You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at epic.org.

In re: Facebook, Inc. Internet Tracking Litigation

Whether Facebook violated the privacy rights of users by tracking their web browsing history even after they logged out of the platform
    More top news »
  • Senate Committee Hears Testimony of Facebook Whistleblower » (Oct. 5, 2021)

    The Senate’s Subcommittee on Consumer Protection, Product Safety, and Data Security convened this morning to hear the testimony of a Facebook whistleblower about Facebook’s harm and the need for regulation. Frances Haugen, a former Facebook project manager, has come forward to reveal that Facebook knew that its platforms were harmful, especially to young users. Haugen filed complaints with the Securities and Exchange Commission and leaked documents to the Wall Street Journal which published a detailed investigation of Facebook. Today, Haugen testified that “Facebook has repeatedly misled the public about what its own research reveals about the safety of children, the efficacy of its artificial intelligence systems, and its role in spreading divisive and extreme messages.” She urged Congress to regulate Facebook, stating “there needs to be a dedicated oversight body” and “Facebook can change but it’s clearly not going to do so on its own.” EPIC advocates for the creation of a dedicated Data Protection Agency. EPIC has fought for transparency and accountability for Facebook's privacy abuses for over a decade, from filing the original FTC Complaint in 2009 that led to the FTC's 2012 Consent Order with the company, to moving to intervene in and filing an amicus brief challenging the FTC's 2019 settlement with Facebook.

  • Facebook Pauses Development of “Instagram Kids” » (Sep. 27, 2021)
    Facebook announced today that it is pausing its work on a kids’ version of Instagram after facing widespread criticism. In March 2021, reports leaked that Facebook was planning to build a version of Instagram for kids under the age of 13. Regarding today’s announcement, Fairplay’s Executive Director stated, “Today is a watershed moment for the growing tech accountability movement and a great day for anyone who believes that children’s wellbeing should come before Big Tech’s profits.” The earlier reports faced swift backlash as consumer protection advocacy groups and politicians asked Facebook to halt its plan. This announcement came after senators announced an investigation into Facebook’s negative effects on teenagers and a series of investigations by the Wall Street Journal which revealed that Facebook is aware of its harmful effects on users. EPIC signed onto a letter by Campaign for a Commercial-Free Childhood, now known as Fairplay, urging Facebook to cancel its plan for Instagram Kids. EPIC has fought for transparency and accountability for Facebook's privacy abuses for over a decade, from filing the original FTC Complaint in 2009 that led to the FTC's 2012 Consent Order with the company, to moving to intervene in and filing an amicus brief challenging the FTC's 2019 settlement with Facebook.
  • Senators Announce Probe into Facebook's Alleged Coverup of its Negative Influence on Children and Teens » (Sep. 15, 2021)
    Today, Senators Richard Blumenthal and Marsha Blackburn announced an investigation into Facebook’s knowledge and coverup of the harmful effects of Facebook’s Instagram on children and teenagers. The announcement follows a Wall Street Journal investigation which revealed that Facebook’s researchers found that Instagram is harmful to a “sizeable percentage” of its young users, most notably teenage girls. Internally, Facebook knew that Instagram’s effects on young people included increased anxiety and depression, body image issues, and thoughts of suicide. Publicly, CEO Mark Zuckerberg testified before Congress that Facebook’s research suggested that the use of its social media apps had positive mental health benefits to users. The Wall Street Journal uncovered several documents that “show that Facebook has made minimal efforts to address these issues and plays them down in public.” In response to Senators Blumenthal and Blackburn’s August 2020 request for Facebook to release its internal research on the matter, Facebook sent a six-page letter that did not include the company’s studies. EPIC has fought for transparency and accountability for Facebook's privacy abuses for over a decade, from filing the original FTC Complaint in 2009 that led to the FTC's 2012 Consent Order with the company, to moving to intervene in and filing an amicus brief challenging the FTC's 2019 settlement with Facebook.
  • Ireland's Data Protection Commission Fines WhatsApp €225 million » (Sep. 2, 2021)
    The Irish Data Protection Commission (DPC) fined Facebook’s WhatsApp €225 million ($266 million) for privacy violations following a GDPR investigation that began in 2018. In the decision, the data privacy regulator explained that WhatsApp breached the GDPR’s rules about data transparency, including when it processed user information between WhatsApp and other Facebook companies. While the €225 million fine is a record for the DPC and the second largest fine ever issued under the GDPR, privacy advocate and EPIC Advisor Max Schrems noted “[t]he DPC also proposed an initial € 50 million fine and was forced by the other European data protection authorities to move towards € 225 million, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover.” EPIC has long urged the Federal Trade Commission to block or unwind Facebook's acquisitions of Instagram and WhatsApp. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. Despite these problems, the FTC allowed the merger to go forward.
  • President Biden Signs Executive Order Requiring More Scrutiny of Tech Mergers and Data Privacy » (Jul. 9, 2021)

    President Biden today signed a wide-ranging executive order with the aim of promoting competition. EPIC has long argued that market consolidation in online platform threatens privacy. The Executive Order aims to address the ways in which dominant tech firms are undermining competition and reducing innovation in three ways: 1) greater scrutiny of mergers, especially by dominant internet platforms, with particular attention to the acquisition of nascent competitors, serial mergers, the accumulation of data, competition by “free” products, and the effect on user privacy; 2) encouraging the FTC to establish rules on "unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy"; and 3) encouraging the FTC to establish rules barring unfair methods of competition on internet marketplaces. More than a decade ago, EPIC urged the FTC to block Google’s proposed acquisition of DoubleClick. EPIC said that the acquisition would enable Google to collect the personal information of billions of users and track their browsing activities across the web. EPIC correctly warned that this acquisition would accelerate Google’s dominance of the online advertising industry and diminish competition. The FTC ultimately allowed the merger to go forward. EPIC has since repeatedly warned FTC that other mergers posed similar risks to consumer privacy and competition, including Facebook's acquisition of WhatsApp.

  • Facebook Backs Down from Forced WhatsApp Privacy Changes » (Jun. 1, 2021)

    WhatsApp previously threatened sanctions against users who would not accept the company’s new terms of use with weaker privacy protections, but backed down late Friday after a coalition of groups from around the world protested. Burcu Kilic, digital rights program director for Public Citizen, released the following statement in response: “Thank you for stopping what you never should have started. Now please also undo what you coerced millions of people into accepting.” In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook routinelyincorporates user data from companies it acquires and that WhatsApp users objected to the acquisition. The FTC approved the merger but told EPIC and CDD that "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook."

