You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at epic.org.

EPIC Consumer Privacy Project

EPIC has a particular interest in protecting consumer privacy and has played a leading role in developing the authority of the Federal Trade Commission to address emerging privacy issues and to safeguard the privacy rights of consumers. From its early days, EPIC has worked to ensure that the Federal Trade Commission, the Federal Communications Commission, and other agencies help protect the privacy of consumer and Internet users.

In a series of high-profile complaints brought in 2009 and 2010, with the support of other consumer privacy organizations, EPIC helped the FTC establish comprehensive privacy programs for Google and Facebook. EPIC’s complaint concerning Google Buzz provided the basis for the investigation and subsequent settlement in which the Commission found that “Google used deceptive tactics and violated its own privacy promises to consumers when it launched [Buzz].” The Commission’s settlement with Facebook also followed from a Complaint filed by EPIC and a coalition of consumer privacy organizations.

EPIC continues to write and publish complaints, comments, and letters to agencies and authorities on behalf of internet consumers. A list of EPIC's recent work follows. Media coverage of EPIC’s consumer privacy work is also below.

Top News

  • EPIC, Coalition Urge FTC to Issue Rules Protecting Consumers Against Data Abuse and Discrimination:

    Today, EPIC and a coalition of 44 consumer advocacy, civil rights, and media democracy groups urged the Federal Trade Commission to initiate a rulemaking to promote civil rights and protect against abusive data practices. “Companies use personal data to enable and even perpetuate discriminatory practices against people of color, women, members of the LGBTQIA+ community, religious minorities, persons with disabilities, persons living on low income, immigrants and other marginalized groups,” the letter explains. The letter calls for a rulemaking that would address the collection, use, management, retention, and deletion of personal data. "This country faces a deepening crisis of data abuse and discrimination,” John Davisson, Senior Counsel at EPIC. “But the FTC has the power to set industry-wide rules that will rein in exploitative data practices and protect privacy and civil rights. We join the president and members of Congress in urging the FTC to use that power as soon as possible.” EPIC has frequently challenged the FTC over its failure to address consumer privacy harms, has filed a rulemaking petition with the FTC on commercial AI use, and has long advocated for the creation of a U.S. Data Protection Agency. EPIC also published a report on the FTC’s unused statutory authorities, What the FTC Could Be Doing (But Isn’t) to Protect Privacy, in June.

    (Oct. 27, 2021)
  • EPIC Applauds FTC SpyFone Ban, Urges Similar Remedies in Future Privacy Cases: EPIC has filed comments with the Federal Trade Commission asking the agency to finalize a proposed Consent Order that would permanently ban SpyFone from the surveillance business and require the stalkerware company to delete the personal data that it stole. According to an FTC complaint, SpyFone sold surveillance tools that would allow purchasers to install software on another person’s device and surveil their victim surreptitiously. SpyFone also lied about its data security practices and its response to a 2018 data breach. Under a settlement announced by the FTC, SpyFone would be required to notify all affected users, delete any illegally collected personal information, and permanently refrain from selling, licensing, or marketing monitoring products in the future. In its comments, EPIC urged the FTC to finalize the proposed order and to impose similar requirements and bans in the future to protect consumer privacy. EPIC has frequently challenged the FTC over its failure to address consumer privacy harms and has long advocated for the creation of a U.S. Data Protection Agency. EPIC also published a report on the FTC’s unused statutory authorities, What the FTC Could Be Doing (But Isn't) to Protect Privacy, in June. (Oct. 8, 2021)
  • More top news

  • Senators Call on FTC to Conduct Privacy Rulemaking +
    Nine Democratic Senators led by Senator Richard Blumenthal have called on the Federal Trade Commission to conduct a rulemaking process to "protect consumer privacy, promote civil rights, and set clear safeguards on the collection and use of personal data in the digital economy." "Americans’ identities have become the currency in an unregulated, hidden economy of data brokers that buy and sell sensitive information about their families, religious beliefs, healthcare needs, and every movement to shadowy interests, often without their awareness and consent," the Senators said. Senators Schatz, Wyden, Warren, Coons, Luján, Klobuchar, Booker, and Markey joined Senator Blumenthal on the letter. EPIC has long urged the FTC to impose clear privacy obligations on companies that collect and use personal data, including by exercising the Commission's underused rulemaking power. In 2020, EPIC filed a petition with the FTC calling on the Commission to conduct a rulemaking on the use of artificial intelligence in commercial settings. "By defining unfair and deceptive practices ex ante, and with specificity, a trade regulation rule would make it easier for the FTC to take action against parties that harm consumers," EPIC explained. (Sep. 20, 2021)
  • EPIC, Coalition to Senators: Reject Plan Requiring SSN Collection by Peer-to-Peer Payment Services +
    EPIC and a coalition of privacy and consumer rights group today sent a letter to Senators Ron Wyden and Mike Crapo of the Senate Finance Committee regarding a proposal under consideration in the budget reconciliation bill to expand the mandatory reporting regime for private financial information in the United States. The proposal would require peer-to-peer payment apps and other similar services such as Square Cash and Venmo to collect Taxpayer Identification Numbers (“TINs”) for virtually all payee accounts in order to comply with new reporting obligations. Because most individuals do not hold a separate TIN from their Social Security Number, unlike businesses, this means that these private entities will be collecting SSNs of millions of Americans. The groups urged the Senators to reject the Treasury Department’s proposal and instead explore ways to improve tax compliance that do not put Americans’ SSNs at risk. "At minimum, the expanded reporting requirement should be scaled back to apply only to business accounts or individual accounts with a high de minimis threshold, adjusted for inflation over time," the groups said. "Peer to Peer payment apps and other similar services that currently do not collect TINs should not be required to do so under the new reporting requirements." (Sep. 15, 2021)
  • Senators Announce Probe into Facebook's Alleged Coverup of its Negative Influence on Children and Teens +
    Today, Senators Richard Blumenthal and Marsha Blackburn announced an investigation into Facebook’s knowledge and coverup of the harmful effects of Facebook’s Instagram on children and teenagers. The announcement follows a Wall Street Journal investigation which revealed that Facebook’s researchers found that Instagram is harmful to a “sizeable percentage” of its young users, most notably teenage girls. Internally, Facebook knew that Instagram’s effects on young people included increased anxiety and depression, body image issues, and thoughts of suicide. Publicly, CEO Mark Zuckerberg testified before Congress that Facebook’s research suggested that the use of its social media apps had positive mental health benefits to users. The Wall Street Journal uncovered several documents that “show that Facebook has made minimal efforts to address these issues and plays them down in public.” In response to Senators Blumenthal and Blackburn’s August 2020 request for Facebook to release its internal research on the matter, Facebook sent a six-page letter that did not include the company’s studies. EPIC has fought for transparency and accountability for Facebook's privacy abuses for over a decade, from filing the original FTC Complaint in 2009 that led to the FTC's 2012 Consent Order with the company, to moving to intervene in and filing an amicus brief challenging the FTC's 2019 settlement with Facebook. (Sep. 15, 2021)
  • House Committee Approves $1B to Create New Privacy Bureau at FTC +
    The House Energy and Commerce Committee today approved a $1 billion appropriation for the Federal Trade Commission to create and operate a new bureau focused on privacy, data security, identity theft, data abuses, and related matters. EPIC strongly supports the appropriation, but urges Congress to follow up this budget measure with comprehensive privacy legislation and create an independent data protection agency. "This increased funding for enforcement is a step in the right direction, but the increasing pervasiveness of technology in our lives and our economy necessitates an update to our privacy laws and a dedicated agency," said Caitriona Fitzgerald, EPIC's Deputy Director. "While the FTC helps to safeguard consumers and promote competition, it is not a data protection agency. Congress must follow up this budget measure with comprehensive baseline privacy legislation and the creation of an independent data protection agency. And the FTC should use these funds to promptly initiate a privacy rulemaking and go after unfair data practices and biased AI systems." EPIC has long advocated for the creation of a U.S. Data Protection Agency. (Sep. 14, 2021)
  • Ireland's Data Protection Commission Fines WhatsApp €225 million +
    The Irish Data Protection Commission (DPC) fined Facebook’s WhatsApp €225 million ($266 million) for privacy violations following a GDPR investigation that began in 2018. In the decision, the data privacy regulator explained that WhatsApp breached the GDPR’s rules about data transparency, including when it processed user information between WhatsApp and other Facebook companies. While the €225 million fine is a record for the DPC and the second largest fine ever issued under the GDPR, privacy advocate and EPIC Advisor Max Schrems noted “[t]he DPC also proposed an initial € 50 million fine and was forced by the other European data protection authorities to move towards € 225 million, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover.” EPIC has long urged the Federal Trade Commission to block or unwind Facebook's acquisitions of Instagram and WhatsApp. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. Despite these problems, the FTC allowed the merger to go forward. (Sep. 2, 2021)
  • Federal Trade Commission Refiles Facebook Antitrust Lawsuit +

    The Federal Trade Commission has refiled its antitrust complaint against Facebook after a federal court dismissed its original complaint in June. In the new complaint, the FTC alleges that Facebook used illegal anticompetitive methods to thwart competition and maintain a monopoly, including by buying competitors like Instagram and WhatsApp. The complaint details how Facebook’s practices enabled the social media giant to maintain its dominance at the expense of competition and consumers. For example, before Facebook’s acquisition of WhatsApp, the messaging platform “embraced privacy-focused offerings and design, including the principle ‘of knowing as little about you as possible’ and an ads-free subscription model” which provided “an important form of product differentiation for WhatsApp as an independent competitive threat in personal social networking.” The FTC also highlights the importance of meaningful competition, without which “Facebook has been able to provide lower levels of service quality on privacy and data protection than it would have to provide in a competitive market.” This complaint is the highest profile challenge that the Commission has brought against any tech company in decades. EPIC has long urged the FTC to block or unwind Facebook's acquisitions of Instagram and WhatsApp. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. Despite these problems, the FTC allowed the merger to go forward.

    (Aug. 19, 2021)
  • Poll: Nearly 8 in 10 Americans Support Creation of U.S. Data Protection Agency +
    A new poll from Data for Progress found that 7 in 10 Americans think the government should be doing more to keep their personal data safe and nearly 8 in 10 Americans across the political spectrum support Senator Gillibrand's Data Protection Act, which creates a U.S. Data Protection Agency. "Our government must continue to evolve alongside our society, and adapt to meet new challenges the American people face," Senator Gillibrand said in a blog post. "I believe the best way to do that is by creating a new federal agency designed with your data privacy in mind: the Data Protection Agency." EPIC has long advocated for the creation of a U.S. Data Protection Agency. (Jul. 29, 2021)
  • House Passes the Consumer Protection and Recovery Act +

    The House of Representatives passed the Consumer Protection and Recovery Act (H.R. 2668) Tuesday on a 221-205 vote. The bill explicitly authorizes the Federal Trade Commission to seek monetary relief for injured consumers in federal court and to require bad actors to return money obtained through illegal actions. The amendment to the FTC Act restores a key piece of the FTC's Section 13(b) power, which the FTC previously used to obtain restitution and disgorgement for wronged consumers until the Supreme Court recently limited this authority in AMG Capital Management v. FTC. On Monday, the House Rules committee voted to advance the bill to a floor vote, with bill sponsors stressing that “the urgency is not hypothetical.” The White House has also expressed support for the bill. EPIC has long called for greater protection of consumer privacy through FTC enforcement and the imposition of financial penalties against companies who engage in unfair data practices. Recently, EPIC published a report that highlighted a number of key authorities that the FTC should use to address emerging privacy threats.

    (Jul. 21, 2021)
  • President Biden Signs Executive Order Requiring More Scrutiny of Tech Mergers and Data Privacy +

    President Biden today signed a wide-ranging executive order with the aim of promoting competition. EPIC has long argued that market consolidation in online platform threatens privacy. The Executive Order aims to address the ways in which dominant tech firms are undermining competition and reducing innovation in three ways: 1) greater scrutiny of mergers, especially by dominant internet platforms, with particular attention to the acquisition of nascent competitors, serial mergers, the accumulation of data, competition by “free” products, and the effect on user privacy; 2) encouraging the FTC to establish rules on "unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy"; and 3) encouraging the FTC to establish rules barring unfair methods of competition on internet marketplaces. More than a decade ago, EPIC urged the FTC to block Google’s proposed acquisition of DoubleClick. EPIC said that the acquisition would enable Google to collect the personal information of billions of users and track their browsing activities across the web. EPIC correctly warned that this acquisition would accelerate Google’s dominance of the online advertising industry and diminish competition. The FTC ultimately allowed the merger to go forward. EPIC has since repeatedly warned FTC that other mergers posed similar risks to consumer privacy and competition, including Facebook's acquisition of WhatsApp.

    (Jul. 9, 2021)
  • House Judiciary Considering Antitrust Reform Bills +
    The House Judiciary Committee is today holding a markup session on six bills aimed at disrupting the monopoly power of Big Tech. EPIC has long argued that market consolidation in online platform threatens privacy. More than a decade ago, EPIC urged the FTC to block Google’s proposed acquisition of DoubleClick. EPIC said that the acquisition would enable Google to collect the personal information of billions of users and track their browsing activities across the web. EPIC correctly warned that this acquisition would accelerate Google’s dominance of the online advertising industry and diminish competition. The FTC ultimately allowed the merger to go forward. EPIC has since repeatedly warned FTC that other mergers posed similar risks to consumer privacy and competition, including Facebook's acquisition of WhatsApp. (Jun. 23, 2021)
  • BREAKING: Sen. Gillibrand Introduces U.S. Data Protection Agency Bill +
    Senator Kirsten Gillibrand (D-NY) has introduced the Data Protection Act of 2021 which would create an independent Data Protection Agency in the United States to safeguard the personal data of Americans. EPIC, many leading consumer and civil rights organizations, privacy experts, and scholars support Senator Gillibrand's non-partisan bill. "It’s time for America to catch up with the rest of the world and create a Data Protection Agency," said Caitriona Fitzgerald, EPIC Deputy Director. "Congress’ ongoing failure to modernize our privacy laws imposes enormous costs on individuals, communities, and American businesses alike. We need a new approach. Senator Gillibrand’s Data Protection Act creates an agency dedicated to safeguarding the personal data of individuals and ensuring that data practices are fair and non-discriminatory. The Data Protection Act is the game-changing proposal we need in order to ensure adequate oversight over what has become a massive sector of our economy and affects the daily lives of all Americans. EPIC urges Congress to enact the Data Protection Act." EPIC has long advocated for the creation of a U.S. Data Protection Agency, arguing that the Federal Trade Commission is an ineffective agency, lacking basic competence for privacy protection. [Bill text] [Sen. Gillibrand Press Release]

    (Jun. 17, 2021)
  • EPIC Releases Report on FTC's Unused Statutory Authorities +
    EPIC has released a report highlighting numerous statutory authorities that the Federal Trade Commission has failed to use to safeguard privacy. The report, What the FTC Could Be Doing (But Isn't) to Protect Privacy, identifies untapped or underused powers in the FTC's toolbox and explains how the FTC should deploy them to protect the public from abusive data practices. EPIC's report also criticizes the FTC's lack of effective privacy enforcement over the past two decades. "A common refrain from the Commission during this period is that it lacks the authority to address these mounting threats to individual privacy," the report explains. "But the FTC has not made full use of the authorities that it already has." The report comes a day after Lina Khan was confirmed to the FTC and named chairwoman of the Commission. EPIC has frequently challenged the FTC over its failure to address consumer privacy harms and has long advocated for the creation of a U.S. Data Protection Agency. EPIC also supports legislation that would restore the FTC's 13(b) authority to obtain restitution for individuals harmed by companies’ unlawful trade practices, which the Supreme Court recently curtailed in AMG Capital Management v. Federal Trade Commission. (Jun. 16, 2021)
  • Updated: Lina Khan Named Chair of Federal Trade Commission +

    Lina Khan was confirmed to the Federal Trade Commission by the U.S. Senate and named chair of the Commission by President Biden today. Khan received bipartisan support, with senators voting 69-28 in support of her confirmation. Khan is an expert on antitrust enforcement and served as counsel to House Antitrust Subcommittee Chairman David Cicilline during the Subcommittee's groundbreaking investigation last year. She has written extensively on the problems of concentrated power in the context of digital markets and said during her confirmation hearing that "I worry that some of these companies may think it's just worth the cost of business to actually violate privacy law." EPIC has long argued that the FTC is not doing its job to protect privacy and that the U.S. needs a Data Protection Agency. "Commissioner Khan has a tremendous opportunity as Chair to transform the FTC at a moment where anticompetitive and invasive business practices have proliferated," said Alan Butler, Executive Director of the Electronic Privacy Information Center (EPIC). "Large tech companies have increasingly infiltrated our lives to the most minute level, and it will take a keen and aggressive regulator to ensure that these powerful entities don't monopolize our markets and our data."

    (Jun. 15, 2021)
  • D.C. Attorney General Files Antitrust Suit Against Amazon +
    D.C. Attorney General Karl Racine filed a lawsuit today against Amazon alleging that the online retail giant has violated the District of Columbia Antitrust Act. The complaint accuses Amazon of stifling competition by imposing contractual clauses that prevent third-party sellers from offering lower prices outside of the Amazon platform. The lawsuit explains that the agreements ultimately lead to higher prices for consumers and less innovation. “Amazon wins because it controls pricing across the online retail sales market, putting itself at an advantage over everyone else,” Racine told reporters. “These restrictions allow Amazon to build and maintain monopoly power.” In February, EPIC filed a complaint with the D.C. Attorney General alleging that Amazon unlawfully employs dark patterns to manipulate consumers when they attempt to cancel their Amazon Prime subscriptions. These dark patterns enable Amazon to continue collecting subscription fees and retain the personal data of misdirected subscribers. EPIC also signed onto a recent coalition letter calling for the Federal Trade Commission to investigate Amazon’s use of dark patterns in the Prime cancellation process. EPIC has long argued that anticompetitive practices and market consolidation in the technology sector pose a threat to privacy rights. (May. 25, 2021)
  • Lawmakers Call on Facebook to Reverse WhatsApp Terms of Service Update +
    Today, Congresswoman Lori Trahan (MA-03) led a group of fellow Congressional Hispanic Caucus members in writing a letter calling on Facebook Chairman and CEO Mark Zuckerberg to reverse the company’s decision to require WhatsApp users to accept expanded data collection or leave the platform entirely. “We write to respectfully ask Facebook to consider reversing WhatsApp’s decision to update their new terms of service. We believe Facebook is potentially offering a false choice to users across the globe: accept the sharing of metadata with Facebook by May 15th or leave the platform altogether,” the lawmakers wrote. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. The FTC responded to EPIC and CDD and told Facebook and WhatsApp that "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC letter noted that "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." In their letter, the members highlight that pledge and the FTC's statement. (May. 11, 2021)
  • Poll: Vast Majority of Americans Support Online Data Protection Legislation +
    A new poll from Morning Consult found that 83% of voters say that Congress should pass national data privacy legislation this year. Democrats (86%) and Republicans (81%) expressed bipartisan support for Congress to prioritize a federal privacy bill. The poll also found that voters place similar amounts of responsibility on both federal and state lawmakers, as well as federal regulators, to regulate data privacy. With respect to regulating how companies collect, store, and share personal information, 72% of voters said Congress is either “very responsible” or “somewhat responsible” while 79% said the same for federal agencies and 75% for state governments. Nearly 9 in 10 adults said it was either “very” or “somewhat” important to protect their most sensitive identifiable information under a privacy law, including Social Security number (89%), banking information (89%), biometric data (88%), and driver’s license number (88%). EPIC has called for comprehensive baseline federal legislation and the creation of a U.S. data protection agency, and has advocated for strong state privacy laws. (Apr. 27, 2021)
  • Supreme Court Limits FTC Authority to Recover Ill-Gotten Gains +
    The Supreme Court, ruling Thursday in AMG Capital Management v. Federal Trade Commission, sharply limited the FTC’s ability to obtain restitution for individuals harmed by companies’ unlawful trade practices. Disagreeing with years of FTC practice and numerous decisions by appellate courts, the Court ruled that a key provision in the FTC Act “does not authorize the Commission to seek, or a court to award, equitable monetary relief such as restitution or disgorgement.” As a result of the decision, the FTC must now go through a burdensome administrative process to force companies to give up ill-gotten gains rather than going directly to court. Acting Chairwoman Rebecca Kelly Slaughter responded that the decision is a ruling “in favor of scam artists and dishonest corporations, leaving average Americans to pay for illegal behavior.” Members of Congress have already proposed amendments to Section 13(b) of the FTC Act that would restore the Commission’s power to seek consumer redress. EPIC routinely advocates before the FTC for meaningful financial penalties against companies whose unlawful data and privacy practices harm consumers. (Apr. 23, 2021)
  • FTC Announces New Rulemaking Group +
    Acting FTC Chairwoman Rebecca Kelly Slaughter today announced the creation of a new rulemaking group within the FTC. The announcement follows criticism that the FTC has not adequately used its authorities, including its rulemaking power, to address consumer protection harms and promote competition. Section 18 of the FTC Act enables the Commission to issue trade regulation rules to address unfair or deceptive practices that occur commonly. Once the commission has promulgated a trade regulation rule, it may seek civil penalties for each violation of the rule. “I believe that we can and must use our rulemaking authority to deliver effective deterrence for the novel harms of the digital economy and persistent old scams alike,” Acting Chair Slaughter said. EPIC has long urged the FTC to impose clear privacy obligations on companies that collect and use personal data, including by exercising the Commission's underused rulemaking power. In 2020, EPIC filed a petition with the FTC calling on the Commission to conduct a rulemaking on the use of artificial intelligence in commercial settings. "By defining unfair and deceptive practices ex ante, and with specificity, a trade regulation rule would make it easier for the FTC to take action against parties that harm consumers," EPIC explained. (Mar. 25, 2021)
  • California Bans "Dark Patterns" That Subvert CCPA's Opt-out Rights +

    California Attorney General Xavier Becerra has announced updated regulations under the California Consumer Privacy Act (CCPA) that ban so-called “dark patterns” that delay or obscure the process for opting out of the sale of personal information. Specifically, the regulations prohibit companies from burdening consumers with confusing language or unnecessary steps such as forcing them to click through multiple screens or listen to reasons why they shouldn’t opt out. "These protections ensure that consumers will not be confused or misled when seeking to exercise their data privacy rights," said Attorney General Becerra. Dark patterns "are design features used to deceive, steer, or manipulate users into behavior that is profitable for an online service, but often harmful to users or contrary to their intent." Last month, EPIC filed a complaint with the D.C. Attorney General alleging that Amazon unlawfully employs manipulative "dark patterns" in the Amazon Prime subscription cancellation process. Next month, the FTC plans a workshop on "Bringing Dark Patterns to Light." (Mar. 16, 2021)

  • Virginia Governor Signs Consumer Data Protection Act +
    Virginia Governor Ralph Northam has signed the Virginia Consumer Data Protection Act into law. "It is good to see Virginia and other states taking action to protect the privacy of their residents. States have always played a key role in establishing privacy protections," EPIC Policy Director Caitriona Fitzgerald said. "But in 2021 we need a more comprehensive and proactive approach to privacy than what Virginia adopted. We need privacy laws in the United States that address current business practices and protect individuals from all forms of corporate surveillance, algorithmic unfairness, manipulative design, and discrimination. We need privacy laws that minimize the data collected about us and encourage innovation in privacy enhancing technologies. And we need robust enforcement of these rules to make sure that the underlying business practices actually change." (Mar. 3, 2021)
  • FTC Commissioner Wilson Signals Openness to Data Privacy Rulemaking +
    Christine Wilson, one of four current members of the Federal Trade Commission, said Friday that she is open to using the FTC's rulemaking authority to regulate data privacy. "I would hope that Congress will act, but if Congress doesn't act, maybe we do spend that time," Politico quoted Commissioner Wilson as saying during a Silicon Flatirons event. EPIC has long urged the FTC to impose clear privacy obligations on companies that collect and use personal data, including by exercising the Commission's underused rulemaking power. In 2020, EPIC filed a petition with the FTC calling on the Commission to conduct a rulemaking on the use of artificial intelligence in commercial settings. "By defining unfair and deceptive practices ex ante, and with specificity, a trade regulation rule would make it easier for the FTC to take action against parties that harm consumers," EPIC explained. Acting FTC Chair Rebecca Kelly Slaughter and Commissioner Rohit Chopra have previously signaled their support for using the FTC's rulemaking authority to address consumer privacy issues. (Feb. 12, 2021)
  • FTC Orders Photo App to Delete Algorithms Built on Personal Data +
    The Federal Trade Commission has reached a settlement with Everalbum, Inc., a California-based developer of a photo storage app, over allegations that it deceived consumers about its use of facial recognition technology and its retention of the photos and videos of users who deactivated their accounts. The proposed order requires the company to delete the facial recognition technologies it illegally developed using user photos and videos. According to the FTC complaint, Everalbum represented that it would not apply facial recognition technology to users’ content unless users affirmatively chose to activate the feature. But the company allowed some Ever app users—those located in Illinois, Texas, and Washington state —to choose whether to turn on the face recognition feature, even though it was automatically active for all other users and could not be turned off. Commissioner Rohit Chopra noted in an accompanying statement that residents of those states were afforded stronger protections because their legislatures had passed laws regulating facial recognition and biometric identifiers. Everalbum's differential treatment of users illustrates why Congress must ensure that any proposed federal privacy law sets a baseline for the country while protecting the ability of states to enact stronger privacy laws. (Jan. 11, 2021)
  • Google Faces Two Additional Antitrust Suits +

    Two antitrust lawsuits were filed against Google this week by state Attorneys General. On Wednesday, Texas and eight other states filed a suit alleging anticompetitive conduct, exclusionary practices and deceptive misrepresentations in connection with Google's role in advertising technology. "Google’s entire business model is to collect comprehensive data about every user in the service of brokering targeted ad sales," the suit says. "Google also has violated users’ privacy in other egregious ways when doing so is convenient for Google." On Thursday, a bipartisan group of thirty-eight states led by Colorado Attorney General Phil Weiser filed a lawsuit alleging that Google illegally maintains its monopoly power over general search engines and related search advertising markets through anticompetitive contracts and conduct. "Google recognizes that its continued market dominance would be vulnerable in a more competitive market," the suit says. "For example, new general search challengers could emerge to offer differentiated services, such as greater privacy protection, search without advertising, or simply better search results." More than a decade ago, EPIC urged the FTC to block Google’s proposed acquisition of DoubleClick. EPIC correctly warned that this acquisition would accelerate Google’s dominance of the online advertising industry and diminish competition. The FTC ultimately allowed the merger to go forward.

