”) in the United States and similar laws globally. Companies must also verify parental consent and implement child-appropriate privacy practices.
Regulatory authorities are cracking down on companies that use dark patterns, which are design tricks that manipulate users into making decisions that benefit the company, like clicking “accept” on broad data-sharing permissions. The Texas Attorney General has directly targeted companies for allegedly using interfaces and consent workflows that fail to obtain consent.
Companies with customer-facing digital interfaces (e.g., websites, apps, and e-commerce platforms) must ensure that user experiences are fair, transparent, and free of manipulative tactics. Regulators are scrutinizing “consent fatigue” and are enforcing rules that require companies to present clear, accessible, and unambiguous opt-in options. Companies should review their user interfaces and consent flows to ensure they align with regulatory definitions of “clear consent.”
A strong communications program ensures companies can articulate a clear, consistent narrative to stakeholders and maintain trust, even amid shifting consumer expectations and regulatory attention. Even organizations with robust privacy practices often falter when it comes to communication. Public trust hinges on the ability to both demonstrate good faith in addressing privacy and articulate a clear, consistent narrative to stakeholders.
Organizations that excel in this space adopt three key strategies: Proactive Positioning, Crisis-ready Messaging, and Relationship-building. Companies need to communicate their commitment to privacy, data ethics, and AI responsibility consistently, and not just in times of crisis. Transparency and accountability are critical, but so is avoiding premature or misleading statements that may later undermine credibility.
As investigations like those currently underway in Texas become more common, organizations should expect to face intensified scrutiny from multiple angles. A single regulatory inquiry can cascade into broader challenges — spurring media coverage, prompting investor questions, and catalyzing in class-action lawsuits. Companies unprepared for this level of attention risk falling into a reactive stance, where they are perpetually on the defensive.
On the other hand, organizations that view privacy and AI governance as strategic imperatives will be better positioned to navigate this complex landscape. By marrying robust governance with proactive communications, they can build trust, reinforce their reputation, and emerge stronger from moments of scrutiny. This confluence of privacy, AI, and regulatory momentum should be viewed as a critical moment for taking decisive leadership.
For companies to thrive in this era of heightened attention, they must not only walk the walk by investing in substantive privacy measures but also talk the talk by aligning their practices with communications that inspire trust, confidence, and differentiation from less-responsible actors. The organizations that embrace this dual approach will not only weather today’s challenges but will set themselves apart as ethical leaders in the years to come.