  • Irish High Court Orders DPC to Move Forward in Facebook Investigation » (May. 14, 2021)
    The Irish High Court today issued an order in a follow-on case to Irish Data Protection Commissioner v. Facebook and Schrems ("Schrems II") and, as a result, the investigation into Facebook's U.S.-EU data transfers will move forward. The case arises from a complaint filed with the DPC in Ireland against Facebook by privacy activist Max Schrems in 2013 alleging that the company violated EU law when it transferred personal data to the U.S. (where the company is obliged to provide access to the government). The case has since been referred two separate times to the highest court in Europe (the CJEU), and has led to the invalidation of both the U.S.-EU Safe Harbor Agreement and the U.S.-EU Privacy Shield Agreement. The CJEU in the Schrems II decision last year remanded the case to the Irish DPC to determine whether Facebook violated the law and whether it was necessary to block Facebook's U.S.-EU data transfers. The DPC later issued a Preliminary Draft Decision to Facebook and laid out procedures for the inquiry. Both Facebook and Schrems challenged the DPC procedures. The DPC agreed in a settlement with Schrems that it would complete the investigation into his original complaint. The Irish High Court today rejected Facebook's challenge to the DPC inquiry, and both the Schrems complaint and this new DPC inquiry against Facebook will move forward. EPIC participated as an amicus curiae in Schrems II, arguing that U.S. Surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.
  • WhatsApp Policy Change Highlights Privacy Risks EPIC Warned of in Facebook Acquisition » (Jan. 15, 2021)
    Recently unveiled changes to WhatsApp's terms of service highlight the privacy and legal objections has EPIC long raised to Facebook's 2014 acquisition of the messaging platform. In early January, WhatsApp introduced a revision to its privacy policy that seemed to require app users to share extensive personal data with Facebook—an apparent violation of the privacy protections that originally fueled WhatsApp's growth. The policy change drove many WhatsApp users to turn to other secure messaging platforms including Signal and Telegram. WhatsApp later delayed the revision of its terms of service by several months and argued that the change only affected "business communication," but the episode underscores the dangers of a company built on the exploitation of personal data acquiring a company that has made explicit privacy commitments to its users. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook routinely incorporates user data from companies it acquires and that WhatsApp users objected to the acquisition. The FTC approved the merger but told EPIC and CDD that "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook."
  • BREAKING: 48 States and U.S. Sue Facebook Seeking to End Illegal Monopoly » (Dec. 9, 2020)
    Forty-eight states and the United States have filed complaints in federal court alleging that Facebook has stifled competition to illegally maintain its social networking monopoly. EPIC has long urged the Federal Trade Commission to unwind Facebook's acquisitions of Instagram and WhatsApp. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. Today's complaint from state Attorneys General echoes this concern: "Facebook's conduct deprives users of product improvements and, as a result, users have suffered, and continue to suffer, reductions in the quality and variety of privacy options and content available to them." "We applaud the state Attorneys General for focusing on the ways Facebook's monopolistic behavior harmed users' privacy and reduced privacy-protective options in the market," Caitriona Fitzgerald, EPIC Policy Director said.
  • House Judiciary Committee Reports on Competition in Digital Markets » (Oct. 6, 2020)
    The House Judiciary Committee has released its report following a years-long investigation of competition in digital markets. "[O]nline platforms’ dominance carries significant costs. It has diminished consumer choice, eroded innovation and entrepreneurship in the U.S. economy, weakened the vibrancy of the free and diverse press, and undermined Americans’ privacy," the Majority Staff report states. The Committee also found that the Federal Trade Commission had neglected to use the antitrust authorities granted to the agency by Congress. "In its first hundred years, the FTC promulgated only one rule defining an "unfair method of competition," the report notes. EPIC had previously told the Committee that merger review must consider data protection. "The United States stands virtually alone in its unwillingness to address privacy as an increasingly important dimension of competition in the digital marketplace," EPIC said. The Committee report makes numerous recommendations, including "structural separations and prohibitions of certain dominant platforms from operating in adjacent lines of business."
  • Facebook Integrates Instagram and Messenger » (Oct. 1, 2020)
    Facebook has announced the integration of Facebook Messenger and Instagram. Early last year, Facebook had released plans to integrate WhatsApp, Messenger, and Instagram, breaking the promises Facebook made when it acquired WhatsApp. After yesterday's announcement, Facebook declined to give a timeline for when WhatsApp integration would occur. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. The FTC responded to EPIC and CDD and told Facebook and WhatsApp that "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC letter noted that "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." Today, the House Judiciary Committee will hold a hearing on proposals to strengthen antitrust laws and restore competition. EPIC has told the Committee that merger review must consider data protection.
  • Facebook to be Ordered to Stop Sending EU Data to U.S. » (Sep. 10, 2020)
    The Irish Data Protection Commissioner has reportedly issued a preliminary order instructing Facebook to stop transferring the data of EU users to the United States. The order comes in the wake of a recent the European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.
  • Court Approves FTC-Facebook Deal, But Says Data Protection Laws Need Updating » (Apr. 24, 2020)
    Despite objections from EPIC and other consumer groups, a federal judge has approved the Federal Trade Commission’s settlement with Facebook over the company’s alleged violations of the 2012 consent decree and the FTC Act. The court called Facebook’s alleged conduct “stunning,” “unscrupulous,” “shocking,” and “underhanded,” and even stated that it “might well have fashioned different remedies were it doing so out of whole cloth.” The court nevertheless approved the deal because of the “deferential” standard it felt bound to apply, but the court warned that, should the FTC accuse Facebook of further violations of the law, the court “may not apply quite the same deference to the terms of a proposed resolution.” EPIC had moved to intervene in the case and filed an amicus brief arguing that the deal imposes “few new obligations on the company that would limit the collection and use of personal data, nor will there be any significant changes in business practices.” The court denied EPIC’s motion to intervene but acknowledged that EPIC’s arguments as amicus “call into question the adequacy of laws governing how technology companies that collect and monetize Americans’ personal information must treat that information.”
  • Appeals Court Greenlights Privacy Suit Over Facebook's Invasive Web Tracking » (Apr. 9, 2020)
    The Ninth Circuit Court of Appeals ruled today that Facebook users whose privacy was violated by Facebook's tracking of web browsing can bring suit against the social media platform. The court held that consumers had the legal right, or "standing," to sue Facebook and that most legal claims could go forward. Chief Judge Sidney Thomas wrote "that Facebook set an expectation that logged-out user data would not be collected, but then collected it anyway." EPIC filed an amicus brief in the case explaining that "Facebook's tracking techniques are designed to escape detection, and the company routinely ignores users' privacy protections." EPIC argued that Facebook's "cookie tracking practices" cause "harm to the privacy of the large and diffuse group of Facebook users." EPIC first identified the privacy risks of cookie tracking in a 1997 report "Surfer Beware: Personal Privacy and the Internet." EPIC frequently participates as amicus curiae in consumer privacy cases, including United States v. Facebook, Attias v. Carefirst, Frank v. Gaos, and Rosenbach v. Six Flags.
  • EPIC Celebrates Sunshine Week with 2020 FOIA Gallery » (Mar. 16, 2020)
    In celebration of Sunshine Week, EPIC has unveiled the 2020 FOIA Gallery. Since 2001, EPIC has annually published highlights of EPIC's most significant open government cases. For example, last year EPIC filed the first lawsuit in the country for the public release of the Mueller Report. The federal court rebuked Attorney General Barr and agreed to review the complete Mueller Report to determine what additional material must be released. EPIC also prevailed in EPIC v. the Commission on AI. A federal court ruled that the Commission on Artificial Intelligence is subject to the FOIA. Following the court's decision, the AI Commission released documents about its activities to EPIC. In this year's FOIA gallery, EPIC also highlighted pre-trial risk assessment reports, documents about Justice Kavanaugh's role in the warrantless surveillance program, a DHS drone status report, the Census data transfer plan, and more than 29,000 complaints against Facebook pending at the FTC.
  • Appeals Court Affirms Consumer Rights to Facebook Suit, But Upholds Ineffective Settlement » (Mar. 3, 2020)
    The Ninth Circuit decided today that consumers could bring a case against Facebook for scanning private messages, but upheld a settlement that produced only a minor change in Facebook's business practices. In Campbell v. Facebook, the appeals court found that consumers "sued to protect concrete interests" because wiretap laws "codify a context-specific extension of the substantive right to privacy." EPIC filed an amicus brief in the case, arguing that the settlement "does not prevent Facebook from resuming the practices" consumers sued to stop. EPIC explained that the settlement only requires Facebook to post a "vague notice" that is "not the basis for consent" under applicable wiretap laws. EPIC routinely files amicus briefs in cases concerning consumer privacy and standing.
  • FTC Publishes Privacy and Data Security Update » (Feb. 27, 2020)
    The FTC has published "Privacy & Data Security Update for 2019." The FTC report summarizes the enforcement actions the agency pursued last year, including the proposed settlement with Facebook. EPIC challenged the settlement, arguing that the "Court should not adopt the proposed Consent Decree because the parties have not established that it would be fair, adequate, reasonable, appropriate, or consistent with the public interest." EPIC also uncovered 29,000 complaints against Facebook, currently pending at the FTC. The Court required the FTC and Facebook to respond to EPIC's objections. EPIC and other consumer organizations have many privacy complaints currently pending at the FTC that the Commission has failed to pursue. EPIC recently filed complaints with the FTC on HireVue and Airbnb for unfair and deceptive uses of AI.
  • FTC to Investigate Prior Big Tech Acquisitions » (Feb. 12, 2020)
    The FTC announced plans to review acquisitions by Google, Amazon, Apple, Facebook, and Microsoft between 2010-2019. The FTC will review those acquisitions that the companies were not required by law to report at the time of acquisition. FTC Chairman Joe Simons said the initiative would "evaluate whether the federal agencies are getting adequate notice of transactions that might harm competition." In a joint statement, Commissioner Wilson and Commissioner Chopra said, "While we commend the FTC for exploring this timely and important topic, we reiterate our call for the Commission to prioritize 6(b) studies that explore consumer protection issues arising from the privacy and data security practices of technology companies, including social media platforms." EPIC filed a complaint with the FTC in 2014 opposing Facebook's acquisition of WhatsApp. EPIC is presently in federal court seeking to improve the FTC's proposed settlement with Facebook and to unwind the merger.
  • "A Big Victory for Privacy Groups" - Facebook Settlement » (Jan. 30, 2020)
    This week Facebook agreed to pay $550 million to settle a lawsuit about the use of facial recognition technology. The New York Times called the settlement "A Big Victory for Privacy Groups." In 2010, EPIC objected to Facebook's collection of biometric data and urged the FTC to modify a proposed settlement to limit Facebook's use of facial recognition. EPIC filed similar complaints about facial recognition with the FTC in 2016 and 2018. EPIC also filed several amicus briefs stating that the violation of a federal privacy law is sufficient to confer "standing," the right of consumers to bring lawsuits. In response to Facebook's challenge to the Illinois Biometric Privacy Act, EPIC wrote, "Judicial second-guessing of statutory protections for biometric data established by the state legislature, following a careful weighing of the public safety concerns, will come at an enormous cost to the privacy of Illinois residents." EPIC's views were adopted by a federal court in this case, which led to the recent settlement with Facebook. The text of the Illinois privacy law is available in the 2020 EPIC Privacy Law Sourcebook at the EPIC Bookstore. And EPIC's objections to the current FTC settlement with Facebook are now pending in federal court.
  • Supreme Court Declines to Review Facebook Face Scan Case » (Jan. 21, 2020)
    The U.S. Supreme Court will leave in place a decision that allows lawsuits against Facebook for the unlawful collection of facial images. In Patel v. Facebook, the Ninth Circuit held that that an Illinois biometrics law protects "concrete privacy interests" and that violations of the law "pose a material risk of harm to those privacy interests." EPIC filed an amicus brief in the case, arguing that users can sue companies that violate rights protected by privacy laws. EPIC has long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software. EPIC and others recently called for a global moratorium on facial recognition. EPIC recently launched a campaign and resource page to ban face surveillance.
  • Facing Growing Criticism, Facebook Reverses Decision to Sell Ads in WhatsApp » (Jan. 21, 2020)
    Facebook reversed the controversial decision to sell ads in WhatsApp. Before WhatsApp was acquired by Facebook, the company promised users it would not sell ads. But Facebook did not honor that promise to users, causing the WhatsApp founders to resign. When Facebook proposed to acquire WhatsApp in 2014, EPIC filed a complaint with the FTC advising the agency to block the sale unless adequate privacy safeguards were established for WhatsApp user data.The FTC wrote in response "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC's order against Facebook." EPIC has challenged the proposed FTC settlement with Facebook, arguing that it is procedurally unfair and that the FTC failed to address growing concerns about the use of WhatsApp user data. The FTC is now considering blocking the integration of Facebook and WhatsApp user data.
  • Facebook Announces Deepfakes Ban » (Jan. 7, 2020)
    Facebook has announced its plan to ban "deep fakes" in advance of a House hearing on "Americans at Risk: Manipulation and Deception in the Digital Age" this week. The new policy would ban users from posting deepfakes—computer-generated, highly manipulated videos using technologies like AI—to prevent the spread of disinformation but would allow simpler forms of manipulation. Deepfakes have been used to spread disinformation about politicians, but 96% of "deep fakes" online are videos in which women's faces are superimposed into pornography without their consent. EPIC Board Member Danielle Citron testified before Congress, saying "we need a combination of law, markets, and societal resistance" to combat deepfakes and "the phenomenon is going to be increasingly felt by women and minorities."
  • Facebook Admits to Location Tracking, Ignoring Privacy Settings » (Dec. 17, 2019)
    Facebook has admitted that it can determine a user's location even after the user has disabled location services. The statement came in response to a letter from Sens. Josh Hawley (R-Mo.) and Chris Coons (D-Del.). Sen. Hawley tweeted: "There is no opting out. No control over your personal information. That's Big Tech. And that's why Congress needs to take action." The FTC's 2011 consent order with Facebook, followed EPIC's 2009 complaint which established that Facebook ignores user privacy settings. EPIC is challenging the proposed 2019 settlement in part because it does not fix the location tracking problem. A federal court has ordered both Facebook and the FTC to file replies to EPIC. In a related matter, an EPIC case required Accuweather to end surreptitious tracking of users.
  • FTC May Block Facebook Integration of WhatsApp User Data » (Dec. 17, 2019)
    According to recent news reports, the FTC may pursue an injunction against Facebook to prevent the integration of WhatsApp and Instagram user data. Analysts noted that integration would make it more difficult to break up the company if required by a subsequent antitrust review. When Facebook proposed to acquire WhatsApp in 2014, EPIC filed a complaint with the FTC advising the agency to block the sale unless adequate privacy safeguards were established for WhatsApp user data.The FTC wrote in response "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC's order against Facebook." The European Commission fined Facebook 122 million dollars in 2017 for misleading statements about the integration of the data sets. In a recent filing with a federal court, EPIC wrote "the Commission also seems entirely unconcerned by Facebook's planned integration of the personal data of WhatsApp users even though this would violate representations both firms previously made to the Commission."
  • Court Seeks Amicus Briefs in FTC-Facebook Settlement » (Dec. 16, 2019)
    An order from a federal court in Washington, DC creates an opportunity for groups and individuals to file amicus briefs about the proposed FTC settlement with Facebook. The proposed settlement concerns violations of consumer privacy and the adequacy of the settlement. EPIC argued, "This Court should not adopt the proposed Consent Decree because the parties have not established that it would be fair, adequate, reasonable, appropriate, or consistent with the public interest." EPIC explained that the proposed settlement "largely mirrors the preexisting Consent Order from 2012. There are few new obligations on the company that would limit the collection and use of personal data, nor will there be any significant changes in business practices." EPIC asked the court to provide an opportunity for others to file amicus briefs. The deadline for motions is December 17, 2019.
  • BREAKING: Court Orders FTC and Facebook to Reply to EPIC’s Brief » (Dec. 10, 2019)
    Today the U.S. District Court for the District of Columbia ordered both Facebook and the FTC to file replies to EPIC's amicus brief and sur-replies to EPIC's motion to intervene in United States v. Facebook. The case concerns the proposed settlement between the FTC and Facebook for violations of consumer privacy. EPIC argued, "This Court should not adopt the proposed Consent Decree because the parties have not established that it would be fair, adequate, reasonable, appropriate, or consistent with the public interest.” EPIC explained that the proposed settlement “largely mirrors the preexisting Consent Order from 2012. There are few new obligations on the company that would limit the collection and use of personal data, nor will there be any significant changes in business practices.” EPIC noted, the "Commission also seems entirely unconcerned by Facebook’s planned integration of the personal data of WhatsApp users even though this would violate representations both firms previously made to the Commission.” Through a Freedom of Information Act Request, EPIC has uncovered more than 29,000 complaints against Facebook currently pending at the Commission.
  • FTC Announces Non-Penalty in Cambridge Analytica Case » (Dec. 7, 2019)
    The FTC issued a press release today about Cambridge Analytica, the company blamed for the Brexit vote that harvested the personal data of 87 m Facebook users for voter profiling and tracking. The misuse of personal data occurred while Facebook was under a consent order and subject to the supervision of the FTC. EPIC urged the FTC to reopen the investigation of Facebook after news of the Cambridge Analytica breach in early 2018. More than 18 months after the scandal broke, the FTC found that Cambridge Analytica, a company now bankrupt, deceived consumers through its data-gathering practices. EPIC previously told Congress that the Cambridge Analytica scandal could have been avoided if the FTC had enforced its own Consent Order.
  • Facebook Asks Supreme Court to Review Face Scan Decision » (Dec. 5, 2019)
    Facebook has filed a petition asking the Supreme Court to review a decision that allows lawsuits against Facebook for the unlawful collection of facial images. In Patel v. Facebook, the Ninth Circuit held that that an Illinois biometrics law protects "concrete privacy interests" and that violations of the law "pose a material risk of harm to those privacy interests." EPIC filed an amicus brief in the case, arguing that users can sue companies that violate rights protected by privacy laws. EPIC has long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software. EPIC and others recently called for a global moratorium on facial recognition. EPIC recently launched a campaign and resource page to ban face surveillance.
  • EPIC's Rotenberg Calls For End to Facebook Political Ads » (Nov. 7, 2019)
    In testimony before the International Committee on Fake News, EPIC President Marc Rotenberg today called for an end to Facebook's political ads. "The company's view of political advertising is both reckless and irresponsible," said Rotenberg. He added that advertising revenue should "flow back to traditional media and help strengthen independent journalism." EPIC also urged enforcement of the GDPR. "History must not repeat itself," said Rotenberg, citing the failure of the US Federal Trade Commission to act when it had the opportunity to do so. The international Committee, meeting in Dublin, is comprised of lawmakers from 14 countries, including Rep. Cicilline, chair of the House committee on antitrust.
  • EPIC on Libra: "Facebook clearly cannot be trusted with consumers' financial data" » (Oct. 23, 2019)
    During today's House Financial Services hearing, Rep. Nydia Velazquez [D-NY] grilled Mark Zuckerberg about the misrepresentations Facebook made to regulators when it acquired WhatsApp — misrepresentations that led to fines in the EU. "Why should we believe what you and Calibra are saying about protecting customer #privacy and financial data?" said Rep. Velazquez. EPIC raised the same issue in a July statement to the House Financial Services Committee, saying "Facebook clearly cannot be trusted with consumers' financial data" and outlining Facebook's long history of failing to protect user data. EPIC is challenging the proposed settlement between the Federal Trade Commission and Facebook, charging that the Commission has failed to investigate thousands of pending complaints against the company.
  • Ninth Circuit Leaves in Place Case that Allows Users to Sue Facebook for Face-Scans » (Oct. 23, 2019)
    A federal appeals court has let stand a ruling that users can sue Facebook for collecting and using their facial images. The court previously held in Patel v. Facebook that an Illinois biometrics law protects "concrete privacy interests" and violations of the law "pose a material risk of harm to those privacy interests." EPIC filed an amicus brief in the case, arguing that the violation of a privacy law is sufficient for users to sue a company. EPIC has also long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software. EPIC and others recently called for a global moratorium on facial recognition.
  • EPIC to Congress: Consumers Must Be Protected in Merger Reviews » (Oct. 18, 2019)
    In a statement to the House Judiciary Committee, EPIC told lawmakers that merger review should consider data protection. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. EPIC, Color of Change, the Open Markets Institute, and others have also urged the FTC to require Facebook to spin-off WhatsApp and Instagram.
  • Senator Cantwell to FTC: Settlement Lets Facebook "Off the Hook" » (Oct. 15, 2019)
    Senator Maria Cantwell [D-WA], Ranking Member on the Senate Commerce Committee, has sent a letter to Federal Trade Commission Chairman Joseph Simons regarding the FTC's controversial settlement with Facebook. "I am concerned that the settlement lets Facebook off the hook for unspecified violations, and given the many public reports of Facebook's mishandling of consumer data, it is difficult to fully understand the impact of this provision on the settlement on the data privacy protection of the millions of U.S. consumers that have used and continue to use Facebook," Cantwell wrote to Simons. Through a Freedom of Information Act Request. EPIC has obtained thousands of new consumer complaints (part 1, part 2) against Facebook. EPIC is formally challenging the proposed settlement, charging that the Commission has failed to investigate thousands of complaints against the company.
  • EPIC to Congress: 29,000 Facebook Complaints Pending at FTC » (Sep. 25, 2019)
    In advance of an FTC oversight hearing, EPIC told the House Appropriations Committee that more than 29,000 complaints against Facebook are now pending at the Federal Trade Commission. EPIC obtained documents last week revealing 3,000 new complaints against Facebook since the Commission proposed the $5 b settlement with Facebook two months ago. EPIC's Freedom of Information Act Request had previously found 26,000 complaints pending against the social media giant. "The FTC is simply ignoring thousands of consumer privacy complaints about Facebook's ongoing business practices," EPIC said to the Committee. EPIC is formally challenging the proposed settlement with Facebook, charging that the Commission has failed to investigate thousands of complaints against the company. EPIC urged the Committee to support the creation of a U.S. Data Protection Agency, saying "The Federal Trade Commission may help consumers with broken toasters, but the FTC is not an effective data protection agency."
  • EPIC Uncovers 3,156 More Facebook Complaints at FTC—Over 29,000 Now Pending » (Sep. 22, 2019)
    Through a Freedom of Information Act Request, EPIC has obtained thousands of new consumer complaints (part 1, part 2)against Facebook. The most recent documents, released to EPIC, follow the Commission’s proposed $5 b settlement in July. Among the complaints uncovered by EPIC are those from consumer groups and members of Congress. EPIC also obtained records of new complaints in the FTC’s Consumer Sentinel database. EPIC earlier uncovered 26,000 complaints against Facebook since the announcement of the 2011 consent order. EPIC is formally challenging the proposed settlement with Facebook, charging that the Commission has failed to investigate thousands of complaints against the company.
  • Facebook Changes Default Setting on Facial Recognition, Following EPIC's 2011 Recommendation » (Sep. 4, 2019)
    Following a decision by a federal appeals court which found that Facebook had violated a state law limiting the collection of biometric identifiers including facial images, Facebook has changed the default setting for facial recognition. Beginning this week, facial recognition will be set to off by default for both new users and current users. EPIC filed an amicus brief in the biometric privacy case, Patel v. Facebook arguing that "the unlawful collection of an individual's biometric information in violation of the [state law] is an invasion of a legal right..." EPIC had repeatedly warned the Federal Trade Commission that Facebook's use of facial recognition threatened privacy. In comments on the original 2011 consent order, EPIC wrote the "Commission should require that Facebook cease creating facial recognition profiles without users' affirmative, opt-In consent." EPIC had filed a complaint with the FTC early in 2011 charging that the "secretive collection compilation and subsequent use of facial images for automated online identification adversely impacts consumers in the United States and around the world." EPIC filed similar complaints with the FTC about Facebook's use of facial recognition in 2016 and 2018 and provided detailed comments to the Commission in 2012, but the FTC simply failed to act on one of the most controversial business practices of the social media company.
  • EPIC Says FTC Responsible for Cambridge Analytica » (Sep. 3, 2019)
    EPIC has filed comments on the FTC's proposed consent order with the individuals responsible for the Cambridge Analytica breach that impacted 87 million Facebook users, and possibly the outcome of the Brexit vote. EPIC wrote: "the Cambridge Analytica breach could have been prevented if the Commission had enforced the Consent Order." EPIC pointed to numerous reports that Facebook's improper sharing of personal data with third party developers was known to the FTC after the 2011 Consent Order. EPIC is currently pursuing two cases against the FTC, one to obtain the release of the complete biennial audits, the other to block the FTC's proposed settlement that would leave the Facebook's business practices largely unchanged.
  • Court Grants Facebook's Motion to Intervene in EPIC v. FTC » (Aug. 28, 2019)
    The D.C. District Court has granted Facebook's motion to intervene in EPIC's case against the Federal Trade Commission for the release of the biennial audits required by the 2011 Consent Order. The FTC turned over redacted reports to EPIC but withheld certain information, citing a confidential business information provision. EPIC explained to the court, the "release of the full audits is crucial for Congress, the States Attorneys General, and the public to evaluate how the Cambridge Analytica breach occurred." EPIC opposed Facebook's attempt to intervene but the Court granted Facebook's motion. Before the same judge, EPIC is also pursuing intervention in United States v. Facebook, a case concerning the proposed settlement between FTC and Facebook. Facebook's answer to EPIC's complaint is due September 3, 2019. The case is EPIC v. FTC, No. 18-942 (D.D.C).
  • Gallup Poll: Americans Divided on Regulation for Big Tech Firms » (Aug. 22, 2019)
    A new Gallup poll found that 48 percent of respondents said the government should boost its regulation of technology companies like Amazon, Facebook and Google, while 40 percent said regulation of these firms shouldn't change. Roughly 60 percent of self-identified liberals, union members, college graduates and Democrats support increased oversight of tech companies. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger laws to protect their privacy. EPIC has also opposed mergers that threaten consumer privacy, including Facebook's acquisition of WhatsApp, Google's acquisition of DoubleClick, and Google's acquisition of Nest Labs.
  • Facebook Faces More Civil Rights Lawsuits » (Aug. 20, 2019)
    A new lawsuit alleges that Facebook violated the Fair Housing Act by allowing advertisers to use factors such as race, sex, and disability to prevent home buyers and renters from seeing housing ads. Facebook recently settled claims and made changes to its advertising practices following lawsuits by the Department of Housing and Urban Development. EPIC is currently challenging the FTC's settlement with Facebook, arguing that it provides little benefit to Facebook users. EPIC also supports algorithmic transparency, which would reduce bias and help ensure fairness in automated decisionmaking. EPIC proposed the Universal Guidelines for Artificial Intelligence as the basis for federal legislation. The Universal Guidelines have been endorsed by more than 250 experts and 60 organizations in 40 countries.
  • EPIC Pursues Intervention in FTC Facebook Case » (Aug. 12, 2019)
    EPIC has filed a reply brief in support of its motion to intervene in United States v. Facebook, a case concerning the proposed settlement between the Federal Trade Commission and Facebook. The Government and Facebook have sought to block EPIC's participation. EPIC pursued intervention to protect the interests of Facebook users and to ensure that pending complaints at the FTC were not ignored. EPIC told the court overseeing the case that the settlement "is not adequate, reasonable, or appropriate." In response to Facebook and the government, EPIC explained that the settlement is "arbitrary and capricious because the Commission seeks to grant Facebook immunity from any unlawful practices identified in prior consumer complaints, without addressing or even identifying the prior complaints." EPIC also argues that the FTC's failure to consider public comments on the settlement, as the agency is required to do under its own regulations, "denies EPIC and others the opportunity to submit comments on the consent agreement." An EPIC FOIA lawsuit uncovered more than 26,000 complaints against Facebook pending at the agency. In 2009, EPIC and other consumer privacy organizations filed the original complaint that created legal authority for the FTC to oversee Facebook's privacy practices. Many members of Congress, consumer organizations, and corporate law experts have opposed the proposed settlement, which was narrowly approved by the Commission, 3-2.
  • Federal Appeals Court Says Consumers Can Sue Facebook for Facial Recognition » (Aug. 8, 2019)