    (Dec. 18, 2020)
  • EPIC, Coalition Urge FTC to Address Privacy in Zoom Settlement +
    EPIC, the Center for Digital Democracy, the Campaign for a Commercial-Free Childhood, the Parent Coalition for Student Privacy, and Consumer Federation of America today sent comments to the FTC urging the agency to address privacy in its proposed Consent Order with Zoom. The groups recommended that the FTC modify the Order to require Zoom to (1) implement a comprehensive privacy program; (2) obtain regular independent privacy assessments and make those assessments available to the public; (3) provide meaningful redress for victims of Zoom’s unfair and deceptive trade practices; and (4) ensure the adequate protection and limits on the collection of children’s data. In July 2019, EPIC sent a detailed complaint to the FTC citing the flaws with Zoom and warning that the company had "exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attack." In April 2020, EPIC wrote to Chairman Simons urging the FTC to open an investigation. EPIC has long advocated for the creation of a U.S. data protection agency. (Dec. 14, 2020)
  • FTC Announces Investigation Into Privacy Practices of Major Tech Platforms +
    The FTC launched a new inquiry into the privacy policies, procedures and practices of several Social Media and Video Streaming Service providers: Amazon, ByteDance, TikTok, Discord, Facebook, Reddit, Snap, Twitter, WhatsApp, and YouTube. Specifically, the FTC is seeking information relating to how the companies collect, use, track, estimate, or derive personal information and determine which ads to show consumers; whether the companies apply algorithms to personal information; how they measure and promote user engagement; and how their practices affect children and teenagers. In a joint statement, Commissioners Chopra, Slaughter, and Wilson wrote, “Policymakers and the public are in the dark about what social media and video streaming services do to capture and sell users’ data and attention. It is alarming that we still know so little about companies that know so much about us.” In September 2020, EPIC joined 27 groups urging the FTC to study data-driven bias and discrimination in all forthcoming 6(b) investigations. (Dec. 14, 2020)
  • Bipartisan Internet of Things Security Bill Passes Congress +
    Both branches of Congress have now passed a bill governing the security of the Internet of Things. The "Internet of Things Cybersecurity Improvement Act of 2019" sets baseline cybersecurity standards for IoT devices purchased by the federal government. The bipartisan measure is sponsored by Rep. Will Hurd (R-Texas) and Rep. Robin Kelly (D-Ill.) in the House and Sens. Mark Warner (D-VA) and Cory Gardner (R-CO) in the Senate. "While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security," said Sen. Warner. The bill now heads to the President's desk for signature. EPIC recently told Congress that "the IoT network is the weak link in consumer products" and urged the establishment of of mandatory privacy and security standards. (Nov. 20, 2020)
  • FTC Fails to Address Privacy in Settlement with Zoom +
    The FTC has reached a settlement with Zoom requiring the company to address data security but fails to address user privacy. Writing in dissent, Commissioner Slaughter said, "When companies offer services with serious security and privacy implications for their users, the Commission must make sure that its orders address not only security but also privacy." Commissioner Chopra, also dissenting, wrote "The FTC’s status quo approach to privacy, security, and other data protection law violations is ineffective." In July 2019, EPIC sent a detailed complaint to the FTC citing the flaws with Zoom and warning that the company had "exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attack." In April 2020, EPIC wrote to Chairman Simons urging the FTC to open an investigation. EPIC has long advocated for the creation of a U.S. data protection agency. (Nov. 9, 2020)
  • Department of Justice Files Antitrust Suit Against Google +
    The Department of Justice has filed an antitrust case against Google in federal court, alleging violations of anti-monopoly laws in the search and advertising markets. EPIC has long warned regulators about the harmful privacy consequences of market consolidation by Google and other technology firms. More than a decade ago, EPIC urged the FTC to block Google’s proposed acquisition of DoubleClick. EPIC said that the acquisition would enable Google to collect the personal information of billions of users and track their browsing activities across the web. EPIC correctly warned that this acquisition would accelerate Google’s dominance of the online advertising industry and diminish competition. The FTC ultimately allowed the merger to go forward. EPIC has since repeatedly warned the FTC that other mergers posed similar risks to consumer privacy and competition. In 2011, EPIC warned the FTC that Google’s dominance in the internet search marketplace was allowing it to preference its own content in search results. Today Google occupies 92% of the search market worldwide. (Oct. 20, 2020)
  • Report on Trump Tax Records Reinforces EPIC's Calls for Presidential Tax Return Disclosure +
    A blockbuster report from the New York Times revealing details of President Trump's tax history underscores the need for transparency of presidential tax returns, which EPIC has repeatedly advocated. The Times reports that the President paid little or no income tax in many years; is due to repay hundreds of millions of dollars in loans in the near term; and that he has "received more money from foreign sources and U.S. interest groups than previously known." The Times also reports that Trump and the Internal Revenue Service reached a tentative agreement in 2014 over a disputed $70 million tax refund—a deal that may have been struck under the IRS's offer in compromise procedures. In EPIC v. IRS II, EPIC is currently litigating for the release of offer in compromise records involving the President and his associated businesses. By law, these records "shall be disclosed to members of the general public." In March, EPIC filed an amicus brief in Trump v. Vance urging the Supreme Court to allow the release of President Trump's tax returns to a New York grand jury. EPIC wrote that the "longstanding practice of disclosing presidential tax returns reflects a central principle of modern democracies: privacy must sometimes yield to accountability." The Court ultimately rejected the President's effort to categorically shield his tax returns from state prosecutors. EPIC also sought public release of President Trump's tax returns in EPIC v. IRS I, arguing that disclosure was necessary to correct numerous factual misstatements made by the President. (Sep. 29, 2020)
  • EPIC to Senate Commerce: the U.S. Needs a Data Protection Agency +
    In a statement to the Senate Commerce Committee before a hearing on the need for federal privacy legislation, EPIC urged lawmakers to establish an independent U.S. Data Protection Agency. EPIC laid out the FTC's typical privacy playbook: consent decrees, infrequent penalties, and no meaningful changes in business practices. "The FTC does not have the motivation or the tools necessary to enforce meaningful privacy and data protection rights in 2020," EPIC said, pointing to settlements the FTC had reached with Facebook, Google, YouTube, Uber, and Equifax. EPIC also noted the FTC's failure to use its existing authority to regulate privacy, including its rulemaking authority under Section 5 to establish stronger data security standards. "If the FTC fails to use these authorities, then the Commission is not capable of protecting Americans’ privacy, and the Commission should no longer be trusted to do so," EPIC stated. EPIC urged the Committee to hold a hearing on and give a favorable report to S. 3300, the Data Protection Act filed by Senator Gillibrand, which creates an independent U.S. Data Protection Agency. (Sep. 22, 2020)
  • Senate Republicans Introduce Weak 'SAFE DATA Act' +
    Senators Roger Wicker, John Thune, Marsha Blackburn, and Deb Fischer have introduced the “SAFE DATA Act,” which relies on an outdated notice-and-choice model that allows companies to diminish the rights of consumers and use personal data to benefit the company but not the individual. "Senator Wicker’s SAFE DATA Act allows companies to collect any personal data it pleases as long as it discloses it in its privacy policy,” said EPIC Policy Director Caitriona Fitzgerald. "And it prohibits states from adopting or enforcing any data privacy or data security laws. The SAFE DATA Act is very weak compared to Senator Gillibrand’s Data Protection Act, Senator Brown’s discussion draft, and the Online Privacy Act introduced in the House.” EPIC's recent report on federal privacy legislation Grading on a Curve: Privacy Legislation in the 116th Congress evaluates federal privacy bills. EPIC has called for comprehensive baseline, federal legislation and the creation of a data protection agency. (Sep. 18, 2020)
  • IoT Security Bill Passed in House of Representatives +
    The House of Representatives has passed a bill governing the security of the Internet of Things. The "Internet of Things Cybersecurity Improvement Act of 2019" sets baseline cybersecurity standards for IoT devices purchased by the federal government. The bipartisan measure is sponsored by Rep. Will Hurd (R-Texas) and Rep. Robin Kelly (D-Ill.) “The Internet of Things grows every single day, and, by the end of next year, it will include more than 20 billion devices. The result is an astounding, unimaginable amount of data—90% of the data in the entire world was created in the last two years. America needs to keep up with this incredible trend, and that means ensuring proper security and protections—the IoT Cybersecurity Improvement Act is a step in that direction,” said Hurd. The Senate Homeland Security Committee advanced a similar bill last year. EPIC recently told Congress that "the IoT network is the weak link in consumer products" and urged the establishment of of mandatory privacy and security standards. (Sep. 15, 2020)
  • EPIC: "Regulators Failed and Google Turned The Internet Into a Surveillance Machine" +
    In advance of a Senate Judiciary Committee hearing on "Stacking the Tech: Has Google harmed competition in online advertising?," EPIC argued in a Medium post that the answer to that question is obviously yes, but Congress shares some of the blame. "There are many problems with today's online advertising systems," EPIC wrote, "[b]ut it didn't have to be this way. More active regulation by the government could have sustained online advertising models that were good for advertisers and businesses and for consumers, journalism, and democracy." In 2000, EPIC opposed Doubleclick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. (Sep. 15, 2020)
  • Schrems Files 101 Complaints Targeting US-EU Data Transfers +
    None of Your Business, the privacy NGO established by EPIC Advisory Board member Max Schrems, has filed complaints in all 30 EU and EEA member states against 101 European companies that still forward data about each visitor to Google and Facebook. “We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now.” says Max Schrems, honorary chair of noyb.eu. The complaints come in the wake of a recent the European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad. (Aug. 18, 2020)
  • EPIC to Senate Commerce: Hold Hearing on Data Protection Agency Legislation +
    In a statement to the Senate Commerce Committee before a Federal Trade Commission oversight hearing, EPIC urged lawmakers to establish an independent U.S. Data Protection Agency. "When it comes to data protection, the FTC is not up to the task. It is time to establish an independent federal data protection agency in the United States," EPIC wrote. EPIC pointed to the FTC's failure to both stop mergers that threaten consumer privacy and enforce its own consent orders. EPIC urged the Committee to hold a hearing on and give a favorable report to S. 3300, the Data Protection Act filed by Senator Gillibrand, which creates an independent U.S. Data Protection Agency. (Aug. 4, 2020)
  • Lawmakers Request FTC Privacy Investigation Into Adtech Industry +
    A bipartisan group of lawmakers led by Senators Ron Wyden [D-Ore.] and BIll Cassidy [R-La.] today called on the Federal Trade Commission to investigate the online ad economy. Wyden, Cassidy and other members asked the FTC to investigate how personal data, including the tracking of individuals at places of worship and protests, collected from Americans’ phones to deliver advertisements is being obtained by data brokers and sold without the knowledge or consent of users. The lawmakers urged the FTC to open a 6(b) investigation into the matter. Earlier this year, consumer groups called on the FTC to use its 6(b) authority to conduct a study on companies collecting data on children. No action has been taken on that request. In addition to Sens. Wyden and Cassidy, the letter is signed by Sens. Maria Cantwell, D-Wash., Sherrod Brown, D-Ohio, Elizabeth Warren, D-Mass., and Edward Markey, D-Mass. Reps. Anna Eshoo, D-Calif, Zoe Lofgren, D-Calif., Yvette D. Clarke, D-N.Y., and Ro Khanna, D-Calif., signed as well. EPIC has filed many detailed complaints with the FTC regarding consumer privacy and has called for the creation of a U.S. Data Protection Agency due to the FTC's lack of action on privacy issues. (Jul. 31, 2020)
  • Public Health Emergency Privacy Act Introduced +
    Representatives Anna G. Eshoo (CA-18), Jan Schakowsky (IL-09), Suzan DelBene (WA-01), and U.S. Senators Richard Blumenthal (D-CT), and Mark Warner (D-VA) today today introduced the Public Health Emergency Privacy Act. The bill would protect personal data collected in connection with COVID-19 from being used for non-public health purposes, and provides for both public and private enforcement. “The Public Health Emergency Privacy Act shows that privacy and public health are complementary goals. The bill requires companies to limit the collection of health data to only what is necessary for public health purposes, and crucially, holds companies accountable if they fail to do so,” said Caitriona Fitzgerald, EPIC Interim Associate Director and Policy Director. (May. 14, 2020)
  • Groups Tell FTC to Investigate TikTok’s Failure to Protect Children’s Privacy +
    EPIC and coalition of child advocacy, consumer, and privacy groups today filed a complaint urging the Federal Trade Commission to investigate and penalize TikTok for violating the Children's Online Privacy Protection Act. TikTok paid a $5.7 million fine for violating the children's privacy law last year. But more than a year later, TikTok has failed to delete personal information previously collected from children and is still collecting kids’ personal information without notice to and consent of parents. The groups were led by the Campaign for a Commercial-Free Childhood and the Center for Digital Democracy. (May. 14, 2020)
  • New York AG Reaches Agreement with Zoom over Privacy Violations +
    New York Attorney General Letitia James has announced an agreement with Zoom Video Communications following an investigation into Zoom's consumer safeguards. Zoom agreed to enhance encryption protocols, perform yearly penetration testing, and add privacy-enhancing features to its platform. The agreement also provides enhanced privacy controls for education accounts. Last month, EPIC urged the FTC to issue best practices for online conferencing. (May. 8, 2020)
  • Senators Call on FTC to Investigate Ed Tech, Advertising Aimed at Children +
    A bipartisan group of Senators has urged the Federal Trade Commission to launch an investigation into children's data practices in the educational technology and digital advertising sectors. In a letter to the FTC, Senators Edward Markey (D-Mass.), Josh Hawley (R-Mo.), Richard Blumenthal (D-Conn.), Bill Cassidy (R-La.), Dick Durbin (D-Ill.), and Marsha Blackburn (R-Tenn.) said "The FTC should use its investigatory powers to better understand commercial entities that engage in online advertising to children—especially how those commercial entities are shifting their marketing strategies in response to the Coronavirus pandemic and increased screen time among children." In December 2019, EPIC submitted comments to the FTC on the agency's regulatory review of the Children's Online Privacy Protection Act (COPPA) Rules. EPIC said the FTC should : (1) maintain the strong safeguards for children's data, (2) reject the "school official exception", (3) the FTC define the term "commercial purpose" and ensure that children's personal data collected in schools is not transferred to EdTech companies; and (4) the FTC require notification within forty-eight hours of a data breach of children's data by a company subject to COPPA. (May. 8, 2020)
  • Court Approves FTC-Facebook Deal, But Says Data Protection Laws Need Updating +
    Despite objections from EPIC and other consumer groups, a federal judge has approved the Federal Trade Commission’s settlement with Facebook over the company’s alleged violations of the 2012 consent decree and the FTC Act. The court called Facebook’s alleged conduct “stunning,” “unscrupulous,” “shocking,” and “underhanded,” and even stated that it “might well have fashioned different remedies were it doing so out of whole cloth.” The court nevertheless approved the deal because of the “deferential” standard it felt bound to apply, but the court warned that, should the FTC accuse Facebook of further violations of the law, the court “may not apply quite the same deference to the terms of a proposed resolution.” EPIC had moved to intervene in the case and filed an amicus brief arguing that the deal imposes “few new obligations on the company that would limit the collection and use of personal data, nor will there be any significant changes in business practices.” The court denied EPIC’s motion to intervene but acknowledged that EPIC’s arguments as amicus “call into question the adequacy of laws governing how technology companies that collect and monetize Americans’ personal information must treat that information.” (Apr. 24, 2020)
  • EPIC Urges FTC to Investigate Zoom, Issue Best Practices for Online Conferencing +
    In a letter to FTC Chairman Joe Simons, EPIC urged the FTC to "open an investigation of Zoom's business practices and to issue, as soon as practicable, Best Practices for Online Conferencing Services." The EPIC letter followed a 2019 complaint from EPIC warning that Zoom had "placed at risk the privacy and security of the users of its services." EPIC also explained to the FTC that Zoom had "exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attack." In the April 2020 letter to the Commission, EPIC reminded the Commission that it acted on similar complaints from EPIC concerning Facebook and Google but failed to act on the Zoom complaint. EPIC cited widespread reports of privacy and security flaws with the online conferencing service. EPIC wrote, "Now more than ever, the Federal Trade Commission has a responsibility to safeguard American consumers. We urge you to act." (Apr. 5, 2020)
  • Senators Again Question White House Google Website Plan +
    Five U.S. Senators have sent a follow-up letter to Google requesting more information about the company's plans to protect user data on the coronavirus screening website. Senators Bob Menendez, Sherrod Brown, Richard Blumenthal, Kamala Harris, and Cory Booker had sent a letter to the White House expressing concern about the website two weeks ago. The Senators wrote now to say that personal data should "not be used for any commercial purposes in the future, and Verily should clearly state if the collected information is in compliance with the Health Insurance Portability and Accountability Act (HIPAA)." The Senators asked for responses to several questions by April 6, 2020. Google is under a consent order that gives the FTC authority to oversee the company's privacy practices as a consequence of EPIC's complaints about Google Buzz. EPIC later sued the FTC, EPIC v. FTC, for the agency's failure to enforce the consent against Google. (Apr. 1, 2020)
  • Privacy International Tracks Privacy Impact of Response to COVID-19 +
    Privacy International has created a resource to track the privacy implications of the various responses to the Coronavirus by tech companies, governments, and international agencies. Some responses to the pandemic involve mass surveillance and locational tracking that impact on privacy and human rights. For example, Israel plans to use cellphone data for contact tracing and a U.S. company Athena Security has proposed mass surveillance for temperature monitoring. U.S. Senators have written to the Federal Trade Commission and the White House expressing concern over the privacy implications of the Administration's plan to allow Google to establish a virus screening website for COVID-19. (Mar. 19, 2020)
  • Senators Question White House Google Website Plan +
    Five U.S. Senators have sent a letter to the White House expressing concern over the privacy implications of the Administration's plan to allow Google to establish a virus screening website for COVID-19. Senators Bob Menendez, Sherrod Brown, Richard Blumenthal, Kamala Harris, and Cory Booker said "If the Administration and the private company responsible for launching and maintaining the website does not establish sufficient privacy safeguards, Americans who use the site will be more susceptible to identity theft, negative credit decisions, and employment discrimination." The Senators asked for responses to thirteen questions by March 30, 2020. Google is under a consent order that gives the FTC authority to oversee the company's privacy practices. The FTC consent order followed complaints by EPIC about Google Buzz. EPIC later sued the FTC, EPIC v. FTC, for the agency's failure to enforce the consent against Google. (Mar. 19, 2020)
  • FTC Publishes Privacy and Data Security Update +
    The FTC has published "Privacy & Data Security Update for 2019." The FTC report summarizes the enforcement actions the agency pursued last year, including the proposed settlement with Facebook. EPIC challenged the settlement, arguing that the "Court should not adopt the proposed Consent Decree because the parties have not established that it would be fair, adequate, reasonable, appropriate, or consistent with the public interest." EPIC also uncovered 29,000 complaints against Facebook, currently pending at the FTC. The Court required the FTC and Facebook to respond to EPIC's objections. EPIC and other consumer organizations have many privacy complaints currently pending at the FTC that the Commission has failed to pursue. EPIC recently filed complaints with the FTC on HireVue and Airbnb for unfair and deceptive uses of AI. (Feb. 27, 2020)
  • EPIC Files Complaint with FTC about Airbnb's Secret "Trustworthiness" Scores +
    EPIC has filed a complaint with the FTC, alleging that Airbnb has committed unfair and deceptive practices in violation of the FTC Act and the Fair Credit Reporting Act. Airbnb secretly rates customers “trustworthiness" based on a patent that considers such factors as “authoring online content with negative language.” The company’s opaque, proprietary algorithm also considers "posts on the person’s social network account" as well the individual's relationships with others, and adjusts the "trustworthiness" score based on the scores of those associations. EPIC said the company failed to comply with "established public policies" for AI decision-making, such as the OECD AI Principles and the Universal Guidelines for AI. EPIC has recently brought complaints to the FTC about the employment screening firm HireVue and the Universal Tennis Rating secret scoring technique. EPIC has also petitioned the FTC to conduct a rulemaking for "the use of artificial intelligence in commerce." The EPIC AI Policy Sourcebook includes the OECD AI Principles, the Universal Guidelines for AI, and other AI policy frameworks. (Feb. 27, 2020)
  • BREAKING - Sen. Gillibrand Introduces U.S. Data Protection Agency Bill +
    Senator Kirsten Gillibrand (D-NY) has introduced S. 3300, The Data Protection Act of 2020 which would create an independent Data Protection Agency in the United States to safeguard the personal data of Americans. EPIC, many leading consumer and civil rights organizations, privacy experts, and scholars support Senator Gillibrand's non-partisan bill. "The US confronts a privacy crisis. Our personal data is under assault. Congress must establish a data protection agency. Senator Gillibrand has put forward a bold, ambitious proposal to safeguard the privacy of Americans," said Caitriona Fitzgerald, EPIC Policy Director. EPIC has long advocated for the creation of a U.S. Data Protection Agency, arguing that the Federal Trade Commission is an ineffective agency, lacking basic competence for privacy protection. EPIC's recent report, Grading on a Curve: Privacy Legislation in the 116th Congress sets out the key elements of a modern privacy law, including the creation of a Data Protection Agency. [Bill text] [EPIC PRESS RELEASE] (Feb. 13, 2020)
  • FTC to Investigate Prior Big Tech Acquisitions +
    The FTC announced plans to review acquisitions by Google, Amazon, Apple, Facebook, and Microsoft between 2010-2019. The FTC will review those acquisitions that the companies were not required by law to report at the time of acquisition. FTC Chairman Joe Simons said the initiative would "evaluate whether the federal agencies are getting adequate notice of transactions that might harm competition." In a joint statement, Commissioner Wilson and Commissioner Chopra said, "While we commend the FTC for exploring this timely and important topic, we reiterate our call for the Commission to prioritize 6(b) studies that explore consumer protection issues arising from the privacy and data security practices of technology companies, including social media platforms." EPIC filed a complaint with the FTC in 2014 opposing Facebook's acquisition of WhatsApp. EPIC is presently in federal court seeking to improve the FTC's proposed settlement with Facebook and to unwind the merger. (Feb. 12, 2020)
  • EPIC Seeks Regulation of AI, Petitions Federal Trade Commission +
    Today EPIC filed a petition with the Federal Trade Commission for a rulemaking "concerning the use of artificial intelligence in commerce." The EPIC petition follows two recent EPIC complaints to the FTC about the use of AI for employment screening and the secret scoring of young athletes. EPIC noted that several FTC Commissioners have called for updated regulations to address the challenges of Artificial Intelligence. EPIC pointed to the recent OMB Guidance for Regulation of Artificial Intelligence in support of the FTC rulemaking. EPIC also publishes the AI Policy Sourcebook, the first reference book on AI policy. (Feb. 3, 2020)
  • "A Big Victory for Privacy Groups" - Facebook Settlement +
    This week Facebook agreed to pay $550 million to settle a lawsuit about the use of facial recognition technology. The New York Times called the settlement "A Big Victory for Privacy Groups." In 2010, EPIC objected to Facebook's collection of biometric data and urged the FTC to modify a proposed settlement to limit Facebook's use of facial recognition. EPIC filed similar complaints about facial recognition with the FTC in 2016 and 2018. EPIC also filed several amicus briefs stating that the violation of a federal privacy law is sufficient to confer "standing," the right of consumers to bring lawsuits. In response to Facebook's challenge to the Illinois Biometric Privacy Act, EPIC wrote, "Judicial second-guessing of statutory protections for biometric data established by the state legislature, following a careful weighing of the public safety concerns, will come at an enormous cost to the privacy of Illinois residents." EPIC's views were adopted by a federal court in this case, which led to the recent settlement with Facebook. The text of the Illinois privacy law is available in the 2020 EPIC Privacy Law Sourcebook at the EPIC Bookstore. And EPIC's objections to the current FTC settlement with Facebook are now pending in federal court. (Jan. 30, 2020)
  • Supreme Court to Review Constitutionality of Federal Robocall Ban +
    The Supreme Court has aqreed to hear a challenge to the constitutionality of the Telephone Consumer Protection Act, a federal law that prohibits unwanted robocalls. The law generally restricts the use of autodialers, but in 2015 Congress created an exception for robocalls to collect debts guaranteed by the federal government. Several groups have since challenged the law on First Amendment grounds, arguing that the TCPA discriminates against particular speakers. The Court will now consider the issue in Barr v. American Association of Political Consultants. EPIC filed an amicus brief in Gallion v. Charter Communications, a related case, arguing that “these challenges represent a systematic effort by companies to undermine the purpose of the TCPA and to inundates consumers with unwanted calls.” EPIC routinely files amicus briefs on consumer privacy issues, including several amicus briefs on the TCPA. (Jan. 11, 2020)