    A federal appeals court has ruled that users can sue Facebook for collecting and using their facial images. In Patel v. Facebook, users contend that Facebook violated an Illinois biometric privacy law by creating biometric templates of their faces without their consent. The court found that the Illinois law "protects the plaintiffs' concrete privacy interests" and violations of the law "pose a material risk of harm to those privacy interests." The court cited the common law roots of the right to privacy and also noted that "the Supreme Court has recognized that advances in technology can increase the potential for unreasonable intrusions into personal privacy." EPIC filed an amicus brief in the case, arguing that the violation of the privacy law was sufficient for Facebook users to sue the company. EPIC wrote the "Illinois Biometric Information Privacy Act imposes, by statute, legal obligations on companies that choose to collect and store individuals' biometric data." EPIC said that plaintiffs must only "demonstrate that a defendant has invaded a concrete interest protected by the law—nothing more." Last year, EPIC filed an amicus brief in Rosenbach v. Six Flags, where the Illinois Supreme Court unanimously decided that consumers can sue companies that violate the state's biometric privacy law. EPIC routinely submits briefs in support of consumers' right to sue in privacy case. EPIC has also long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software.
  • Government Seeks to Block EPIC Intervention in Facebook Case » (Aug. 5, 2019)
    The federal government has asked a court to deny EPIC's Motion to Intervene in United States v. Facebook, a case which concerns a proposed settlement between the Federal Trade Commission and Facebook. EPIC filed the motion to protect the privacy interests of Facebook users. EPIC argued that the settlement "is not adequate, reasonable, or appropriate." EPIC also explained that the settlement would extinguish more than 26,000 consumer complaints against Facebook pending at the FTC. EPIC has asked the court for an opportunity for EPIC and others to be heard before the settlement is finalized. EPIC filed the original complaint that created legal authority for the FTC to oversee Facebook. Many members of Congress, consumer organizations, and corporate law experts have opposed the proposed settlement, which was narrowly approved by the Commission, 3-2.
  • International DPAs Raise Concerns About Facebook and Libra » (Aug. 5, 2019)
    Data protection commissioners from several countries published a joint statement on Facebook's proposed Libra currency network. The Commissioners said "strong privacy safeguards are the foundation for innovation in the digital world" and "we are joining together to express our shared concerns about the privacy risks posed by the Libra digital currency and infrastructure." The Commissioners said Facebook has "failed to specifically address the information handling practices that will be in place to secure and protect personal information." The Commissioners cited EPIC statements for Senate and House warning stating that "Facebook clearly cannot be trusted with consumers' financial data." EPIC also joined a coalition of consumer groups calling for an end to Facebook's Libra plan.
  • Top European Court Rules Companies Using Facebook "Like" Button Are Responsible for User Privacy » (Jul. 29, 2019)
    The Court of Justice for the European Union has ruled websites embedding the Facebook "like" button are responsible for user privacy. Facebook's tracking technique collects the personal data of visitors to a third-party website and transfers it to Facebook. In Fashion ID v Verbraucherzentrale NRW, the Court stated FashionID can be held jointly responsible with Facebook for compliance with Europe's data protection rules. Fashion ID must obtain prior consent from users or have a legitimate interest in processing their data. The case concerns Europe's 1995 privacy law, but implicates similar terms in the new EU General Data Protection Regulation. EPIC Senior Counsel Alan Butler also recently appeared before the Court of Justice in DPC v. Facebook. The landmark case considers whether the transfer of data to the U.S. using standard contract clauses violates fundamental rights.
  • EPIC Challenges FTC-Facebook Settlement, Asks Court to Hear from Privacy Groups » (Jul. 26, 2019)
    EPIC has filed a Motion to Intervene in United States v. Facebook to protect the interests of Facebook users. The case concerns a proposed settlement between the FTC and Facebook. EPIC said the settlement "is not adequate, reasonable, or appropriate." EPIC also explained that the settlement would extinguish more than 26,000 consumer complaints against Facebook pending at the FTC. EPIC asked the court for an opportunity for EPIC and others to be heard before the settlement is finalized. EPIC filed the original complaint that created legal authority for the FTC to oversee Facebook. Back in 2011, EPIC also urged the Commission to require Facebook to restore the privacy settings of users, give users access to all of the data that Facebook keeps about them, stop making facial recognition profiles without users' consent, make the results of the government privacy audits public, and stop secretly tracking users across the web. Earlier this year, EPIC and others urged the FTC to pursue structural remedies, including the divestiture of WhatsApp. Many organizations and individuals have expressed concern about the proposed settlement, which was narrowly approved by the Commission, 3-2. More info at https://epic.org/privacy/facebook/epic2019-challenge/
  • EPIC Seeks Consumer Complaints about Facebook Pending Before FTC Prior to Settlement Agreement » (Jul. 25, 2019)
    EPIC has submitted an urgent Freedom of Information Act request to the Federal Trade Commission seeking all consumer complaints pending before the Commission at the time the agency entered into the settlement with Facebook. The proposed settlement order "resolves" all consumer complaints alleging violation of the consent order prior to June 12, 2019. Earlier this year, EPIC determined that there were 26,000 complaints against Facebook pending at the Commission. Many US privacy organizations have also filed detailed complaints with the Commission, alleging that Facebook's business practices violate the FTC Act and also the Children's Online Privacy Protection Act. The release of the information sought by EPIC could help the public and the Congress assess the adequacy of the proposed settlement.
  • FTC Opens Antitrust Investigation of Facebook » (Jul. 25, 2019)
    Facebook has disclosed that the Federal Trade Commission opened an antitrust investigation into the company. In a recent statement for a Senate Judiciary committee hearing on antitrust, EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. This year, EPIC, Color of Change, the Open Markets Institute, and others urged the FTC to spin off WhatsApp as a remedy for violations of the 2011 consent order. In a settlement announced this week, the Commission failed to do so.
  • BREAKING - FTC Issues Facebook Fine, EPIC - "Too little, too late." » (Jul. 24, 2019)
    The Federal Trade Commission announced today the first fine against Facebook since EPIC and a coalition of privacy organizations filed a complaint with the Commission about the company’s businesses practices back in 2009. In a 2011 consent order the FTC said it would bar Facebook "from making any further deceptive privacy claims.” But in the years that followed, the FTC failed to act even as complaints emerged about marketing to children, privacy settings, tracking users, gathering health data, and facial recognition. Earlier this year, EPIC determined that there were 26,000 complaints against Facebook pending at the Commission. EPIC President Marc Rotenberg said today, “The FTC’s action is too little, too late. American consumers cannot wait another decade for the Commission to act against a company that violates their privacy rights. Congress should move quickly to establish a data protection agency."
  • EPIC Urges Antitrust Agencies to Raise their Game » (Jul. 18, 2019)
    In a statement to the Senate Judiciary committee, EPIC urged lawmakers to press the FTC and the Department of Justice on Enforcement of the Antitrust Laws. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. EPIC, Color of Change, the Open Markets Institute, and others have also urged the FTC to require Facebook to spin-off WhatsApp and Instagram.
  • BREAKING - EPIC Seeks Public Release of FTC Settlement with Facebook » (Jul. 15, 2019)
    Today EPIC filed an expedited Freedom of Information Act request with the Federal Trade Commission, seeking the public release of the proposed settlement with Facebook. Last week the Wall Street Journal first reported that the FTC approved a $5 billion settlement with Facebook for violating a 2011 consent order that EPIC helped obtain. However, details about the settlement have not been disclosed. In January, EPIC recommended that the FTC 1) impose substantial fines; 2) establish structural remedies; 3) require compliance with Fair Information Practices; 4) reform hiring and management practices; and 5) restore democratic governance. In a series of FOIA cases, EPIC uncovered the biennial audits of Facebook, the number of complaints pending against Facebook at the Commission (26,000), and records of meetings by the chief agency official responsible for overseeing enforcement. EPIC also launched the #EnforceTheOrder campaign.
  • EPIC on Libra: "Facebook Clearly Cannot be Trusted With Consumers' Financial Data" » (Jul. 15, 2019)
    In advance of Congressional hearings on Facebook's plan to launch its own cryptocurrency called Libra, EPIC has sent statements to Senate and House Committees stating that "Facebook clearly cannot be trusted with consumers' financial data." EPIC noted Facebook's history of misrepresentations to regulators, highlighting the promises Facebook made when the company acquired WhatsApp regarding user privacy — promises Facebook has since broken. EPIC also discussed the Cambridge Analytica scandal and outlined Facebook's long history of failing to protect user data. As reported, a pending settlement with Facebook would not address proposals made by EPIC and others to strengthen Facebook's protection of user data. EPIC urged Congress to block Facebook's entry into cryptocurrency.
  • WSJ Reports that FTC Agrees to $5B Fine Against Facebook » (Jul. 12, 2019)
    The Federal Trade Commission has reportedly approved a $5 billion fine against Facebook, the largest fine in the Commission's history. EPIC brought the original complaint to the FTC that led to the 2011 Consent Order against Facebook. This is the first enforcement action the FTC has taken against Facebook in the eight years since the Consent Order was put in place. Earlier this year, an EPIC Freedom of Information Act request uncovered more than 26,000 complaints against Facebook pending at the Commission. EPIC also launched the #EnforceTheOrder campaign to urge action by the FTC. In January, EPIC recommended that the FTC enforcement action 1) impose substantial fines; 2) establish structural remedies; 3) require compliance with Fair Information Practices; 4) reform hiring and management practices; and 5) restore democratic governance.
  • EPIC FOIA - FTC Enforcement Director Participated in Over 100 Meetings About Facebook Post-Cambridge Analytica » (Jul. 11, 2019)
    As a result of EPIC's Freedom of Information Act request, the Federal Trade Commission released records indicating that FTC Associate Director of Enforcement James A. Kohm participated in at least 162 meetings since the Commission adopted the consent order with Facebook in 2011. Almost 140 meetings occurred after Facebook admitted to the unlawful transfer of over 87 million user profiles to Cambridge Analytica. In March 2018, the FTC said it would reopen investigation of Facebook, but the agency has never taken an enforcement action against the country. EPIC launched the #EnforceTheOrder campaign this year to urge action by the FTC.
  • EPIC to Discuss US Surveillance before Top European Court » (Jul. 8, 2019)
    This week EPIC Senior Counsel Alan Butler will appear before the Court of Justice for the European Union in the case Data Protection Commissioner v. Facebook. The case, known as "Schrems 2.0." follows the European Court's landmark decision in Schrems v. DPC striking down the "Safe Harbor" arrangement and leading to the creation of the "Privacy Shield." The current case considers whether the transfer of personal data to the U.S. using standard contract clauses violates the fundamental rights of Europeans. At issue is Section 702 of the FISA Amendments Act and Executive Order 12333. EPIC's Butler will provide the Court with expert analysis on U.S. surveillance law. EPIC is a party to the case, along with Austrian privacy activist Max Schrems. EPIC also recently filed a brief with the European Court of Human Rights in Big Brother Watch v. UK, arguing that the Human Rights Court should review UK-U.S. intelligence transfers in assessing UK bulk surveillance. That case will be heard July 10th.
  • EPIC, Coalition Oppose Facebook Libra Plan » (Jul. 3, 2019)
    EPIC joined a coalition of consumer groups in a letter to Congress calling for an end to Facebook's Libra plan. Facebook, the world's largest social network company, said it planned to enter the global financial services market, likely sidestepping government oversight and democratic accountability. Several groups warned that "a careful assessment will show that the proposal is too dangerous to proceed." The coalition also identified "profound questions" about governance, national sovereignty, law enforcement, consumer protection, privacy, competition and systemic risk. Meanwhile, the Federal Trade Commission has failed to take any action in the fifteen months since the FTC reopened the investigation of Facebook, following the Cambridge Analytica scandal. EPIC brought the original complaint to the FTC in 2009 that led to the 2011 consent order against Facebook. Earlier this year, an EPIC Freedom of Information Act request uncovered more than 26,000 complaints against Facebook pending at the Commission. EPIC has repeatedly urged the FTC to #EnforceTheOrder against Facebook.
  • EPIC Opposes Facebook's Intervention in FOIA Case for Release of FTC's Facebook Audits » (Jun. 17, 2019)
    In a recent court filing, EPIC opposed Facebook's attempt to intervene in EPIC's lawsuit against the Federal Trade Commission for the release of records concerning the company's compliance with the 2011 Consent Order. EPIC told the court hearing EPIC v. FTC that Facebook does not have standing to intervene because it has not established that it would suffer a substantial competitive harm as a result of public disclosure of the information EPIC is seeking. EPIC also explained that under the Freedom of Information Act companies do not decide for themselves what information they wish to withhold from the public. EPIC's FOIA lawsuit is one of several activities that EPIC is pursuing to hold Facebook accountable for compliance under the 2011 consent order. In a related FOIA lawsuit, EPIC determined that there are more than 26,000 complaints against Facebook currently pending at the FTC. EPIC also launched the #EnforcetheOrder campaign to pressure the FTC to take enforcement action against Facebook. The case is EPIC v. FTC, No. 18-942 (D.D.C).
  • With Complaints Against Facebook Piling Up, FTC Goes After Small Businesses » (Jun. 14, 2019)
    The FTC today announced a minor settlement with a company called SecurTest over its claims concerning the EU-U.S. Privacy Shield program. The Commission also sent letters to 13 small companies for falsely claiming participation in various privacy programs. The FTC issued no fines and took no further action. The proposed consent agreement is subject to public comment after publication in the Federal Register. The announcement comes more than a year after the Commission said it would reopen the investigation of Facebook, following the Cambridge Analytica scandal. Earlier this year, an EPIC Freedom of Information Act request uncovered more than 26,000 complaints against Facebook pending at the Commission. EPIC brought the original complaint to the FTC in 2009 that led to the 2011 consent order. EPIC has repeatedly urged the FTC to #EnforceTheOrder against Facebook.
  • As State AGs Gather at FTC Event, Still No Action on Facebook » (Jun. 11, 2019)
    The FTC hosted a roundtable with state attorneys general in Nebraska as the final hearing on competition and consumer protection in the 21st century. More than a year has passed since the FTC reopened the investigation of Facebook after the Cambridge Analytica scandal, but the FTC has not issued a fine, imposed penalties, or even updated the public about the status of the investigation. EPIC Consumer Protection Counsel Christine Bannan testified at an earlier FTC hearing that the FTC's success should be measured by the enforcement of its orders. EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. EPIC brought the original complaint to the FTC in 2009 that led to the consent order. Facebook anticipates a $3-5 billion fine from the FTC, but EPIC, Color of Change, and the Open Markets Institute have urged the Commission to use its equitable authorities to improve privacy protection and governance, reform hiring practices, and to spin off WhatsApp and Instagram.
  • Court Rules D.C. Attorney General's Lawsuit Against Facebook Will Proceed » (Jun. 3, 2019)
    The D.C. Superior Court denied Facebook's motion to dismiss the complaint filed by D.C. Attorney General over the privacy practices that led to Cambridge Analytica. The D.C. Attorney General alleged that Facebook failed to monitor third-party use of personal data and failed to ensure users' data was deleted. The lawsuit seeks financial penalties, and an injunction to establish safeguards to protect users' data. The court ruled that the case could proceed because "District of Columbia residents' widespread utilization of, and repeated exchange of personal information through Facebook's online social networking service, constitute 'transactions.'" EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. EPIC brought the original complaint to the FTC in 2009 that led to the consent order. Facebook anticipates a $3-5 billion fine from the FTC.
  • Facebook Loses Appeal to Halt European High Court Review of EU-U.S. Data Transfer » (May. 31, 2019)
    The Irish Supreme Court has dismissed an appeal by Facebook to stop the highest court in Europe from reviewing the transfers of personal data from the EU to the US. Facebook appealed a referral to the Court of Justice for the European Union on whether the transfer of data to the U.S. with standard contract clauses violates fundamental rights. EPIC is participating in that case now before the Court of Justice, DPC v. Facebook, expected to be argued July 9th. Ruling against Facebook, the Irish Supreme Court said the decision to refer a case cannot be appealed and must be decided by the referring court and the Court of Justice. "It is for the referring court, and that court alone, whether to make a reference and, indeed, whether to withdraw or amend the same," the Court concluded. EPIC also recently filed a third-party intervention with the European Court of Human Rights in Big Brother Watch v. UK, arguing that the Court should carefully review UK-U.S. intelligence transfers in the case assessing UK bulk surveillance.
  • EPIC Seeks Memos from FTC Enforcement Director About Inaction on Facebook Consent Order » (May. 30, 2019)
    EPIC has filed a Freedom of Information Act request with the Federal Trade Commission seeking memos and internal communications about the Associate Director of the Enforcement Division James A. Kohm. Kohm is responsible for overseeing enforcement of the consent order against Facebook. Since the FTC announced the 2011 Consent Order, the FTC has never charged Facebook with a single violation of the order. In March 2018, the FTC announced an investigation of Facebook following the Cambridge Analytica scandal. 430 days have now passed with no report, no fine, and not even an update about the status of the investigation. EPIC has repeatedly urged the FTC to #EnforceTheOrder against Facebook.
  • New Report on the FTC's Big Tech Revolving Door Problem » (May. 23, 2019)
    A new report from the consumer group Public Citizen finds extensive conflicts of interest at the Federal Trade Commission. According to Public Citizen, most top officials at the Federal Trade Commission (FTC) become lawyers and lobbyists for major technology companies after they leave the agency or bring Silicon Valley conflicts with them when they arrive. These conflicts help explain the FTC's chronic reluctance to enforce consumer protection and antitrust laws, said Public Citizen. EPIC previously urged the FTC to block anticompetitive mergers, such as Google's acquisition of DoubleClick and Facebook's acquisition of WhatsApp, as well as to enforce the pending consent order against Facebook that EPIC helped establish in 2011. EPIC even sued the FTC when the consumer agency failed to enforce the consent order against Google, following the Buzz consent order. As of today, 423 days have passed since the FTC announced in March 2018 that it would reopen the investigation of Facebook. But still there is no fine, no report, and no update.
  • EPIC to Congress: FTC Has Failed to Protect Privacy, New Data Protection Agency Urgently Needed » (May. 6, 2019)
    In advance of FTC oversight hearings, EPIC has sent a statement to both House and Senate Committees outlining the FTC's failure to protect consumer privacy and urging the creation of an independent Data Protection Agency in the United States. EPIC's recent Freedom of Information Act request revealed that there are there are over 26,000 complaints pending against Facebook. In the eight years since the FTC announced the consent order barring Facebook from making any misrepresentation about user privacy, the FTC has not taken a single enforcement action against the company. "The FTC is simply ignoring thousands of consumer privacy complaints about Facebook's ongoing business practices," EPIC said. EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. EPIC brought the original complaint to the FTC in 2009 that led to the consent order.
  • Facebook Anticipates $3B-$5B Fine » (Apr. 26, 2019)
    According to news reports, Facebook has budgeted $3 billion for in its first-quarter earnings report, saying it expected the FTC to fine the company between $3-$5 billion. In January, EPIC and a coalition of consumer and civil rights groups sent a letter to the FTC calling on the Commission to enforce the order against Facebook by 1) imposing substantial fines; 2) establishing structural remedies; 3) requiring compliance with Fair Information Practices; 4) reforming hiring and management practices; and 5) restoring democratic governance. Also, EPIC's Freedom of Information Act request revealed that there are there are over 26,000 complaints pending against Facebook. In the eight years since the FTC announced the consent order barring Facebook from making any misrepresentation about user privacy, the FTC has not taken a single enforcement action against the company. EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. EPIC brought the original complaint to the FTC in 2009 that led to the consent order.
  • EPIC tells FTC, "Enforcement is a measure of success" » (Apr. 16, 2019)
    EPIC Consumer Protection Counsel Christine Bannan testified at the FTC's hearing on the agency's effectiveness at protecting consumer privacy. She said that the FTC's success should be measured by the enforcement of its orders. EPIC's Freedom of Information Act request revealed that there are there are over 26,000 pending consumer complaints against Facebook made while under the consent order. In the eight years since the FTC entered the consent order barring Facebook from making any misrepresentation about user privacy, the FTC has not taken a single enforcement action against the company. EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook.
  • EPIC FOIA - FTC Confirms Number of Pending Facebook Complaints, Doubling Every Two Years » (Apr. 3, 2019)
    In response to EPIC's Freedom of Information Act request, the FTC confirms that there are a total of 26,000 pending consumer complaints about Facebook made while under the consent order. In an e-mail to EPIC, the FTC provided a breakdown of the total number of complaints per year. In 2018 alone, the FTC received 8,391 consumer complaints about Facebook, nearly twice the number received in 2016 (4,612), and more than four times the number received in 2014 (1,860). In the eight years since the FTC entered the consent order barring Facebook from making any misrepresentation about user privacy, the FTC has not taken a single enforcement action against the company. The FTC announced the reopening of the Facebook investigation in the wake of the Cambridge Analytica scandal. But more than a year later, the agency has failed to act. EPIC has repeatedly urged the FTC to #EnforceTheOrder against Facebook.
  • EPIC FOIA - FTC Confirms More than 25,000 Facebook Complaints are Pending » (Mar. 27, 2019)
    In response to a FOIA request from EPIC, the FTC has confirmed that there are over 25,000 complaints about Facebook pending with the Commission. In the eight (8) years since the FTC announced a consent order barring Facebook from making any misrepresentations about use privacy, the FTC has not taken a single enforcement action against the company. And one year has now passed since the FTC announced the reopening Facebook investigation after news of the Cambridge Analytica data breach. EPIC has urged the FTC to #EnforceTheOrder against Facebook.
  • Senators Introduce Facial Recognition Privacy Act » (Mar. 21, 2019)
    U.S. Senators Roy Blunt [R-MO] and Brian Schatz [D-HI] introduced a bill to protect consumers from companies collecting facial images. Senator Schatz said: "Our faces are our identities. They're personal. So the responsibility is on companies to ask people for their permission before they track and analyze their faces." EPIC previously urged the FTC to stop Facebook's use of facial recognition to capture personal identity. In 2018, EPIC charged that Facebook's facial recognition practices lacks privacy safeguards and violate the 2011 Consent Order with the FTC. EPIC has urged the FTC to #EnforceTheOrder as a one-year deadline approaches.
  • Rep. Cicilline: FTC Must Investigate Facebook's Antitrust Violations » (Mar. 19, 2019)
    In a New York Times op-ed, Congressman David Cicilline (D-RI), Chairman of the House Judiciary Committee's Subcommittee on Antitrust, has asked the FTC to investigate Facebook for violating antitrust laws. Citing EPIC's work, Chairman Cicilline said "For years, privacy advocates have alerted the commission that Facebook was likely violating its commitments under the agreement. Not only did the commission fail to enforce its order, but by failing to block Facebook's acquisition of WhatsApp and Instagram, it enabled Facebook to extend its dominance." Rep. Cicilline made clear that data merger deals implicate competition law, which EPIC has long argued. Earlier this year, EPIC joined a coalition of groups urging the FTC to unwind the Facebook-WhatsApp merger, citing promises the companies made at time of the merger. EPIC has launched the #EnforceTheOrder campaign to urge action on the consent order.
  • Press Conference: Facebook, Privacy, and the Consent Order (Capitol Hill, March 19) » (Mar. 18, 2019)
    On Tuesday, March 19 at 2 pm, EPIC will host a press conference moderated by EPIC President Marc Rotenberg. The event will take place at the Fund for Constitutional Government, on Capitol Hill, across the street from the US Supreme Court. Participants include speakers from U.S. PIRG, Public Citizen, and EPIC. The event will focus on Facebook, the Federal Trade Commission, privacy and the 2011 consent order. EPIC has launched the #EnforceTheOrder Campaign to urge action on the consent order. In 2011, the agency issued a sweeping order against Facebook. The FTC Chairman said at the time, "Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users. Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not." Press advisory. Flyer.
  • EPIC Seeks from FTC All Consumer Complaints about Facebook » (Mar. 18, 2019)
    EPIC has filed an urgent Freedom of Information Act request to the Federal Trade Commission seeking all pending complaints. As a result of the extensive work of consumer organizations, the Commission issued a consent order against Facebook in 2011 barring the company from making any future misrepresentations about the privacy and security of a user's personal information. But the FTC has failed to issue any fines or declare any of Facebook's actions, including the Cambridge Analytical scandal, a violation of the consent order. The FTC has also not published the number of pending consumer complaints against Facebook. With the one-year deadline of the reopening of the Facebook investigation approaching, EPIC has launched the campaign #EnforceTheOrder.
  • Senator Hawley Says FTC Approach to Big Tech is "Toothless" » (Mar. 11, 2019)
    Senator Josh Hawley (R-MO) has sent a letter to the Federal Trade Commission urging a more aggressive approach to privacy protection. Senator Hawley outlined the many privacy violations by tech giants in recent years, including Facebook's failure to honor the promises it made when it acquired WhatsApp, Google's use of location data, and the disclosure of personal information to third parties by many platforms. "There is no excuse for inaction," Senator Hawley said. Earlier this year, EPIC joined a coalition of groups urging the FTC to unwind the Facebook-WhatsApp merger, citing promises the companies made at time of the merger. With the one-year deadline of the reopening of the Facebook investigation approaching, EPIC has launched the campaign #EnforceTheOrder, @FTC.
  • EPIC Launches #EnforceTheOrder, Urges FTC Action on Facebook » (Mar. 5, 2019)
    With the one-year deadline of the reopening of the Facebook investigation approaching, EPIC has launched the campaign #EnforceTheOrder. EPIC is urging the Federal Trade Commission to act before March 26, 2019. Many experts, including former FTC Chief Technology Officer Ashkan Soltani, Senator Richard Blumenthal, and former FTC Chair William Kovacic, have said that Facebook violated the consent order. EPIC has also joined with Color of Change, the Open Markets Institute and others to urge the FTC to impose a significant fine and also to break up the company, reform hiring and management practices, and install a director to represent users. Follow EPIC at @EPICprivacy for the latest on the campaign. Join us. Tweet why enforcement matters to you. Include #EnforceTheOrder @FTC @facebook.
  • FTC Announces Task Force on Competition in Tech » (Feb. 26, 2019)
    The FTC announced a new task force dedicated to monitoring U.S. technology markets and investigating anticompetitive conduct. FTC Chairman Joe Simons said "it makes sense for us to closely examine technology markets to ensure consumers benefit from free and fair competition." According to the FTC, the Technology Task Force will examine "prospective merger reviews" and will review "consummated technology mergers." EPIC objected to Facebook's acquisition of Whatsapp in 2014 and Google's acquisition of DoubleClick in 2007. EPIC has called on the FTC to require Google to divest Nest, after reports that the company hid listening devices in the home thermostat, and pressed the Commission to use its equitable authorities, including divestiture, to enforce consent orders.
  • UK Report Faults FTC Failure to Enforce Facebook Order » (Feb. 20, 2019)
    The UK House of Commons published the report "Disinformation and 'fake news'" following an eighteen-month investigation of Facebook. The report found that if Facebook had fully complied with the FTC settlement, Cambridge Analytica would not have happened. The UK report stated "It seems clear that Facebook was, at the very least, in violation of its Federal Trade Commission settlement." The FTC announced in March 2018 that it was reopening the Facebook investigation, following news that Cambridge Analytica improperly harvested the personal data of 87 millions users. Still no word from the FTC on how that one case is proceeding. In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order.
  • German Competition Authorities Impose Restrictions on Facebook for Privacy Violations » (Feb. 7, 2019)
    Germany's competition agency has imposed restrictions on Facebook's practice of combining user data from across its platforms, such as WhatsApp and Instagram, and prohibited the company from linking third-party data to specific Facebook user accounts. The agency President said, "Today data are a decisive factor in competition. In the case of Facebook they are the essential factor for establishing the company's dominant position." EPIC has long warned that data consolidation poses a significant threat to competition and innovation. EPIC opposed Facebook's 2014 acquisition of WhatsApp, warning that Facebook would use WhatsApp data on other platforms. In recent comments to the FTC, EPIC told the Commission that Facebook achieved its "dominance through unrivaled access to consumer data." And as early as 2008, EPIC warned that "dominant Internet firms are moving to consolidate their control over the Internet." EPIC continues to oppose platform consolidation, and recently filed an amicus brief, challenging Facebook's web tracking practices.
  • EPIC Joins Statement to Facebook, End Messenger for Kids » (Jan. 30, 2019)
    EPIC joined a letter with fourteen other public interest groups to Mark Zuckerberg, calling on the Facebook CEO to shut down Facebook Messenger Kids, and cease all child-targeted business operations. This coalition effort, led by Campaign for a Commercial-Free Childhood, follows reporting that Facebook made millions of dollars by intentionally duping kids into making accidental purchases while playing games. Last year, the groups called on the company to shut down Facebook Messenger Kids based on research linking adolescent social media use with depression, poor sleep habits, and unhealthy body image. Senators Markey (D-MA) and Blumenthal (D-CT) also wrote a letter to Zuckerberg requesting answers on children's use of Facebook. EPIC, civil rights, and open market groups recently urged the FTC to act on numerous violations of the 2011 Consent Order.
  • EU Receives 95,000 Privacy Complaints, Still No News from US FTC on Facebook Case » (Jan. 28, 2019)
    According to the European Commission, recent figures from the European Data Protection Board reveal that EU Data Protection Authorities have received more than 95,000 complaints from citizens across the continent. In a joint statement on International Privacy Day, the Commissioners said "Citizens have become more conscious of the importance of data protection and of their rights. And they are now exercising these rights, as national Data Protection Authorities see in their daily work." The European Data Protection Board also reported that the majority of the complaints were related to activities such as telemarketing, promotional e-mails, and video surveillance. In the United States, the Federal Trade Commission announced in March 2018 that it was reopening the Facebook investigation, following news that Cambridge Analytica improperly harvested the personal data of 87 millions users. Still no word from the FTC on how that one case is proceeding.
  • During Government Shut Down, Facebook Moves to Integrate WhatsApp User Data » (Jan. 25, 2019)
    The New York Times has reported that Facebook is planning to integrate WhatsApp, Facebook Messenger, and Instagram. Earlier this week, EPIC joined a coalition of groups urging the FTC to unwind the Facebook-WhatsApp merger, citing promises the companies made at time of the merger. In 2014, EPIC and the Center for Digital Democracy warned the Commission that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. The FTC responded to EPIC and CDD and told Facebook and WhatsApp "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC letter concludes "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." Last week, Senators Markey and Blumenthal expressed concern over the impact of the government shutdown on the FTC's investigation into Facebook. Next week, the House Commerce Committee will hold a hearing on the government shutdown's impact on the FTC's Facebook investigation.
  • EPIC, Open Markets, Civil Rights Groups Press FTC on Facebook Consent Order » (Jan. 23, 2019)
    EPIC joined a coalition of groups urging the FTC to issue strong penalties in Facebook matter. "Given that Facebook’s violations are so numerous in scale, severe in nature, impactful for such a large portion of the American public and central to the company’s business model, and given the company’s massive size and influence over American consumers, penalties and remedies that go far beyond the Commission’s recent actions are called for,” the letter stated. The groups said the FTC should 1) impose substantial fines; 2) establish structural remedies; 3) require compliance with Fair Information Practices; 4) reform hiring and management practices; and 5) restore democratic governance.
  • Senators Urge FTC to Act Against Facebook » (Jan. 18, 2019)
    In a letter to the Federal Trade Commission, Senators Ed Markey and Richard Blumenthal pushed the Commission to take swift action against Facebook, despite the government shutdown. "While we have repeatedly expressed concerns about the pace of this investigation, we fear that the current government shutdown further threatens the FTC's ability to complete this investigation," the Senators wrote. "When Americans' privacy is breached, they deserve a speedy and effective response." The letter comes nearly ten months after the FTC announced it would reopen an investigation into Facebook after EPIC's urging. Since then, EPIC has urged the Commission to act and has repeatedly highlighted Facebook's violations of the 2011 consent order in statements to Congress. The 2011 consent order followed an extensive complaint filed by EPIC and a coalition of consumer privacy organizations in 2009.
  • Supreme Court to Consider Open Government and Fourth Amendment in 2019 » (Jan. 11, 2019)
    The Supreme Court agreed today to hear two cases of interest to privacy and open government advocates. One case concerns the withholding of "confidential" information requested under the Freedom of Information Act. EPIC recently sued the Federal Trade Commission for information about Facebook's privacy practices, but the FTC has claimed the records are confidential and therefore should not be released. The second case, Mitchell v. Wisconsin, concerns a state law that permits law enforcement officers to draw blood from unconscious motorists without a warrant. EPIC routinely participates as amicus in Supreme Court cases concerning open government and privacy issues. Both cases are expected to be decided by the end of the Court's term in June.
  • Facebook Gave Personal Data to Third Parties Without Consent in Violation of FTC Consent Order » (Dec. 20, 2018)
    A New York Times investigation revealed that Facebook had deals with companies giving them access to personal data without meaningful user consent. These companies include Amazon, Sony, Microsoft, Yahoo, Spotify, and Netflix, as well as two companies considered security threats to the U.S.: Chinese smartphone manufacturer Huawei and Russian search engine Yandex. The deals Facebook made gave companies broad access to user data, including the the ability to read users’ private messages and access friend lists. EPIC and several consumer privacy organizations helped establish the 2011 consent order against Facebook, following a public campaign, and extensive complaints in 2009 and 2010. In March 2018, the FTC said it would reopen the Facebook investigation, but there is still no report, no findings and no fine. In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order. Several related EPIC complaints regarding Facebook are also pending at the FTC, including facial recognition.
  • EPIC Amicus: Unlawful Collection of Biometric Data Establishes Standing » (Dec. 18, 2018)
    EPIC has filed an amicus brief in a case concerning Facebook's collection of facial images in violation of the Illinois Biometric Information Privacy Act. In Patel v. Facebook, EPIC argued that the violation of the privacy law was sufficient for Facebook users to sue the company. EPIC said that that the legal doctrine of standing "simply requires plaintiffs to demonstrate that a defendant has invaded a concrete interest protected by the law—nothing more." Earlier in 2018, EPIC filed an amicus brief in Rosenbach v. Six Flags, another case about the Illinois biometric privacy law. EPIC routinely submits briefs in support of standing in privacy case. EPIC has also long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software.
  • Irish Court Finds Data Retention Law Violates Human Rights » (Dec. 11, 2018)
    The Irish High Court has ruled that Ireland's retention of telephone data violates European Law and the European Convention on Human Rights. The Communications Act, which requires all service providers to retain data for two years, is "general and indiscriminate." The Court also found insufficient safeguards for access to data, noting that the law did not require prior judicial and had few guarantees against abuse.The Court will now issue a final order to determine how the case will proceed. EPIC is participating DPC v. Facebook - an Irish High Court Case recently referred to the top European Court of Justice to determine whether Facebook's transfer of data from Ireland to the United States violates EU data protection law. EPIC has also petitioned the FCC to end a similar data retention mandate, arguing that it is inconsistent with international law.
  • In Facebook Case, Ninth Circuit Ignores Privacy Risks of Visits to Healthcare Websites » (Dec. 7, 2018)
    In a surprisingly brief opinion, the Ninth Circuit has upheld a decision to dismiss a privacy suit against Facebook concerning the collection of sensitive medical data. In Smith v. Facebook, users alleged that the company tracked their visits to healthcare websites, in violation of the websites' explicit privacy policies. In a little less than five pages, the Ninth Circuit decided that Facebook was not bound by the promises made not to disclose users' data to Facebook because Facebook has a provision, buried deep in its own policy, that allows Facebook to secretly collect such data. The court actually wrote that searches for medical information are not sensitive because the "data show only that Plaintiffs searched and viewed publicly available health information..." EPIC filed an amicus brief in the case, arguing that "consent is not an acid rinse that dissolves common sense." In 2011 Facebook settled charges with the FTC that it routinely changed the privacy settings of users to obtain sensitive personal data. The consent order resulted from detailed complaints brought by EPIC and several other consumer organizations.
  • Facebook Documents Raise New Questions About Consent Order Compliance » (Dec. 6, 2018)
    This week a British parliamentary committee released internal Facebook emails and documents. The documents revealed that Facebook concealed its decision to collect record of calls and texts on Android devices, in violation of privacy policies. An employee said of this decision: "This is a pretty high risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it." The documents also show that Facebook examined user data to determine which companies posed a threat, deciding to either target or acquire those firms. Last month, UK regulators released a report on the misuse of personal data by Cambridge Analytica for the Brexit vote. In 2011 EPIC, and other consumer privacy organizations obtained a far-reaching consent order against Facebook but the FTC has failed to enforce the legal judgment. In March, the FTC said it would reopen the Facebook investigation, but there is still no report, no findings and no fine. In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order.
  • EPIC Urges Senate To Examine FTC's Failure to Enforce Facebook Consent Order, Unwind WhatsApp Deal » (Nov. 26, 2018)
    EPIC has sent a statement to the Senate Commerce Committee in advance of a hearing on "Oversight of the Federal Trade Commission." EPIC told the Committee that the FTC should enforce the Facebook Consent Order and unwind the Facebook-WhatsApp deal. As EPIC previously told Congress, the Cambridge Analytica scandal could have been avoided if the FTC had enforced the Consent Order. That Order followed complaints by EPIC and consumer privacy organizations in 2009 and 2010. In 2014, EPIC urged the FTC to block Facebook's acquisition of WhatsApp. In 2016, EPIC filed a second complaint after Facebook broke commitments to the FTC and began collecting WhatsApp users' data. EPIC also highlighted the FTC's inaction in major privacy cases such as those against Uber, Facebook, and Google.
  • EPIC Challenges FTC's Withholdings of Records Regarding Irish Audits of Facebook » (Nov. 21, 2018)
    EPIC has submitted a Freedom of Information Act appeal challenging the Federal Trade Commission's withholdings of 42 pages of records about the Irish Data Protection Commissioner's inquiries regarding Facebook's compliance with the FTC Consent Order In response to EPIC's FOIA request the FTC released 413 pages of publicly available documents but withheld 42 pages in full under several exemptions, including an exemption protecting records compiled for law enforcement purposes. In 2011 the Irish Data Protection Commissioner initiated an audit of Facebook Ireland, a subsidiary of Facebook that is responsible for data protection for all Facebook users outside of the U.S. and Canada, to assess its compliance with both Irish Data Protection law and EU law. The 2011 audit found that the safeguards for third party applications did not ensure security for user data. The 2012 re-audit found a "satisfactory response" from Facebook regarding preventing third party applications from accessing unauthorized user information. Following the 2012 re-audit, the FTC and Irish Data Protection Commissioner signed a Memorandum of Understanding to mutually assist and exchange information to protect consumer privacy. Two years after the Irish Data Protection Commissioner determined a "satisfactory response," Cambridge Analytica improperly harvested the personal data of millions of users to use for political purposes. The FTC announced that it was reopening the Facebook investigation after the Cambridge Analytica scandal but to date, there has been no announcement, no report, and no fine. EPIC is holding FTC accountable to its 2011 consent order enforcement obligations in EPIC v. FTC seeking the full release of the Facebook Assessments and related records.
  • UK Privacy Commissioner Releases Report on Data Analytics and Political Campaigns » (Nov. 7, 2018)
    The UK Information Commissioner released a report on the misuse of personal data in the Brexit vote. The investigation "uncovered a disturbing disregard for voters' personal privacy" and found that the Leave.EU campaign and Cambridge Analytica both improperly harvested personal data. The Commissioner's office will fine the Leave.EU campaign and would fine Cambridge Analytica if the firm were not already in bankruptcy proceedings. The UK report proposes a code of practice for the use of personal data in political campaigns. Earlier this year, EPIC and a coalition of consumer groups urged the FTC to investigate the Facebook-Cambridge Analytica matter. In March, the FTC said it would investigate the matter, but there is still no report, no findings and no fine. In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order.
  • EPIC v. FTC: EPIC Obtains Facebook-FTC Emails About 2011 Consent Order » (Oct. 19, 2018)
    In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order. Following a detailed complaint by EPIC and other consumer privacy organizations, the FTC issued an order in 2011 that required biennial audits of Facebook's privacy practices. EPIC pursued public release of these reports and related emails to understand why the FTC failed to bring an enforcement action action against the company. Today the FTC released to EPIC 89 emails between the FTC and Facebook from the years 2011, 2012, 2013, 2014, 2015, 2016, 2017, and 2018. In March 2018, following the Cambridge Analytica data breach, the FTC announced it was reopening the Facebook investigation. To date, there is still no announcement, no report, and no fine.
  • EPIC v. FTC: EPIC Obtains Emails about Facebook Audits » (Oct. 15, 2018)
    In response to EPIC's Freedom of Information Act lawsuit, the FTC has released communications about Facebook's biennial audits. The audits are required by the FTC's 2011 Consent Order with Facebook, which followed a detailed complaint by EPIC and other consumer privacy organizations. The emails show that the FTC had concerns about the scope of Facebook's 2015 assessment, stating "PwC's report does not demonstrate whether and how Facebook addressed the impact of acquisitions on its Privacy Program." In other email, the FTC expressed similar concerns about the 2017 assessment and whether the audit evaluated the company's acquisitions impact on Facebook's privacy program. EPIC had previously opposed Facebook's acquisition of WhatsApp and submitted detailed comments for the FTC's review of the merger remedy process. In March 2018, following the Cambridge Analytica breach, the FTC announced it was reopening the Facebook investigation, but still there is no announcement, no report, and no fine.
  • Consumer and Privacy Organizations Propose Framework for U.S. Data Protection » (Oct. 9, 2018)
    EPIC joined a group of twelve consumer and privacy organizations that submitted a statement to the Senate Commerce Committee in advance of a consumer privacy hearing. The groups outlined a draft framework for data protection in the U.S., advocating that Congress (1) enact baseline federal data protection legislation; (2) limit government access to personal data; (3) establish algorithmic transparency and end discriminatory profiling; (4) prohibit “take it or leave it” and other unfair terms; (5) ensure robust enforcement; (6) promote privacy innovation; and (7) establish a data protection agency. EPIC also submitted a statement to the Committee that highlighted recent breaches at Google and Facebook and the FTC's failure to enforce its own consent orders.
  • FTC to Explore Competition and Consumer Protection Issues at Hearings this Week » (Sep. 12, 2018)
    The FTC is holding a hearing this week to examine the regulation of consumer data, the consumer welfare standard in antitrust law, and vertical mergers. This is the first in a series of hearings on "Competition and Consumer Protection in the 21st Century" that will examine how changes in the economy affect the FTC's enforcement priorities. EPIC and a coalition of consumer groups submitted extensive comments for the hearings. EPIC and the groups said that privacy protection is critical for competition and innovation. EPIC and the groups told the FTC that it should: 1) unwind the Facebook-WhatsApp deal; 2) require Facebook and Google to spin off their advertising units; 3) block future acquisitions by Facebook and Google that would extend monopoly control over consumer data; 4) impose privacy safeguards for all mergers that implicate data privacy; and 5) perform audits of algorithmic tools to promote accountability and to limit anticompetitive conduct. The FTC reopened the investigation of Facebook in March after EPIC and consumer groups filed a formal complaint, but has still taken no action. The UK Information Commissioner completed its initial investigation, published a report, and issued a substantial fine in July.
  • EPIC FOIA: EPIC Obtains Facebook Privacy Documents » (Sep. 12, 2018)
    In response to an EPIC Freedom of Information Act lawsuit, the Federal Trade Commission has released supplemental materials from the biennial Facebook audits (production 1, production 2, production 3, production 4). The audits were required by the FTC's 2011 Consent Order with Facebook. The documents include letters from the FTC to Facebook inquiring about Facebook's relationship with Instagram and telling the company that "whenever a corporate change such as an acquisition may affect the design and/or implementation of the Company's privacy program, the Company must notify the Commission." EPIC opposed Facebook's acquisition of WhatsApp and submitted comments for the FTC's review of the merger remedy process. FTC reopened its investigation into Facebook in March after EPIC, consumer groups urged action. The UK Information Commissioner completed its initial investigation, published report, and issued a fine in July. The FTC begins hearings this week on competition and consumer protection in the 21st century.
  • FTC Chair Seeks New Privacy and Data Security Authority » (Jul. 18, 2018)
    In testimony this morning before the House Energy and Commerce Committee, new Federal Trade Commission Chairman Joseph Simons said the FTC needs greater authority to protect consumers. Simons asserted that privacy and data security are now the top priority for the FTC, and signaled his support for data protection legislation that would accomplish three things: (1) provide civil penalties for companies that violated the law, (2) give the FTC jurisdiction over nonprofits and common carriers, and (3) provide the FTC with rulemaking authority for privacy and data security. EPIC submitted a statement prior to today's hearing emphasizing that the FTC must conclude its investigation of Facebook and issue a fine for its violations of the 2011 Consent Order and unwind the Facebook-WhatsApp deal.
  • For House Hearing, EPIC Urges FTC to Unwind WhatsApp Deal, Enforce Facebook Consent Order » (Jul. 17, 2018)
    EPIC has sent a statement to the House Energy and Commerce Committee in advance of a hearing on “Oversight of the Federal Trade Commission.” EPIC told the Committee to urge the new FTC leadership to enforce the Facebook Consent Order and unwind the Facebook-WhatsApp merger As EPIC previously told Congress, the Cambridge Analytica breach could have been avoided if the FTC had enforced its 2011 Consent Order against Facebook. That Order was the result of detailed complaints filed by EPIC and consumer privacy organizations in 2009 and 2010. In 2014, EPIC and the Center for Digital Democracy urged the FTC to block Facebook’s acquisition of WhatsApp unless appropriate privacy safeguards were put in place. In 2016, EPIC and CDD filed a second complaint after Facebook broke its privacy promises and began collecting WhatsApp users' data.
  • EPIC Asks FTC and EDPB to Suspend Transfer of Facebook User Data to Social Science One » (Jul. 13, 2018)
    EPIC has sent a letter to the Federal Trade Commission and the European Data Protection Board urging the suspension of a proposed study that will disclose user data to third parties without their consent. EPIC warned that the Social Science One project transfer likely violates the GDPR, as well as the FTC's 2011 Consent Order with Facebook, which bars Facebook from disclosing data to third parties without users' affirmative consent. The FTC announced in April that Facebook is under investigation over the transfer of personal data to Cambridge Analytica, a research organization affiliated with a prestigious university. In 2012, Facebook conducted a psychological experiment on its users by secretly manipulating their news feeds to examine the effects of social media on user emotions. The study was suspended after objections from EPIC, professional societies, and others. The Guardian reported that the "lack of 'informed consent' means that Facebook experiment on nearly 700,000 news feeds broke rules on tests on human subjects."
  • EPIC to European Data Protection Board: GDPR Certifications Should Uphold Rights Above Privacy Seals » (Jul. 12, 2018)
    In the first public consultation held by the European Data Protection Board, EPIC proposed a rights-based certification criteria for the General Data Protection Regulation. The Data Protection Board is now the lead privacy agency in Europe. EPIC explained the risks of self-regulatory certification mechanisms, pointing to TRUSTe and the Facebook audits obtained by EPIC that wrongly certified Facebook's compliance with the 2011 FTC Consent Order. EPIC said, certification mechanisms "must be developed by national DPAs and implemented in conformity with the fundamental principles and rights of the GDPR." EPIC has also advised the UK Information Commissioner's Office and the Irish Data Protection Commissioner on GDPR enforcement.
  • UK Data Watchdog Fines Facebook Maximum £500,000 for Cambridge Analytica Breach » (Jul. 11, 2018)
    The Information Commissioner's Office, the lead agency for data protection in England, has issued the maximum £500,000 fine on Facebook for failing to secure user data from Cambridge Analytica. ICO investigations found that Cambridge Analytica harvested 87 million Facebook users' personal data to target ads for political purposes, and that Facebook did not compel the deletion of this data to prevent further misuses. Facebook was charged with two violations of the UK Data Protection Act 1998: "failing to safeguard people's information [and] failing to be transparent about how people's data was harvested by others and why they might be targeted by a political party or campaign." ICO also told other companies that served online political ads during the EU Brexit Referendum to stop processing UK citizens' data. In March and April, EPIC told the FTC and Congress that the Cambridge Analytica breach could have been prevented if the FTC had enforced the 2011 Consent Order with Facebook. The FTC is currently investigating Facebook but has never imposed any fines against the company.
  • FTC Announces Another Privacy Settlement, But Again Imposes No Penalties » (Jul. 2, 2018)
    The FTC announced today that it settled charges with ReadyTech, a California company, for misrepresenting compliance with Privacy Shield, a self-certification arrangement that allows US companies to obtain the personal data of Europeans. The FTC settlement prohibits the company from making future misrepresentations about Privacy Shield compliance, but imposes no penalties and provides no remedy to European consumers whose personal data was wrongfully obtained. Last year, the FTC settled charges with three companies that misrepresented their participation in Privacy Shield, but similarly failed to impose penalties. The European Parliament's Civil Liberties Committee ("LIBE") recently passed a resolution stating that Privacy Shield does not protect European consumers, and called for its suspension if the U.S. does not comply by September 1, 2018. LIBE specifically called attention to the Cambridge Analytica breach of 87 million Facebook users. In March, EPIC told the FTC that the Cambridge Analytica breach could have been prevented if the FTC had enforced its 2011 Consent Order with Facebook.
  • Facebook's Response to Congress Provides More Evidence of Consent Order Violations » (Jul. 2, 2018)
    Late Friday afternoon, Facebook submitted over 700 pages of responses to questions from members of Congress following Mark Zuckerberg's testimony in April. Facebook has now admitted that it provided developers and device makers access to personal data despite publicly stating that it had discontinued the practice. In April EPIC submitted a detailed letter to Congress, explaining that the Cambridge Analytica breach could have been avoided if the FTC had enforced the 2011 Consent Order. That Consent Order was the result of extensive complaints EPIC and consumer organizations filed with the FTC in 2009 and 2010. In March, the Acting Director of the FTC stated "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." In a recent memo, FTC Commissioner Rohit Chopra stated that "FTC orders are not suggestions."
  • EPIC Urges Appeals Court to Protect Consumers Against Invasive Cookie Tracking Practices » (Jun. 27, 2018)
    EPIC has filed an amicus brief with the Ninth Circuit Court of Appeals in In re: Facebook, Inc. Internet Tracking Litigation. At issue is whether Facebook violated the privacy rights of users by tracking their web browsing even after they logged out of the platform. EPIC explained that cookies "no longer serve the interests of users" and instead "tag, track, and monitor users across the Internet." EPIC said a lower court wrongly concluded that users should develop countermeasures to assert their privacy rights. EPIC responded that it would be absurd to expect users to compete in a "technical arms race" when "Facebook's tracking techniques are designed to escape detection and the company routinely ignores users' privacy protections." EPIC first identified the privacy risks of cookie tracking in a 1997 report "Surfer Beware: Personal Privacy and the Internet." EPIC frequently participates as amicus curiae in consumer privacy cases, including hiQ Labs v. LinkedIn and Eichenberger v. ESPN.
  • In EPIC FOIA Case, FTC Releases New Information from Facebook Audits » (Jun. 26, 2018)
    In response to an EPIC Freedom of Information Act lawsuit, the Federal Trade Commission today released materials, previously withheld, from the biennial Facebook audits. The audits were required by the FTC's 2011 Consent Order with Facebook. Heavily redacted versions of those audits were previously available on the FTC's website. But in March, following the Cambridge Analytica breach, EPIC filed an urgent FOIA request for the complete 2013, 2015, 2017 Facebook audits. (The 2017 audit covers the period the Cambridge Analytica breach.) In a detailed letter to Congress in April, EPIC explained that the FTC failed to review the reports and failed to enforce the 2011 consent order against Facebook. The documents released today to EPIC contain information that was not previously available to the public. EPIC is currently reviewing the documents obtained from the FTC.
  • At Senate Hearing, Former FTC CTO States That Facebook Violated FTC Consent Order » (Jun. 19, 2018)
    In a Senate Commerce Committee hearing today on Facebook and data privacy, former FTC CTO Ashkan Soltani stated that Facebook violated the 2011 FTC Consent Order by transferring personal data to Cambridge Analytica and device makers contrary to user privacy expectations. Soltani said that Facebook continued to misrepresent the extent to which users could control their privacy settings and allowed device makers to override users' privacy settings. Senator Blumenthal and other members of Congress had previously said the company violated the Consent Order, which was the result of complaints filed by EPIC in 2009 and 2010. In a statement to the Committee in advance of the hearing, EPIC urged the Senate to focus on the FTC's failure to enforce the Consent Order with Facebook.
  • EPIC Urges Senate Committee to Focus on Consent Order with Facebook » (Jun. 19, 2018)
    EPIC has sent a statement to the Senate Commerce Committee outlining the FTC's failure to enforce the 2011 Consent Order with Facebook. The statement from EPIC is for a hearing on "Cambridge Analytica and Other Facebook Partners: Examining Data Privacy Risks." In 2009, EPIC and several consumer groups pursued a complaint, containing detailed evidence, legal theories, and proposed remedies to address growing concerns about Facebook's data practices. The FTC established a Consent Order in 2011, but failed to enforce the Order even after EPIC sued the agency in a related matter. In the statement to the Senate this week, EPIC contends that the FTC could have prevented the Cambridge Analytica debacle and Facebook's secret arrangements with device makers if the agency enforced the 2011 Order.
  • European Civil Liberties Committee: 'Privacy Shield' Should Be Suspended » (Jun. 12, 2018)
    Members of European Parliament are calling for the suspension of the EU-U.S. Privacy Shield if the U.S. does not comply in full by September 1, 2018. The Civil Liberties Committee ("LIBE") passed a resolution stating that the pact, which permits the flow of European consumers' personal data to the U.S, does not adequately protect privacy. LIBE urged US authorities to respond without delay to the Cambridge Analytica breach of 87 million Facebook users. The groups also expressed "strong concerns" about the CLOUD Act which permits US law enforcement to unilaterally access personal data stored in Europe. EPIC recently told the FTC that the Cambridge Analytica breach could have been avoided had the agency enforced a 2011 Consent Order that EPIC and a coalition of consumer privacy groups obtained.
  • Facebook Denied Attempt to Delay Review of EU-US Personal Data Transfers » (May. 3, 2018)
    The Irish High Court has denied Facebook's request to halt review of Data Protection Commissioner v. Facebookby Europe's top court. The case, which was recently referred to the European Court of Justice, concerns whether Facebook's transfers of personal data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the landmark 2015 decision that the US had insufficient privacy protections to allow transfer of Europeans' personal data. Ruling against Facebook's request to delay the case further pending appeal, the Irish court said EU data subjects could be harmed if the case were delayed, and that there were “considerable concerns” about Facebook's conduct in the case. EPIC was designated the US NGO amicus curiae in this case, and provided a detailed assessment of US privacy law.
  • EPIC, Coalition Call On Facebook to Stop Electioneering » (Mar. 28, 2018)
    EPIC joined Consumer Watchdog and a coalition of consumer organizations to urge Facebook to cease all campaign contributions and electioneering activity. The groups also recommended that Facebook retain Jimmy Carter and the Carter Center to audit Facebook's use of personal information for election advertisements. Last week, EPIC and a coalition of consumer groups called on the Federal Trade Commission to investigate Facebook. EPIC has also urged the Federal Election Commission to provide transparency for online political ads. EPIC is fully engaged in protecting the integrity of elections with its Project on Democracy and Cybersecurity.
  • State AGs Launch Facebook Investigation » (Mar. 26, 2018)
    A bipartisan group of 37 State Attorneys General is investigating Facebook's business practices and lack of privacy protections. "Businesses like Facebook must comply with the law when it comes to how they use their customers' personal data," Pennsylvania Attorney General Josh Shapiro said. "State Attorneys General have an important role to play in holding them accountable." The Federal Trade Commission also announced today that it is investigating Facebook. Senate Judiciary Chairman Grassley has also said there will be hearings on the Facebook matter when Congress returns.
  • U.K. Blocks WhatsApp From Transferring Data to Facebook » (Mar. 14, 2018)
    U.K. privacy officials have blocked WhatApp from transferring personal data to Facebook until the company complies with the GDPR, the new European privacy law. The Information Commissioner's Office found that WhatsApp's proposed data transfer would have violated the U.K. Data Protection Act. "People have a right to have their personal data kept safe," explained Commissioner Elizabeth Denham in a blog post. EPIC has twice urged the FTC to block WhatsApp's transfer of personal data to Facebook, but the FTC has failed to act. The FTC approved Facebook's acquisition of WhatsApp in 2014 after both companies assured the Commission and the public that they would protect users' privacy, but in 2016 WhatsApp announced that it would begin transferring the names and phone numbers of its users to Facebook. France blocked the data transfer and the EU fined Facebook $122 million for misleading European authorities about the data transfer.
  • Axios Poll: Public Wants Big Tech Regulated » (Feb. 28, 2018)
    A new Axios-SurveyMonkey poll found that 55% of Americans believe the government should do more to regulate tech companies such as Google and Facebook. The poll showed bipartisan support for increased regulation, with 45% of Republicans, 64% of Democrats, and 57% of Independents saying they are "more concerned" that the government will not go far enough to regulate tech. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger laws to protect their privacy. EPIC has also opposed mergers that threaten consumer privacy, including Facebook's acquisition of WhatsApp, Google's acquisition of DoubleClick, and Google's acquisition of Nest Labs.
  • EPIC Challenges Facebook Privacy Settlement » (Feb. 2, 2018)
    EPIC has filed an amicus brief with a federal appeals court urging the court to reject a proposed class action settlement over Facebook's practice of scanning private messages. EPIC challenged the settlement because it did not require Facebook to stop scanning private messages. In fact, the company can continue scanning messages by simply burying a notice on its website. Also, there was no compensation to Internet users for the prior violation of federal and state laws. EPIC is dedicated to class action fairness in privacy cases and has objected to many similar settlements that failed to provide actual benefits to Internet users. EPIC recently opposed a settlement with Google that allows the company to continue tracking web users. EPIC also opposed a settlement with Facebook in 2014 that allowed the company to continue an unlawful practice.
  • EPIC Joins Consumer and Health Groups, Urges Facebook to Scrap 'Messenger Kids' » (Jan. 30, 2018)