  • Department of Transportation Releases Voluntary Guidelines for Driverless Vehicles +
    The Department of Transportation announced AV 4.0, voluntary guidelines for driverless vehicles. The guidelines "use a holistic, risk-based approach to protect the security of data and the public's privacy as AV technologies are designed and integrated." EPIC commented on an earlier version of the guidelines, saying the agency "should promulgate mandatory rather than voluntary cybersecurity guidelines." EPIC warned that "the very real possibility of remote car hacking poses substantial risks to driver safety and security." EPIC also testified before Congress in 2015, explaining that "current approaches, based on industry self-regulation, are inadequate and fail to protect driver privacy and safety." (Jan. 10, 2020)
  • FTC May Block Facebook Integration of WhatsApp User Data +
    According to recent news reports, the FTC may pursue an injunction against Facebook to prevent the integration of WhatsApp and Instagram user data. Analysts noted that integration would make it more difficult to break up the company if required by a subsequent antitrust review. When Facebook proposed to acquire WhatsApp in 2014, EPIC filed a complaint with the FTC advising the agency to block the sale unless adequate privacy safeguards were established for WhatsApp user data.The FTC wrote in response "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC's order against Facebook." The European Commission fined Facebook 122 million dollars in 2017 for misleading statements about the integration of the data sets. In a recent filing with a federal court, EPIC wrote "the Commission also seems entirely unconcerned by Facebook's planned integration of the personal data of WhatsApp users even though this would violate representations both firms previously made to the Commission." (Dec. 17, 2019)
  • Court Seeks Amicus Briefs in FTC-Facebook Settlement +
    An order from a federal court in Washington, DC creates an opportunity for groups and individuals to file amicus briefs about the proposed FTC settlement with Facebook. The proposed settlement concerns violations of consumer privacy and the adequacy of the settlement. EPIC argued, "This Court should not adopt the proposed Consent Decree because the parties have not established that it would be fair, adequate, reasonable, appropriate, or consistent with the public interest." EPIC explained that the proposed settlement "largely mirrors the preexisting Consent Order from 2012. There are few new obligations on the company that would limit the collection and use of personal data, nor will there be any significant changes in business practices." EPIC asked the court to provide an opportunity for others to file amicus briefs. The deadline for motions is December 17, 2019. (Dec. 16, 2019)
  • BREAKING: Court Orders FTC and Facebook to Reply to EPIC’s Brief +
    Today the U.S. District Court for the District of Columbia ordered both Facebook and the FTC to file replies to EPIC's amicus brief and sur-replies to EPIC's motion to intervene in United States v. Facebook. The case concerns the proposed settlement between the FTC and Facebook for violations of consumer privacy. EPIC argued, "This Court should not adopt the proposed Consent Decree because the parties have not established that it would be fair, adequate, reasonable, appropriate, or consistent with the public interest.” EPIC explained that the proposed settlement “largely mirrors the preexisting Consent Order from 2012. There are few new obligations on the company that would limit the collection and use of personal data, nor will there be any significant changes in business practices.” EPIC noted, the "Commission also seems entirely unconcerned by Facebook’s planned integration of the personal data of WhatsApp users even though this would violate representations both firms previously made to the Commission.” Through a Freedom of Information Act Request, EPIC has uncovered more than 29,000 complaints against Facebook currently pending at the Commission. (Dec. 10, 2019)
  • FTC Announces Non-Penalty in Cambridge Analytica Case +
    The FTC issued a press release today about Cambridge Analytica, the company blamed for the Brexit vote that harvested the personal data of 87 m Facebook users for voter profiling and tracking. The misuse of personal data occurred while Facebook was under a consent order and subject to the supervision of the FTC. EPIC urged the FTC to reopen the investigation of Facebook after news of the Cambridge Analytica breach in early 2018. More than 18 months after the scandal broke, the FTC found that Cambridge Analytica, a company now bankrupt, deceived consumers through its data-gathering practices. EPIC previously told Congress that the Cambridge Analytica scandal could have been avoided if the FTC had enforced its own Consent Order. (Dec. 7, 2019)
  • EPIC to Congress: FTC Must Consider Privacy, Block Google-Fitbit Deal +
    In a statement to the House Judiciary Committee, EPIC told lawmakers that merger review must consider data protection and that the Federal Trade Commission must block Google's plan to acquire Fitbit. "Far from protecting market competition and promoting innovation, the Commission is facilitating industry consolidation," EPIC said in the statement released in advance of the hearing. EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC noted that if the FTC approves Google's acquisition of Fitbit, it will be the 230th firm that Google/Alphabet has acquired "with barely a whimper from the Federal Trade Commission." EPIC said: "This is not antitrust enforcement. This is agency negligence." EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC warned the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. (Nov. 12, 2019)
  • EPIC Files Complaint with FTC about Employment Screening Firm HireVue +
    Today, EPIC filed a complaint with the FTC alleging that recruiting company HireVue has committed unfair and deceptive practices in violation of the FTC Act. EPIC charged that HireVue falsely denies it uses facial recognition. EPIC also said the company failed to comply with baseline standards for AI decision-making, such as the OECD AI Principles and the Universal Guidelines for AI. The company purports to evaluate a job applicant's qualifications based upon their appearance by means of an opaque, proprietary algorithm. EPIC has brought many similar consumer privacy complaints to the FTC, including a complaint on Facebook's facial recognition practices that contributed to the FTC's 2019 settlement with Facebook. Last year EPIC also asked the FTC to investigate the Universal Tennis Rating system, a secret technique for scoring high school athletes. (Nov. 6, 2019)
  • Bill to Establish Data Protection Agency Introduced in Congress +
    Representatives Eshoo and Lofgren have introduced the Online Privacy Act, a comprehensive framework for data protection in the United States. The bill would establish a data protection agency, create meaningful privacy safeguards for consumers, and hold companies accountable for the collection and use of personal data. The bill is based on Fair Information Practices and includes a provision on algorithmic accountability. "The Online Privacy Act sets out strong rights for Internet users, promotes innovation, and establishes a data protection agency. This is the bill that Congress should enact,” EPIC Policy Director Caitriona Fitzgerald said in a statement. EPIC's legislative report graded the Online Privacy Act the #1 privacy bill in Congress. (Nov. 5, 2019)
  • EPIC to Oppose Google-Fitbit Deal +
    In a statement released today, Marc Rotenberg said that EPIC would oppose Google's proposed acquisition of the fitness tracking company Fitbit. Mr. Rotenberg said the deal should not be approved. "There is no reason to trust Google's assurances about privacy protection," Mr. Rotenberg said, citing previous matters involving Doubleclick, YouTube, Google HomeMini, and Nest. Noting statements antitrust enforcement by the the FTC Chairman and the Assistant Attorney General, Mr. Rotenberg also said, "The Google-Fitbit deal is a test of their commitment to competition, innovation, and data protection." EPIC brought the 2012 case against the FTC for the agency's failure to enforce the 2011 consent order against Google after the company consolidated user data across multiple services. (Nov. 4, 2019)
  • Ralph Nader, Color of Change Endorse US Data Protection Agency +
    In a New York Times article, consumer advocate Ralph Nader endorsed the creation of a data protection agency. Nader told the Times that the U.S. needs a "new agency when the abuse pattern is so expansive that the authority in the existing agencies is obsolete and inadequate.” Rashid Robinson, President of Color of Change, said "We need to have a new data protection agency, an agency that examines the social, ethical impact of high-risk data practices.” EPIC and consumer groups have urged Congress to establish a data protection agency. EPIC has long advocated for a U.S. Data Protection Agency, noting that the United States is one of the few democracies in the world that does not have a federal data protection agency. (Nov. 3, 2019)
  • EPIC to Congress: Consumers Must Be Protected in Merger Reviews +
    In a statement to the House Judiciary Committee, EPIC told lawmakers that merger review should consider data protection. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. EPIC, Color of Change, the Open Markets Institute, and others have also urged the FTC to require Facebook to spin-off WhatsApp and Instagram. (Oct. 18, 2019)
  • Senator Cantwell to FTC: Settlement Lets Facebook "Off the Hook" +
    Senator Maria Cantwell [D-WA], Ranking Member on the Senate Commerce Committee, has sent a letter to Federal Trade Commission Chairman Joseph Simons regarding the FTC's controversial settlement with Facebook. "I am concerned that the settlement lets Facebook off the hook for unspecified violations, and given the many public reports of Facebook's mishandling of consumer data, it is difficult to fully understand the impact of this provision on the settlement on the data privacy protection of the millions of U.S. consumers that have used and continue to use Facebook," Cantwell wrote to Simons. Through a Freedom of Information Act Request. EPIC has obtained thousands of new consumer complaints (part 1, part 2) against Facebook. EPIC is formally challenging the proposed settlement, charging that the Commission has failed to investigate thousands of complaints against the company. (Oct. 15, 2019)
  • EPIC to Congress: 29,000 Facebook Complaints Pending at FTC +
    In advance of an FTC oversight hearing, EPIC told the House Appropriations Committee that more than 29,000 complaints against Facebook are now pending at the Federal Trade Commission. EPIC obtained documents last week revealing 3,000 new complaints against Facebook since the Commission proposed the $5 b settlement with Facebook two months ago. EPIC's Freedom of Information Act Request had previously found 26,000 complaints pending against the social media giant. "The FTC is simply ignoring thousands of consumer privacy complaints about Facebook's ongoing business practices," EPIC said to the Committee. EPIC is formally challenging the proposed settlement with Facebook, charging that the Commission has failed to investigate thousands of complaints against the company. EPIC urged the Committee to support the creation of a U.S. Data Protection Agency, saying "The Federal Trade Commission may help consumers with broken toasters, but the FTC is not an effective data protection agency." (Sep. 25, 2019)
  • EPIC Renews Call for Antitrust Agencies to Unwind Bad Mergers +
    In a second statement to the Senate Judiciary Committee, EPIC urged lawmakers to unwind bad mergers such as Facebook's acquisition of WhatsApp and Google's acquisition of YouTube and Nest. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC also warned that Google's acquisition of YouTube would skew search results. EPIC, Color of Change, and the Open Markets Institute urged the FTC to require Facebook to spin-off WhatsApp and Instagram as part of the recent enforcement action. The FTC failed to do so. (Sep. 23, 2019)
  • EPIC Uncovers 3,156 More Facebook Complaints at FTC—Over 29,000 Now Pending +
    Through a Freedom of Information Act Request, EPIC has obtained thousands of new consumer complaints (part 1, part 2)against Facebook. The most recent documents, released to EPIC, follow the Commission’s proposed $5 b settlement in July. Among the complaints uncovered by EPIC are those from consumer groups and members of Congress. EPIC also obtained records of new complaints in the FTC’s Consumer Sentinel database. EPIC earlier uncovered 26,000 complaints against Facebook since the announcement of the 2011 consent order. EPIC is formally challenging the proposed settlement with Facebook, charging that the Commission has failed to investigate thousands of complaints against the company. (Sep. 22, 2019)
  • FTC YouTube Settlement Fails to Safeguard Children's Privacy +
    Following a comprehensive complaint launched by the CCFC and the CDD concerning children's privacy, the Federal Trade Commission announced a settlement today with YouTube and parent company Google. The companies agreed to pay $170 million to settle claims that they violated the Children's Online Privacy Protection Act, but little will change in the companies business model. Writing in dissent, Commissioner Slaughter said, "Youtube and Google were knowingly profiting off of the unlawful tracking of children." She said the Commission should have required a "technological backstop" to ensure that behavioral advertising of children would not continue. Commissioner Chopra, also dissenting, wrote "the Commission repeats many of the same mistakes from the Facebook settlement." In a statement, Senator Markey said the FTC should have required Google to delete all data it collected from children under 13, prohibit Google from launching kids service without prior review, and required annual public audits. EPIC joined the CCFC and the CDD in the complaint to the FTC. Earlier, after Google acquired YouTube, EPIC sued the FTC to block Google's proposed consolidation of user data. The judge ruled against EPIC, but wrote "EPIC - along with many other individuals and organizations - has advanced serious concerns that may well be legitimate..." (Sep. 4, 2019)
  • Gallup Poll: Americans Divided on Regulation for Big Tech Firms +
    A new Gallup poll found that 48 percent of respondents said the government should boost its regulation of technology companies like Amazon, Facebook and Google, while 40 percent said regulation of these firms shouldn't change. Roughly 60 percent of self-identified liberals, union members, college graduates and Democrats support increased oversight of tech companies. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger laws to protect their privacy. EPIC has also opposed mergers that threaten consumer privacy, including Facebook's acquisition of WhatsApp, Google's acquisition of DoubleClick, and Google's acquisition of Nest Labs. (Aug. 22, 2019)
  • EPIC Pursues Intervention in FTC Facebook Case +
    EPIC has filed a reply brief in support of its motion to intervene in United States v. Facebook, a case concerning the proposed settlement between the Federal Trade Commission and Facebook. The Government and Facebook have sought to block EPIC's participation. EPIC pursued intervention to protect the interests of Facebook users and to ensure that pending complaints at the FTC were not ignored. EPIC told the court overseeing the case that the settlement "is not adequate, reasonable, or appropriate." In response to Facebook and the government, EPIC explained that the settlement is "arbitrary and capricious because the Commission seeks to grant Facebook immunity from any unlawful practices identified in prior consumer complaints, without addressing or even identifying the prior complaints." EPIC also argues that the FTC's failure to consider public comments on the settlement, as the agency is required to do under its own regulations, "denies EPIC and others the opportunity to submit comments on the consent agreement." An EPIC FOIA lawsuit uncovered more than 26,000 complaints against Facebook pending at the agency. In 2009, EPIC and other consumer privacy organizations filed the original complaint that created legal authority for the FTC to oversee Facebook's privacy practices. Many members of Congress, consumer organizations, and corporate law experts have opposed the proposed settlement, which was narrowly approved by the Commission, 3-2. (Aug. 12, 2019)
  • EPIC Comments on FTC Safeguards Rule +
    EPIC provided comments to the FTC on the agency's proposed update to the Safeguards Rule on data security for financial institutions. In the proposal, the FTC highlighted that EPIC "recommended that certain practices set forth in the FTC's Safeguards Rule Guidance, such as employee background checks, authentication requirements, and encryption, should be mandatory." EPIC's comments (1) express support for the FTC's decision to mandate baseline security requirements, (2) request that the Safeguard Rules apply to all organizations and companies that collect consumer data, and (3) urge the FTC impose data minimization requirements. Recent breaches have highlighted the need for stronger data protection laws. EPIC has renewed calls for a data protection agency in the U.S. (Aug. 1, 2019)
  • EPIC Challenges FTC-Facebook Settlement, Asks Court to Hear from Privacy Groups +
    EPIC has filed a Motion to Intervene in United States v. Facebook to protect the interests of Facebook users. The case concerns a proposed settlement between the FTC and Facebook. EPIC said the settlement "is not adequate, reasonable, or appropriate." EPIC also explained that the settlement would extinguish more than 26,000 consumer complaints against Facebook pending at the FTC. EPIC asked the court for an opportunity for EPIC and others to be heard before the settlement is finalized. EPIC filed the original complaint that created legal authority for the FTC to oversee Facebook. Back in 2011, EPIC also urged the Commission to require Facebook to restore the privacy settings of users, give users access to all of the data that Facebook keeps about them, stop making facial recognition profiles without users' consent, make the results of the government privacy audits public, and stop secretly tracking users across the web. Earlier this year, EPIC and others urged the FTC to pursue structural remedies, including the divestiture of WhatsApp. Many organizations and individuals have expressed concern about the proposed settlement, which was narrowly approved by the Commission, 3-2. More info at https://epic.org/privacy/facebook/epic2019-challenge/ (Jul. 26, 2019)
  • EPIC Seeks Consumer Complaints about Facebook Pending Before FTC Prior to Settlement Agreement +
    EPIC has submitted an urgent Freedom of Information Act request to the Federal Trade Commission seeking all consumer complaints pending before the Commission at the time the agency entered into the settlement with Facebook. The proposed settlement order "resolves" all consumer complaints alleging violation of the consent order prior to June 12, 2019. Earlier this year, EPIC determined that there were 26,000 complaints against Facebook pending at the Commission. Many US privacy organizations have also filed detailed complaints with the Commission, alleging that Facebook's business practices violate the FTC Act and also the Children's Online Privacy Protection Act. The release of the information sought by EPIC could help the public and the Congress assess the adequacy of the proposed settlement. (Jul. 25, 2019)
  • FTC Opens Antitrust Investigation of Facebook +
    Facebook has disclosed that the Federal Trade Commission opened an antitrust investigation into the company. In a recent statement for a Senate Judiciary committee hearing on antitrust, EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. This year, EPIC, Color of Change, the Open Markets Institute, and others urged the FTC to spin off WhatsApp as a remedy for violations of the 2011 consent order. In a settlement announced this week, the Commission failed to do so. (Jul. 25, 2019)
  • BREAKING - FTC Issues Facebook Fine, EPIC - "Too little, too late." +
    The Federal Trade Commission announced today the first fine against Facebook since EPIC and a coalition of privacy organizations filed a complaint with the Commission about the company’s businesses practices back in 2009. In a 2011 consent order the FTC said it would bar Facebook "from making any further deceptive privacy claims.” But in the years that followed, the FTC failed to act even as complaints emerged about marketing to children, privacy settings, tracking users, gathering health data, and facial recognition. Earlier this year, EPIC determined that there were 26,000 complaints against Facebook pending at the Commission. EPIC President Marc Rotenberg said today, “The FTC’s action is too little, too late. American consumers cannot wait another decade for the Commission to act against a company that violates their privacy rights. Congress should move quickly to establish a data protection agency." (Jul. 24, 2019)
  • BREAKING - EPIC Seeks Public Release of FTC Settlement with Facebook +
    Today EPIC filed an expedited Freedom of Information Act request with the Federal Trade Commission, seeking the public release of the proposed settlement with Facebook. Last week the Wall Street Journal first reported that the FTC approved a $5 billion settlement with Facebook for violating a 2011 consent order that EPIC helped obtain. However, details about the settlement have not been disclosed. In January, EPIC recommended that the FTC 1) impose substantial fines; 2) establish structural remedies; 3) require compliance with Fair Information Practices; 4) reform hiring and management practices; and 5) restore democratic governance. In a series of FOIA cases, EPIC uncovered the biennial audits of Facebook, the number of complaints pending against Facebook at the Commission (26,000), and records of meetings by the chief agency official responsible for overseeing enforcement. EPIC also launched the #EnforceTheOrder campaign. (Jul. 15, 2019)
  • WSJ Reports that FTC Agrees to $5B Fine Against Facebook +
    The Federal Trade Commission has reportedly approved a $5 billion fine against Facebook, the largest fine in the Commission's history. EPIC brought the original complaint to the FTC that led to the 2011 Consent Order against Facebook. This is the first enforcement action the FTC has taken against Facebook in the eight years since the Consent Order was put in place. Earlier this year, an EPIC Freedom of Information Act request uncovered more than 26,000 complaints against Facebook pending at the Commission. EPIC also launched the #EnforceTheOrder campaign to urge action by the FTC. In January, EPIC recommended that the FTC enforcement action 1) impose substantial fines; 2) establish structural remedies; 3) require compliance with Fair Information Practices; 4) reform hiring and management practices; and 5) restore democratic governance. (Jul. 12, 2019)
  • EPIC Files Complaint with FTC about Zoom +
    Today EPIC filed a complaint with the FTC alleging that the videoconferencing company Zoom has committed unfair and deceptive practices in violation of the FTC Act. According to EPIC, Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user. As a result, Zoom exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attacks. EPIC has brought many similar consumer privacy complaints to the FTC, including the complaint that led to the FTC consent order against Facebook and the complaint that led to the FTC consent order against Google. EPIC cited the Google order, which produced a $22.5 m fine, in the complaint concerning Zoom. EPIC, In re Zoom ("Concerning Zoom's ability to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user.”) (Jul. 11, 2019)
  • EPIC FOIA - FTC Enforcement Director Participated in Over 100 Meetings About Facebook Post-Cambridge Analytica +
    As a result of EPIC's Freedom of Information Act request, the Federal Trade Commission released records indicating that FTC Associate Director of Enforcement James A. Kohm participated in at least 162 meetings since the Commission adopted the consent order with Facebook in 2011. Almost 140 meetings occurred after Facebook admitted to the unlawful transfer of over 87 million user profiles to Cambridge Analytica. In March 2018, the FTC said it would reopen investigation of Facebook, but the agency has never taken an enforcement action against the country. EPIC launched the #EnforceTheOrder campaign this year to urge action by the FTC. (Jul. 11, 2019)
  • EPIC to Lobby for US Privacy Agency +
    In a statement released today, EPIC's Marc Rotenberg said the privacy organization would lobby for the creation a data protection agency in the United States. Criticizing the failure of the FTC to enforce the consent order against Facebook, Rotenberg said "the Commission has turned its back on the American public...Instead of going after the dominant tech firms that pose the greatest threats to privacy and competition, the FTC has chosen instead to go after small businesses." EPIC's President explained that EPIC had not previously lobbied Congress, but would do so now, "we have decided that EPIC can no longer stand on the sidelines." The statement concluded, "A data protection agency is the cornerstone of effective privacy protection. Data protection agencies act as ombudsmen for the public. They encourage innovation and good business practices. They identify emerging privacy challenges and pursue solutions. They take enforcement action when necessary and they impose penalties that are meaningful. Virtually every democratic country has created a privacy agency. But the United States has not. As a consequence, data breach and identity theft continue to rise in the United States. The pace of mergers is accelerating and the rate of innovation is slowing." (Jun. 21, 2019)
  • With Complaints Against Facebook Piling Up, FTC Goes After Small Businesses +
    The FTC today announced a minor settlement with a company called SecurTest over its claims concerning the EU-U.S. Privacy Shield program. The Commission also sent letters to 13 small companies for falsely claiming participation in various privacy programs. The FTC issued no fines and took no further action. The proposed consent agreement is subject to public comment after publication in the Federal Register. The announcement comes more than a year after the Commission said it would reopen the investigation of Facebook, following the Cambridge Analytica scandal. Earlier this year, an EPIC Freedom of Information Act request uncovered more than 26,000 complaints against Facebook pending at the Commission. EPIC brought the original complaint to the FTC in 2009 that led to the 2011 consent order. EPIC has repeatedly urged the FTC to #EnforceTheOrder against Facebook. (Jun. 14, 2019)
  • As State AGs Gather at FTC Event, Still No Action on Facebook +
    The FTC hosted a roundtable with state attorneys general in Nebraska as the final hearing on competition and consumer protection in the 21st century. More than a year has passed since the FTC reopened the investigation of Facebook after the Cambridge Analytica scandal, but the FTC has not issued a fine, imposed penalties, or even updated the public about the status of the investigation. EPIC Consumer Protection Counsel Christine Bannan testified at an earlier FTC hearing that the FTC's success should be measured by the enforcement of its orders. EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. EPIC brought the original complaint to the FTC in 2009 that led to the consent order. Facebook anticipates a $3-5 billion fine from the FTC, but EPIC, Color of Change, and the Open Markets Institute have urged the Commission to use its equitable authorities to improve privacy protection and governance, reform hiring practices, and to spin off WhatsApp and Instagram. (Jun. 11, 2019)
  • EPIC Seeks Memos from FTC Enforcement Director About Inaction on Facebook Consent Order +
    EPIC has filed a Freedom of Information Act request with the Federal Trade Commission seeking memos and internal communications about the Associate Director of the Enforcement Division James A. Kohm. Kohm is responsible for overseeing enforcement of the consent order against Facebook. Since the FTC announced the 2011 Consent Order, the FTC has never charged Facebook with a single violation of the order. In March 2018, the FTC announced an investigation of Facebook following the Cambridge Analytica scandal. 430 days have now passed with no report, no fine, and not even an update about the status of the investigation. EPIC has repeatedly urged the FTC to #EnforceTheOrder against Facebook. (May. 30, 2019)
  • New Report on the FTC's Big Tech Revolving Door Problem +
    A new report from the consumer group Public Citizen finds extensive conflicts of interest at the Federal Trade Commission. According to Public Citizen, most top officials at the Federal Trade Commission (FTC) become lawyers and lobbyists for major technology companies after they leave the agency or bring Silicon Valley conflicts with them when they arrive. These conflicts help explain the FTC's chronic reluctance to enforce consumer protection and antitrust laws, said Public Citizen. EPIC previously urged the FTC to block anticompetitive mergers, such as Google's acquisition of DoubleClick and Facebook's acquisition of WhatsApp, as well as to enforce the pending consent order against Facebook that EPIC helped establish in 2011. EPIC even sued the FTC when the consumer agency failed to enforce the consent order against Google, following the Buzz consent order. As of today, 423 days have passed since the FTC announced in March 2018 that it would reopen the investigation of Facebook. But still there is no fine, no report, and no update. (May. 23, 2019)
  • EPIC to Congress: FTC Has Failed to Protect Privacy, New Data Protection Agency Urgently Needed +
    In advance of FTC oversight hearings, EPIC has sent a statement to both House and Senate Committees outlining the FTC's failure to protect consumer privacy and urging the creation of an independent Data Protection Agency in the United States. EPIC's recent Freedom of Information Act request revealed that there are there are over 26,000 complaints pending against Facebook. In the eight years since the FTC announced the consent order barring Facebook from making any misrepresentation about user privacy, the FTC has not taken a single enforcement action against the company. "The FTC is simply ignoring thousands of consumer privacy complaints about Facebook's ongoing business practices," EPIC said. EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. EPIC brought the original complaint to the FTC in 2009 that led to the consent order. (May. 6, 2019)
  • EPIC Advises Senate Commerce Committee on Federal Privacy Legislation +
    Prior to a hearing on "Consumer Perspectives: Policy Principles for a Federal Data Privacy Framework," EPIC has sent a statement and related materials to the Senate Commerce Committee advising on federal privacy legislation. EPIC Executive Director Marc Rotenberg recently wrote in the New York Times, "There is still much that Congress can do to strengthen privacy protections for Americans. Enacting federal baseline legislation and establishing a data protection agency would be a good start." EPIC also sent the Committee EPIC commentaries from the Financial Times, Techonomy, the OECD Observer, and the Harvard International Review. EPIC recently joined 16 organizations in support of "A Framework for Privacy Protection in the United States." (Apr. 30, 2019)
  • Facebook Anticipates $3B-$5B Fine +
    According to news reports, Facebook has budgeted $3 billion for in its first-quarter earnings report, saying it expected the FTC to fine the company between $3-$5 billion. In January, EPIC and a coalition of consumer and civil rights groups sent a letter to the FTC calling on the Commission to enforce the order against Facebook by 1) imposing substantial fines; 2) establishing structural remedies; 3) requiring compliance with Fair Information Practices; 4) reforming hiring and management practices; and 5) restoring democratic governance. Also, EPIC's Freedom of Information Act request revealed that there are there are over 26,000 complaints pending against Facebook. In the eight years since the FTC announced the consent order barring Facebook from making any misrepresentation about user privacy, the FTC has not taken a single enforcement action against the company. EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. EPIC brought the original complaint to the FTC in 2009 that led to the consent order. (Apr. 26, 2019)
  • FTC Renews Spam Rule, Cites EPIC Comments +
    After soliciting public comments, the Federal Trade Commission has renewed the CAN-SPAM Rule (Controlling the Assault of Non-Solicited Pornography and Marketing). The FTC rule requires subject-line labeling of commercial emails containing sexually explicit material. The rule also clarifies that a recipient of unwanted emails may not be required to pay a fee, provide additional information or take any steps beyond sending an email or visiting a web page to opt out. In confirming the final rule, the agency specifically referenced EPIC's comments in support of the rule: "For example, the Electronic Privacy Information Center ('EPIC'), a consumer advocacy group, asserted that, '[w]hile the volume of spam is lower than it was just a few years ago, the need for the Rule continues.'" EPIC continues to push the FTC to safeguard consumer privacy with the Enforce the Order campaign, urging the agency to act against Facebook. (Apr. 23, 2019)
  • EPIC tells FTC, "Enforcement is a measure of success" +
    EPIC Consumer Protection Counsel Christine Bannan testified at the FTC's hearing on the agency's effectiveness at protecting consumer privacy. She said that the FTC's success should be measured by the enforcement of its orders. EPIC's Freedom of Information Act request revealed that there are there are over 26,000 pending consumer complaints against Facebook made while under the consent order. In the eight years since the FTC entered the consent order barring Facebook from making any misrepresentation about user privacy, the FTC has not taken a single enforcement action against the company. EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. (Apr. 16, 2019)
  • EPIC FOIA - FTC Confirms Number of Pending Facebook Complaints, Doubling Every Two Years +
    In response to EPIC's Freedom of Information Act request, the FTC confirms that there are a total of 26,000 pending consumer complaints about Facebook made while under the consent order. In an e-mail to EPIC, the FTC provided a breakdown of the total number of complaints per year. In 2018 alone, the FTC received 8,391 consumer complaints about Facebook, nearly twice the number received in 2016 (4,612), and more than four times the number received in 2014 (1,860). In the eight years since the FTC entered the consent order barring Facebook from making any misrepresentation about user privacy, the FTC has not taken a single enforcement action against the company. The FTC announced the reopening of the Facebook investigation in the wake of the Cambridge Analytica scandal. But more than a year later, the agency has failed to act. EPIC has repeatedly urged the FTC to #EnforceTheOrder against Facebook. (Apr. 3, 2019)
  • EPIC FOIA - FTC Confirms More than 25,000 Facebook Complaints are Pending +
    In response to a FOIA request from EPIC, the FTC has confirmed that there are over 25,000 complaints about Facebook pending with the Commission. In the eight (8) years since the FTC announced a consent order barring Facebook from making any misrepresentations about use privacy, the FTC has not taken a single enforcement action against the company. And one year has now passed since the FTC announced the reopening Facebook investigation after news of the Cambridge Analytica data breach. EPIC has urged the FTC to #EnforceTheOrder against Facebook. (Mar. 27, 2019)
  • EPIC to House Oversight Committee: U.S. Data Protection Agency Needed to Protect Consumers +
    In advance of a hearing on "Improving Cybersecurity at Consumer Reporting Agencies," EPIC sent a statement to the House Oversight Committee urging the creation of a data protection agency in the United States. "The FTC also lacks the ability, authority and expertise to engage the broad range of challenges we now confront," EPIC said. EPIC cited the Federal Trade Commission's limited ability to enforce basic data protection standards, and the growing dangers of data breach, identity theft, and cyber attacks by foreign adversaries. The U.S. is one of the few democracies in the world that does not have a federal data protection agency. EPIC wrote about the need for a U.S. data protection agency in the New York Times, the Hill, and Techonomy. (Mar. 26, 2019)
  • Senators Introduce Facial Recognition Privacy Act +
    U.S. Senators Roy Blunt [R-MO] and Brian Schatz [D-HI] introduced a bill to protect consumers from companies collecting facial images. Senator Schatz said: "Our faces are our identities. They're personal. So the responsibility is on companies to ask people for their permission before they track and analyze their faces." EPIC previously urged the FTC to stop Facebook's use of facial recognition to capture personal identity. In 2018, EPIC charged that Facebook's facial recognition practices lacks privacy safeguards and violate the 2011 Consent Order with the FTC. EPIC has urged the FTC to #EnforceTheOrder as a one-year deadline approaches. (Mar. 21, 2019)
  • Rep. Cicilline: FTC Must Investigate Facebook's Antitrust Violations +
    In a New York Times op-ed, Congressman David Cicilline (D-RI), Chairman of the House Judiciary Committee's Subcommittee on Antitrust, has asked the FTC to investigate Facebook for violating antitrust laws. Citing EPIC's work, Chairman Cicilline said "For years, privacy advocates have alerted the commission that Facebook was likely violating its commitments under the agreement. Not only did the commission fail to enforce its order, but by failing to block Facebook's acquisition of WhatsApp and Instagram, it enabled Facebook to extend its dominance." Rep. Cicilline made clear that data merger deals implicate competition law, which EPIC has long argued. Earlier this year, EPIC joined a coalition of groups urging the FTC to unwind the Facebook-WhatsApp merger, citing promises the companies made at time of the merger. EPIC has launched the #EnforceTheOrder campaign to urge action on the consent order. (Mar. 19, 2019)
  • Press Conference: Facebook, Privacy, and the Consent Order (Capitol Hill, March 19) +
    On Tuesday, March 19 at 2 pm, EPIC will host a press conference moderated by EPIC President Marc Rotenberg. The event will take place at the Fund for Constitutional Government, on Capitol Hill, across the street from the US Supreme Court. Participants include speakers from U.S. PIRG, Public Citizen, and EPIC. The event will focus on Facebook, the Federal Trade Commission, privacy and the 2011 consent order. EPIC has launched the #EnforceTheOrder Campaign to urge action on the consent order. In 2011, the agency issued a sweeping order against Facebook. The FTC Chairman said at the time, "Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users. Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not." Press advisory. Flyer. (Mar. 18, 2019)
  • EPIC Seeks from FTC All Consumer Complaints about Facebook +
    EPIC has filed an urgent Freedom of Information Act request to the Federal Trade Commission seeking all pending complaints. As a result of the extensive work of consumer organizations, the Commission issued a consent order against Facebook in 2011 barring the company from making any future misrepresentations about the privacy and security of a user's personal information. But the FTC has failed to issue any fines or declare any of Facebook's actions, including the Cambridge Analytical scandal, a violation of the consent order. The FTC has also not published the number of pending consumer complaints against Facebook. With the one-year deadline of the reopening of the Facebook investigation approaching, EPIC has launched the campaign #EnforceTheOrder. (Mar. 18, 2019)
  • Senator Hawley Says FTC Approach to Big Tech is "Toothless" +
    Senator Josh Hawley (R-MO) has sent a letter to the Federal Trade Commission urging a more aggressive approach to privacy protection. Senator Hawley outlined the many privacy violations by tech giants in recent years, including Facebook's failure to honor the promises it made when it acquired WhatsApp, Google's use of location data, and the disclosure of personal information to third parties by many platforms. "There is no excuse for inaction," Senator Hawley said. Earlier this year, EPIC joined a coalition of groups urging the FTC to unwind the Facebook-WhatsApp merger, citing promises the companies made at time of the merger. With the one-year deadline of the reopening of the Facebook investigation approaching, EPIC has launched the campaign #EnforceTheOrder, @FTC. (Mar. 11, 2019)
  • Senator Blumenthal Calls on FTC to Unwind Big Tech Mergers +
    In a Senate Judiciary Committee hearing earlier this week, Senator Richard Blumenthal said that antitrust enforcers must consider unwinding anticompetitive mergers. “Over the past decade tech companies have in effect been given a free pass by antitrust regulators,” Senator Blumenthal said. "Facebook perhaps should never been allowed to acquire Instagram, Google to acquire DoubleClick. I have come to the conclusion that maybe post merger, some of these transactions should be challengeable, rarely done, but still challengeable, especially when the merger is approved on conditions that are then violated.” Earlier this year, EPIC joined a coalition of groups urging the FTC to unwind the Facebook-WhatsApp merger, citing promises the companies made at time of the merger. (Mar. 7, 2019)
  • EPIC Launches #EnforceTheOrder, Urges FTC Action on Facebook +
    With the one-year deadline of the reopening of the Facebook investigation approaching, EPIC has launched the campaign #EnforceTheOrder. EPIC is urging the Federal Trade Commission to act before March 26, 2019. Many experts, including former FTC Chief Technology Officer Ashkan Soltani, Senator Richard Blumenthal, and former FTC Chair William Kovacic, have said that Facebook violated the consent order. EPIC has also joined with Color of Change, the Open Markets Institute and others to urge the FTC to impose a significant fine and also to break up the company, reform hiring and management practices, and install a director to represent users. Follow EPIC at @EPICprivacy for the latest on the campaign. Join us. Tweet why enforcement matters to you. Include #EnforceTheOrder @FTC @facebook. (Mar. 5, 2019)
  • California AG Proposes Stronger Enforcement for State Privacy Law +
    The attorney general of California has unveiled legislation that would strengthen the California Consumer Privacy Act. The new bill would enable consumers to enforce their rights in court. The proposal comes as California seeks to implement the Consumer Privacy Act. In testimony for the US Congress, EPIC has explained that the “most effective way to improve data security is to establish a private right of action.” At present, there are hundreds, perhaps thousands, of substantial privacy complaints pending before the Federal Trade Commission. The EPIC State Policy Project monitors privacy bills nationwide. (Feb. 28, 2019)
  • FTC Announces Task Force on Competition in Tech +
    The FTC announced a new task force dedicated to monitoring U.S. technology markets and investigating anticompetitive conduct. FTC Chairman Joe Simons said "it makes sense for us to closely examine technology markets to ensure consumers benefit from free and fair competition." According to the FTC, the Technology Task Force will examine "prospective merger reviews" and will review "consummated technology mergers." EPIC objected to Facebook's acquisition of Whatsapp in 2014 and Google's acquisition of DoubleClick in 2007. EPIC has called on the FTC to require Google to divest Nest, after reports that the company hid listening devices in the home thermostat, and pressed the Commission to use its equitable authorities, including divestiture, to enforce consent orders. (Feb. 26, 2019)
  • EPIC to FTC: After Home Spying Reports, Google Should Divest Nest +
    Following reports that Google installed secret listening devices in the homes security product Nest, EPIC asked the Federal Trade Commission to require Google to spin-off Nest and to disgorge the data obtained from Nest users. It is a federal crime to intercept private communications or to plant a listening device in a private residence. In 2014, EPIC filed a complaint with the Commission regarding a related merger review and noted specifically that the "Commission clearly failed to address the significant privacy concerns presented in the Google acquisition of Nest." EPIC also said at the time that the "early termination" approval of the Google/Nest merger was surprising given the Commission's extensive consideration of the Google acquisition of Doubleclick. Both the Senate Commerce Committee and the House Energy and Commerce Committee have expressed interest in merger review in the tech industry. (Feb. 20, 2019)
  • EPIC Joins Statement to Facebook, End Messenger for Kids +
    EPIC joined a letter with fourteen other public interest groups to Mark Zuckerberg, calling on the Facebook CEO to shut down Facebook Messenger Kids, and cease all child-targeted business operations. This coalition effort, led by Campaign for a Commercial-Free Childhood, follows reporting that Facebook made millions of dollars by intentionally duping kids into making accidental purchases while playing games. Last year, the groups called on the company to shut down Facebook Messenger Kids based on research linking adolescent social media use with depression, poor sleep habits, and unhealthy body image. Senators Markey (D-MA) and Blumenthal (D-CT) also wrote a letter to Zuckerberg requesting answers on children's use of Facebook. EPIC, civil rights, and open market groups recently urged the FTC to act on numerous violations of the 2011 Consent Order. (Jan. 30, 2019)
  • During Government Shut Down, Facebook Moves to Integrate WhatsApp User Data +
    The New York Times has reported that Facebook is planning to integrate WhatsApp, Facebook Messenger, and Instagram. Earlier this week, EPIC joined a coalition of groups urging the FTC to unwind the Facebook-WhatsApp merger, citing promises the companies made at time of the merger. In 2014, EPIC and the Center for Digital Democracy warned the Commission that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. The FTC responded to EPIC and CDD and told Facebook and WhatsApp "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC letter concludes "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." Last week, Senators Markey and Blumenthal expressed concern over the impact of the government shutdown on the FTC's investigation into Facebook. Next week, the House Commerce Committee will hold a hearing on the government shutdown's impact on the FTC's Facebook investigation. (Jan. 25, 2019)
  • EPIC, Open Markets, Civil Rights Groups Press FTC on Facebook Consent Order +
    EPIC joined a coalition of groups urging the FTC to issue strong penalties in Facebook matter. "Given that Facebook’s violations are so numerous in scale, severe in nature, impactful for such a large portion of the American public and central to the company’s business model, and given the company’s massive size and influence over American consumers, penalties and remedies that go far beyond the Commission’s recent actions are called for,” the letter stated. The groups said the FTC should 1) impose substantial fines; 2) establish structural remedies; 3) require compliance with Fair Information Practices; 4) reform hiring and management practices; and 5) restore democratic governance. (Jan. 23, 2019)
  • Senators Urge FTC to Act Against Facebook +
    In a letter to the Federal Trade Commission, Senators Ed Markey and Richard Blumenthal pushed the Commission to take swift action against Facebook, despite the government shutdown. "While we have repeatedly expressed concerns about the pace of this investigation, we fear that the current government shutdown further threatens the FTC's ability to complete this investigation," the Senators wrote. "When Americans' privacy is breached, they deserve a speedy and effective response." The letter comes nearly ten months after the FTC announced it would reopen an investigation into Facebook after EPIC's urging. Since then, EPIC has urged the Commission to act and has repeatedly highlighted Facebook's violations of the 2011 consent order in statements to Congress. The 2011 consent order followed an extensive complaint filed by EPIC and a coalition of consumer privacy organizations in 2009. (Jan. 18, 2019)
  • Consumer Organizations Announce New Framework for US Privacy Protection, Propose Privacy Agency +
    EPIC joined 16 organizations in support of a “A Framework for Privacy Protection in the United States." The consumer groups outlined a new approach to privacy protection: (1) enact baseline federal legislation; (2) enforce fair information practices; (3) establish a data protection agency; (4) ensure robust enforcement; (5) establish algorithmic governance; (6) prohibit “take it or leave it” terms; (7) promote privacy innovation; and (8) limit government access to personal data. The consumer framework states that the Federal Trade Commission has failed to enforce the orders it has established. "The US needs a federal agency focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges.” [Press Release] (Jan. 17, 2019)
  • D.C. Attorney General Sues Facebook +
    The D.C. Attorney General filed a complaint against Facebook under the D.C. Consumer Protection Procedures Act, making D.C. the first U.S. jurisdiction to take action against the company for the mishandling of user data that led to Cambridge Analytica. The AG's complaint alleges that Facebook failed to monitor third-party use of personal data and failed to ensure users’ data was deleted. The D.C. lawsuit seeks financial penalties, and an injunction to ensure Facebook puts in place protocols and safeguards to protect users’ data and easier for users to control their privacy settings. AG Karl Racine said: “Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users’ permission. Today’s lawsuit is about making Facebook live up to its promise to protect its users’ privacy.” EPIC filed a D.C. Consumer Protection Procedures Act lawsuitchallenging the unlawful collection, use, and disclosure of personal location data by AccuWeather through its mobile iOS app. (Dec. 20, 2018)
  • Facebook Gave Personal Data to Third Parties Without Consent in Violation of FTC Consent Order +
    A New York Times investigation revealed that Facebook had deals with companies giving them access to personal data without meaningful user consent. These companies include Amazon, Sony, Microsoft, Yahoo, Spotify, and Netflix, as well as two companies considered security threats to the U.S.: Chinese smartphone manufacturer Huawei and Russian search engine Yandex. The deals Facebook made gave companies broad access to user data, including the the ability to read users’ private messages and access friend lists. EPIC and several consumer privacy organizations helped establish the 2011 consent order against Facebook, following a public campaign, and extensive complaints in 2009 and 2010. In March 2018, the FTC said it would reopen the Facebook investigation, but there is still no report, no findings and no fine. In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order. Several related EPIC complaints regarding Facebook are also pending at the FTC, including facial recognition. (Dec. 20, 2018)
  • EPIC Urges Senate To Examine FTC's Failure to Enforce Facebook Consent Order, Unwind WhatsApp Deal +
    EPIC has sent a statement to the Senate Commerce Committee in advance of a hearing on "Oversight of the Federal Trade Commission." EPIC told the Committee that the FTC should enforce the Facebook Consent Order and unwind the Facebook-WhatsApp deal. As EPIC previously told Congress, the Cambridge Analytica scandal could have been avoided if the FTC had enforced the Consent Order. That Order followed complaints by EPIC and consumer privacy organizations in 2009 and 2010. In 2014, EPIC urged the FTC to block Facebook's acquisition of WhatsApp. In 2016, EPIC filed a second complaint after Facebook broke commitments to the FTC and began collecting WhatsApp users' data. EPIC also highlighted the FTC's inaction in major privacy cases such as those against Uber, Facebook, and Google. (Nov. 26, 2018)
  • EPIC Comments on NTIA’s Consumer Privacy Framework +
    EPIC submitted comments to the National Telecommunications and Information Administration—the agency that advises the White House on Internet policy—on the proposed framework for consumer privacy. EPIC backed the "Desired Outcomes:" (1) transparency, (2) control, (3) minimization, (4) security, (5) access and correction, (6) risk management, and (7) accountability. But EPIC urged the agency to support federal baseline legislation, the creation of a data protection agency, and the ratification of the International Privacy Convention. EPIC explained, "These are not policy preferences or partisan perspectives. These are the steps that modern societies must take to safeguard the personal data of their citizens.” NTIA Secretary David Redl met with the Privacy Coalition last month. (Nov. 9, 2018)
  • Federal Trade Commission Approves Settlement with Uber +
    The Federal Trade Commission finalized a settlement with Uber after the company failed to implement reasonable security measures and allowed employees to access customers' personal information. Because of Uber's lax security practice, the company was breached twice, exposing vast amounts of sensitive information. The settlement follows on the heels of Uber's settlement with the attorneys general of all fifty states and the District of Columbia for failing to notify users of Uber's second breach in 2016. EPIC wrote to the FTC in May, urging the Commission to strengthen its existing settlement with Uber. The Commission responded directly to several of EPIC's suggestions, which included mandating cybersecurity and privacy requirements. Commissioner Chopra also agreed with EPIC that "the Commission should make required audits and assessments public." EPIC's 2015 complaint with the FTC regarding Uber's abuse of personal data led to a previous FTC settlement with Uber. EPIC has also proposed a privacy law for Uber and other similar transportation companies. (Oct. 29, 2018)
  • Consumer and Privacy Organizations Propose Framework for U.S. Data Protection +
    EPIC joined a group of twelve consumer and privacy organizations that submitted a statement to the Senate Commerce Committee in advance of a consumer privacy hearing. The groups outlined a draft framework for data protection in the U.S., advocating that Congress (1) enact baseline federal data protection legislation; (2) limit government access to personal data; (3) establish algorithmic transparency and end discriminatory profiling; (4) prohibit “take it or leave it” and other unfair terms; (5) ensure robust enforcement; (6) promote privacy innovation; and (7) establish a data protection agency. EPIC also submitted a statement to the Committee that highlighted recent breaches at Google and Facebook and the FTC's failure to enforce its own consent orders. (Oct. 9, 2018)
  • EPIC, Consumer Groups Urge Senate Commerce to Invite Privacy Witnesses to Privacy Hearing +
    EPIC joined a coalition of 28 consumer privacy groups in a letter to Senate Commerce Committee Chairman John Thune (R-S.D.) and ranking member Bill Nelson (D-Fla.) that asked the Senators to include consumer advocates in an upcoming hearing on consumer privacy. At this time, the Committee has invited, AT&T, Amazon, Google, Twitter, Apple and Charter Communications. The consumer privacy groups wrote, "the absence of consumer representatives all but ensures a narrow discussion, focused on policy alternatives favored by business groups." Proposals endorsed by consumers include, "federal baseline legislation, heightened penalties for data breaches, the end of arbitration clauses, the establishment of a privacy agency in the U.S., techniques for data minimization, [and] algorithmic transparency to prevent the secret profiling of American consumers." The groups also noted that a recent Harris survey found that "78 percent of U.S. respondents say a company's ability to keep their data private is 'extremely important,' but only 20 percent 'completely trust' organizations they interact with to maintain the privacy of their data." (Sep. 20, 2018)
  • FTC to Explore Competition and Consumer Protection Issues at Hearings this Week +