    EPIC, the Center for Commercial Free Childhood, and others have urged Mark Zuckerberg to shutter Facebook's "Messenger Kids" app. The groups cited rising concern about social media among adolescents and wrote it is irresponsible to encourage preschoolers to use Facebook products. Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have questioned Facebook about the Messenger Kids app. EPIC recently backed a campaign that led Mattel to cancel a device that spies on young children. EPIC also led efforts to require Facebook to respect the privacy rights of WhatsApp users.
  • European Court of Justice Grants Standing to Privacy Advocate But Bars Class Action under Austrian Law » (Jan. 30, 2018)
    The Court of Justice of the European Union, following an advisory opinion, has determined that Max Schrem's class action in Austria cannot proceed against Facebook, but individual privacy claims can. The Court granted Schrems standing, recognizing that "the activities of publishing books, giving lectures, operating websites," and similar activities does not entail the loss of "a user's status as a 'consumer.'" However, the Court found that "the consumer forum cannot be invoked" in "claims assigned by other consumers." The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member Max Schrems alleges that Facebook violated Europeans' privacy rights, including for transferring data to the U.S. intelligence community. Max Schrems recently launched NYOB to pursue class actions under the General Data Protection Regulation. In 2013, Max Schrems received the EPIC International Champion of Freedom Award.
  • European Court Adviser Says Facebook Privacy Class Action Barred » (Nov. 15, 2017)
    The opinion of a key adviser to the European Court of Justice holds that a class action cannot proceed against Facebook, but would permit individual privacy claims to move forward. The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member Max Schrems alleges Facebook violated Europeans' privacy rights, including for transferring data to the U.S. intelligence community. The opinion from Advocate General Bobek said a "consumer cannot invoke, at the same time as his own claims, claims on the same subject assigned by other consumers," citing the risk of consumers shopping for the most favorable forums. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also consider DPC v. Facebook, involving whether Facebook's data transfers from Ireland to the U.S. violate European Fundamental Rights. In 2013, Max Schrems received the EPIC International Champion of Freedom Award.
  • European Privacy Experts Press WhatsApp on Data Practices » (Oct. 27, 2017)
    The Article 29 Working Party, a group of European privacy experts, warned WhatsApp that it is still not complying with data protection law. Following Facebook's acquisition of WhatsApp, WhatsApp transferred users' personal data to Facebook, violating past privacy promises. In a letter to WhatsApp, Article 29 said "the information presented to users was seriously deficient as a means to inform their consent," and a WhatsApp must promptly establish "clear, comprehensive resolution." Backed by over a dozen US consumer groups, in 2016 EPIC filed a complaint with the FTC urging the agency to block Facebook's acquisition of WhatsApp if privacy safeguards were not put in place. The FTC wrote to both companies, explaining that their failure to honor privacy obligations could violate U.S. law.
  • EPIC Urges FTC To Strengthen Privacy Settlement With Uber » (Sep. 15, 2017)
    In detailed comments to the Federal Trade Commission, EPIC urged the FTC to strengthen a proposed settlement with Uber. The FTC's investigation and subsequent settlement was prompted by EPIC's 2015 complaint, which detailed Uber's secretive tracking of customers and surreptitious collection of user data. EPIC recommended that the FTC require Uber to end collection of customer data beyond what is necessary to provide the service and to mandate that Uber implement stronger privacy safeguards. As EPIC highlighted in the original complaint, Uber has a history of abusing consumer privacy. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. The FTC is obligated to consider public comments before finalizing a proposed settlement.
  • EPIC Urges Public Comments on FTC Settlement with Uber » (Sep. 6, 2017)
    EPIC is urging the public to comment on the proposed FTC settlement with Uber regarding consumer privacy. (Federal Register Notice). The FTC settlement follows EPIC's 2015 complaint, which detailed Uber's secretive tracking of customers and surreptitious collection of user data. The proposed settlement requires regular privacy audits of Uber by third parties but fails to make substantial changes in the companies business practices or require the company to delete the personal data that was wrongfully obtained. The deadline to file a comment with the FTC is September 15, 2017. The FTC is required to consider public comments before finalizing a proposed settlement. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC also recently filed an FTC complaint to stop Google from tracking in-store purchases.
  • Following EPIC Complaint, Uber Agrees To Stop Tracking Riders » (Aug. 29, 2017)
    Uber has ended the practice of tracking customers before and after they are picked up. In 2015, Uber announced the company would track the location of riders from the time they ordered a ride until after they had reached their destination. EPIC promptly filed a complaint with the FTC and stated that "This collection of user's information far exceeds what customers expect from the transportation service." The end to Uber's tracking of riders comes two weeks after Uber entered into a consent agreement with the FTC following a complaint filed EPIC that highlighted Uber's history of misusing customer data. But EPIC said the FTC settlement does not go far enough. "The FTC should have imposed stronger sanctions on Uber, required the company to disgorge the personal data it had unlawfully obtained, and required the company to restore the original privacy settings," said EPIC President Marc Rotenberg. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC recently filed an FTC complaint to stop Google from tracking in-store purchases.
  • News Report: FTC to Act on EPIC's Uber Complaint » (Jun. 15, 2017)
    According to news reports, the FTC is pursuing EPIC's privacy complaint regarding Uber. In 2015, EPIC filed a complaint with the Federal Trade Commission charging that Uber's plan to track users and gather contact details was an unlawful and deceptive trade practice. EPIC cited Uber's history of misusing customer data as one of many reasons the Commission should act. EPIC has previously pursued successful FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. The FTC complaints typically lead to settlements following a change in business practices. EPIC has also recommended comprehensive privacy legislation for Uber.
  • European Privacy Officials Raise Concerns About US Immigration Executive Order » (Feb. 22, 2017)
    The Article 29 Working Party, an expert group of European privacy officials, has raised concerns over a provision in the immigration Executive Order that would limit Privacy Act protections. The Working Party is seeking assurance from the US that the change will not threaten the privacy rights of non-US citizens established in the "Privacy Shield" and the Umbrella Agreement. EPIC is currently participating in Data Protection Commissioner v. Facebook, a case following a landmark decision that found insufficient legal protections for the transfer of European consumer data to the US.
  • UK Information Commissioner Suspends WhatsApp Data Transfer to Facebook » (Nov. 8, 2016)
    Facebook has agreed to suspend targeted advertising for UKWhatsApp users. The decision follows an investigation by UK Information Commissioner Elizabeth Denham. "I don't think WhatsApp has got valid consent from users to share the information," Denham stated. WhatsApp announced in August that it would transfer its users verified phone numbers to Facebook in violation of previous privacy promises. EPIC then filed a complaint with the FTC and more than a dozen US consumer groups backed the efforts. Then European Union privacy officials and officials in Spain, Germany, India, and Italy opened investigations. Back in the US, the Commission said it will "carefully review" EPIC's complaint. The FTC has previously stated, "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises."
  • Supreme Court Won't Review Privacy Violations by Facebook, Google » (Oct. 4, 2016)
    The U.S. Supreme Court has declined to review two important consumer privacy cases: K.D. v. Facebook, a suit challenging Facebook’s use of young childrens’ names and images in advertising without consent, and Gourley v. Google, a suit opposing Google’s covert use of web cookies to track browsing habits. In K.D., consumers urged the Supreme Court to review a Ninth Circuit opinion, which upheld a controversial settlement. EPIC filed an amicus brief in a companion case, Fraley v. Facebook, explaining that a settlement is unfair that allows a company to continue to engage in privacy violations. In Gourley, consumers asked the Court to overrule a Third Circuit decision holding that Google's exploitation of browser privacy loopholes did not violate the Wiretap Act or Stored Communications Act.
  • EPIC, CDD Charge WhatsApp Policy Change Unlawful, Urge FTC to Act » (Aug. 29, 2016)
    EPIC and the Center for Digital Democracy have filed a complaint with the FTC concerning WhatsApp’s plan to transfer user data, including personal phone numbers, to Facebook. This reversal contradicts WhatsApp’s previous promises to users that their personal information would not be disclosed and would not be used for marketing purposes. EPIC said that WhatsApp change in business practices is unlawful and that the FTC is obligated to act. EPIC previously filed a complaint with the FTC over Facebook’s acquisition of WhatsApp in 2014. In response, the FTC warned the two companies they must honor their privacy promises to users. The FTC has said "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises."
  • Facebook to Collect WhatsApp User Data, Violating FTC Order and Privacy Promises » (Aug. 25, 2016)
    WhatsApp has announced plans to disclose user information to Facebook, including phone numbers and other user data, that will be connected with Facebook profiles. Facebook purchased WhatsApp in 2014, and the companies promised users of the privacy-protective messaging service that “nothing” will change for WhatsApp users' privacy. EPIC filed a complaint with the FTC over the deal, and the FTC responded by warning the two companies that they must honor their privacy promises to WhatsApp users. The letter explained that failure to obtain users' opt-in consent before changing data practices would be an unfair and deceptive trade practice and violate Facebook’s FTC Consent Order. WhatsApp’s recent announcement indicates users will have 30 days to opt-out of data transfers to Facebook, in violation of the law and the FTC’s Order.  In 2012, EPIC and a coalition of consumer privacy organizations also led a successful effort at the FTC after Facebook changed the privacy settings of its users. As a result, Facebook is subject to an FTC consent order.
  • Federal Court Upholds Photo Tagging Suit Against Facebook » (May. 8, 2016)
    A federal judge has rejected Facebook's argument that the company did not violate an Illinois law that requires companies to obtain consent from consumers before collecting biometric data such as a "faceprint." Describing the biometric privacy law, the court said that Facebook's position was "antithetical to its broad purpose of protecting privacy in the face of emerging biometric technology." In 2011, EPIC filed a complaint with the Federal Trade Commission, arguing that the facial identification of users was an unfair and deceptive trade practice. In 2012, EPIC urged the FTC to suspend facial recognition "until adequate safeguards and privacy standards are established." Canada and Europe have since required Facebook to suspend the use of photo tagging.
  • Court Upholds Facebook Settlement, Allows Continued Use of Kids' Images in Ads » (Jan. 14, 2016)
    A federal appeals court has upheld a 2013 settlement agreement in Fraley v. Facebook, a consumer privacy class action involving Facebook's use of young children's names and images for advertising without consent. That practice is currently prohibited in seven states. Questions were also raised about the cy pres determinations. In dissent, Judge Bea stated that the "district court abused its discretion in approving the final settlement." In an amicus brief to the Ninth Circuit, EPIC urged the appeals court to overturn the deal, explaining that the settlement is unfair to class members and authorizes continued privacy violations. In 2010, EPIC and a coalition of consumer privacy organizations filed an extensive complaint with the Federal Trade Commission that eventually required Facebook to improve its privacy practices.
  • FTC Issues Enforcement Policy Statement on Deceptive "Native" Advertising » (Dec. 22, 2015)
    The FTC has issued an enforcement policy statement on the use of "native" advertisements and other deceptive advertising that appear to be non-advertising content. The FTC's statement affirmed that ads must clearly be identifiable to consumers as advertising and not editorial content. EPIC previously filed an amicus brief in Fraley v. Facebook objecting to Facebook's "Sponsored Stories" that implied the user endorsed the brand to their friends. EPIC's prior complaint to the FTC regarding Facebook's privacy practices helped establish privacy rules for the social media network.
  • European Court of Justice Hears Case Challenging "Safe Harbor" Agreement and NSA Spying » (Mar. 24, 2015)
    The Court of Justice for the European Union heard arguments this week in Maximilian Schrems v. Data Protection Commissioner, a case filed in Ireland following the revelations of the NSA PRISM program. At issue is whether the disclosure of EU citizens' data by Facebook and other Internet companies to the NSA violates the EU Charter of Fundamental Rights, and whether the EU-US "Safe Harbor" agreement provides "adequate" data protection. A decision is likely later this year. Schrems is the recipient of the 2013 EPIC International Privacy Champion Award.
  • EPIC Files Comments with FTC on Merger Review and Consumer Privacy » (Mar. 18, 2015)
    EPIC, along with 26 technical experts and legal scholars, has submitted extensive comments for the FTC's review of the merger remedy process. EPIC urged the Commission to consider the privacy risks to consumers that result from the merger of big data firms. The comments detailed EPIC's efforts, over 15 years, to warn the FTC about such mergers as Abacus and DoubleClick, then DoubleClick and Google, AOL and Time Warner, and most recently Facebook and WhatsApp. EPIC urged the FTC to asses both competitive and privacy impacts of merger, and to enforce privacy commitments prior to granting merger approval.
  • Facebook Modifies User Privacy Policy » (Jan. 2, 2015)
    Facebook has modified its privacy and data use policies, effective January 1, 2015. Facebook will now allow advertisers to include a “buy” button directly on targeted advertisements on a user’s page. Facebook will also allow advertisers to use the location data gathered from tools like “Nearby Friends” and location "check-ins” to push geolocation-based targeted advertisements. For instance, a Facebook user who checks in near a restaurant that partners with Facebook may now be shown menu items from that restaurant. Last month, the Dutch data protection commission announced that it planned to open an investigation into Facebook’s policy modifications. In July 2014, EPIC and a coalition of consumer privacy groups urged the FTC to halt Facebook’s plan to collect web-browsing information from its users. Facebook is already under a 20 year consent decree from the FTC that requires Facebook to protect user privacy. The consent decree resulted from complaints brought by EPIC and a coalition of consumer privacy organizations in 2009 and 2010. For more information, see EPIC: Facebook Privacy; and EPIC: FTC.
  • Facebook Revises Privacy Policy » (Dec. 5, 2014)
    Facebook has again revised its privacy policy. Despite the new graphics, Facebook continues to collect and disclose enormous amounts of user data without meaningful consent. The use of location data has expanded dramatically. "We collect information from or about the computers, phones, or other devices where you install or access our Services," states Facebook. These include "device locations, including specific geographic locations, such as through GPS, Bluetooth, or Wi-Fi signals." Facebook is currently under a 20 year consent decree with the Federal Trade Commission as a consequence of a complaint brought by EPIC and coalition of consumer privacy organizations when the company changed the privacy settings of users. More recently consumer organizations in the US and Europe have objected to Facebook's decision to track the web activities of users and to profile offline purchase. Privacy groups have also objected to Facebook's manipulation of user news feeds. For more information, see EPIC: Facebook and EPIC: In re Facebook.
  • Post-Snowden, Social Media Users Concerned About Access to Personal Data » (Nov. 13, 2014)
    According to the Pew Research Report "Public Perceptions of Privacy and Security in the Post-Snowden Era," most users of social media are very concerned about businesses and government accessing their personal data. 80% of adults "agree" or "strongly agree" that Americans should be concerned about the government's monitoring of phone calls and internet communications. 64% believe there should be more regulation of advertisers. Almost all users rank their social security number as the most sensitive piece of personal data. EPIC has asked the House Committee on Homeland Security to suspend a DHS program that is monitoring social networks and media organizations. EPIC has recommended that the FTC to establish privacy protections for online advertising. EPIC has also urged the US Congress over many years to limit the use of the Social Security Number for commercial purposes. For more information, see EPIC: Public Opinion on Privacy, EPIC: Facebook Privacy, EPIC: Social Media Monitoring, and EPIC: Social Security Numbers.
  • European Facebook Users Privacy Lawsuit Moves Forward » (Aug. 26, 2014)
    A group of over 25,000 European Facebook users may proceed with their lawsuit against Facebook. The users, led by privacy activist Max Schrems, sued Facebook in a court in Vienna. The users charge Facebook with violating EU privacy law by improperly handling users' data. Now that the court has approved the class action suit, Facebook must respond to the complaints. In 2011, Schrems brought a similar lawsuit against Facebook in an Irish court. In the same year, Facebook signed a consent order with the Federal Trade Commission, following a complaint filed by EPIC and a group of American consumer privacy organizations. EPIC has also filed an amicus brief in a federal class action lawsuit, opposing Facebook's use of children's images for advertising purposes. In 2013, EPIC gave the International Privacy Champion Award to Max Schrems, calling him "an innovative and effective spokesperson for the right to privacy." For more information, see EPIC: In re Facebook.
  • EPIC, Consumer Groups Challenge Facebook on Web Snooping » (Jul. 29, 2014)
    EPIC, along with a coalition of consumer groups, has urged the Federal Trade Commission to block Facebook's plan to collect users' web browsing history. Facebook recently announced plans to collect user data from sites all over the web. But the practice may violate a Federal Trade Commission order prohibiting Facebook from changing its business practices without users' express consent. The groups asked the FTC "to act immediately to notify the company that it must suspend its proposed change in business practices to determine whether it complies with current U.S. and EU law." EPIC has also filed a FOIA request, seeking the FTC's communications with Facebook about this change. For more information, see EPIC: Facebook Privacy, EPIC: Online Tracking and Behavioral Privacy, and EPIC: FTC.
  • Following EPIC Complaint, Senator Seeks Investigation of Facebook User Manipulation Study » (Jul. 17, 2014)
    Senator Mark Warner has asked the Federal Trade Commission to investigate the legality of Facebook's emotional manipulation study. In a letter to the Commission, Senator Warner stated that "it is not clear whether Facebook users were adequately informed and given an opportunity to opt-in or opt-out." He asked the FTC to conduct an investigation to see "if this 2012 experiment violated Section 5 of the FTC Act or the 2011 consent agreement with Facebook," two issues raised in EPIC's earlier complaint. "The company purposefully messed with people's minds," wrote EPIC in a complaint to the Commission. EPIC charged that Facebook violated a consent decree that required the company to respect user privacy and also engaged in a deceptive trade practice. EPIC has asked the FTC to require that Facebook make public the News Feed algorithm. For more information, see EPIC: In re Facebook, EPIC: In re Facebook (Psychological Study), and EPIC: FTC.
  • FTC Releases 2014 Data Security Update, But Enforcement Questions Remain » (Jul. 1, 2014)
    The Federal Trade Commission has released the 2014 Privacy and Data Security Update. The report is "an overview of the FTC's enforcement, policy initiatives, and consumer outreach and business guidance in the areas of privacy and data security." In the report, the FTC explains that "If a company violates an FTC order, the FTC can seek civil monetary penalties for the violations." However, the FTC has consistently failed to enforce consent orders with Google, Facebook, and other companies that have engaged in unfair or deceptive trade practices. The Commission has also failed to modify proposed settlement agreements after seeking public comment. For more information, see EPIC: FTC, EPIC: Facebook Privacy, and EPIC: In re: Google Buzz.
  • Facebook to Profile User Browsing, May Violate FTC Consent Order » (Jun. 12, 2014)
    Facebook has announced that it will collect detailed browser history on users for advertising purposes. Users who object were told to opt-out. The plan may violate a Federal Trade Commission order, prohibiting Facebook from changing its business practices without users’ express consent. The FTC order follows from complaints filed by EPIC and other consumer privacy organizations in 2009 and 2010. In issuing the order, the FTC found that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." A recent Consumer Reports poll found that consumers overwhelmingly object to having their online activities tracked for advertising purposes. For more information, see EPIC: Facebook Privacy, EPIC: FTC Facebook Settlement, EPIC: Online Tracking and Behavioral Profiling, and EPIC: Practical Privacy Tools.
  • Privacy Case Moves Forward Against Facebook and Zynga » (May. 9, 2014)
    The Ninth Circuit found that the companies may have violated Facebook's privacy policies when they disclosed user information for advertising purposes. Separately, the court ruled that there was no violation of the Electronic Communications Privacy Act because the data disclosed (including Facebook IDs and HTTP referers) is not "contents" of a communication. Congress is set to consider several ECPA reforms, and could fix the court's ruling by making clear that the law prevents the disclosure of personally identifiable information. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Facebook Privacy.
  • Facebook Introduces New Privacy Features » (May. 1, 2014)
    Amidst growing concern about Facebook's disclosure of user information to third parties, the company has announced two new privacy options. Users may now decide how much of their information to disclose to Facebook apps before signing up. Users may also test apps anonymously - without transmitting the Facebook User ID to the developer. The changes appear to be a response to the 2011 Consent Order, pursued by EPIC and a coalition of privacy organization, that requires the company to obtain express affirmative consent from users before disclosing personal information to third parties. In the first report on Internet privacy, "Surfer Beware: Personal Privacy and the Internet" (1997), EPIC said web sites should "support anonymity while developing policies and practices to protect information privacy." For more information, see EPIC: Facebook Privacy, EPIC: Internet Anonymity, and EPIC: FTC.
  • Facebook Removes Crucial Privacy Setting for Users’ Names » (Oct. 11, 2013)
    Facebook has begun removing a privacy setting that allowed users to opt-out from their name being included in its “Graph Search” feature. All users, even those who had previously decided to remove their name from searches, will now be included in Graph Search results. Facebook is currently under a 20 year consent decree from the FTC that requires express affirmative consent from users before disclosing personal information which exceeds the restrictions imposed by users' privacy settings. Facebook announced the change last year, at which point EPIC warned about the consequences of Facebook removing privacy settings for its users. In 2012, EPIC sent a letter to Facebook requesting a reversal of policy changes that automatically shared users’ private information. For more information, see EPIC: Facebook and EPIC: In re Facebook.
  • Pressure Mounts on Facebook to Withdraw Proposed Changes, New Scrutiny of "Faceprints" » (Sep. 13, 2013)
    Facebook is under increasing pressure to withdraw proposed changes that would allow the company to use the names, images, and content of Facebook users for advertising without consent. After EPIC and several privacy groups wrote to the Federal Trade Commission that the changes would violate a 2011 Consent Order, the Commission has opened an investigation. Senator Ed Markey also wrote to the FTC, stating that Facebook's changes "raise[] a number of questions about whether Facebook is improperly altering its privacy policy without proper user consent and, if the changes go into effect, the degree to which Facebook users will lose control over their personal information." Senator Al Franken has called on Facebook to reconsider expansion of its facial recognition activity. In a letter to Mark Zuckerberg, Senator Franken asked "How many face prints does Facebook have?" For more information, see EPIC: EPIC: Federal Trade Commission and EPIC: Facebook Privacy.
  • EPIC, Privacy Groups, Urge FTC to Block Facebook Policy Changes » (Sep. 5, 2013)
    EPIC, joined by several leading privacy and consumer protection organizations, has called on the Federal Trade Commission to enforce the terms of a 2011 settlement with Facebook. Facebook recently announced changes that would allow the company to routinely use the names, images, and content of Facebook users for commercial advertising without consent. The changes arise from a flawed class action settlement over Facebook’s Sponsored Stories program. In the letter, the privacy groups explain that Facebook’s changes violate the terms of a 2011 settlement with the FTC. For more information, see EPIC: Federal Trade Commission and EPIC: Facebook Privacy.
  • EPIC Pursues Public Release of Facebook and MySpace Privacy Reports » (Apr. 26, 2013)
    EPIC has submitted Freedom of Information Act requests for the release of the privacy assessments of Facebook and MySpace submitted to the Federal Trade Commission. As a result of privacy violations, both companies are required to implement comprehensive privacy programs and submit to independent, biennial evaluations for 20 years. Previously, EPIC obtained a copy of Google's initial privacy assessment that redacted information about the standards by which the assessment was completed, the test procedures used to assess the effectiveness of Google's privacy controls, the procedures Google uses to identify privacy risks, and the types of personal data Google collects from users. The FTC settlements with Facebook and Google arose from complaints brought by EPIC and other consumer organizations. In comments to the agency on the proposed settlements, EPIC recommended that the privacy assessments be publicly available. For more information, see EPIC: Federal Trade Commission and EPIC: Open Government.
  • Court Denies Appeal in Cy Pres Matter Over Objection that Settlement Fails to Provide Relief to Class Members » (Feb. 28, 2013)
    The Ninth Circuit has refused to hear an appeal in a case involving a class-action lawsuit over Facebook’s Beacon program, which disclosed personal information without user consent. "Cy pres" ("as near as possible") is a legal doctrine that allows courts to allocate funds to protect the interests of individuals when there is a class action settlement. Courts typically provide cy pres awards that reflect the reason for the litigation and are aligned with the interests of class members. In the Facebook case the court chose instead to provide the funds to a new foundation created by Facebook, which was appealed. Six judges dissented from the denial, writing that "the majority in this case creates a significant loophole in our case law that will confuse litigants and judges, while endorsing cy pres settlements that in no way benefit class members." EPIC previously highlighted the dangers of improper cy pres distributions in settlements. For more information, see EPIC: Fraley v. Facebook, EPIC: Lane v. Facebook, and EPIC: In re: Google Buzz.
  • Instagram Retreats on Changes to Terms of Service, Cites User Opposition » (Dec. 21, 2012)
    Instagram announced that it would withdraw proposed changes to its terms of service announced earlier this week. Instagram backed off a plan to use the names, images, and photos of users for advertising purposes, pleading instead to "complete our plans, and then come back to our users and explain how we would like for our advertising business to work." Instagram's parent company, Facebook, is bound by the terms of a settlement with the Federal Trade Commission, initiated in 2009 by EPIC and other consumer privacy organizations, that prohibits the company from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. A recent letter to Facebook CEO Mark Zuckerberg from EPIC and the Center for Digital Democracy warned that Facebook's proposed changes would adversely affect Instagram users. For more information, see EPIC: Facebook, EPIC: In re Facebook, and EPIC: FTC.
  • Instagram Privacy Change Raises Legal Questions » (Dec. 18, 2012)
    Instagram recently announced several changes to the terms of service that will allow the company to use pictures in advertisements without notifying or compensating users, and to disclose user data to Facebook and to advertisers. Instagram also proposed that the parents of minors implicitly consent to the use of their childrens' images for advertising purposes. The changes The changes will take effect January 16, 2013, and will not apply to pictures uploaded before that date. Instagram’s parent company, Facebook, is under a 2011 consent order with the Federal Trade Commission that that prohibits the company from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users’ personal information. Using an individual’s name or likeness for commercial purposes without consent is also prohibited in most states. EPIC had recently urged Facebook users to vote for "Existing Documents," warning that under the changed terms of service, Facebook would loosen privacy controls and that would impact Instagram. For more information, see EPIC: Facebook and EPIC: FTC.
  • Facebook Updates Privacy Controls, Removes Profiles Safeguard » (Dec. 13, 2012)
    Facebook announced changes to its privacy controls and the privacy settings of its users. The changes include settings that allow users to choose which information apps can access and disclose, and a privacy shortcuts menu. But Facebook also removed an option that allowed users to hide themselves from strangers through Facebook’s search function. The changes follow an election conducted by Facebook in which 88 percent of voters opposed changing the privacy policy and voting rights of users. EPIC previously wrote to the Federal Trade Commission regarding the blanket disclosure features of certain apps and the proposal to end the voting part of the site governance process Facebook. Facebook is currently subject to a settlement with the FTC over privacy violations. For more information, see EPIC: Facebook and EPIC: In re Facebook.
  • 88% of Facebook Users Oppose Changes to Privacy Policy and Voting Rights, EPIC Urges FB to Withdraw Proposal » (Dec. 10, 2012)
    Preliminary results from the recent Facebook Site Governance Vote, indicate that 589,141 Facebook users voted to keep the existing Statement of Rights and Responsibilities and Privacy Policy. Only 79,731 voted for the proposed changes. In the largest vote in Facebook history, approximately 88% of users who voted favored the existing documents. EPIC and the Center for Digital Democracy earlier wrote FB CEO Mark Zuckerberg, recommending that the proposal be withdrawn. In 2009, Facebook withdrew proposed changes to the Terms of Service after 150,000 users formed a group "FB Users Against the New TOS." In 2007, FB backed off "Beacon," a controversial marketing technique, when 50,000 users signed a petition. Facebook is currently under a consent order with the US Federal Trade Commission. For more information, see EPIC: Facebook.
  • EPIC Urges Vote for EXISTING Facebook Documents » (Dec. 4, 2012)
    Facebook has proposed changes to its policies that would (1) end user voting, (2) remove spam blocking, and (3) share FB user data with affiliates without user consent. EPIC and others are urging Faceboook users to participate in the Facebook Governance Vote and to vote for EXISTING documents. Anyone with a Facebook account can VOTE HERE. #existingdocuments
  • Privacy Groups Ask Facebook to Withdraw Proposed Changes » (Nov. 26, 2012)
    EPIC, along with the Center for Digital Democracy, has asked Facebook to withdraw proposed changes that will impact the privacy of users and their ability to participate in site governance. Facebook recently proposed to end the voting part of the site governance process, restrict users' ability to prevent unwanted messages, and combine personal information from Facebook with Instagram. In the letter, the groups say "[b]ecause these proposed changes raise privacy risks for users, may be contrary to law, and violate your previous commitments to users about site governance, we urge you to withdraw the proposed changes." Facebook users may also comment directly on the proposed changes. Facebook is subject to the terms of a recent settlement with the Federal Trade Commission that prohibits the company from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook.