    The FTC is holding a hearing this week to examine the regulation of consumer data, the consumer welfare standard in antitrust law, and vertical mergers. This is the first in a series of hearings on "Competition and Consumer Protection in the 21st Century" that will examine how changes in the economy affect the FTC's enforcement priorities. EPIC and a coalition of consumer groups submitted extensive comments for the hearings. EPIC and the groups said that privacy protection is critical for competition and innovation. EPIC and the groups told the FTC that it should: 1) unwind the Facebook-WhatsApp deal; 2) require Facebook and Google to spin off their advertising units; 3) block future acquisitions by Facebook and Google that would extend monopoly control over consumer data; 4) impose privacy safeguards for all mergers that implicate data privacy; and 5) perform audits of algorithmic tools to promote accountability and to limit anticompetitive conduct. The FTC reopened the investigation of Facebook in March after EPIC and consumer groups filed a formal complaint, but has still taken no action. The UK Information Commissioner completed its initial investigation, published a report, and issued a substantial fine in July. (Sep. 12, 2018)
  • EPIC, Consumer Groups Advise FTC on Competition and Privacy +
    EPIC, the Center for Digital Democracy, the Consumer Federation of America, and US PIRG submitted comments to the FTC in advance of hearings on "Competition and Consumer Protection in the 21st Century." The consumer groups said that privacy protection is critical for competition and innovation. The groups told the FTC that it should: 1) unwind the Facebook-WhatsApp deal; 2) require Facebook and Google to spin off their advertising units into independent companies; 3) block all future acquisitions by Facebook and Google that would enable the companies to increase their monopoly over consumer data; 4) impose privacy safeguards for all future mergers that implicate data privacy concerns; and 5) perform audits of algorithmic tools to promote accountability and to limit anticompetitive conduct. This will be the first time the FTC has reexamined its approach to consumer protection and competition since the FTC's 1995 hearings on "Global Competition and Innovation." EPIC participated in the 1995 hearings which led to the FTC's work on consumer privacy. (Aug. 20, 2018)
  • EPIC to FTC: Google's Location Tracking Violates Consent Order +
    Following a report that Google tracks user location even when users opt-out, EPIC wrote to the FTC that Google violated the 2011 consent order. EPIC said "Google's subsequent changes to its policy, after it has already obtained location data on Internet users, fails to comply with the 2011 order." EPIC also told the FTC that "The Commission's inactions have made the Internet less safe and less secure for users and consumers." The 2011 settlement with Google followed a detailed complaint brought by EPIC and a coalition of consumer organizations. The groups charged that Google had engaged in unfair and deceptive trade practices when it changed the privacy settings of Gmail users and opted them into Google Buzz. The FTC agreed with the consumer groups, Google entered into a settlement and Buzz was shuttered. FTC chairman John Liebowitz said at the time, "When companies make privacy pledges, they need to honor them. This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations." (Aug. 17, 2018)
  • EPIC, Consumer Groups Urge FTC to conclude Facebook Investigation +
    EPIC and a coalition of consumer groups have asked the FTC to conclude the Facebook-Cambridge Analytica investigation by September 1, 2018. The groups said, "It is critical that the FTC conclude the Facebook matter, issue a significant fine, and ensure that the company upholds its privacy commitments to users.” Congress and the European Parliament have both conducted extensive hearings on the Cambridge Analytica matter. The U.K. Information Commissioner’s Office conducted an extensive investigation, published a substantial report, and issued a significant fine in July. The FTC announced in March that it would reopen the Facebook investigation. (Aug. 15, 2018)
  • Following EPIC Comments, FTC Strengthens Safeguards for Kids' Data in Gaming Industry +
    The FTC has unanimously voted to approve EPIC’s recommendations to strengthen safeguards for children's data in the gaming industry. In a 5-0 vote, the FTC adopted EPIC's proposals to revise the Entertainment Software Rating Board's industry rules to (1) extend children's privacy protections in COPPA to all users worldwide; and (2) to implement privacy safeguards for the collection of data "rendered anonymous." The FTC wrote, "the Commission agrees with EPIC's comment. As COPPA's protections are not limited only to U.S. residents, the definition of 'child' in the ESRB program has been revised to remove the limitation." The Commission also strengthened protections for de-identified children's data: "companies must provide notice and obtain verifiable parental consent if personal information is collected, even if it is later anonymized." EPIC has testified several times before Congress on protecting children's data and supported the 2013 updates to COPPA. (Aug. 14, 2018)
  • EPIC Urges FTC To Step Up Privacy Shield Enforcement +
    In detailed comments, EPIC advised the FTC to strengthen a proposed settlement with ReadyTech concerning Privacy Shield, a framework that permits the flow of data on Europeans to the U.S. The FTC settlement prohibited the company from making future misrepresentations regarding compliance with Privacy Shield, but provided no relief for Europeans whose data was unlawfully collected. EPIC urged the FTC to require ReadyTech to undergo and release independent privacy assessments, disgorge all data collected from E.U. citizens, and implement Fair Information Practices. EPIC told the FTC that enforcement of Privacy Shield comes at a critical moment, as the European Parliament recently called for suspension by September 1st if the U.S. does not fully comply. EPIC stressed the urgency of the FTC’s Facebook-Cambridge Analytica investigation, which the European Parliament highlighted as a particular concern. EPIC previously told the FTC that the Cambridge Analytic breach could have been prevented had the FTC enforced the 2011 Consent Order against Facebook, which EPIC and other organizations helped obtain. (Aug. 1, 2018)
  • FTC Chair Seeks New Privacy and Data Security Authority +
    In testimony this morning before the House Energy and Commerce Committee, new Federal Trade Commission Chairman Joseph Simons said the FTC needs greater authority to protect consumers. Simons asserted that privacy and data security are now the top priority for the FTC, and signaled his support for data protection legislation that would accomplish three things: (1) provide civil penalties for companies that violated the law, (2) give the FTC jurisdiction over nonprofits and common carriers, and (3) provide the FTC with rulemaking authority for privacy and data security. EPIC submitted a statement prior to today's hearing emphasizing that the FTC must conclude its investigation of Facebook and issue a fine for its violations of the 2011 Consent Order and unwind the Facebook-WhatsApp deal. (Jul. 18, 2018)
  • For House Hearing, EPIC Urges FTC to Unwind WhatsApp Deal, Enforce Facebook Consent Order +
    EPIC has sent a statement to the House Energy and Commerce Committee in advance of a hearing on “Oversight of the Federal Trade Commission.” EPIC told the Committee to urge the new FTC leadership to enforce the Facebook Consent Order and unwind the Facebook-WhatsApp merger As EPIC previously told Congress, the Cambridge Analytica breach could have been avoided if the FTC had enforced its 2011 Consent Order against Facebook. That Order was the result of detailed complaints filed by EPIC and consumer privacy organizations in 2009 and 2010. In 2014, EPIC and the Center for Digital Democracy urged the FTC to block Facebook’s acquisition of WhatsApp unless appropriate privacy safeguards were put in place. In 2016, EPIC and CDD filed a second complaint after Facebook broke its privacy promises and began collecting WhatsApp users' data. (Jul. 17, 2018)
  • FTC Announces Another Privacy Settlement, But Again Imposes No Penalties +
    The FTC announced today that it settled charges with ReadyTech, a California company, for misrepresenting compliance with Privacy Shield, a self-certification arrangement that allows US companies to obtain the personal data of Europeans. The FTC settlement prohibits the company from making future misrepresentations about Privacy Shield compliance, but imposes no penalties and provides no remedy to European consumers whose personal data was wrongfully obtained. Last year, the FTC settled charges with three companies that misrepresented their participation in Privacy Shield, but similarly failed to impose penalties. The European Parliament's Civil Liberties Committee ("LIBE") recently passed a resolution stating that Privacy Shield does not protect European consumers, and called for its suspension if the U.S. does not comply by September 1, 2018. LIBE specifically called attention to the Cambridge Analytica breach of 87 million Facebook users. In March, EPIC told the FTC that the Cambridge Analytica breach could have been prevented if the FTC had enforced its 2011 Consent Order with Facebook. (Jul. 2, 2018)
  • Facebook's Response to Congress Provides More Evidence of Consent Order Violations +
    Late Friday afternoon, Facebook submitted over 700 pages of responses to questions from members of Congress following Mark Zuckerberg's testimony in April. Facebook has now admitted that it provided developers and device makers access to personal data despite publicly stating that it had discontinued the practice. In April EPIC submitted a detailed letter to Congress, explaining that the Cambridge Analytica breach could have been avoided if the FTC had enforced the 2011 Consent Order. That Consent Order was the result of extensive complaints EPIC and consumer organizations filed with the FTC in 2009 and 2010. In March, the Acting Director of the FTC stated "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." In a recent memo, FTC Commissioner Rohit Chopra stated that "FTC orders are not suggestions." (Jul. 2, 2018)
  • US Consumer Groups Urge FTC To Examine 'Deceived by Design' Practices +
    EPIC and a coalition of consumer organizations sent a letter to the FTC about recent tactics by Facebook and Google to trick users into disclosing personal data. "We urge you to investigate the misleading and manipulative tactics of the dominant digital platforms in the United States, which steer users to 'consent' to privacy-invasive default settings," the letter states. The letter highlights a report by the Norwegian Consumer Council entitled "Deceived by Design," which details how companies employ numerous tricks and tactics to nudge users into selecting the least privacy-friendly options. EPIC and consumer privacy organizations previously filed complaints with the FTC when Facebook undermined users' privacy settings and Google automatically opted users into Google Buzz. In both cases, the FTC determined that the companies had engaged in "unfair and deceptive trade practices." Both Facebook and Google settled with the FTC and were then subject to 20 year consent orders that were intended to prevent the companies from engaging in similar practices in the future. (Jun. 27, 2018)
  • FTC Launches New Inquiry on "Competition and Consumer Protection in the 21st Century" +
    The FTC Chairman Joe Simmons announced today that the FTC will hold a series of public hearings this fall on how to safeguard consumer protection and competition in light of economic and technologic developments. "The hearings may identify areas for enforcement and policy guidance, including improvements to the agency's investigation and law enforcement processes, as well as areas that warrant additional study," said the FTC. The hearings will focus on several topics, including "the intersection between privacy, big data, and competition" and "the use of algorithmic decision tools, artificial intelligence, and predictive analytics." The FTC is requesting public comment in advance of the hearings. This will be the first time the FTC has reexamined its approach to consumer protection and competition since the FTC's 1995 hearings on "Global Competition and Innovation." EPIC participated in those hearings and helped the FTC develop authority to address emerging privacy issues. More recently, EPIC has put forward "10 Recommendations" for how the FTC can protect consumers, promote competition, and encourage innovation. (Jun. 20, 2018)
  • At Senate Hearing, Former FTC CTO States That Facebook Violated FTC Consent Order +
    In a Senate Commerce Committee hearing today on Facebook and data privacy, former FTC CTO Ashkan Soltani stated that Facebook violated the 2011 FTC Consent Order by transferring personal data to Cambridge Analytica and device makers contrary to user privacy expectations. Soltani said that Facebook continued to misrepresent the extent to which users could control their privacy settings and allowed device makers to override users' privacy settings. Senator Blumenthal and other members of Congress had previously said the company violated the Consent Order, which was the result of complaints filed by EPIC in 2009 and 2010. In a statement to the Committee in advance of the hearing, EPIC urged the Senate to focus on the FTC's failure to enforce the Consent Order with Facebook. (Jun. 19, 2018)
  • EPIC Urges Senate Committee to Focus on Consent Order with Facebook +
    EPIC has sent a statement to the Senate Commerce Committee outlining the FTC's failure to enforce the 2011 Consent Order with Facebook. The statement from EPIC is for a hearing on "Cambridge Analytica and Other Facebook Partners: Examining Data Privacy Risks." In 2009, EPIC and several consumer groups pursued a complaint, containing detailed evidence, legal theories, and proposed remedies to address growing concerns about Facebook's data practices. The FTC established a Consent Order in 2011, but failed to enforce the Order even after EPIC sued the agency in a related matter. In the statement to the Senate this week, EPIC contends that the FTC could have prevented the Cambridge Analytica debacle and Facebook's secret arrangements with device makers if the agency enforced the 2011 Order. (Jun. 19, 2018)
  • EPIC Urges Safety Commission to Regulate Privacy and Security of IoT Device +
    EPIC submitted comments to the Consumer Product Safety Commission, urging the agency to regulate the privacy and security of Internet of Things devices. EPIC advised the Commission to require IoT manufacturers to (1) minimize data collection, (2) conduct privacy impact assessments, and (3) implement Privacy Enhancing Techniques (“PETs”). EPIC recently told Congress that “CPSC should establish mandatory privacy and security standards, and require certification to these standards before IoT devices are allowed into the market stream.” EPIC has also called out the CPSC for its reluctance to address the privacy and security challenges of IoT. In the statement to Congress, EPIC described the increasing risks to American consumers. (Jun. 15, 2018)
  • Court of Appeals Vacates FTC's LabMD Order, Finding It Lacked Specifics +
    The Court of Appeals for the Eleventh Circuit has vacated an administrative order by the Federal Trade Commission, which required the medical testing company LabMD to implement "reasonable" data security measures, finding that the order was not specific enough to be enforceable. The court explained that the FTC can require companies to implement data security measures as long as it provides specific guidance. EPIC has repeatedly urged the FTC to mandate specific data security requirements in consumer privacy settlements, including in comments on recent settlements with Uber and PayPal. EPIC also submitted an amicus brief in FTC v. Wyndham, a case in which the Third Circuit Court of Appeals upheld the FTC's authority to enforce data security standards. (Jun. 7, 2018)
  • Amazon Echo Secretly Recorded And Disclosed User's Private Conversation +
    "Alexa" secretly recorded the private conversation of a Portland woman and sent it to one of her contacts, according to a news report. The Federal Wiretap Act makes it a crime to intentionally intercept a private communication. In 2015, EPIC urged the Federal Trade Commission and the Department of Justice to investigate whether "always on" smart home devices violated federal wiretap law. EPIC recently warned the Consumer Product Safety Commission that the Google Home Mini continuously record users' private conversations because of a product defect. And EPIC recently testified before the CPSC on the need to regulate privacy and security hazards posed by Internet of Things devices. (May. 24, 2018)
  • EPIC Renews Call For FTC To Stop Secret Scoring of Young Athletes +
    EPIC has urged the Federal Trade Commission to act on a Complaint EPIC previously filed with the FTC about the secret scoring of young tennis players. The EPIC complaint concerns the "Universal Tennis Rating," a proprietary algorithm used to assign numeric scores to tennis players, many of whom are children under 13. According to EPIC, "the UTR score defines the status of young athletes in all tennis-related activity; impacts opportunities for scholarship, education and employment; and may in the future provide the basis for 'social scoring' and government rating of citizens." EPIC pointed to objective, provable, and transparent rating systems such as ELO as far preferable. EPIC has championed "Algorithmic Transparency" as a fundamental human right. Earlier this month, the Council of Europe adopted the modernized Privacy Convention that establishes a legal right for individuals to obtain "knowledge of the reasoning" for the processing of personal data. (May. 23, 2018)
  • EPIC To Senate Judiciary: Privacy Is Integral to Democracy +
    In advance of a hearing on Cambridge Analytica and the Future of Data Privacy, EPIC has sent a statement to the Seante Judiciary Committee. EPIC said that "It has become increasingly clear that even as we are asked to give up our privacy, companies have become ever more secretive about how they profile and target voters." In 2014, EPIC challenged Facebook's manipulation of users' News Feeds for psychological research. "If Facebook used data manipulation to shape users' emotions, it can use data manipulation to shape voters' practices," EPIC told the Committee. (May. 15, 2018)
  • EPIC Urges FTC To Strengthen Revised Settlement with Uber +
    In detailed comments to the Federal Trade Commission, EPIC urged the FTC to strengthen a revised settlement with Uber. The FTC reached a settlement with Uber back in August of 2017 for its numerous privacy abuses, including secretly tracking riders and using software to evade authorities. But shortly after announcing the settlement, the FTC discovered that Uber had hid a massive data breach and used its bug bounty program to pay off the hackers. As a result, the FTC required Uber to submit all of its privacy assessments to the Commission. While EPIC supported the FTC’s action, EPC said that "the FTC should make Uber's privacy assessments public so that consumers can evaluate whether the company is meeting its obligations under the Consent Order." The FTC's initial investigation and subsequent settlement with Uber were prompted by EPIC's complaint against Uber's in 2015. (May. 15, 2018)
  • FTC Commissioner Chopra: "FTC orders are not suggestions" +
    Incoming Federal Trade Commissioner Rohit Chopra issued a memo today warning that the FTC will enforce its consent orders against companies that violate the law. "FTC orders are not suggestions," said Chopra. Chopra said the FTC should seek structural remedies as well as monetary fines. EPIC has repeatedly told the FTC to enforce its orders, and even sued the agency, EPIC v. FTC, for failing to enforce the order against Google following the Buzz fiasco. More recently, EPIC and a coalition of consumer groups told the FTC that the Cambridge Analytica breach could have been avoided had FTC enforced the 2011 Consent Order against Facebook. The FTC has since confirmed that it is investigating Facebook for the breach. According to the former Acting Director of the FTC's Bureau of Consumer Protection, "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." (May. 14, 2018)
  • EPIC Sues FTC for Release of Facebook's Audits +
    EPIC has filed a Freedom of Information Act lawsuit to obtain the release of the unredacted Facebook Assessments from the FTC. The FTC Consent Order. required Facebook to provide to the FTC biennial assessments conducted by an independent auditor. In March, EPIC filed a Freedom of Information Act request for the 2013, 2015, 2017 Facebook Assessments and related records. EPIC's FOIA request drew attention to a version of the 2017 report available at the FTC website. But that version is heavily redacted. EPIC is suing now for the release of unredacted report. EPIC has an extensive open government practice and has previously obtained records from many federal agencies. The case is EPIC v. FTC, No. 18-942 (D.D.C. filed April 20, 2018). (Apr. 20, 2018)
  • EPIC Obtains Partial Release of 2017 Facebook Audit +
    EPIC has obtained a redacted version of the 2017 Facebook Assessment required by the 2012 Federal Trade Commission Consent Order. The Order required Facebook to conduct biennial assessments from a third-party auditor of Facebook's privacy and security practices. In March, EPIC filed a Freedom of Information Act request for the 2013, 2015, and 2017 Facebook Assessments as well as related records. The 2017 Facebook Assessment, prepared by PwC, stated that "Facebook's privacy controls were operating with sufficient effectiveness" to protect the privacy of users. This assessment was prepared after Cambridge Analytica harvested the personal data of 87 million Facebook users. In a statement to Congress for the Facebook hearings last week, EPIC noted that FTC Commissioners represented that the Consent Order protected the privacy of hundreds of millions of Facebook users in the United States and Europe. (Apr. 20, 2018)
  • FTC Strengthens Penalties Against Uber for Covering Up Data Breach +
    The Federal Trade Commission has strengthened its 2017 settlement with Uber because the company hid a massive data breach and bug bounty program in 2016. Under the revised settlement, Uber must submit all of its privacy audits to the FTC, and will face civil penalties if it fails to disclose another breach. In February 2018, EPIC advised Congress that "bug bounty programs do not excuse non-compliance with data breach notification laws." The FTC's 2017 settlement with Uber was the result of EPIC's 2015 complaint to the Commission detailing Uber's numerous privacy abuses. In public comments, EPIC advised the FTC to strengthen the settlement by making all of Uber's privacy audits available to the public. (Apr. 12, 2018)
  • EPIC Urges Senate to Focus on FTC Consent Order with Facebook +
    In advance of a joint hearing about Facebook's failure to protect the personal data of users, EPIC has sent a comprehensive statement to the Senate Committee on the Judiciary and the Senate Committee on Commerce. EPIC is urging the Senators to focus on the 2011 Consent Order between Facebook and the Federal Trade Commission. In 2009, EPIC and a coalition of consumer groups presented the FTC with a complaint, containing detailed evidence, legal theories, and proposed remedies to address growing concerns about Facebook. The FTC adopted a Consent Order in 2011, based on EPIC's Complaint, but failed to enforce the Order even after EPIC sued the agency in a related matter. In numerous comments to the FTC, EPIC and others urged the FTC to enforce its consent order. In the statement to the Senate this week, EPIC contends that the Cambridge Analytica debacle could have been prevented if the FTC enforced the Order. (Apr. 9, 2018)
  • UPDATE - EPIC, Consumer Groups Urge FTC to Investigate Facebook's Use of Facial Recognition +
    EPIC and a coalition of consumer groups have filed a complaint with the FTC, charging that Facebook's use of facial recognition techniques threaten user privacy and "in multiple ways" violate the 2011 Consent Order with the Commission. "The scanning of facial images without express, affirmative consent is unlawful and must be enjoined," the groups wrote. Last week the organizations urged the Federal Trade Commission to reopen the 2009 investigation of Facebook, arguing that the disclosure of user data to Cambridge Analytica violated the consent order, and noting that the order also prohibited Facebook from "making misrepresentations about the privacy or security of consumers' personal information." In 2011 EPIC and consumer groups urged the FTC to investigate Facebook’s facial recognition practices. In 2012 EPIC advised the FTC "Commercial actors should not deploy facial techniques until adequate safeguards are established. As such safeguards have not yet been established, EPIC would recommend a moratorium on the commercial deployment of these techniques." EPIC President Marc Rotenberg said today, "Facebook should suspend further deployment of facial recognition pending the outcome of the FTC investigation." (Apr. 6, 2018)
  • EPIC, Consumer Groups to Urge Federal Trade Commission to Investigate Facebook's Use of Facial Recognition +
    EPIC and a coalition of consumer groups will file a complaint with the FTC on Friday charging that Facebook's use of facial recognition techniques threaten user privacy and violate the 2011 Consent Order with the Commission. "The scanning of facial images without express, affirmative consent is unlawful and must be enjoined," the groups wrote. Last week the organizations urged the Federal Trade Commission to reopen the 2009 investigation of Facebook, arguing that the disclosure of user data to Cambridge Analytica violated the consent order, and noting that the order also prohibited Facebook from "making misrepresentations about the privacy or security of consumers' personal information." The FTC has confirmed that an investigation is now underway. The FTC said, "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements." Facebook CEO Mark Zuckerberg will testify next week before the Senate Judiciary Committee and the House Commerce Committee. In 2011 EPIC urged the FTC to investigate Facebook's facial recognition practices. In 2012 EPIC advised the FTC "Commercial actors should not deploy facial techniques until adequate safeguards are established. As such safeguards have not yet been established, EPIC would recommend a moratorium on the commercial deployment of these techniques." (Apr. 5, 2018)
  • EPIC Urges FTC to Strengthen PayPal/Venmo Settlement +
    In detailed comments, EPIC advised the FTC to strengthen a proposed settlement with PayPal concerning Venmo, a mobile app for peer-to-peer payments. The FTC complaint found that Venmo made misrepresentations about privacy and security practices. EPIC recommended that the FTC require PayPal to (1) change the default setting to private, (2) require affirmative consent for subsequent changes, (3) make the privacy assessments public, (4) require multi-factor authentication, and (5) comply with Fair Information Practices. The FTC is obligated to consider public comments before finalizing a proposed settlement and must provide a “reasoned response” if it fails to modify an order. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. (Mar. 29, 2018)
  • FTC Confirms Investigation Into Facebook about 2011 Consent Order +
    The Federal Trade Commission has confirmed an investigation into Facebook for the company's failure to protect the personal data obtained by Cambridge Analytica. Facebook likely violated the FTC's 2011 Consent Order with the company. Last week, EPIC and a coalition of consumer organizations urged the FTC to reopen the investigation. EPIC and other consumer organizations brought the complaint that led to the FTC's 2011 Order. Thomas Pahl, the Acting Director of the FTC's Bureau of Consumer Protection stated today, "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." In a recent article for Techonomy, EPIC President Marc Rotenberg emphasized that "the transfer of 50 million user records to the controversial data mining and political consulting firm could have been avoided if the Federal Trade Commission had done its job." (Mar. 26, 2018)
  • EPIC FOIAs FTC, Seeks Facebook's Privacy Assessments +
    EPIC has submitted an urgent Freedom of Information Act request to the Federal Trade Commission, seeking the privacy assessments required by the FTC's 2012 Consent Order. Facebook is required to produce independent privacy assessments every two years for the next 20 years. Each assessment should "identify Facebook's privacy controls maintained during the reporting period, explain the appropriateness of these controlsin relation to Facebook's activities and sensitivity of information, as well as explain how these controls meet or exceed the protections" required in the 2012 Consent Order. Facebook is also required to identify an independent privacy auditor, approved by the FTC. EPIC previously obtained the 2012 Initial Compliance Report as well as the 2013 Initial Assessment through an earlier FOIA request. EPIC is now seeking the 2015 and 2017 reports which cover the period for the data transfers to Cambridge Analytica. (Mar. 20, 2018)
  • EPIC, Consumer Groups Urge FTC To Investigate Facebook +
    In a statement issued today, EPIC and a coalition of consumer groups have called on the Federal Trade Commission to determine whether Facebook violated a 2011 Consent Order when it facilitated the transfer of personal data of 50 million Facebook users to the data mining firm Cambridge Analytica. The groups had repeatedly urged the FTC to enforce its own legal judgements. EPIC even sued the agency in 2012 for its failure to enforce a consent order against Google. "The FTC's failure to act imperils not only privacy but democracy as well," the groups warned. Between 2009 and 2011 EPIC and other consumer groups undertook extensive work to document Facebook's privacy abuses that led to the consent order in 2011. (Mar. 20, 2018)
  • EPIC Tells House to Probe Commerce Secretary on Data Protection, Privacy Shield +
    EPIC has sent a statement to the House Appropriations Committee outlining the key privacy issues facing the Secretary of Commerce. The Committee held a hearing today to discuss the FY19 budget for the Department of Commerce. EPIC stated that data protection may be "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC said the FTC is simply not doing enough to safeguard the personal data of American consumers, as evidenced by this week's report on Facebook and Cambridge Analytica. EPIC also warned that Europe may suspend the Privacy Shield, a framework that permits the flow of European consumers' personal data to the U.S, if the United States does not modernize privacy law and establish a federal data protection agency. (Mar. 20, 2018)
  • Facebook "Breach" Highlights Failure of FTC to Enforce Consent Orders +
    In 2009, EPIC and a coalition of US consumer privacy organizations petitioned the Federal Trade Commission to establish comprehensive privacy safeguards after Facebook changed user privacy settings and secretly transferred user data to third parties. In 2011, the FTC agreed with the privacy groups and established a far-reaching settlement with the company, that prevented such disclosures, prohibited deceptive statements, and required annual reporting. But the FTC failed to enforce its consent order, even after EPIC sued the agency and consumer groups repeatedly urged the Commission to act. This weekend the Washington Post and the New York Times reported that Facebook disclosed the personal data of 50 million users without their consent to Cambridge Analytica, the controversial British data mining firm that sought to influence the 2016 presidential election. (Mar. 19, 2018)
  • EPIC to Congress: Examine "Connected Devices," Safeguard Consumer Privacy +
    EPIC sent a statement to a House Committee on Energy and Commerce in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing both data breaches and "always on" devices that record users' private conversations. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC warned of growing risks to consumer safety and public safety. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices. (Mar. 6, 2018)
  • FTC Report - ID Theft Complaints Rank High +
    Identity theft ranked second among all complaints submitted to the Federal Trade Commission in 2017. Although the total number of complaints dropped, consumers reported losing $63 million more to identity theft and fraud in 2017 than in 2016. EPIC has warned that "the FTC's failure to act against the growing threats to consumer privacy and security could be catastrophic." 2017 marked a record year for data breaches. EPIC urged the FTC to enforce data security standards as part of its 10 recommendations for the FTC's five-year strategic plan. EPIC President Marc Rotenberg also testified before the Senate and the House following the Equifax breach, calling for comprehensive data protection legislation. (Mar. 1, 2018)
  • House Draft Data Security Bill Preempts Stronger State Safeguards +
    Rep. Luetkemeyer (R-MO) and Rep. Maloney (D-NY) circulated a draft bill, the "Data Acquisition and Technology Accountability and Security Act," that would set federal requirements for companies collecting personal data and require prompt breach notification. The Federal Trade Commission, which has often failed to pursue important data breach cases, and state Attorneys General would both be responsible for enforcing the law. The law would only trigger liability if the personal data breached is "reasonably likely to result in identity theft, fraud, or economic loss" and would preempt stronger state data breach laws. Earlier this week, EPIC President Marc Rotenberg testified before the House, calling for comprehensive data privacy legislation that would preserve stronger state laws. Last fall, EPIC testified at a Senate hearing on the Equifax breach, calling it one of the worst in U.S. history. (Feb. 16, 2018)
  • EPIC Offers Recommendations for Future of FTC Ahead of Senate Hearing on Nominees +
    In advance of a Senate hearing on four nominees to the Federal Trade Commission, EPIC recommended 10 steps for the FTC to safeguard American consumers. EPIC explained that the FTC's failure to address the data protection crisis has contributed to unprecedented levels of data breach and identity theft in the United States. EPIC helped establish the FTC's authority for consumer privacy and has urged the FTC to safeguard American consumers in cases involving Microsoft, Google, Facebook, Uber, Samsung and others. EPIC also filed a lawsuit against the FTC when it failed to enforce a consent order against Google. (Feb. 13, 2018)
  • FTC Report on Connected Cars Lacks Privacy Recommendations +
    The Federal Trade Commission released a brief report summarizing a June 2017 workshop, co-hosted with the National Highway Traffic Safety Administration, on connected vehicles. While the report acknowledges consumer privacy interests, the report offers no concrete proposals for how the FTC will address the privacy and safety risks of connected cars. EPIC submitted comments to the FTC and NHTSA and gave a presentation at the FTC workshop, calling for national safety standards for connected cars. In a recent amicus brief to the Supreme Court, EPIC also underscored the privacy risks of rental cars, which collect vast troves of personal data. The Senate is currently considering a bill on connected cars and the NHTSA recently released revised guidance for connected cars, but both lack mandatory safety standards and encourage industry self-regulation. (Jan. 9, 2018)
  • FTC Finalizes Settlement with Lenovo Over Adware +
    The Federal Trade Commission has given final approval to a settlement with Lenovo over its practice of pre-installing adware onto consumers' laptops. The complaint alleged that the adware transmitted consumers' personal information to third parties and made consumer' laptops vulnerable to cyberattacks. The settlement prohibits Lenovo from misrepresenting any pre-installed software, but imposes no fines and allows Lenovo to continue pre-installing adware onto consumers' laptops. EPIC has routinely urged the FTC to strengthen its privacy settlements, and recently emphasized the need for the FTC to step up its data protection in comments on the FTC's five-year strategic plan. (Jan. 3, 2018)
  • EPIC, Coalition Urge Action on Toys that Spy +
    EPIC and a coalition of consumer privacy groups have asked the Federal Trade Commission to crack down on companies that sell internet-connected toys and smartwatches. The statement highlights an FTC complaint concerning My Friend Cayla and I-Que Intelligent Robot, toys that recorded and analyzed children's conversations filed more than a year ago. Many retailers worldwide have pulled these toys from their shelves, but the FTC has yet to take action on the complaint. "Connected toys raise serious privacy concerns," said EPIC President Marc Rotenberg. "Kids should play with their toys and their friends, and not with surveillance devices dressed as dolls." EPIC has backed many efforts to limit the risks of internet-connected toys. Recently, EPIC joined consumer groups in asking Mattel to cancel plans to sell Aristotle, an "always on" device that records the private conversations of young children. EPIC also supported a coalition letter asking the FTC to investigate smartwatches that track the location of children. The Norwegian Consumer Council has uncovered similar problems with Cayla and i-Que, and recently released a report on toys that track children. (Dec. 19, 2017)
  • EPIC Urges Congress to Focus on Consumer Privacy and Data Security in Antitrust Hearing +
    In a statement to the Senate Judiciary committee, EPIC urged lawmakers to consider consumer privacy at a hearing on "The Consumer Welfare Standard in Antitrust." EPIC emphasized the privacy risks of mergers, stating that "when companies merge, they combine not only their products, services, and finances, but also their vast troves of personal data." EPIC reminded Congress that the United States is experiencing an epidemic of data breaches, and large databases of personal data are more vulnerable to attack. EPIC testified before the Senate Judiciary Committee in 2007 about the growing risks to competition and privacy of mergers in the online advertising industry. EPIC also warned the FTC about the consumer privacy risks of high profile mergers. In 2000, EPIC opposed Doubleclick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. And in 2014 EPIC urged the FTC to mandate privacy safeguards for Facebook's acquisition of WhatsApp. (Dec. 12, 2017)
  • EPIC Urges Congress to Regulate AI Techniques, Promotes 'Algorithmic Transparency' +
    In advance of a hearing on "Digital Decision-Making: The Building Blocks of Machine Learning and Artificial Intelligence," EPIC warned a Senate committee that many organizations now make decisions based on opaque techniques they don't understand. EPIC told Congress that algorithmic transparency is critical for democratic accountability. In 2015, EPIC launched an international a campaign in support of Algorithmic Transparency. At a speech to UNESCO in 2015, EPIC President Marc Rotenberg called knowledge of the algorithm "a fundamental human right." Earlier this year, EPIC filed a complaint with the FTC that challenged the secret scoring of athletes by Universal Tennis. EPIC said to the FTC that it "seeks to ensure that all rating systems concerning individuals are open, transparent and accountable." (Dec. 12, 2017)
  • Senators Question Privacy and Safety of Facebook’s "Messenger Kids" App +
    Senators Edward Markey (D-Mass) and Richard Blumenthal (D-Conn) wrote to Facebook CEO Mark Zuckerberg with questions about Facebook’s Messenger Kids app, aimed at children 6-12. The Senators said, “we remain concerned about where sensitive information collected through this app could end up and for what purpose it could be used.” The Children’s Online Privacy Protection Act specifically limits the collection and use of data on children under the age of 13. Concerns about the misuse of children data remains high. EPIC and several consumer privacy organizations filed a complaint with the FTC in 2016 alleging that the Internet-connected doll Cayla spied on children. EPIC also backed a L6 recent campaign to recall Mattel’s Aristotle, a device that collected data from young children. The campaign led Mattel to cancel the sale of Aristotle. (Dec. 7, 2017)
  • EPIC Offers 10 Recommendations for the FTC's Five-Year Strategic Plan +
    EPIC has submitted 10 recommendations for the Federal Trade Commission's "Draft Strategic Plan" for 2018-2022. EPIC explained how the FTC can protect consumers, promote competition, and encourage innovation. Among the several proposals, EPIC urged the FTC to enforce consent orders, incorporate public comments into settlements, promote transparency, produce concrete outcomes, and endorse data protection legislation. EPIC and several consumer privacy groups outlined these proposals in a letter to the FTC in February, 2017. EPIC has consistently urged the FTC to exercise its full authority in protecting consumers, and even filed a lawsuit in 2012 to get the FTC to enforce an existing consent order against Google. EPIC has also filed several consumer privacy complaints with the FTC, including a recent complaint about "toys that spy." (Dec. 5, 2017)
  • EPIC Amicus - Ninth Circuit Holds Violation of Video Privacy Law Establishes 'Standing' +
    The Ninth Circuit issued an opinion today that addressed standing — the right to bring a lawsuit — under the Video Privacy Protection Act. The court found that the law protects a "substantive right to privacy that suffers any time a video service provider discloses otherwise private information." The court stated that a "plaintiff need not allege any further harm to have standing." EPIC filed an amicus letter brief in response to the court's request for parties to discuss standing following the Supreme Court decision in Spokeo v. Robbins. EPIC urged the court to recognize that "Congress intended to protect consumers' concrete interests in the confidentiality of their video viewing records." Contrasting with the Spokeo decision concerning the Fair Credit Reporting Act, the federal appeals court agreed that the video privacy law protects a "substantive interest." However, the court found that "personally identifiable information" was not disclosed by ESPN. EPIC has filed amicus briefs defending consumers in several cases after the Spokeo decision, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation. (Nov. 29, 2017)
  • EPIC Promotes 'Algorithmic Transparency,' Urges Congress to Regulate AI Techniques +
    In advance of a hearing on "Algorithms: How Companies' Decisions About Data and Content Impact Consumers," EPIC warned a Congressional committee that many organizations now make decisions based on opaque techniques they don't understand. EPIC told Congress that algorithmic transparency is critical for democratic accountability. In 2015, EPIC launched an international a campaign in support of Algorithmic Transparency. At a speech to UNESCO in 2015, EPIC President Marc Rotenberg called knowledge of the algorithm "a fundamental human right." Earlier this year, EPIC filed a complaint with the FTC that challenged the secret scoring of athletes by Universal Tennis. EPIC said to the FTC that it "seeks to ensure that all rating systems concerning individuals are open, transparent and accountable." (Nov. 28, 2017)
  • Senator Warner Questions Uber CEO On Why It Hid Data Breach +
    Senator Mark Warner sent a letter to the Uber CEO, Dara Khosrowshahi, questioning him about why the company covered up a data breach that affected 57 million consumers last year. Uber recently admitted that it hid a massive data breach from the public and paid the hackers $100,000 to delete the data. The stolen data included names, e-mail addresses, phone numbers, and drivers' licenses. Senator Warner told the Uber CEO that he had "grave concerns about your handling of a breach," including the fact that the company disclosed the breach to investors but not the public. Senator Warner has co-sponsored bipartisan legislation that would provide consumers with one free credit freeze per year and protect the credit ratings of veterans wrongly penalized by medical bills. EPIC's 2015 complaint with the FTC regarding Uber's abuse of personal data led to an FTC settlement in August, 2017. EPIC has also proposed a privacy law for Uber and other ride-sharing companies. (Nov. 28, 2017)
  • Consumer Bureau Proposes Policy Guidance for Data Aggregation Services +
    The Consumer Financial Protection Bureau recently set out guidance for financial services that aggregate consumer data. The Bureau outlined Consumer Protection Principles that "express the Bureau's vision for realizing a robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value." The Consumer Protection Principles for aggregated consumer data services are: (1) consumer access to information, (2) usability and limited scope of access by third parties, (3) consumer control and informed consent, (4) authorizing payments, (5) security (6) access transparency, (7) accuracy, (8) ability to dispute and resolve unauthorized access, and (9) efficient and effective accountability mechanisms. EPIC has urged Congress to establish privacy and data security standards for consumer services and has championed algorithmic transparency. In testimony before Congress, EPIC Board member Professor Frank Pasquale explained that the use of secret algorithms often have adverse consequences for consumers. (Nov. 16, 2017)
  • Senator Leahy Introduces Legislation To Protect Consumer Privacy +
    Senator Patrick Leahy (D-VT), joined by six other Senators, introduced comprehensive legislation to protect consumers from data breach and identity theft. The Consumer Privacy Protection Act of 2017 requires companies to provide notice to consumers after a data breach and meet certain baseline privacy and data security standards. The Consumer Privacy Act also prohibits companies from using a data breach to force consumers into individual arbitration, and would punish companies for concealing security breaches. Senator Leahy stated, "Companies that profit from our personal information should be obligated to take steps to keep it safe." Senator Leahy added, "In today's world, data security is no longer just about protecting our identities and our bank accounts; it is about protecting our privacy and even our national security." EPIC recently testified before the Senate Banking Committee in the wake of Equifax breach calling for consumer control over their personal data. EPIC President Marc Rotenberg also outlined several steps for Congress to reform the credit reporting industry in the Harvard Business Review. (Nov. 15, 2017)
  • FTC Requests Public Comments on Strategic Plan +
    The FTC released a draft of the FTC 2018-2022 strategic plan for public comment. The plan broadly summarizes the FTC's role in protecting consumers and promoting competition. Federal agencies are required by law to publish a strategic plan every four years. EPIC has stated that the Commission needs to "step up its efforts to protect the privacy interests of American consumers." EPIC wrote to Senate Commerce Committee in advance of a recent hearing on reform proposals for the FTC, stating "the FTC must do more to safeguard American consumers." EPIC also urged the FTC to re-focus an upcoming "workshop on informational injury" on the unprecedented levels of data breach and identity theft in the United States. Earlier this year, EPIC and a coalition of consumer privacy organizations set out "10 Steps for the FTC to Protect Consumers." Comments on the Strategic Plan are due to the FTC by December 5, 2017. (Nov. 9, 2017)
  • EPIC Urges FTC to Focus on Data Protection at Upcoming Workshop +
    EPIC has sent a letter to the FTC expressing concerns regarding their upcoming workshop on "Informational Injury." In advance of the workshop, the FTC has asked, "how to best characterize" privacy injuries. EPIC stated, "the injuries consumers face are obvious," in particular the unprecedented levels of data breach and identity theft. EPIC urged the FTC to re-focus the workshop on the questions of why data breach, identity theft, and financial fraud continue to rise in the United States, and how the FTC can do more to address these issues. EPIC recently testified before Congress on consumer data security and the credit bureaus, and has called on the FTC to step up its enforcement to protect consumer privacy. (Oct. 31, 2017)
  • FTC Provides Guidance on Voice Recordings and Kids +
    The Federal Trade Commission has clarified how the Children's Online Privacy Protection Act applies to toys that make voice recordings of children. The Commission's enforcement policy statement stated that an audio file may only be used "as a replacement for written words," and may only be maintained "for the brief time necessary for that purpose." Additionally, "the operator may not make any other use of the audio file in the brief period before the file is destroyed — for example, for behavioral targeting or profiling purposes." EPIC has supported efforts by consumer groups to warn of the risks smart toys pose to childhood development. Last year, a coalition of consumer groups pursued a complaint about My Friend Cayla, an Internet connected toy that recorded the private conversations of children. The complaint spurred a Congressional investigation and the toy was recalled in Europe. (Oct. 24, 2017)
  • Communications Privacy Directive Moves Forward in European Parliament +
    European Parliament Committee on Civil Liberties, Justice and Home Affairs - or LIBE Committee - has approved an update to EU communications privacy law in a key step toward finalizing the regulation. The proposed e-Privacy Regulation would extend consumer safeguards to users of all online communications services, cover content and metadata, and limit tracking of internet users. The Members recommended "privacy by default" settings be standardized, strong encryption by providers, and that users' consent obtained before the use of any personal data. In the U.S., EPIC has urged the Federal Communication Commission to bring U.S. law up to date with a similar, comprehensive approach to communications privacy. Next, the full European Parliament will vote on the legislation this week. (Oct. 23, 2017)
  • EPIC Calls for Greater FTC Enforcement +
    In advance of a Senate Commerce hearing on consumer privacy, EPIC called for more action by the Federal Trade Commission to protect American consumers. In a statement for the Committee, EPIC said that "the FTC is simply not doing enough to safeguard the personal data of American consumers." EPIC explained that "the FTC's privacy framework - based largely on 'notice and choice' - is simply not working." EPIC also warned that consumers "face unprecedented threats of identity theft, financial fraud, and security breach." EPIC has fought for consumer privacy rights at the FTC for more than two decades, filing landmark complaints about privacy violations by Uber, Microsoft, Facebook, Google, and even suing the Commission when it has failed to enforce its own orders. (Sep. 28, 2017)
  • EPIC Urges FTC To Strengthen Privacy Settlement With Uber +
    In detailed comments to the Federal Trade Commission, EPIC urged the FTC to strengthen a proposed settlement with Uber. The FTC's investigation and subsequent settlement was prompted by EPIC's 2015 complaint, which detailed Uber's secretive tracking of customers and surreptitious collection of user data. EPIC recommended that the FTC require Uber to end collection of customer data beyond what is necessary to provide the service and to mandate that Uber implement stronger privacy safeguards. As EPIC highlighted in the original complaint, Uber has a history of abusing consumer privacy. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. The FTC is obligated to consider public comments before finalizing a proposed settlement. (Sep. 15, 2017)
  • FTC Announces Privacy Shield Settlement but Imposes No Penalties +
    The Federal Trade Commission announced today a settlement with three companies that misrepresented their participation in the Privacy Shield arrangement. The Privacy Shield allows companies to transfer the personal data of European consumers to the United States based on a system of industry self-certification. The FTC settlement prohibits the companies from making future false claims about compliance with Privacy Shield, but does not impose any penalty. The FTC settlement also fails to provide any remedy to the EU consumers whose personal data was wrongfully obtained, nor does it require the companies to disgorge the data they fraudulently obtained. EPIC and consumer organizations in the US and Europe have criticized Privacy Shield for failing to establish basic privacy protection and lacking effective remedies. The FTC is now soliciting public comments on the proposed settlements, and the deadline to file a comment is October 10, 2017. (Sep. 8, 2017)
  • Following EPIC Complaint, Uber Agrees To Stop Tracking Riders +
    Uber has ended the practice of tracking customers before and after they are picked up. In 2015, Uber announced the company would track the location of riders from the time they ordered a ride until after they had reached their destination. EPIC promptly filed a complaint with the FTC and stated that "This collection of user's information far exceeds what customers expect from the transportation service." The end to Uber's tracking of riders comes two weeks after Uber entered into a consent agreement with the FTC following a complaint filed EPIC that highlighted Uber's history of misusing customer data. But EPIC said the FTC settlement does not go far enough. "The FTC should have imposed stronger sanctions on Uber, required the company to disgorge the personal data it had unlawfully obtained, and required the company to restore the original privacy settings," said EPIC President Marc Rotenberg. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC recently filed an FTC complaint to stop Google from tracking in-store purchases. (Aug. 29, 2017)
  • Appeals Court OKs Collusive Google Privacy Settlement +
    A divided federal appeals court has upheld a decision that allows Google to continue consumer privacy violations by means of a collusive settlement. Though the case concerns Google's illegal disclosure of personal data from 129 million consumers, the settlement fails to compensate those consumers, does nothing to change Google's business practices, and diverts funds to organizations that don’t protect consumer privacy. The dissenting judge wrote that the settlement "raises a red flag" because "47% of the settlement fund is being donated to the alma maters of class counsel." EPIC twice urged the lower court to reject the settlement, arguing that it did nothing for class members and would allow Google to "continue to engage in the privacy-invading practice." EPIC has long urged courts to reject collusive settlements and has proposed objective criteria for courts to follow in class action cases. (Aug. 23, 2017)
  • After EPIC Privacy Complaint, Uber Settles with FTC +
    After an EPIC complaint about Uber's privacy practices, Uber has entered into a consent agreement with the FTC. The agreement prohibits Uber from misrepresenting how it monitors or secures consumer information. As with most FTC privacy settlements, the agreement also requires Uber to implement a comprehensive privacy program and obtain periodic independent third-party audits. In 2015, EPIC filed a complaint with the Federal Trade Commission charging that Uber's plan to track users and gather contact details was an unlawful and deceptive trade practice. EPIC cited Uber's history of misusing customer data as one of many reasons the Commission should act. EPIC has previously pursued successful FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC recently filed an FTC complaint to stop Google from tracking in-store purchases. (Aug. 15, 2017)
  • EPIC Files FTC Complaint to Stop Google from Tracking In-Store Purchases +
    EPIC has filed a complaint with the FTC asking the Commission to investigate Google's tracking of in-store purchases. According to EPIC, Google collects billions of credit and debit card transactions and then links that personal data to the activities of Internet users. Google claims that it protects online privacy but refuses to reveal details of the algorithm that "deidentifies" consumers while tracking their purchases. EPIC's complaint asks the FTC to stop Google's tracking of in-store purchases and determine whether Google adequately protects consumer privacy. EPIC has filed several successful FTC complaints that led to FTC investigations, including complaints about changes to Facebook's privacy preferences and the launch of Google Buzz. EPIC has also focused on the adequacy of privacy techniques, with complaints against AskEraser (search histories that are not deleted) and Snapchat (images that do not "vanish"). EPIC's recent complaint against Google notes that the company is seeking to extend its dominance of online advertising to the physical world. (Jul. 31, 2017)
  • Google Faces Record Fine for Monopolistic Search Practices +