  • Consumer Groups Ask FTC to Investigate Facebook-Datalogix Data-Matching Arrangement » (Sep. 27, 2012)
    EPIC, joined by the Center for Digital Democracy, has asked the Federal Trade Commission to investigate whether Facebook's data-matching arrangement with Datalogix violates a settlement between the FTC and Facebook. Facebook is matching the personal information of users with personal information held by Datalogix. The settlement, adopted in August, prohibits Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users’ personal information. EPIC had previously asked the FTC to determine whether "Timeline," which made archived user data widely available, or biometric tagging of user photos violated the terms of the consent order. The FTC has not made a determination on the EPIC Timeline request, and Facebook has suspended facial recognition in the US. For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Datalogix.
  • Facebook Ceases Facial Recognition in European Union » (Sep. 21, 2012)
    The Irish Data Protection Commissioner issued a report finding that Facebook has implemented many of the Commissioner’s recommendations, such as halting the automatic use of facial recognition through "tag suggestions." Facebook has agreed to give users the choice over the use of facial recognition, to grant users access to their facial recognition template, and to delete the facial recognition data of EU citizens by October 15. The report also found that Facebook had implemented recommendations for improving transparency, enhancing the ability for users to delete data, and allowing users to access their data. On recommendations concerning user education, data deletion, and as targeting based on sensitive terms, the report found that "full implementation has not yet been achieved but is planned to be achieved by a specific deadline." The Federal Trade Commission recently adopted a proposed settlement with Facebook that prohibits Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In November 2011, EPIC recommended that the FTC prevent Facebook from creating facial recognition profiles without users' consent. In February 2012. EPIC recommended "the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established." For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Facial Recognition.
  • Judge Rejects Settlement in Facebook "Sponsored Stories" Case » (Aug. 21, 2012)
    A federal judge has rejected a proposed settlement in a class-action lawsuit about Facebook's unapproved use of user images for advertising purposes. The judge, who had previously expressed skepticism about the terms of the settlement, wrote that the plaintiffs had not justified the lack of direct monetary payments to Facebook users, nor had they explained how users will receive an economic benefit from being able to opt out of future endorsements. EPIC and several consumer privacy organizations opposed the settlement, saying that there was little benefit to Facebook users and that the cy pres allocation was not aligned with the interests of the class. In 2009 and 2010 EPIC and a coalition of consumer privacy organizations brought a successful complaint to the Federal Trade Commission that resulted in a significant consent order. In a letter to the court following the recent court order, EPIC explained that the FTC settlement had produced far greater benefits for Facebook users. For more information, see EPIC: In re Facebook.
  • FTC Finalizes Settlement with Facebook » (Aug. 10, 2012)
    The Federal Trade Commission has finalized the terms of a settlement with Facebook first announced in November of 2011. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In comments filed with the FTC, EPIC recommended strengthening the settlement by requiring Facebook to restore the privacy settings users had in 2009; giving users access to all of the data that Facebook keeps about them; preventing Facebook from creating facial recognition profiles without users’ consent; and publicizing the results of the government privacy audits. Although the FTC decided to adopt the settlement without any modifications, in a response to EPIC, the Commission said that facial recognition data is included within the settlement's definition of "covered information," that the audits would be publicly available to the extent permitted by law, and that the terms of the settlement "are broad enough to address misconduct beyond that expressly challenged in the complaint." Commissioner Rosch dissented from the final settlement, citing concerns that the provisions might not adequately cover deceptive statements made by Facebook apps. For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission.
  • Judge Skeptical of Facebook Settlement » (Aug. 3, 2012)
    At a preliminary hearing on a proposed settlement involving Facebook "sponsored stories," Judge Seeborg expressed skepticism about the deal, wondering if there was any actual benefit to Facebook users. The deal, which had been endorsed by some groups funded by Facebook, was opposed by EPIC and several consumer privacy organizations. In 2009, EPIC and a coalition of consumer privacy organizations brought a successful complaint to the FTC that resulted in a significant consent order. For more information, see In re Facebook.
  • Illinois Becomes Third State to Prohibit Employers from Demanding Facebook Information » (Aug. 2, 2012)
    Illinois Governor Pat Quinn has signed a bill that will prohibit employers from seeking the social network usernames and passwords of others. The Right to Privacy in the Workplace Act takes effect on January 1, 2013, and will result in Illinois joining Maryland and Delaware as the third state that protects the social network privacy of employees and job applicants. For more information, see EPIC: Workplace Privacy and EPIC: Facebook Privacy.
  • EPIC Objects to Facebook Settlement, Cites Failure to Benefit Class Members » (Jul. 13, 2012)
    EPIC has asked a federal judge to reject a pending class action settlement concerning Facebook, stating that it does not actually benefit Facebook users. In one letter to the court, EPIC explained that the settlement does not fix the problem with "Sponsored Stories." In a second letter, joined by consumer, privacy, and academic organizations, EPIC said that "cy pres" funds should be distributed according to objective criteria, as courts have done in other similar cases. (Cy pres allows courts to allocate funds in class action settlements.) In 2009, EPIC led a coalition of consumer and privacy organizations that was responsible for the FTC's privacy settlement with Facebook.] And EPIC has routinely represented the interests of Facbeook users. For more information, see EPIC: Facebook Privacy.
  • EPIC Calls On FTC to Investigate Facebook Email Changes » (Jun. 27, 2012)
    EPIC has asked the Federal Trade Commission to review Facebook's decision to change the default email address of Facebook users. The company recently removed email addresses, selected by users, with a @facebook.com address assigned by Facebook. EPIC asked the FTC to review this practice as it finalizes the terms of a settlement with Facebook. "Facebook's willingness to disregard user choice . . . raise[s] important questions about the company's ability to comply with the terms of the proposed Consent Order," EPIC wrote. EPIC also said that the change is a deceptive business practice because Facebook did not tell users that their preferred email address could be removed by the company. And EPIC noted that the change would result in user email being sent to Facebook's servers that would otherwise have gone to the user's email service. The FTC's settlement with Facebook follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. The settlement would bar Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement.
  • Facebook Acquires Facial Recognition Company Face.com » (Jun. 20, 2012)
    Facebook announced the acquisition of Face.com, a facial recognition technology company and long-time business partner of Facebook. Facebook uses an automatic facial recognition system, called "tag suggestions," to create a database of users' biometric information. Last year, EPIC filed a complaint with the Federal Trade Commission, stating that Facebook created biometric profiles of users without their explicit consent, failed to provide a clear mechanism for the deletion of these profiles, and failed to take adequate safeguards to ensure that users' biometric information would not be accessible to government agents and other third parties. In recent comments to the FTC, EPIC recommended the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established. For more information, see EPIC: Facial Recognition and EPIC: Facebook and Facial Recognition.
  • Facebook Users Force Vote on Privacy Changes » (May. 22, 2012)
    Facebook users have registered enough comments on Facebook's proposed privacy changes to force a vote on the issue. A provision in Facebook’s Statement of Rights and Responsibilities states that Facebook will allow users to vote on proposed alternatives if more than 7,000 users comment on a proposed change. The vote is binding if "more than 30 percent of all active registered users as of the date of the notice vote." Facebook's Data Use Policy accumulated 10,500 comments in English. The group Europe v. Facebook generated 30,000 comments on the German version of the page. The FTC recently issued a proposed settlement with Facebook that follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement.
  • Following Maryland, Congress and California Consider Bills Banning Employers From Asking for Facebook Passwords » (May. 1, 2012)
    Reps. Eliot Engel (D-NY) and Jan Schakowsky (D-IL) introduced the Social Networking Online Protection Act, a bill that would prohibit employers, colleges, universities, and K-12 schools from seeking usernames or passwords for the social media accounts of employees or students. Similar legislation was introduced in California. Maryland became the first state to ban employers from asking employees or applicants for social networking passwords. Senators Blumenthal and Schumer have asked the Equal Employment Opportunity Commission and the U.S. Department of Justice to investigate the practice. For more information, see EPIC: Workplace Privacy and EPIC: Facebook Privacy.
  • Facebook Asks for Feedback after Policy Changes » (Apr. 23, 2012)
    Facebook has re-opened its Statement of Rights and Responsibilities for comment after making changes to the original document. Although users’ personal data can still be accessed by the apps of their friends, Facebook clarified that users could prevent this by changing the “Apps and Websites” settings. Facebook also deleted a provision reserving the right to “exclude or limit the provision of any service or feature in our sole discretion” in certain geographic areas after users raised concerns about censorship. The FTC recently issued a proposed settlement with Facebook after finding that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 and bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In comments filed with the FTC, EPIC recommended that Facebook restore the privacy settings that users had in place when the violations occurred. In response to Facebook's prior policy change, EPIC noted that the data-disclosure practices of applications implicated issues that led the creation of the consent order. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement.
  • Facebook Offers Revised “Download Your Information” Option » (Apr. 12, 2012)
    The New York Times reported that Facebook would provide users with a downloadable archive containing many types of data that the company stores about users. Although the new archive contains more user information than Facebook first offered in 2010, Max Schrems, the German law student and founder of Europe v. Facebook, said that Facebook is still only providing 39 of 84 data categories. EPIC called on Facebook to give users full access to all of the data that the company keeps about them through EPIC’s Know What They Know campaign. In comments on a settlement between Facebook and the Federal Trade Commission, EPIC recommended that the FTC require Facebook to give users full access to their data. For more information, see EPIC: Facebook Privacy and EPIC: Know What They Know.
  • Maryland Passes Bill Banning Employers from Demanding Facebook Information » (Apr. 11, 2012)
    The Maryland legislature passed the first bill banning employers from asking employees or applicants for social networking passwords. The bill was introduced after Robert Collins, an employee at the Department of Public Safety and Correctional Services, was asked to turn over his Facebook password as part the process of being reinstated as a corrections officer. Recently, Senators Blumenthal and Schumer asked the Equal Employment Opportunity Commission and the U.S. Department of Justice to investigate the practice of employers asking job applicants to surrender user names and passwords for social networking sites like Facebook. For more information, see EPIC: Workplace Privacy and EPIC: Facebook Privacy.
  • Senators Call for Investigation into Employer Demands for Facebook Passwords » (Mar. 26, 2012)
    Senators Blumenthal and Schumer asked the Equal Employment Opportunity Commission and the Department of Justice to investigate the practice of employers asking job applicants to surrender Facebook user names and passwords. The Senators pointed out that accessing an applicant's profile could reveal sensitive information that employers are not permitted to ask about or base hiring decisions on. Thus, employers could be violating the Civil Rights Act and other federal laws, including the Stored Communication Act and the Computer Fraud and Abuse Act, which prohibit "unauthorized access" to electronic information. “Requiring applicants to provide login credentials to secure social media websites and then using those credentials to access private information stored on those sites may be unduly coercive and therefore constitute unauthorized access under both [Acts]," the letter states. For more information, see EPIC: Workplace Privacy and EPIC: Facebook Privacy.
  • Facebook Policy Changes Raises Questions About Compliance with 2011 Consent Order » (Mar. 23, 2012)
    Facebook has begun to review comments on changes to its Statement of Rights and Responsibilities. Among other changes, Facebook now states that a user's information is disclosed to apps used by his or her friends, that Facebook software or plugins that users download may automatically download updates, upgrades, and additional features, and that users may not tag others who do not wish to be tagged. The FTC recently issued a proposed settlement with Facebook after finding that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." In particular, the FTC found that Facebook had misled users about the extent to which their personal information would be made available to apps used by their friends. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 and bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In comments filed with the FTC, EPIC said that the settlement is "insufficient to address the concerns originally identified by EPIC and the consumer coalition, as well as those findings established by the Commission." For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement.
  • Pew Study: Social Media Users Active in Protecting Privacy » (Feb. 27, 2012)
    A Pew study found that users are becoming more active in managing their social media accounts. Compared to 2009, a higher percentage of users reported deleting people from their “friends” lists, deleting comments made by others on their profile, and removing their names from photos in which they were tagged. The report also found that women and young users were the most active in protecting their privacy. The Federal Trade Commission is currently finalizing a consent order with Facebook over charges that the company changed users' privacy settings to make personal information more available to the public and to Facebook's business partners. For more information, see EPIC: Social Networking Privacy, EPIC: Facebook Privacy, and EPIC: Public Opinion and Privacy.
  • EPIC Calls for Moratorium on Facial Recognition Technology » (Feb. 1, 2012)
    In detailed comments to the Federal Trade Commission, EPIC today recommended the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established. EPIC said that facial recognition is often used by strangers to determine a person's actual identity and that this poses a risk to privacy and personal security. EPIC also noted that some companies have adopted techniques that are more favorable to privacy as they allow users to control the image database while others undermine privacy, as the image database is centrally maintained. EPIC previously submitted a complaint to the FTC about Facebook's use of facial recognition technology to build a secret database of users' biometric data and allowing the company to automatically tag users in photos. The comments follow an FTC workshop exploring the privacy and security issues raised of facial recognition technology. For more information, see EPIC: Federal Trade Commission, EPIC: Face Recognition, and EPIC: Facebook and Face Recognition.
  • EPIC Urges FTC Investigation into Facebook Timeline » (Dec. 28, 2011)
    EPIC sent a letter requesting that the Federal Trade Commission determine whether changes Facebook has made to the profiles of its users are consistent with the terms of a settlement reached between Facebook and the FTC. EPIC's letter states that "with Timeline, Facebook has once again taken control over the user's data from the user and has now made information that was essentially archived and inaccessible widely available without the consent of the user." The settlement requires Facebook to give users clear and prominent notice and obtain users' express consent before changing their privacy settings. EPIC sent a similar letter to the FTC about Timeline and the secret tracking of users in September 2011. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement.
  • EPIC Submits Comments on FTC Facebook Privacy Settlement » (Dec. 28, 2011)
    EPIC submitted comments to the FTC on a proposed settlement with Facebook. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. However, EPIC said that the settlement is "insufficient to address the concerns originally identified by EPIC and the consumer coalition, as well as those findings established by the Commission." In order to address the issues raised by the complaints, respond to recent changes in Facebook's business practices like Timeline, and fulfill the FTC's duty to act in the public interest, EPIC recommended that the settlement be improved. Specifically, EPIC recommended that the FTC require Facebook to restore the privacy settings users had in 2009; give users access to all of the data that Facebook keeps about them; stop making facial recognition profiles without users' consent; make the results of the government privacy audits public; and stop secretly tracking users across the web. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement.
  • EPIC Sues DHS Over Covert Surveillance of Facebook and Twitter » (Dec. 20, 2011)
    EPIC has filed a Freedom of information Act lawsuit against the Department of Homeland Security to force disclosure of the details of the agency's social network monitoring program. In news reports and a Federal Register notice, the DHS has stated that it will routinely monitor the public postings of users on Twitter and Facebook. The agency plans to create fictitious user accounts and scan posts of users for key terms. User data will be stored for five years and shared with other government agencies.The legal authority for the DHS program remains unclear. EPIC filed the lawsuit after the DHS failed to reply to an April 2011 FOIA request. For more information, see EPIC: Social Networking Privacy.
  • Facebook Timeline Changes User Privacy Settings. Again. » (Dec. 15, 2011)
    Without user consent, Facebook announced today that it would post archived user information, making old posts available under Facebook's current downgraded privacy settings. Users have just a week to clean up their history before Timeline goes live. The surprising announcement follows a recent decision by the Federal Trade Commission which found that the company had engaged in "unfair and deceptive" trade practices when it changed the privacy settings of its users. EPIC initiated that complaint and is now urging FB users to submit comments to strengthen the proposed settlement. For more information, see EPIC - In Re Facebook and EPIC - Facebook and Privacy.
  • EPIC Launches Campaign Urging Public Comment on Facebook Privacy Settlement » (Dec. 13, 2011)
    EPIC launched the "Fix FB Privacy Fail" campaign to encourage the public to support improvements to a settlement between Facebook and the FTC. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. Although the proposed settlement is far-reaching, there are several ways in which it could be improved. EPIC has recommended that the FTC require Facebook to restore the privacy settings users had in 2009; give users access to all of the data that Facebook keeps about them; stop making facial recognition profiles without users' consent; make the results of the government privacy audits public; and stop secretly tracking users across the web. The period for public comment on the proposed settlement ends on December 30. The campaign also allows users to sign on to the petition without using Facebook. For more information, see EPIC: FTC Facebook Settlement.
  • Federal Trade Commission Announces Settlement in EPIC Facebook Privacy Complaint » (Nov. 29, 2011)
    The Federal Trade Commission has announced an agreement with Facebook that follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. In 2009, the EPIC first asked the FTC to investigate Facebook's decision to change its users' privacy settings in a way that made users' personal information, such as Friend lists and application usage data, more widely available to the public and to Facebook’s business partners. The violations are also detailed in the FTC’s 8-count complaint against the company. The proposed settlement agreement bars Facebook from making future changes privacy settings without the affirmative consent of users and requires the company to implement a comprehensive privacy protection program and submit to independent privacy audits for 20 years. The settlement does not adopt EPIC's recommendation that Facebook restore users' privacy settings to pre-2009 levels. Facebook CEO Mark Zuckerberg reacted to the settlement in a post on Facebook's blog, saying that he was "first to admit that we've made a bunch of mistakes." For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission.
  • Federal Trade Commission to Announce Settlement in EPIC Facebook Privacy Complaint » (Nov. 29, 2011)
    The Federal Trade Commission has scheduled a 1:00 pm EDT press conference to announce a privacy settlement with Facebook, following a complaint that was filed by EPIC and other consumer and privacy organizations. More news to follow.
  • FTC Publishes Performance Report » (Nov. 22, 2011)
    The Federal Trade Commission has issued the 2011 Performance and Accountability Report. The report summarizes the agency’s accomplishments, shows how the agency has managed its resources, and explains how it plans to address future changes. According to the FTC, during 2011 the agency exceeded its privacy goals by providing 52 comments to foreign consumer protection and privacy agencies, conducting 14 technical assistance missions, and hosting one international consumer protection fellow. The agency’s privacy goals for the coming year include "issu[ing] a final report on protecting consumer privacy," and "examin[ing] malware and spyware threats to mobile devices . . . and malware distributed through social networks." The FTC report made no mention of several pending complaints, including EPIC's 2009 complaint regarding the changes by Facebook to its users' privacy settings. For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Facial Recognition.
  • WSJ: Facebook Close to Settlement with FTC over EPIC Complaint » (Nov. 10, 2011)
    The Wall Street Journal reports that the Federal Trade Commission is finalizing a settlement with Facebook that follows from a complaint from EPIC and a coalition of US consumer and privacy organizations. In 2009, the organizations urged the Commission to investigate Facebook's decision to change its users' privacy settings which made the personal information of Facebook users more widely available to Facebook's business partners and the public. According to the Wall Street Journal, the settlement would require Facebook to obtain "express affirmative consent" if Facebook makes "material retroactive changes," and to submit to independent privacy audits for 20 years. For more information, see EPIC: In re Facebook, EPIC: Facebook Privacy and EPIC: Federal Trade Commission.
  • Congress, #KWTK Presses Facebook to Disclose Secret Profiles » (Oct. 31, 2011)
    Lawmakers in Washington have sent a letter to Mark Zuckerberg, Facebook's CEO, asking questions about the company's data retention practices, following a news report that a single European Facebook user obtained more than 1,200 pages of his own personal data from the company, including information that he had previously deleted. Following an effort of privacy advocates in Europe, EPIC has launched the KWTK (Know What They Know) campaign and is urging Facebook users to obtain their complete "data dossier" from the company. For more information, see EPIC: Facebook Privacy and EPIC:#kwtk.
  • Sen. Rockefeller Requests FTC Report on Facial Recognition Technology » (Oct. 20, 2011)
    Senator John D. Rockefeller (D-WV) sent a letter requesting that the Federal Trade Commission assess the use of facial recognition technology and recommend legislation to protect privacy. Facial recognition technology is being used by technology firms and also police agencies, which has raised civil liberties concerns. The letter cited mobile applications such as SceneTap, which "tracks the male/female ratio and age mix of the crowd [in bars]" and digital advertising at the Venetian Resort in Las Vegas that tailors ads to the person standing in front of the display based on recognition of that person’s age and gender. The FTC will hold a workshop on facial recognition technology on December 8, 2011. EPIC's complaint regarding Facebook's facial recognition is still pending before the FTC. For more information, see EPIC: In re Facebook, and EPIC: Facial Recognition.
  • EPIC-Led Coalition Calls for FTC Facebook Investigation » (Sep. 29, 2011)
    EPIC, joined by other privacy, consumer, and civil liberties groups, which include the American Civil Liberties Union, Consumer Action, American Library Association, and the Center for Digital Democracy asked the Federal Trade Commission to investigate Facebook. Facebook had been secretly tracking users after they logged off of Facebook’s webpage, and had recently announced changes in business practices that “[gave] the company far greater ability to disclose the personal information of its users to its business partners...” EPIC’s complaint regarding Facebook’s facial recognition is still pending before the FTC. For more information, see EPIC: Facebook Privacy and EPIC: Federal Trade Commission.
  • FTC Announces Workshop on Facial Recognition Technology » (Sep. 20, 2011)
    The Federal Trade Commission announced that it will host a workshop on December 8, 2011, on the privacy and security issues raised by the increasing use of facial recognition technology. Facial recognition technology has been used by Facebook to build a secret data base of users’ biometric data and to enable Facebook to automatically tag users in photos. The Army has also used facial recognition technology to collect biometric data from Iraqi and Afghan civilians at checkpoints, workplaces, the sites of attacks, and door-to-door canvasses. EPIC, Privacy International, and Human Rights Watch wrote to the US Secretary Defense in 2007 to warn that the system could lead to reprisals and further killings. Police agencies are also using facial recognition to identity political protesters. EPIC’s complaint regarding Facebook’s facial recognition is still pending before the FTC. For more information, see EPIC: In re Facebook, EPIC: Face Recognition, and EPIC: Iraqi Biometric Identification System.
  • Facebook Makes Some Changes, Privacy Complaints Still Pending » (Aug. 29, 2011)
    In response to several complaints filed by EPIC with the Federal Trade Commission, Facebook announced that it would make some changes in its business practices, including providing more accurate information about the disclosure of user data to others and new safeguards for photo tagging. EPIC, along with several privacy organizations, filed several complaints with the FTC about FB's automated tagging of users, changes in Privacy settings, and transfers of personal data, stating that Facebook's practices were "unfair and deceptive." Facebook's recent actions address some but not all of the issues raised by the consumer organizations. The complaint at the FTC are still pending. For more information see EPIC: Facebook Privacy.
  • Facebook Makes Changes to Facial Recognition; Still Relying on Opt-Out » (Jul. 27, 2011)
    In response to a letter from the Connecticut Attorney General, Facebook agreed to run ads that link users to their privacy settings and show them how to opt-out of Facebook's facial recognition program. The ads are new, but Facebook has failed to implement an opt-in model for its facial recognition technology. EPIC, along with several other organizations, filed a complaint with the Federal Trade Commission concerning Facebook's unfair and deceptive trade practices regarding biometric data collection. EPIC urged the FTC to require Facebook to suspend the program pending a full investigation. EPIC also urged the Commission to require Facebook to establish stronger privacy safeguards and an opt-in regime for the facial recognition scheme. For more information, see EPIC: In re Facebook and the Facial Identification of Users.
  • Congressman Markey Commends EPIC, Privacy Groups for Filing Facebook Complaint » (Jun. 14, 2011)
    Congressman Ed Markey today expressed support for the complaint filed last week by EPIC and privacy groups concerning Facebook's new scheme for online tagging. In a published statement, Congressman Markey said, "The Federal Trade Commission should investigate this important privacy matter, and I commend the consumer groups for their filing. When it comes to users’ privacy, Facebook’s policy should be: 'Ask for permission, don’t assume it.' Rather than facial recognition, there should be a Facebook recognition that changing privacy settings without permission is wrong. I encourage the FTC to probe this issue and will continue to closely monitor this issue." EPIC and consumer groups now have several complaints regarding Facebook pending at the FTC. For more information, see EPIC - In re Facebook and EPIC - In re Facebook II, and EPIC - Facebook and Privacy.
  • EPIC Files Complaint, Urges Investigation of Facebook's Facial Recognition Techniques » (Jun. 10, 2011)
    Today EPIC, and several privacy organizations, filed a complaint with the Federal Trade Commission about Facebook's automated tagging of Facebook users. EPIC alleged that the service was unfair and deceptive and urged the FTC to require Facebook to suspend the program, pending a full investigation, the establishment of stronger privacy standards, and a requirement that automated identification, based on user photos, require opt-in consent. EPIC alleged that "Users could not reasonably have known that Facebook would use their photos to build a biometric database in order to implement a facial recognition technology under the control of Facebook." EPIC warned that "absent injunctive relief by the Commission, Facebook will likely expand the use of the facial recognition database it has covertly established for purposes over which Facebook users will be able to exercise no meaningful control." EPIC has previously filed two complaints with the Commission regarding Facebook. For more information see EPIC: Facebook Privacy.
  • Facebook Resumes Plan to Disclose User Home Addresses and Mobile Phone Numbers » (Mar. 2, 2011)
    Facebook indicated in a letter to Rep. Markey (D-MA) and Rep. Barton (R-TX) that it will go forward with a proposal to provide users' addresses and mobile phone numbers to third-party application developers. The Congressman earlier expressed concern about the proposal. Facebook also wrote that it may disclose the home addresses and mobile numbers of minors who use the social networking service. Facebook suspended the plan after EPIC and others objected. EPIC and several consumer organizations have complaints pending at the Federal Trade Commission concerning Facebook's earlier changes to users' privacy settings. For more information, see EPIC: In re Facebook, EPIC: In re Facebook II, and EPIC: Facebook Privacy.
  • Facebook Enables Full-Session Encryption » (Feb. 7, 2011)
    Facebook will now allow full-session HTTPS. The switch to encrypted cloud-based computing promotes privacy and security, particularly when users access Facebook from public Internet access points. Previously, Facebook only used HTTPS when users’ passwords were being sent to the site. Third party applications currently do not support HTTPS. Users can opt into HTTPS through their “Account Settings;” however, HTTPS is not yet the default. Facebook will use "social authentication, rather than traditional CAPTCHA," to deter hackers. EPIC has previously recommended the adoption of strong privacy techniques for cloud-based services. In 2009, EPIC filed a complaint with the Federal Trade Commission, urging an investigation into Google’s cloud computing services to determine the adequacy of privacy and security safeguards. Google subsequently established HTTPS by default for Gmail. For related information, see EPIC: Facebook, EPIC: Cloud Computing, and EPIC: Social Networking Privacy.
  • Congressman Barton and Markey Challenge Facebook on Disclosure of Home Addresses, Mobile Phone Numbers » (Feb. 2, 2011)
    A letter from Rep. Ed Markey (D-MA) and Rep. Joe Barton (R-TX) to Mark Zuckerberg asks about Facebook's plans to make users' addresses and mobile phone numbers available to websites and application developers. Facebook suspended the plan after EPIC and others objected. EPIC Executive Director Marc Rotenberg said that "Facebook is trying to blur the line between public and private information. And the request for permission does not make clear to the user why the information is needed or how it will be used." EPIC, and several consumer organizations, have complaints pending at the Federal Trade Commission concerning Facebook's earlier changes to users' privacy settings. For more information, see EPIC: In Re Facebook, EPIC: In Re Facebook II, and EPIC: Facebook Privacy.
  • Facebook Drops Plan to Disclose Users' Home Addresses and Personal Phone Numbers » (Jan. 18, 2011)
    Facebook has retreated from its decision to allow third-party access to users home addresses and phone numbers. Facebook backed off after criticism of the new policy, but said it would go forward once it has made further changes. EPIC Executive Director Marc Rotenberg said "Facebook is trying to blur the line between public and private information. And the request for permission does not make clear to the user why the information is needed or how it will be used." EPIC, and several consumer organizations, have complaints pending at the Federal Trade Commission concerning Facebook's earlier changes to users' privacy settings. For more information, see EPIC: In Re Facebook, EPIC: In Re Facebook II, and EPIC: Facebook Privacy.
  • Congressmen Question Facebook About Latest Privacy Breach » (Oct. 20, 2010)
    Congressmen Ed Markey (D-MA) and Joe Barton (R-TX) sent a letter to Facebook about the news that Facebook's business partners transmitted personal user data to advertising and internet tracking companies in violation of the company's policy. EPIC has two complaints pending at the Federal Trade Commission regarding Facebook's unfair and deceptive trade practices. For more information, see EPIC: In Re Facebook, EPIC: In Re Facebook II, and EPIC: Facebook Privacy.
  • Facebook Uses RFID to Track Users' Locations for Advertising Promotion » (Aug. 25, 2010)
    At the Coca-Cola Village Amusement Park in Israel, visitors were recently issued bracelets with RFID chips that linked to their Facebook accounts, according to Adland. RFID readers scattered throughout the park updated the users' Facebook pages when the bracelets were scanned. On-site photographers also posted photos that were automatically tagged with the users' identities. Facebook had previously tested the use of RFID for location tracking at the f8 Developer Conference in April. Facebook has also just launched Places, which is designed to make users' location information widely available. For more information, see EPIC Facebook Privacy, EPIC Facebook Places.
  • Facebook "Places" Embeds Privacy Risks, Complicated and Ephemeral Opt-Out Unfair to Users » (Aug. 19, 2010)
    The recently announced Facebook service Places makes user location data routinely available to others, including Facebook business partners, regardless of whether users wish to disclose their location. There is no single opt-out to avoid location tracking; users must change several different privacy settings to restore their privacy status quo. For users who do not want location information revealed to others, EPIC recommends that Facebook users: (1) disable "Friends can check me in to Places," (2) customize "Places I Check In," (3) disable "People Here Now," and (4) uncheck "Places I've Visited." EPIC, joined by many consumer and privacy organizations, has two complaints pending at the Federal Trade Commission concerning Facebook's unfair and deceptive trade practices, which are frequently associated with new product announcements. For more information, see EPIC In Re Facebook, EPIC In Re Facebook II, and EPIC Facebook Privacy.
  • EPIC to Urge Congress to Strengthen Privacy Laws for Facebook Users » (Jul. 28, 2010)
    In prepared testimony (PDF) for a Congressional hearing on "Online Privacy, Social Networking and Crime Vicitimization," EPIC Executive Director Marc Rotenberg urged lawmakers to update federal law to protect the privacy of Facebook users. Mr. Rotenberg said that Facebook's constant changes to the privacy settings of users have made it virtually impossible for users to control who gets access to their personal information. He also said that the failure of the Federal Trade Commission to investigate Facebook's business practices means that Congress must now amend the federal privacy law to limit the ability of Social Network companies to disclose user information to third parties without informed and explicit consent. Also testifying at the hearing are witnesses from the FBI, the Secret Service, Symantec, and Facebook. For more information, see EPIC Social Networking Privacy, EPIC Facebook, and EPIC In re Google Buzz.
  • Facebook Scores Low on Consumer Satisfaction » (Jul. 22, 2010)
    In a recent study by Foresee Results and the University of Michigan, Facebook has scored extremely low in the area of customer satisfaction. The 2010 American Customer Satisfaction Index E-Business Report included social networking companies for the first time, and Facebook scored a 64, putting it "in the bottom 5% of all measured private sector companies and in the same range as airlines and cable companies." The polling company attributed Facebook's low scores to "privacy concerns, frequent changes to the website, and commercialization and advertising." For more information, see EPIC Facebook Privacy and EPIC Public Opinion on Privacy.
  • Federal Trade Commission Takes Action Against Twitter, Social Network Service Settles Charges It Deceived Consumers » (Jun. 24, 2010)
    The FTC announced a significant enforcement action today. The Commission's complaint against Twitter charged that "serious lapses in the company's data security allowed hackers to obtain administrative control of Twitter." The FTC found that the lax practices allowed access to nonpublic tweets even though the company assured users in its privacy policy that it was "very concerned about safeguarding the confidentiality of your personally identifiable information." Under the terms of the settlement, "Twitter will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information." EPIC has two complaints currently pending at the FTC concerning similar practices by Facebook, another social networking service. For more information, see EPIC - Facebook Privacy, EPIC - In re Facebook I, and EPIC - In re Facebook II.
  • Privacy Conference Attendees Set Out Social Networking Bill of Rights » (Jun. 23, 2010)
    Participants at the 2010 Conference on Computers, Freedom, and Privacy have prepared a Social Network Users' Bill of Rights. The Bill of Rights sets out principles for providers of  social network services, including clarity of policies, empowerment of users, freedom of speech, data minimization, and user control. For more information, follow #billofrights and see EPIC: Social Networking Privacy and EPIC: Facebook Privacy.
  • EPIC, Privacy Groups Recommend Further Changes for Facebook » (Jun. 16, 2010)
    EPIC has joined a letter, organized by the ACLU of Northern California, calling for Facebook to fix ongoing privacy problems with the social network service. The letter, signed by several privacy organizations, recommends that Facebook make "Instant Personalization" opt-in, limit data retention, give users greater control over their information, and allow users to export their content from Facebook. EPIC has a complaint currently pending at the Federal Trade Commission, charging that Facebook has engaged in unfair and deceptive trade practices. For more information, see EPIC Facebook Privacy.
  • Privacy Issue Attracts Fire in California Attorney General Race » (Jun. 7, 2010)
    Facebook privacy has become a hot topic in the California race for Attorney General. In the Democratic primary, Kamala Harris has attacked former Facebook Chief Privacy Officer Chris Kelly over the company's privacy practices. But Kelley has recently criticized some of the Facebook changes and said that "instant personalization" should be opt-in. Kelly has also supported a Moveon Facebook campaign though some bloggers have doubts. During the last election cycle, EPIC launched PRIVACY08 to encourage candidates to debate privacy issues. Also see EPIC Facebook Privacy.
  • Congress Pursues Investigation of Google and Facebook's Business Practices » (Jun. 1, 2010)
    Following similar letters from other Congressional leaders, the head of the House Judiciary Committee has asked Google Inc. and Facebook to cooperate with government inquiries into privacy practices at both companies. Rep. Conyers (D-MI) noted that Google's collection of user data "may be the subject of federal and state investigations" and asked Google to retain the data until "such time as review of this matter is complete." Rep. Conyers also asked Facebook to provide a detailed explanation regarding its collection and sharing of user information. The House Judiciary Committee is expected to hold hearings on electronic privacy later this year. For more information, see EPIC: Facebook Privacy, EPIC: In re Facebook II, and EPIC: Search Engine Privacy.
  • Facebook Expected to Announce Privacy Changes » (May. 25, 2010)
    Following a recent column in the Washington Post by Facebook CEO Mark Zuckerberg, the company is expected to announce new, simplified privacy settings this week.  EPIC objected to the last several rounds of changes that Facebook made, filing a complaint with the FTC in December when the company reclassified much of users' data as "publicly available information," a supplement to that complaint in January, and another complaint this month when Facebook forced users' profile information to become publicly available links instead of private data.  For more information, see EPIC: Facebook, EPIC: In re Facebook, and EPIC: In re Facebook II.
  • New Facebook Privacy Complaint Filed with Trade Commission » (May. 5, 2010)
    Today, EPIC and 14 privacy and consumer protection organizations filed a complaint with the Federal Trade Commission, charging that Facebook has engaged in unfair and deceptive trade practices in violation of consumer protection law. The complaint states that changes to user profile information and the disclosure of user data to third parties without consent "violate user expectations, diminish user privacy, and contradict Facebook’s own representations." The complaint also cites widespread opposition from Facebook users, Senators, bloggers, and news organizations. In a letter to Congress, EPIC urged the Senate and House Committees with jurisdiction over the FTC to monitor closely the Commission's investigation. The letter noted the FTC's failure to act on several pending consumer privacy complaints. For more information, see EPIC: Facebook Privacy.
  • Senators Oppose Facebook Changes, Schumer Urges Trade Commission to Regulate Social Network Services » (Apr. 27, 2010)
    Senators Charles Schumer (D-NY), Michael Bennet (D-CO), Mark Begich (D-AK), and Al Franken (D-MI) have sent a letter to Facebook CEO Mark Zuckerberg to express concern about "recent changes to the Facebook privacy policy and the use of personal data by third-party websites." Senator Schumer has also asked the Federal Trade Commission to establish guidelines for social networking sites. The Senators' statements came after Facebook announced it would disclose user data to websites without consent. Senator Schumer stated "Previously, users had the ability to determine what information they chose to share and what information they wanted to keep private." EPIC has filed a complaint and with the FTC about the recent changes to Facebook's privacy settings. For more information, see EPIC: Facebook Privacy and EPIC: In re Facebook.
  • Facebook's Data Grab: New Policies Transfer Control of User Data to Facebook » (Apr. 22, 2010)
    Facebook announced significant changes at F8 this week that will integrate Facebook with many web sites, but also make it more difficult for Facebook users to limit the disclosure of personal information. The announcement follows recent changes to Facebook privacy settings and privacy policies. "Instant personalization" will give Facebook's business partners access to users' likes, interests, friends, and other details, unless users opt-out. Facebook has also removed a key privacy safeguard and will allow third parties to store user data indefinitely. EPIC has a complaint pending at the FTC concerning recent changes to Facebook's privacy settings. For more information, see EPIC: Facebook Privacy and EPIC's Previous FTC Complaint regarding Facebook, EPIC: In re Facebook.
  • Facebook Announces Changes to Privacy Policy. Again. » (Mar. 26, 2010)
    Faceboook has announced "another set of revisions" to its privacy policy. The changes appear to make it easier for Facebook to gather locational data on users and to disclose user data to third-party web sites. It also appears that Facebook will make more use of data set to "Everyone." Facebook is soliciting comments on the changes. In December, EPIC filed a complaint with the FTC regarding the last series of changes to the Facebook privacy settings. EPIC, joined by nine other privacy and consumer organizations, said that the "changes violate user expectations, diminish user privacy, and contradict Facebook’s own representations." The FTC responded that the EPIC complaint "raises issues of paricular interest" to the Commission. For more information on the ever-changing Facebook privacy policy, see EPIC Facebook Privacy and EPIC In re Facebook.
  • EPIC Recommends Effective Consumer Privacy Standards, Calls Notice and Choice a "Failed Experiment" » (Mar. 17, 2010)
    At the third FTC Privacy Roundtable, EPIC senior counsel John Verdi will recommend that the Commission push forward with effective and meaningful privacy safeguards for American consumers. Mr. Verdi will say that the "notice and choice" approach has failed, and will recommend that the FTC enforce Fair Information Practices, such as the OECD Privacy Guidelines. The discussion can be viewed via webcast. Additional information on the FTC roundtable event can be found here. For more information, see EPIC In re Google Buzz, EPIC In re Facebook, and EPIC In re Google and Cloud Computing.
  • Judge Waits to Decide on Proposed Settlement in Facebook Privacy Case » (Mar. 1, 2010)
    Following a hearing last week, U.S. District Court Judge Seeborg reserved decision about the approval of Facebook’s proposed 9.5 million dollar settlement in a case involving Facebook Beacon. According to the settlement terms, Facebook would contribute about $6 million to the establishment of a privacy organization. Facebook, however, would maintain control over this organization, as Facebook's top lobbyist would become co-President and all significant decisions would require a unanimous vote. EPIC and several other privacy organizations, including the Consumer Federation of America and the Privacy Rights Clearinghouse, have written a letter to Judge Seeborg, ask him to reject the settlement as proposed. For more information, see EPIC: Facebook Privacy.
  • Study Ranks Top 20 Companies for Privacy in 2010, Facebook Drops Off List » (Feb. 26, 2010)
    Ponemon Institute released its annual study identifying the top twenty companies that are most trusted for privacy. American Express was ranked first, earning the Most Trusted for Privacy distinction for the fifth year in a row. Facebook suffered several privacy missteps over the last year, including a recent change in privacy settings at the end of 2009, and as a result, failed to make the 2010 list. Google, however, returned to the Top 20, ranked at 13. The survey also produced significant findings regarding consumer attitudes towards privacy, including the finding that consumers feel they are losing control over their personal information. Further, the responses revealed that consumers’ fear of identity theft is the main factor for brand trust diminishment, while a company’s implementation of privacy features contribute to brand trust. Other significant positive factors were limits on the collection of personal information and online anonymity.
  • Facebook Users Object to Beacon Settlement » (Feb. 2, 2010)
    Facebook users filed papers in federal court objecting to a proposed deal that would extinguish the company's liability for disclosing personal information in violation of federal law. Users criticized the class action settlement, stating "the class receives no meaningful relief." Other objectors alleged "in effect, Facebook is paying itself the benefit but class members are releasing their individual privacy claims." EPIC previously submitted a letter to the judge hearing the case. EPIC's letter opposes the settlement and proposes alternatives that would enable stronger privacy safeguards for Facebook users in the future. For more information, see EPIC Facebook Privacy, EPIC Harris v. Blockbuster.
  • EPIC Urges FTC to Protect Users' Privacy On Cloud Computing and Social Networking Services » (Jan. 28, 2010)
    EPIC submitted comments to the FTC prior to the agency’s second privacy roundtable. EPIC warned of the ongoing privacy risks associated with cloud computing and social networking privacy, highlighting the Google cloud computing complaint and Facebook privacy complaint filed by EPIC in 2009. The comments note that the FTC has failed to take any meaningful action with respect to either complaint, demonstrating the Commission's “lack of leadership and technical expertise.” EPIC's comments also draw attention to the success of international privacy initiatives, in hopes of encouraging the FTC to take meaningful action to protect American consumers. For more information, see EPIC: Cloud Computing and EPIC: Social Networking Privacy.
  • EPIC, Privacy Groups Oppose Facebook Settlement » (Jan. 19, 2010)
    EPIC and other privacy groups sent a letter to the federal judge overseeing a class-action settlement against Facebook in California, opposing the settlement as unfair and unreasonable. As proposed, the settlement does not provide any benefit for Facebook users whose private data was illegally exposed by Facebook "Beacon." Instead, the deal would create a new "privacy foundation" subject to Facebook's influence. Fair settlements typically provide compensation to class members or a remedy that addresses the underlying harm, which in this case was a violation of federal privacy law. The letter from EPIC proposes alternatives that would enable stronger privacy safeguards for Facebook users in the future. For more information, see EPIC Facebook Privacy, EPIC Harris v. Blockbuster.
  • EPIC’s Facebook Complaint of "particular interest" to FTC » (Jan. 19, 2010)
    The FTC has sent a letter to EPIC regarding the December 2009 complaint, submitted by privacy organizations, about Facebook’s recent changes to user privacy settings. In the letter, the Bureau of Consumer Protection Director states that the complaint “raises issues of particular interest” for the FTC. Further, Vladeck stresses the importance of providing “transparency about how this data is being handled, maintained, shared, and protected . . . .” The Commission, however, cannot confirm or deny whether an investigation has been launched. The letter came one day before EPIC filed a supplemental complaint regarding Facebook’s privacy practices. For more information, see EPIC: In re Facebook.
  • Canadian Privacy Commission to Investigate Facebook » (Jan. 19, 2010)
    Canada’s Privacy Commissioner Jennifer Stoddart has launched an investigation into the information collection and use practices of online social networking sites. This investigation is being conducted as the Parliament prepares to review the Personal Information Protection and Electronic Documents Act. Stoddart plans to examine “issues that we feel pose a serious challenge to the privacy of consumers, now and in the near future,” and to foster discussions about "the impact of these technological developments on privacy." This is not the first time the Commissioner has investigated the information practices of Facebook. In August 2009, Facebook made several changes to its privacy policy, following recommendations by the Commissioner and a complaint filed by the Canadian Internet Policy and Public Interest Clinic. For more information, see EPIC: Facebook Privacy and EPIC: Social Networking Privacy.
  • Privacy Groups File Amended Complaint regarding Facebook » (Jan. 14, 2010)
    EPIC and several other groups filed a supplement to the groups' original complaint with the Federal Trade Commission concerning Facebook’s recent privacy changes. The new complaint provides additional evidence of Facebook’s unfair and deceptive trade practices relating to Facebook CEO's public statements, the most recent version of the Facebook for iPhone application, Facebook Connect, and "web-suicide" applications. The complaint also offers numerous examples of media stories and blog posts in support of an investigation by the Federal Trade Commission into Facebook’s unfair and deceptive trade practices. For more information, see EPIC: In re Facebook.
  • EPIC Defends Privacy of Facebook Users: Files Complaint with the Federal Trade Commission » (Dec. 17, 2009)
    EPIC has filed a complaint with the Federal Trade Commission, urging the FTC to open an investigation into Facebook’s revised privacy settings. The EPIC complaint, signed by nine other privacy and consumer organizations, states that the  "changes violate user expectations, diminish user privacy, and contradict Facebook’s own representations." EPIC cites widespread opposition from Facebook users, security experts, bloggers, and news organizations. A previous EPIC complaint to the FTC, concerning the data broker industry, produced the largest settlement in the FTC's history.  For more information, see EPIC: In re Facebook, Frequently Asked Questions Regarding EPIC's Facebook Complaint, and EPIC Facebook Privacy. EPIC PRESS RELEASE.
  • Facebook Asks Users to Review Privacy Settings, Recommends Privacy Options, Questions Remain » (Dec. 9, 2009)
    Facebook is asking users to review and update their privacy settings. However, the privacy recommendations, suggested by Facebook, may result in greater disclosure than users intend. Facebook faces ongoing privacy scrutiny following Beacon, proposed changes to the Terms of Services, and a settlement now pending in California. EPIC has urged Facebook to respect user privacy settings. EPIC is also defending the privacy rights of Facebook users who participated in Beacon. For more information, see EPIC: Facebook Privacy.
  • Facebook to Drop Regional Networks, Change Privacy Settings » (Dec. 4, 2009)
    Facebook announced that it intends to eliminate regional networks, which allow users to restrict information shared with others based geography. The social networking service will also modify the site's privacy settings and require users to update the rules governing who can access their data. In February, revisions to Facebook's terms of service prompted users to revolt and Facebook to rescind the changes hours before EPIC planned to file a complaint with the Federal Trade Commission. Prior changes to the service resulted in disclosure of Facebook users' video rental records without their permission, prompting federal lawsuits. For more, see EPIC Facebook Privacy and Social Networking Privacy
  • EPIC Urges Court to Enforce Video Privacy Law » (Nov. 4, 2009)
    Today, EPIC filed a friend of the court brief with the Fifth Circuit Court of Appeals, urging the Court to enforce federal privacy protections for Facebook users who rented videos from Blockbuster, a Facebook business partner. The Video Privacy Protection Act prohibits companies from revealing consumers' video rental histories. EPIC wrote, "Congress established a private right of action to ensure that there would be a meaningful remedy when companies failed to safeguard the data they collected" and warned, "absent a private right of action, there would be no effective enforcement, no remedy for violations, and no way to ensure that companies complied with the intent of the Act." The lawsuit was filed by Cathryn Harris and other Facebook users after Blockbuster made public their private video rental information. Blockbuster, a participant in Facebook's Beacon program, claimed that consumers cannot sue the company and must submit to mandatory arbitration. EPIC's brief, which includes a detailed history of the video privacy law, urges the appeals court to uphold a lower court ruling, which held that the plaintiffs are allowed to pursue their claim that a federal law was violated. For more information, see EPIC Harris v. Blockbuster, EPIC The Video Privacy Protection Act, and EPIC Facebook Privacy.
  • Facebook Updates Privacy Policy in Response to Canadian Privacy Investigation » (Oct. 30, 2009)
    Facebook released a revised privacy policy. The updated policy provides a more concise description of the privacy practices of the developers of third-party applications. Facebook also announced that it will evaluate the collection of user data by application developers. According to a blog post, the revised policy is a response to a complaint filed by Canadian Internet Policy and Public Interest Clinic in 2008, and attempts to “[fulfill] our commitment to the Privacy Commissioner of Canada to update our privacy policy to better describe a number of practices.” Concerns remain about the use of Facebook users' data. For more information, see EPIC Facebook Privacy.
  • Facebook to End Beacon, Establish Privacy Foundation » (Sep. 22, 2009)
    Facebook has entered into a proposed agreement to end Beacon, the controversial advertising technique that broadcast user purchases in their public profile. EPIC and other privacy advocates objected to Beacon’s privacy implications and successfully persuaded Facebook to adopt opt-in for the service. Under the terms of a class-action lawsuit in California, Facebook will now terminate Beacon and contribute $9.5 million towards the creation of a foundation dedicated to protecting online privacy. A class-action lawsuit concerning Beacon is also pending in Texas. For more information, see EPIC Facebook Privacy and EPIC Testimony on the "Impact and Policy Implications of Spyware on Consumers and Businesses."
  • Following Canadian Investigation, Facebook Upgrades Privacy » (Aug. 28, 2009)
    The Canadian Privacy Commissioner issued a report last month raising concerns over Facebook business practices. The Office asked the social networking firm to cease the sharing of user information with application developers, clarify the policy on deactivation and deletion of accounts, protect the personal information of non-users, and "memorialize" the account of deceased users. In complying with the Commissioner's report, Facebook will include new notifications, update its Privacy Policy, and implement technical changes to enable more user control over information accessed by third-party applications. EPIC had previously raised similar concerns about the use of Facebook data by application developers. See also EPIC Facebook and EPIC Social Network Privacy.
  • Canadian Privacy Commissioner's Deadline for Facebook Arrives, Some Changes are Made at the Social Network Company » (Aug. 17, 2009)
    In mid-July, the Canadian Privacy Commissioner released a report recommending several changes to Facebook's business practices. The Commissioner's Office advised the social networking firm to limit application developers' access to user information, and inform users specifically about the nature and use of shared information. The Office also said that deactivated account information should be deleted, and that the privacy policy be amended to include all intended uses of personal information. Facebook was given 30 days. Facebook updated its privacy policy last week and has asked application developers to respect user privacy settings. See also EPIC Facebook and EPIC Social Network Privacy.
  • EPIC Forces Disclosure of Government Contracts with Social Media Companies, Privacy Terms Missing » (Aug. 12, 2009)
    In response to an EPIC Freedom of Information Act Request, the Government Services Administration released several contracts between the federal government and web 2.0 companies, including agreements with Blip.tv, Blist, Google (YouTube), Yahoo (Flickr), and MySpace. EPIC also obtained amendments to agreements with Facebook, Slideshare.net, Vimeo.com, and AddThis.com. The contracts do not address the privacy obligations of social media companies. The GSA letter to EPIC explained that “no specific Web 2.0 guidance currently exists,” but provided EPIC with Training Slides that raise privacy issues. The GSA Agreement with Google actually states that, “to the extent any rules or guidelines exist prohibiting the use of persistent cookies in connection with Provider Content applies to Google, Provider expressly waives those rules or guidelines as they may apply to Google.” Some of the agreements also permit companies to track users of government web sites for advertising purposes. For more information see EPIC Social Network Privacy, EPIC Facebook, and EPIC Cloud Computing.
  • Canadian Privacy Commissioner Holds that Facebook Must Strengthen Privacy Safeguards » (Jul. 16, 2009)
    The Office of the Privacy Commissioner of Canada today released a Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic against Facebook Inc. The complaint, filed under the Personal Information Protection and Electronic Documents Act, contained twenty-four allegations concerning a range of Facebook business practices, including Default Privacy Settings, Advertising, and Third-Party Applications. The Commissioner found that Facebook has taken some steps to address privacy, but that more safeguards are necessary. Facebook has 30 days to respond. See EPIC Facebook Privacy and EPIC Social Networking Privacy.
  • Facebook to Change User Privacy Settings » (Jul. 1, 2009)
    Facebook announced planned changes to user privacy controls today. Chris Kelly, Facebook's Chief Privacy Officer, stated that the new policy will promote "control, simplicity and connection" for user data. The announcement states there will be no changes in term of "the information Facebook provides to advertisers" but does not address concerns about the information provided by Facebook to app developers. In June, European Privacy Commissioners warned about the secondary use of personal data collected by social network services. The officials issued an opinion requiring robust security, privacy-friendly default settings, and the application of European privacy law. In April, EPIC supported the adoption of the new Facebook Terms of Service when Facebook said that "users own and control their information." See EPIC Social Networking Privacy.
  • EPIC Seeks Government Agreements with Social Networking Companies » (Apr. 30, 2009)
    EPIC submitted a Freedom of Information Act request to the Government Services Administration seeking agency records concerning agreements the GSA negotiated between federal agencies and social networking services, including Flickr, YouTube, Vimeo, Blip.tv, and Facebook. In the FOIA request, EPIC is asking for the public release of the contracts and any legal opinions concerning the application of the Privacy Act of 1974 and Freedom of Information Act to the services that collect information on citizens. For more information see EPIC’s pages Social Networking, Facebook, and Cloud Computing.
  • Facebook Gets Ready to Adopt Terms of Service » (Apr. 24, 2009)
    Facebook has announced the results of the vote on site governance. The initial outcome indicates that approximately 75 percent of users voted for the new terms of service which includes the new Facebook Principles and Statement of Rights and Responsibilities. Under the new Principles, Facebook users will "own and control their information." Facebook also took steps to improve account deletion, to limit sublicenses, and to reduce data exchanges with application developers. EPIC supports the adoption of the new terms. For more information, see EPIC's page on Social Networking Privacy.
  • Facebook Seeks Vote on Site Governance » (Apr. 20, 2009)
    In February, Facebook announced that it was opening its site governance to user voting after the new Terms of Service were widely criticized, and were to be the subject of an EPIC complaint to the Federal Trade Commission. Facebook restored the old terms and sought user feedback on the new Facebook Principles and the Statement of Rights and Responsibilities. These governing documents have now been updated to reflect feedback from users and experts. The voting to adopt the new terms or to maintain the previous terms is now open till April 23, 11:59 a.m. PDT. For more, see the efforts of People Against the New Terms of Service, and EPIC's Social Networking Privacy page.
  • Facebook Announces Governing Principles, Statement of Rights and Responsibilities » (Feb. 26, 2009)
    Today, Facebook proposed guidelines and a statement of rights and responsibilities governing its relationship with users. The social networking service called for user comment on the principles, which include "Ownership and Control of Information" and "Transparent Process." Facebook further committed to "open up Facebook so that users can participate meaningfully in our policies and our future." Facebook's announcement follows last week's abandonment of changes to its Terms of Service on the eve of an EPIC complaint to federal regulators. For more and see the efforts of People Against the New Terms of Service, and EPIC's "Social Networking Privacy" page.
  • On Eve of EPIC Trade Commission Complaint, Facebook Backs Down on Revised Terms of Service » (Feb. 18, 2009)
    Hours before EPIC planned to file a complaint with the Federal Trade Commission regarding changes to Facebook's Terms of Service, the social network service announced that it will restore the original policy. The new Terms of Service were announced on Feb. 4, were widely criticized, and were to be the subject of the EPIC complaint. Facebook users observed that, under the revised policies, Facebook asserted broad, permanent, and retroactive rights to users' personal information - even after they deleted their accounts. The EPIC complaint was supported by more than a dozen consumer and privacy organizations. Previous EPIC Complaints at the FTC have concerned Choicepoint, Microsoft Passport, and the Google-Doubleclick merger. For more, see EPIC's "Social Networking Privacy" page. Support EPIC's efforts to maintain your privacy in the social networking world.