    European antitrust officials have imposed a $2.7 billion fine on Google for favoring its own services over competitors on Google search, which now dominates 90% of the market in Europe. It is the largest antitrust fine in European history. European Commissioner Margrethe Vestager stated "Google has abused its market dominance in search by promoting its own services and demoting its competitors. What Google has done is illegal under EU antitrust rules. It has denied other companies the chance to compete on the merits and to innovate. And most importantly, it has denied European consumers the benefits of competition, genuine choice, and innovation." Google competitors and news organizations, based in the United States, favored the outcome. Over many years, EPIC had urged the US government to take a closer look at Google's anti-competitive practices. In testimony before the Senate Judiciary Committee in 2007, EPIC warned that Google's growing dominance of online advertising would diminish user privacy and market competition. In a statement to the FTC in 2011, EPIC explained that Google altered the search rankings of YouTube after it acquired the company to preference Google's content over that of competitors and NGOs, including EPIC. In 2012, EPIC told the FTC that "Google's business practices raise concerns related to both competition and the implementation of the Commission's consent order." EPIC later sued the FTC for its failure to enforce the consent order. (Jun. 27, 2017)
  • EU Parliament Releases Draft Report on ePrivacy Directive +
    The European Parliament's Committee on Civil Liberties, Justice, and Home Affairs has released a draft report on regulations for privacy and electronic communications. The draft contains several proposals to strengthen online privacy, including end-to-end encryption in all electronic communications and a ban on encryption backdoors. Protecting the privacy of communications is "an essential condition for the respect of other related fundamental rights and freedoms," according to the report. EPIC has urged the FCC to follow developments with the ePrivacy Directive and has recommended the use of end-to-end encryption in applications including commercial e-mail and connected cars. (Jun. 19, 2017)
  • News Report: FTC to Act on EPIC's Uber Complaint +
    According to news reports, the FTC is pursuing EPIC's privacy complaint regarding Uber. In 2015, EPIC filed a complaint with the Federal Trade Commission charging that Uber's plan to track users and gather contact details was an unlawful and deceptive trade practice. EPIC cited Uber's history of misusing customer data as one of many reasons the Commission should act. EPIC has previously pursued successful FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. The FTC complaints typically lead to settlements following a change in business practices. EPIC has also recommended comprehensive privacy legislation for Uber. (Jun. 15, 2017)
  • EPIC Urges House Committee to Back Consumer Safeguards for Internet of Things +
    EPIC has sent a statement to the House Energy and Commerce Committee in advance of a hearing on "IOT Opportunities and Challenges." EPIC raised the "significant privacy and security risks" of the Internet of Things. A recent report from the Pew Research Center on the Internet of Things underscores the need to develop new safeguards for what some call "The Internet of Broken Things." EPIC has been at the forefront of policy efforts to establish safeguards for connected cars, "smart homes," consumer products, and "always on" devices. (Jun. 13, 2017)
  • EPIC to Congress: Data Protection Needed for Financial Technologies +
    EPIC submitted a statement to a House Committee hearing on financial technologies on the risks with new financial services. Companies now use social media data and secret algorithms to make determinations about consumers. They are also reaching out, through the "Internet of Things," to control consumers. EPIC's recently filed a complaint with the CFPB about "starter interrupt devices," deployed by auto lenders to remotely disable cars when individuals are late on their payments. (Jun. 9, 2017)
  • Pew Survey Explores Internet of Things +
    The Pew Research Center has released a report surveying experts about the security implications of the Internet of Things. The survey found a broad consensus that growth in the IoT will bring with it an increased risk of real-world physical harm. "The essential problem is that it will be impractical for people to disconnect," said EPIC President Marc Rotenberg in the survey. "Cars and homes will become increasingly dependent on internet connectivity. The likely consequence will be more catastrophic events." The ACM recently released a Statement of IoT Privacy and Security, which lists principles for protecting privacy and security in IoT devices. EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices. (Jun. 6, 2017)
  • EPIC Asks FTC to Stop System for Secret Scoring of Young Athletes +
    EPIC has filed a complaint with the Federal Trade Commission to stop the secret scoring of young tennis players. The EPIC complaint concerns the "Universal Tennis Rating", a proprietary algorithm used to assign numeric scores to tennis players, many of whom are children under 13. "The UTR score defines the status of young athletes in all tennis-related activity; impacts opportunities for scholarship, education and employment; and may in the future provide the basis for 'social scoring' and government rating of citizens," according to EPIC. EPIC urged the FTC to “find that a secret, unprovable, proprietary algorithm to evaluate children is an unfair and deceptive trade practice.” In 2015, EPIC launched a campaign on "Algorithmic Transparency" and has pursued several cases, including one for rating travelers and another for assessing guilt or innocence, that draw attention to the social risks of secret algorithms. (May. 17, 2017)
  • Court of Appeals Grants Rehearing in FTC v. AT&T Mobility +
    The Ninth Circuit Court of Appeals has granted rehearing of a decision that stripped the FTC of its authority over companies engaged in "common carrier" activities. The grant of rehearing vacates the court's earlier holding that the common carrier exemption to FTC authority is status-based, not activity-based. EPIC and a coalition of consumer advocates had filed a friend-of-the-court brief urging reconsideration of the court's decision, warning that the decision "could immunize from FTC oversight a vast swath of companies that engage in some degree in common carrier activity." EPIC previously filed an amicus brief in FTC v. Wyndham to defend the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." (May. 15, 2017)
  • Spending Measure Increases FTC Funding by $6 Million +
    The spending measure recently approved by Congress allocates $313 million to the FTC for fiscal 2017. According to the Senate summary, the allocation is for the FTC "to detect and eliminate illegal collusion, prevent anticompetitive mergers, combat consumer fraud, fight identity theft and promote consumer privacy." The amount is an increase of $6 million, or about 2 percent, over 2016 levels. EPIC has consistently urged the FTC to exercise its full authority in protecting consumers and has filed numerous consumer privacy complaints with the FTC, including a recent complaint about "toys that spy." Earlier this year, an EPIC-led coalition detailed 10 steps for the FTC to protect consumers in 2017. (May. 4, 2017)
  • Senators Blumenthal and Udall Introduce Online Privacy Bill +
    Senators Richard Blumental (D-CT) and Tom Udall (D-NM) have introduced the Managing Your Data Against Telecom Abuses (MY DATA) Act. The MY DATA Act would grant the FTC jurisdiction over broadband providers, as well the authority to establish rules for privacy and data security online. "In the 21st century, internet access is a basic necessity. And signing up for a basic necessity should never mean you have to sign away your rights to privacy," said Senator Blumenthal. EPIC has previously told Congress that the FTC has not done enough to safeguard consumer privacy, citing the Commission's failure to enforce settlement agreements or to modify proposed settlements based on public comments. EPIC has also proposed comprehensive consumer privacy laws to combat the growing threats of data breaches, identity theft, and financial fraud. (Apr. 27, 2017)
  • EPIC Recommends Privacy Safeguards for Vehicle Networks +
    In comments to the National Highway Traffic Safety Administration, EPIC recommended stronger privacy protections for vehicle-to-vehicle communications. EPIC urged the agency to allow consumers to turn off pre-installed V2V communications and to required automobile manufacturers to be transparent about the collection of personal data. EPIC also urged that agency to establish basic cybersecurity safeguards and require encryption for all vehicle networks and ensure data minimization techniques. EPIC has previously submitted comments to NHTSA on connected cars and has submitted several statements to Congress. (Apr. 14, 2017)
  • Privacy Poll - Users More Concerned about Google and Facebook than ISPs +
    According to a POLITICO / Morning Consult poll, Americans trust Google and Facebook less than ISPs to protect personal data. Only 43% of respondents trusted broadband companies with personal information "a great deal" or "a fair amount." But trust in internet companies was much lower: 31% said they trust Facebook, 21% trust Twitter, 39% trust Google, and 35% trust other websites they visit regularly. The poll also shows public opposition to web tracking, with 70% respondents saying they were "somewhat uncomfortable" or "very uncomfortable" with companies tracking the web sites people visit and 77% being uncomfortable with companies selling people's data for advertising purposes. EPIC had urged the FCC to adopt a comprehensive approach to privacy protection and maintains an extensive page on Privacy and Public Opinion. (Apr. 11, 2017)
  • Trump Repeals Broadband Privacy Safeguards +
    Donald Trump signed a congressional resolution rescinding the FCC's broadband privacy rules. The rules required internet service providers to obtain consumers' consent before accessing sensitive information and to notify consumers of data breaches. The resolution nullifies the FCC's rules and blocks the FCC from enacting similar rules in the future. EPIC had urged the FCC to establish comprehensive safeguards for consumer privacy, and also explained to Congress that the FTC does not effectively safeguard consumer privacy. EPIC also has a petition pending before the FCC to end the mandatory retention of private customer telephone records. (Apr. 4, 2017)
  • EPIC Seeks Documents on Trump - Pai White House Meeting +
    EPIC has filed an urgent FOIA request with the FCC for information on the recent meeting between FCC Chairman Ajit Pai and President Donald Trump. EPIC is seeking memos, briefing papers, emails, and talking points relating to the White House meeting that took place on March 6, 2017. EPIC said in the FOIA request that public disclosure of this is critical as President Trump has described the media, which is subject to FCC regulation, as the "enemy of the people." FCC Chair Pai also recently suspended parts of a broadband privacy order that protects Internet users from invasive tracking and profiling. EPIC has urged the FCC to establish comprehensive safeguards for consumer privacy. EPIC also has a long-standing petition before the FCC to end the mandatory retention of customer telephone records. (Mar. 9, 2017)
  • EPIC, Children's Advocates Oppose Requests to End FCC Broadband Privacy Rules +
    EPIC and a coalition of children's advocates have filed a comment opposing petitions that ask the FCC to revoke its broadband privacy rules. The coalition urged the FCC to retain rules that treat children's data, web browsing histories, and app usage data as sensitive and to retain opt-in requirements for all categories of sensitive information. EPIC previously urged the FCC to establish comprehensive safeguards for consumer privacy, to ban pay-for-privacy schemes, and to prohibit mandatory arbitration. EPIC has frequently defended FCC privacy rules and currently has a petition pending before the FCC to end the mandatory retention of customer telephone records. (Mar. 6, 2017)
  • Congressman Pallone Asks Government Accounting Office to Study Costs of Eliminating Privacy Rules +
    Congressman Frank Pallone has asked the U.S. Government Accounting Office to study the harms of eliminating rules that protect consumer privacy. "With the near universal use of the internet, and the rapid expansion of connected devices, corporations now have more information about American consumers than ever before," Pallone wrote in his letter. "It is, therefore, more important than ever that Americans' privacy and security be protected online." Pallone asked the GAO to report on whether the "notice and choice" approach to privacy regulation works, what challenges consumers face in protecting their information, and how the FCC, FTC, and other agencies approach privacy regulation. EPIC has urged the FCC to establish comprehensive safeguards for consumer privacy. EPIC also explained in comments to the FTC and FCC and in testimony before Congress that "notice and choice" is insufficient to protect consumer privacy. (Feb. 27, 2017)
  • EPIC, Coalition Recommend 10 Steps for the FTC to Protect Consumers in 2017 +
    EPIC and a coalition of consumer groups sent a letter to the Federal Trade Commission recommending 10 steps the agency should take to protect consumers and promote competition in 2017. "American consumers today are at great risk of identity theft, financial fraud, and data breaches," the coalition wrote, arguing that "proactive efforts to strengthen data protection will spur innovation and support business models that are sustainable over time." The letter asks the FTC to increase its enforcement efforts, promote transparency, and pursue actions based on unfairness instead of relying on "notice and choice." EPIC has consistently urged the FTC to exercise its full authority in protecting consumers. EPIC has also filed numerous consumer privacy complaints with the FTC, including a recent complaint about "toys that spy." (Feb. 16, 2017)
  • States Recognize Data Privacy Day +
    Several states across the U.S., including Michigan, Montana, North Carolina, and Ohio, recognized international Data Privacy Day, held annually on January 28 to commemorate the first international treaty for privacy and data protection. State efforts to raise awareness about privacy and other consumer protection issues are published monthly in The State Center Consumer Protection Report. The Report also noted that Mississippi is pursuing legal action against Google over student data collected from public schools. The lawsuit accuses Google of collecting students' personal information and search history for its own business interests in violation of the Mississippi Consumer Protection Act. (Feb. 10, 2017)
  • Acting FTC Chair Outlines Consumer Protection Priorities +
    In a recent speech, Acting Federal Trade Commission Chairwoman Maureen Ohlhausen outlined her priorities for consumer protection. Ohlhausen recognized that "a notice-and-choice approach to privacy may not adequately protect consumers" but advocated a market-focused "harms-based approach" to privacy. She pointed to recent settlements with Ashley Madison and Eli Lilly as cases involving significant non-financial harm to consumers. Ohlhausen also proposed making the results of all FTC data security investigations public, not only those that result in enforcement actions. EPIC supports increased transparency in FTC actions but has explained in comments to the FTC and FCC and in testimony before Congress that "notice and choice" and "harms based" approaches are insufficient to protect consumer privacy. (Feb. 6, 2017)
  • FTC Reaches Settlement with VIZIO Over Smart TV Tracking +
    The Federal Trade Commission has reached a $2.2 million settlement with smart TV manufacturer VIZIO over the company's tracking of consumers' viewing habits without their knowledge or consent. The FTC's complaint alleged that VIZIO's collection and sale of viewing data was unfair and deceptive, and the settlement agreement requires the company to delete all viewing data. EPIC previously filed a complaint with the FTC over Samsung's smart TV data collection practices, including surveillance of consumers' private conversations. EPIC has also defended the privacy of consumers' TV viewing habits in a federal court case involving the Video Privacy Protection Act. (Feb. 6, 2017)
  • EPIC Urges Congress to Examine "Connected Devices," Safeguard Consumer Privacy and Protect Public Safety +
    EPIC sent a letter to a House Subcommittee on Communications and Technology in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing recent examples of hacks of devices, including home locks and cars, connected to the internet. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC warned of growing risks to consumer safety and public safety. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices. (Feb. 2, 2017)
  • Trump Order Threatens Consumer Protection, Public Safety +
    The President has issued an executive order requiring every new regulation to be offset by the repeal of at least two existing regulations. The Order could directly impact rules that safeguard consumers against data breach, financial fraud, and identity theft. EPIC has also recommended new public safety regulations concerning aerial drones, connected vehicles, and the Internet of Things. In EPIC v. FAA, EPIC is challenging the failure of the agency to protect the public from aerial surveillance. (Jan. 31, 2017)
  • FTC Issues Report on Cross-Device Tracking +
    The Federal Trade Commission has issued Cross-Device Tracking: An FTC Staff Report, which describes online tracking technology used to link a consumer's activity across smartphones, laptops, tablets, and other internet-connected devices. The report follows from an FTC workshop on this emerging practice. EPIC filed comments with the Commission urging limits on cross-device tracking, which presents significant privacy challenges due to the "lack of transparency and control in this undetectable online tracking scheme." EPIC explained how "notice and choice" fails to protect consumers from this surreptitious activity. The FTC's report recommends continued industry-self regulation and application of the unworkable "notice and choice" approach to this new practice. (Jan. 26, 2017)
  • EPIC Urges Senate Committee to Safeguard Consumer Privacy in Internet of Things and Telemarketing Bills +
    EPIC sent a letter to the Senate Commerce Committee on Monday about privacy and security concerns in two pending bills. The DIGIT Act would "encourage the growth" of the Internet of Things and "help identify barriers to its advancement." The Spoofing Prevention Act would extend the laws prohibiting Caller ID spoofing to text messages, international calls, and Voice-over-IP calls. EPIC pointed out the "significant privacy and security risks" to American consumers of the Internet of Things. EPIC also argued for "a requirement that any automated calls reveal (1) the actual identity of the caller and (2) the purpose of the call." EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices. EPIC also supports robust telephone privacy protections and recently advised Congress on modernizing telemarketing rules. (Jan. 24, 2017)
  • FTC Sues D-Link Over Poor Security in Internet Routers and Cameras +
    The Federal Trade Commission has filed a lawsuit against Internet of Things device maker D-Link. The complaint alleges that D-Link failed to use adequate security in its internet cameras and routers despite promises that the devices were "easy to secure" and used "advanced network security." The poor security practices alleged by the FTC include using easily-guessed default passwords, mishandling code-signing keys, and storing usernames and passwords in plaintext. EPIC has worked extensively on the risks of the Internet of Things, recommending safeguards for connected cars, "smart homes," and "always on" devices. In 2013, EPIC submitted comments to the FTC addressing the security and privacy risks of IoT devices. (Jan. 12, 2017)
  • EPIC Calls on FCC to Prohibit Forced Arbitration +
    EPIC and a coalition of privacy advocates have submitted comments asking the FCC to prohibit forced arbitration clauses in communications contracts. Arbitration clauses require consumers to settle complaints in private proceedings out of court, often in inconvenient locations and before arbitrators of the company's choosing. The comments note that forced arbitration clauses allow corporations to "escape accountability for systemic harms" such as overbilling. The FCC's broadband privacy rules, adopted in October 2016, did not address forced arbitration clauses, but Chairman Wheeler announced at the FCC's October meeting that the agency had begun an internal process for rulemaking on that issue. EPIC has urged the FCC to establish comprehensive safeguards for consumer privacy, to ban pay-for-privacy schemes, and to prohibit mandatory arbitration. EPIC has frequently defended FCC privacy rules and currently has a petition pending before the FCC to end the mandatory retention of customer telephone records. (Jan. 12, 2017)
  • FTC Responds to EPIC, Consumer Groups About Toys That Spy +
    The Federal Trade Commission has responded to EPIC's complaint about toys that spy, promising to "carefully review" the filing. EPIC's complaint, filed last month and joined by the Campaign for Commercial Free Childhood, the Center for Digital Democracy, and Consumers Union, alleges that the internet-connected children's toys My Friend Cayla and i-Que Intelligent Robot violate federal privacy laws. The complaint is part of coordinated, international efforts to ban these toys from the marketplace. Walmart, Toys "R" Us, and stores across Europe have already pulled the toys from their shelves. EPIC's complaint has also spurred a congressional investigation by Sen. Edward Markey (D-MA) into the data practices of toymaker Genesis Toys and speech technology developer Nuance Communications. (Jan. 11, 2017)
  • Europe to Update Consumer Privacy Rules +
    The European Commission has released its proposal to update EU law on privacy and security safeguards for electronic communications. The revamped e-Privacy Regulation would extend important new safeguards to users of all online communications services, including email, instant messaging, and social media. The proposal would also protect both communications content and metadata, and would limit tracking of internet users. In the US, the FCC recently adopted modest privacy rules that apply only to broadband services offered by telecom companies, despite EPIC's repeated advice to the FCC to address "the full range of communications privacy issues facing US consumers." The Commission's update of the e-Privacy Directive follows the recently adopted General Data Protection Regulation, and must next be adopted by the European Parliament and European Council. (Jan. 10, 2017)
  • Center for Investigative Reporting: Uber Continues to Abuse Locational Data +
    A recent report from the Center for Investigative Reporting finds that Uber continues to allow employees broad access to rider location data, raising questions of whether the transportation service is violating the terms of a settlement with New York’s Attorney General. According to the report, "Uber gave thousands of employees access to where and when each customer travels." Uber recently changed the terms of service and expanded the collection of users location data. Uber also faces legal action in Europe over whether it should be considered a transportation service or digital platform. Last year, EPIC filed a complaint with the FTC, charging that Uber’s plan to track users and gather contact details is an unlawful and deceptive trade practice. That complaint, like many other consumer privacy complaints, is still pending before the Federal Trade Commission. (Dec. 21, 2016)
  • EPIC Urges Amazon, Walmart, Target, and Toys "R" US to Stop Selling Toys That Spy +
    EPIC has joined the Campaign for a Commercial-Free Childhood and the Center for Digital Democracy in letters to major U.S. retailers urging the companies to immediately discontinue sales of My Friend Cayla, an internet-connected doll that spies on young children. Earlier this month, EPIC filed a complaint with the Federal Trade Commission against toymaker Genesis Toys and speech recognition firm Nuance Communications over “toys that spy” on children in violations of federal privacy laws. The letters from the consumer groups, sent to AmazonWalmartToys "R" Us, and Target, urge the companies "to put the welfare of children first, and to cease sales of My Friend Cayla pending investigation and action by the FTC." Toy stores across Europe have already removed Cayla from their shelves and are offering refunds to parents who purchased the toys. (Dec. 20, 2016)
  • EPIC, International Consumer Coalition Urges Recall on "Toys That Spy" +
    #toyfail imageEPIC has filed a landmark complaint with the Federal Trade Commission about “toys that spy.” The complaint alleges that My Friend Cayla and i-Que Robot violate federal privacy law. “The toys subject young children to ongoing surveillance,” EPIC said in a statement. The EPIC complaint targets manufacturer Genesis Toys and Nuance Communications and describes how Internet-connected toys pose ongoing serious safety threats to children. EPIC’s complaint, joined by the Campaign for Commercial Free Childhood, the Center for Digital Democracy, and Consumers Union, is part of coordinated effort to ban these toys from the marketplace. The complaint follows earlier efforts by the Norwegian Consumer Council. EPIC warned Congress about the risks of the Internet of Things, and filed complaints with the FTC about “always on” devices and “smart TVs.” (Dec. 6, 2016)
  • Uber Expands Data Collection, Tracks Users, as Transport Services Case is Heard by European Court +
    Uber is now routinely tracking the location of all of its users, even when they are not using the transportation service. Last year, EPIC filed a complaint with the FTC after Uber announced the plan to collect location data when the app operated in the background. EPIC said that Uber had engaged in unfair and deceptive trade practice. The FTC failed to act and Uber is now tracking users non-stop. In Europe, Uber is facing legal action as the European Court of Justice considers whether the company should be considered a transportation service, subject to the same rules as its competitors, or a digital platform, which operates outside the law. (Dec. 1, 2016)
  • Congress Passes Consumer Review Fairness Act, Bans Gag Clauses +
    Congress has passed the Consumer Review Fairness Act, a law protecting consumers' right to post negative reviews without fear of retaliation. The bipartisan measure would make it illegal for companies to include non-disparagement clauses in consumer contracts, or to impose penalties or fees for critical reviews. The Federal Trade Commission will enforce the new law, which now awaits President Obama's signature. "By ending gag clauses, this legislation supports consumer rights and the integrity of critical feedback about products and services sold online." said Senate Commerce Committee Chairman John Thune. EPIC has long supported free speech and access to information online. (Nov. 29, 2016)
  • EPIC Asks FTC to Continue "Disposal Rule" +
    In comments to the FTC, EPIC continued support for the FTC's Disposal Rule, which requires that businesses to take reasonable steps to protect consumer information against unauthorized access or use. EPIC told the FTC that the Rule protects consumers from identity theft. EPIC backed the initial Disposal Rule. In the 2016 comments, EPIC explained that information that can identify an individual should be covered by the rule. (Nov. 21, 2016)
  • UK Information Commissioner Suspends WhatsApp Data Transfer to Facebook +
    Facebook has agreed to suspend targeted advertising for UKWhatsApp users. The decision follows an investigation by UK Information Commissioner Elizabeth Denham. "I don't think WhatsApp has got valid consent from users to share the information," Denham stated. WhatsApp announced in August that it would transfer its users verified phone numbers to Facebook in violation of previous privacy promises. EPIC then filed a complaint with the FTC and more than a dozen US consumer groups backed the efforts. Then European Union privacy officials and officials in Spain, Germany, India, and Italy opened investigations. Back in the US, the Commission said it will "carefully review" EPIC's complaint. The FTC has previously stated, "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises." (Nov. 8, 2016)
  • EPIC Urges FTC to Strengthen "Safeguard Rule" +