Summary

In re: Facebook, Inc. Internet Tracking Litigation (Perrin Davis v. Facebook), 263 F. Supp. 3d 836 (N.D. Cal. 2017), appeal docketed No. 17-17486 (9th. Cir. Dec. 15, 2017), is a privacy suit brought against Facebook to challenge the company's use of cookies to track Facebook users even after they have logged out of the platform. Facebook users filed a class action lawsuit in the Northern District of California alleging that Facebook’s conduct violated the Federal Wiretap Act, the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA) and California common law and statutes.

Background

Factual Background

A “cookie” is a small text file that a server creates and sends to a browser, storing files in a particular directory on an individual computer. Facebook cookies come in two flavors. The first is a “session cookie” that is set when a user logs into Facebook. Session cookies are supposed to be deleted when a user logs out of Facebook. The second is a “tracking cookie” - also known as a “persistent cookie” - which uses Facebook “like” buttons placed on other websites to track which websites a user visits as she surfs the web. The tracking cookie sends data back to Facebook any time user accesses a page with the Facebook “like” button. Tracking cookies are not deleted when a user logs out of Facebook. In fact, Facebook sets these cookies on an individual’s computer whether or not they have a Facebook account.

One such tracking cookie is called a “datr” cookie. When a logged-out user visits a website that includes a Facebook “like” button, such as the CNN homepage, the CNN server responds with the file for the CNN homepage, which also contains embedded code from Facebook. The user’s browser, triggered by the Facebook code, sends a request to the Facebook server to display the Facebook “like” button on the page. This request contains information from the user’s datr cookie as well as details of the specific webpage that the user accessed. When Facebook receives this information, the Facebook server adds it to its database records for the browser and the user, enabling Facebook to build a profile of the individual user’s browsing habits over time.

Plaintiffs alleged that Facebook used these datr cookies to intentionally track users’ browsing activity after they logged-out of Facebook despite contrary representations in the social network’s governing materials.

Plaintiffs also alleged that the information Facebook receives through tracking logged-out users is specific enough to identify the user. They alleged that if a user has logged into Facebook, the datr tracking cookie that is set on her machine is linked to her through a number which is unique to her browser and computer or mobile device. Plaintiffs contend that the personal information Facebook receives from its users, including users’ browsing history, has “massive economic value” and that a market exists for such information.

Procedural History

Plaintiffs filed a class action complaint against Facebook in the Federal District Court for the Northern District of California on May 23, 2012, alleging violations of the federal Wiretap Act, 18 U.S.C. §2510 et seq., the Stored Communications Act (“SCA”), 18 U.S.C. § 2701 et seq., the California Invasion of Privacy Act (“CIPA”), invasion of privacy under the California Constitution, as well as common law claims.. The district court granted Facebook’s motion to dismiss on October 23, 2015, with leave to amend, on the grounds that Plaintiffs had failed to establish Article III standing with respect to some of their claims, and that Plaintiffs had failed to state a claim with respect to the rest.

Specifically, the court dismissed the Plaintiffs’ Wiretap Act claim with leave to amend because the Plaintiffs had not sufficiently alleged that Facebook intercepted the “contents” of a communication. The court reasoned that the tracking cookies Facebook set on Plaintiffs’ web browsers collected only their browsing history, which does not qualify as “contents” under the Ninth Circuit’s holding in In re Zynga Privacy Litig., 750 F.3d 1098 (9th Cir. 2014). Zynga held that a “referrer header” - basically the portion of the webpage request that provides the address of the webpage - does not meet the Wiretap Act’s definition of “contents”

The court also dismissed Plaintiffs’ CIPA claims with leave to amend, adding that “Plaintiffs have not pled facts to show how Facebook used a ‘machine, instrument, or contrivance’ to obtain the contents of communications.” Although Plaintiffs contended that a cookie is a “contrivance” under CIPA, the court stated that, “Plaintiffs must include facts in their pleading to show why it is so. In its current form, the [complaint] only defines a cookie as a small text file containing a limited amount of information which sits idly on a user’s computer until contacted by the server.” The court did not specifically address the common law invasion of privacy claim, but dismissed all common law claims with leave to amend for lack of standing.

Plaintiffs filed an amended complaint on December 1, 2015, re-alleging the same statutory and common law claims as the original complaint. On June 30, 2017, the court again granted Facebook’s motion to dismiss. This time, the court provided alternative reasons for why the plaintiffs’ Wiretap Act, CIPA, and SCA claims failed. The court found that the Wiretap Act claims failed because Facebook did not “intercept” the browser communications—Plaintiffs’ browsers communicated with both Facebook and the third-party websites simultaneously. The court found that Plaintiffs CIPA claims likewise “fail for the same reason.” In addition, the court found that the Plaintiffs’ SCA claims failed because “personal computers are not ‘facilities’ under the SCA.”

Finally, the court dismissed Plaintiffs’ common law invasion of privacy and intrusion upon seclusion claims because Plaintiffs “have not established that they have a reasonable expectation of privacy in the URLs of the pages they visit,” explaining that “Plaintiffs could have taken steps to keep their browsing histories private.”

Plaintiffs appealed the district court’s order to the Ninth Circuit Court of Appeals on December 15, 2017.

EPIC’s Interest

EPIC has a strong interest in protecting the privacy of Internet users. In particular, EPIC has challenged the growing use of advanced tracking techniques that allow companies such as Google and Facebook to track users as they go from website to website, gaining a trove of personal information on individuals that can be used to develop behavioral profiles for targeted advertising.

EPIC directly challenged the underlying conduct by Facebook at issue in this particular lawsuit. In 2009 and 2010, EPIC and a number of public interest organizations filed a series of complaints to the FTC detailing how Facebook was misrepresenting its privacy practices. EPIC’s 2010 complaint specifically highlighted how Facebook was using cookies to track users across the web, limiting users’ ability to browse the Internet anonymously. In 2011, the FTC entered into a 20-year consent order as the result of EPIC’s complaints. EPIC told the FTC in comments on the proposed settlement that the FTC should explicitly require Facebook to cease its secret, post-log out tracking of users across websites. EPIC also detailed Facebook’s use of persistent cookies to track logged-out users in a letter to the FTC.

EPIC has also filed amicus briefs challenging Facebook’s privacy-invasive practices in related cases. In Smith v. Facebook, EPIC challenged Facebook’s tracking of users’ visits to sensitive medical websites despite these websites’ representations that they would protect visitors’ privacy. And in Campbell v. Facebook, EPIC challenged a proposed class action settlement arising from Facebook’s conduct of scanning private messages.

EPIC has done extensive work in the areas of online tracking and behavioral profiling, including urging the FTC to limit the use of cross-device tracking, whereby companies track consumers across their smartphones, laptops, tablets, and other Internet-connected devices. EPIC also supports proposals such as do not track, that would address the problem of companies like Google and Facebook tracking users when they visit third-party websites.

In particular, EPIC has sought to protect Internet users from invasive cookie tracking practices. Back in 2000, EPIC opposed DoubleClick’s use of cookies to collect information on Internet users to utilize for targeted advertisements. In 2007, EPIC warned the FTC that the Google-DoubleClick merger would lead to Google tracking users across the web for the purposes of behavioral profiling and targeted advertising. In 2017, EPIC filed an amicus brief in In re: Google Cookie Placement Settlement, arguing that a proposed class action settlement, which arose from Google’s conduct of circumventing the privacy settings of users’ web browsers to track them across the web, was inadequate because it failed to prohibit Google from continuing that practice. And in 2015, EPIC filed an amicus brief in In Re Nickelodeon, a case involving the Video Privacy Protection Act, in which the plaintiffs alleged that Viacom placed cookies on childrens’ computers without the their parents’ consent.

Legal Documents

U.S. Court of Appeals for the Ninth Circuit, No. 17-17486

U.S. District Court for the Northern District of California, In re: Facebook, Inc. Internet Tracking Litigation, No. 5:12-md-02314-MJD

Resources

News

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security