    In comments to the FTC, EPIC has asked the agency to strengthen the  Safeguards Rule, which sets out basic security standards for the processing of consumer information. EPIC urged the agency to expand the scope of the Rule, which now only applies to financial institutions. EPIC also recommended that the FTC mandate compliance with the Rule and require data minimization. EPIC has previously urged the Commission to enforce the Safeguards Rule against both financial and non-financial institutions and has also recommended data minimization to safeguard consumer privacy.

    (Nov. 8, 2016)
  • EPIC, Consumer Coalition Defend FTC Authority Over Common Carriers +
    EPIC joined a coalition of consumer advocates to challenge a recent federal court decision that would limit the Federal Trade Commission's authority over companies engaged in "common carrier" activities. In an amicus brief filed with the Ninth Circuit Court of Appeals, the consumer coalition urged reconsideration of the court's decision that the common carrier exemption to FTC authority is status-based, not activity-based. The brief warned the decision "could immunize from FTC oversight a vast swath of companies that engage in some degree in common carrier activity." Internet companies such as Google that offer some broadband service could be entirely exempt from consumer protection regulation. EPIC previously filed an amicus brief in FTC v. Wyndham to defend the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." (Nov. 7, 2016)
  • House Members Urge FTC to Examine Internet-of-Things +
    In the wake of October's massive distributed denial of service attack, two members of Congress have sent a letter to Federal Trade Commission Chairwoman Edith Ramirez urging the FTC to protect consumers from insecure Internet of Things devices. Rep. Frank Pallone, Jr. and Rep. Jan Schakowsky, senior members of the House Energy and Commerce Committee, wrote that the FTC should "immediately use all the tools at its disposal to ensure that manufacturers of IoT devices implement strong security measures." EPIC is at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," 'consumer products, and "always on" devices. EPIC recently urged the federal government to establish legal requirements to promote Privacy Enhancing Technologies, limit user tracking, minimize data collection, and "ensure security in both design and operation of Internet-connected devices." (Nov. 4, 2016)
  • Google "Quietly" Changes Privacy Policy, Matches Tracking Data and User ID +
    Ars Technica reported this week that Google "quietly" changed its privacy policy this summer to combine tracking data and user ID - data it had previously promised to keep separated. The revised policy now says that "your activity on other sites and apps may be associated with your personal information" for ad delivery. In 2007, EPIC urged the FTC to block Google's proposed acquisition of Doubleclick, warning that Google would eventually link the Google user profile with the Doubleclick data despite the company's representations. When the FTC approved the merger without conditions, EPIC responded that the FTC "had reason to act and authority to act, and failed to do so." Currently before the FTC is a complaint from EPIC concerning WhatsApp plan to transfer user data to Facebook, breaking a privacy promise made by the company at the time of the 2014 acquisition to act "independently and autonomously." (Oct. 25, 2016)
  • FTC's Data Protection Authority Under Attack in LabMD Case +
    A medical testing lab has petitioned a federal appeals court to reject the authority of the Federal Trade Commission to enforce data security standards. The commission recently found that LabMD's poor data security practices, which led to a breach of personal medical data, were "unfair" under the FTC Act and ordered the company to take corrective measures. "[T]he privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury," the commission explained. EPIC previously filed an amicus brief in FTC v. Wyndham, a similar case in which another appeals court upheld the FTC's data protection authority. The court in that case stated, "A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business." (Oct. 18, 2016)
  • WhatsApp Privacy Update: Spain Investigating Broken Privacy Promises +
    Spain is the latest country to investigate WhatsApp's transfer of user data, including the verified user phone number, to Facebook. The Spanish Data Protection Agency joins privacy regulators in Germany, India, Italy, and the U.K. that have taken action against WhatsApp's changes to privacy practices that contradict previous promises. EPIC filed a complaint with the Federal Trade Commission over the policy change in August, and more than a dozen consumer groups have backed these efforts. The Commission said it will "carefully review" EPIC's complaint. The FTC has previously stated, "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises." (Oct. 14, 2016)
  • FTC Hosts Event on Drones and Privacy +
    Today the Federal Trade Commission will host a panel discussion on drones and privacy as part of the agency's Fall Technology Series. The Director of EPIC's Domestic Surveillance Project, Jeramie Scott, will participate in the panel. Mr. Scott previously testified before the Pennsylvania Senate on domestic drone surveillance and submitted a statement for record regarding a Maryland bill to limit drone surveillance. EPIC and leading experts previously urged the FAA to adopt privacy rules for drones, and when the agency refused, EPIC sued. EPIC v. FAA is currently pending before the D.C. Circuit Court of Appeals. (Oct. 13, 2016)
  • FCC Releases Revised Broadband Privacy Plan +
    The Federal Communications Commission has released a fact sheet outlining a revised proposal for broadband privacy rules. The revised rules will require ISPs to obtain consumers consent only for use of "sensitive" information. The original proposal offered privacy protections for all consumer data. ISPs will also be permitted to charge higher prices for basic privacy protections, subject to FCC review. EPIC has said that the FCC should go further to safeguard consumer privacy. The Commission plans to vote on the proposal on October 27th. (Oct. 6, 2016)
  • Supreme Court Won't Review Privacy Violations by Facebook, Google +
    The U.S. Supreme Court has declined to review two important consumer privacy cases: K.D. v. Facebook, a suit challenging Facebook’s use of young childrens’ names and images in advertising without consent, and Gourley v. Google, a suit opposing Google’s covert use of web cookies to track browsing habits. In K.D., consumers urged the Supreme Court to review a Ninth Circuit opinion, which upheld a controversial settlement. EPIC filed an amicus brief in a companion case, Fraley v. Facebook, explaining that a settlement is unfair that allows a company to continue to engage in privacy violations. In Gourley, consumers asked the Court to overrule a Third Circuit decision holding that Google's exploitation of browser privacy loopholes did not violate the Wiretap Act or Stored Communications Act. (Oct. 4, 2016)
  • India Joins International Opposition to WhatsApp Privacy Changes +
    India’s Deli High Court has ordered WhatsApp not to transfer to Facebook any user data that was collected prior to September 25, 2016, and to delete data of users who opted out of WhatsApp’s new data transfer policy prior to that date. Last month, WhatsApp announced it would begin transferring user data, including verified phone numbers, to Facebook in violation of previous privacy promises. Germany has also ordered Facebook to immediately stop collecting and storing user data from WhatsApp, and to delete all WhatsApp user data already transferred. EPIC filed a complaint with the FTC over the policy change, and more than a dozen consumer groups have backed these efforts. The FTC’s latest response to the consumer coalition emphasized “FTC staff’s position that companies must obtain affirmative express (opt-in) consent before making material, retroactive changes to privacy promises.” The FTC has previously stated, “When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises.” (Sep. 30, 2016)
  • Germany Prohibits WhatsApp Data Transfer to Facebook +
    Germany’s privacy regulator has ordered Facebook to immediately stop collecting and storing user data from WhatsApp, and to delete all WhatsApp user data that has already been transferred. In a statement, German officials said that WhatsApp’s new data transfer policy constitutes “an infringement of national data protection law.” EU Competition Commissioner Margrethe Vestager has also opened an investigation into WhatsApp’s privacy changes, which contradict previous commitments to users and regulators. EPIC filed a complaint with the FTC over the policy change, and more than a dozen consumer groups have backed these efforts. The FTC responded it would “carefully review” EPIC’s complaint. The FTC has previously stated, “When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises.” (Sep. 27, 2016)
  • EPIC Tells Congress FTC Must Do More for Consumer Privacy +
    EPIC has sent a letter to the Senate Commerce Committee in advance of an oversight hearing on the Federal Trade Commission. EPIC explained that the FTC has not done enough to safeguard consumer privacy, citing the Commission's failure to enforce settlement agreements or to modify proposed settlements based on public comments. "The FTC’s failure to act in the face of mounting threats to consumer privacy and security could be catastrophic," EPIC warned. EPIC  also proposed comprehensive consumer privacy laws to combat the growing threats of data breaches, identity theft, and financial fraud. Public opinion polls show broad public support for new US privacy laws. (Sep. 26, 2016)
  • Consumer Groups Back Call for FTC to Investigate WhatsApp +
    More than a dozen US consumer organizations have asked the Federal Trade Commission to pursue the complaint EPIC and the Center for Digital Democracy filed about WhatsApp’s plan to transfer user data to Facebook. The EPIC-CDD complaint said that the changes to WhatsApp contradict promises  to users that personal information would not be used for marketing purposes.  The FTC has said "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises." The FTC responded that it would “carefully review” EPIC’s complaint. The consumer coalition letter urges the Commission to “fulfill its duty to protect consumer privacy, and to investigate and enjoin WhatsApp and Facebook’s proposed change in business practices.”  (Sep. 22, 2016)
  • U.S. Proposes Voluntary Guidelines for "Automated Vehicles," Privacy and Safety Issues Remain a Challenge +
    The Department of Transportation has released federal guidelines for the automated vehicle industry. The Federal Automated Vehicles Policy backs the deployment of self-driving cars in the United States. The agency acknowledges privacy concerns and endorses the Consumer Privacy Bill of Rights, which EPIC supports, however the framework lacks compliance obligations and  enforcement mechanisms.  The agency also proposes to preempt existing state regulations that may provide stronger protections. Last year in testimony before Congress, EPIC warned of public safety risks associated with automated vehicles. And yesterday Secretary of Commerce Penny Pritzker warned the Commission on Enhancing National Cybersecurity that "as cars go driverless . . . the cyberthreats we face will only grow more widespread." The Transportation Department seeks public comments on the Guidelines for Automated Vehicles. The deadline is November 22, 2016. (Sep. 20, 2016)
  • EPIC Amicus - Appeals Court Finds Inaccurate Background Reports Violate Federal Privacy Law +
    A federal appeals court has ruled that LexisNexis violated the Fair Credit Reporting Act by selling background reports that wrongly included criminal convictions for innocent individuals. EPIC filed an amicus brief in the case, highlighting the failure of crediting reporting agencies to adopt reasonable procedures to ensure accuracy. EPIC said that it is not enough to follow “industry standards” if  inaccurate reports still result. The court found that Lexis was negligent because it failed to “follow reasonable procedures to assure maximum possible accuracy” of the information. (Sep. 14, 2016)
  • FTC Seeks Comments on the "Disposal Rule" for Consumer Data +
    The Federal Trade Commission is seeking public comments on the "Disposal Rule." The Disposal Rule requires that companies delete consumer data and to protect against unauthorized use of the data. The Commission seeks comment on a variety of issues including cost-benefits analysis and industry compliance. EPIC supported the implementation of the Disposal Rule in 2004 and continues to advocate for data protection measures. EPIC has also promoted Privacy Enhancing Techniques that minimize or eliminate the collection of personal information. Identity theft continues to be the top consumer complaint reported to the Commission. (Sep. 13, 2016)
  • European Commission Begins Investigation of WhatsApp Privacy About-Face +
    Following the announcement that WhatsApp intends to transfer user data to Facebook in violation of earlier commitments, EU Competition Commissioner Margrethe Vestager has opened an investigation. Vestager stated, “That they didn’t merge data wasn’t the decisive factor when the merger was approved, but it was still a part of the decision” to approve the $19b Facebook acquisition in 2014. Last month, EPIC and the Center for Digital Democracy filed a complaint with the FTC, urging the Commission to Act. The FTC responded that it would “carefully review” EPIC’s complaint. (Sep. 13, 2016)
  • Pokemon GO Developer Niantic Responds to Sen. Franken Inquiry into Privacy Concerns +
    Pokemon GO developer Niantic has responded to Sen. Al Franken’s request for information concerning the company’s data practices. Sen. Franken’s letter, sent in early July, asked Niantic to clarify the scope, purpose, and necessity of its data collection practices. Niantic’s response letter indicates that it “collects and stores” user location data to place and position users on the game’s map, but fails to explain why and for how long location data is stored. Franken also directed the company to provide a current list of the "third party service providers" with whom user data is shared. Niantic’s letter confirms that it hires third parties to provide a variety of services, but does not specifically identify any of these companies. Privacy officials in Canada, Europe, and Asia, have begun investigations of Niantic, which is tied to the Google company Alphabet. The Niantic CEO led the Google project that captured private communications in more than 30 countries around the world. The initial Pokemon Go release provided Niantic full access to the user's Google account. EPIC sent a letter to the FTC urging the Commission to investigate the privacy risks posed by Pokemon GO,  Niantic’s data collection practices, and its ties to Google. (Sep. 8, 2016)
  • EPIC, Coalition Reject Calls to Further Weaken FCC's Modest Privacy Proposal +
    EPIC and a coalition of consumer privacy advocates have sent a letter to the Federal Communications Commission in response to industry demands to further weaken the FCC's proposed broadband privacy rules. The groups rejects efforts  by Internet Service Providers to exempt anonymized consumer data from the privacy rules and to require opt-in consent only for sensitive information. The consumer groups also oppose mandatory arbitration and “pay-for-privacy” plans that would require consumers to pay fees for basic privacy safeguards. EPIC has called the FCC's proposed privacy rules a "modest first step" and repeatedly argued that the Commission can and should go further  to "address the full range of communications privacy issues facing US consumers." (Sep. 7, 2016)
  • FTC Responds to EPIC's Complaint about WhatsApp +
    The Federal Trade Commission has responded to the EPIC and Center for Digital Democracy complaint about WhatsApp's plan to transfer user data, including verified phone numbers, to Facebook. The FTC stated that it prohibits companies from engaging in unfair and deceptive practices and will enforce its 2012 Consent Order with Facebook. The FTC letter also acknowledged that the EPIC-CDD complaint “contains allegations regarding statements WhatsApp has made about how it limits the use of mobile phone numbers or other personally identifiable information." The FTC said it will "carefully review" EPIC’s complaint. EPIC and CDD wrote that WhatsApp's plan to transfer user data to Facebook for user profiling and targeted advertising - without first obtaining users' opt-in consent - contradicts numerous FTC statements and violates Section 5 of the FTC Act. EPIC and CDD previously warned the Commission that it must protect the privacy interests of WhatsApp users following the acquisition by Facebook. (Sep. 7, 2016)
  • EPIC, Consumer Coalition Tells FCC to Protect Privacy, Security in Connected Cars +
    EPIC has joined a coalition of consumer groups in a letter to the FCC supporting safety rules for connected cars. The consumer groups endorsed a petition for rulemaking, filed earlier this year, that would establish safeguards for car communications networks. EPIC has testified before Congress on the risks of connected cars and recently filed an amicus brief in federal appeals court on vehicle-to-vehicle communications. (Aug. 30, 2016)
  • EPIC, CDD Charge WhatsApp Policy Change Unlawful, Urge FTC to Act +
    EPIC and the Center for Digital Democracy have filed a complaint with the FTC concerning WhatsApp’s plan to transfer user data, including personal phone numbers, to Facebook. This reversal contradicts WhatsApp’s previous promises to users that their personal information would not be disclosed and would not be used for marketing purposes. EPIC said that WhatsApp change in business practices is unlawful and that the FTC is obligated to act. EPIC previously filed a complaint with the FTC over Facebook’s acquisition of WhatsApp in 2014. In response, the FTC warned the two companies they must honor their privacy promises to users. The FTC has said "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises." (Aug. 29, 2016)
  • Facebook to Collect WhatsApp User Data, Violating FTC Order and Privacy Promises +
    WhatsApp has announced plans to disclose user information to Facebook, including phone numbers and other user data, that will be connected with Facebook profiles. Facebook purchased WhatsApp in 2014, and the companies promised users of the privacy-protective messaging service that “nothing” will change for WhatsApp users' privacy. EPIC filed a complaint with the FTC over the deal, and the FTC responded by warning the two companies that they must honor their privacy promises to WhatsApp users. The letter explained that failure to obtain users' opt-in consent before changing data practices would be an unfair and deceptive trade practice and violate Facebook’s FTC Consent Order. WhatsApp’s recent announcement indicates users will have 30 days to opt-out of data transfers to Facebook, in violation of the law and the FTC’s Order.  In 2012, EPIC and a coalition of consumer privacy organizations also led a successful effort at the FTC after Facebook changed the privacy settings of its users. As a result, Facebook is subject to an FTC consent order. (Aug. 25, 2016)
  • Data Protection 2016: Nationwide Hotel Data Breach +
    Sheraton, Hyatt, Westin, and Marriott hotels in 10 states and Washington, D.C. have announced that hotel payment records were breached beginning as early as March 2015. Malware discovered in at least 20 hotels across the country collected customers’ names and payment card numbers, card expiration dates, and verification codes. Surprisingly, the hotels said that they will not notify individual customers of the breach. Almost every state in the country has  a mandatory breach notification law. Hyatt announced another payment card breach earlier this year at 250 hotels in approximately 50 countries. EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election. (Aug. 15, 2016)
  • EPIC’s Rotenberg Debates FBI Director at ABA Conference +
    EPIC President Marc Rotenberg and FBI Director James Comey debated "Emerging Issues in National Security and Law Enforcement" at a plenary session of the ABA annual conference in San Francisco. Comey stated that Americans have "never had absolute privacy." Rotenberg replied that the Fifth Amendment grants absolute privacy as a Constitutional right. In response to the Director's comments that the FBI has 650 phones it can not decrypt, Rotenberg pointed out that in 2013, more than 3.1 million cell phones were stolen. "Crime would be much higher in United States if cell phone users did not have strong encryption," said Rotenberg. The EPIC amicus brief in Apple v. FBI highlighted the risk of weak encryption, and noted that stolen cell phones are tied to identity theft and financial fraud. (Aug. 7, 2016)
  • Appeals Court Affirms Consumers May Sue for Violations of Federal Law +
    A federal appeals court has held that consumers can sue when companies fail to comply with legal obligations established by Congress. The case concerned a hospital that sent debt collection letters to consumers without disclosures required by the Fair Debt Collections Practices Act. The court concluded that “Congress has created a new right—the right to receive the required disclosures.” As a result, the consumer can bring a lawsuit when a company fails to comply with the law. EPIC has filed several amicus briefs defending the right of consumers to sue for violations of federal privacy laws. (Aug. 5, 2016)
  • EPIC Defends Drivers’ Right to Sue for Safety, Privacy Risks As Congress Warns of Risks to Public +
    EPIC has filed an amicus brief in a case concerning the privacy and public safety risks of “connected” cars. EPIC warned that connected cars "expose American drivers to the risks of data breach, auto theft, and physical injury.” EPIC said a lower court was wrong to dismiss the case. EPIC urged a federal appeals court to allow consumers to "the opportunity to present legal claims stemming from the defendants’ sale of vehicles that place them at risk." This week researchers at Black Hat revealed new vulnerabilities in networked vehicles as Senators Blumenthal and Markey urged the FCC to establish “robust safety, cybersecurity, and privacy protections  before automakers deploy vehicle-2-vehicle . . . communication technologies.” EPIC has filed several amicus briefs defending consumers' rights to enforce their privacy rights. (Aug. 5, 2016)
  • FTC Finds Unauthorized Data Disclosure is "Substantial Injury" to Consumers +
    The Federal Trade Commission unanimously reversed an administrative law judge's dismissal of the FTC's complaint against LabMD, finding that LabMD's poor data security practices are "unfair" under the FTC Act. The Commission concluded that the judge had "applied the wrong legal standard for unfairness." The FTC's opinion explained that "the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury." The FTC's authority to enforce data security standards was upheld last year in FTC v. Wyndham. EPIC filed an amicus brief in Wyndham, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." (Aug. 2, 2016)
  • EPIC, Consumer Coalition Oppose Robocalls by Government Contractors +
    EPIC and a coalition of consumer groups have petitioned the FCC to reverse its recent decision to exempt federal contractors from restrictions on telemarketing and robocalls. The FCC incorrectly determined that the Telephone Consumer Protection Act (TCPA) “does not apply to calls made by or on behalf of the federal government in the conduct of official government business.” The petition, led by the National Consumer Law Center, warns of significant increases in unwanted robocalls from government contractors that consumers would be powerless to stop. EPIC supports robust telephone privacy protections and filed an amicus brief in support of the FCC’s 2015 order that strengthened consumer protections under the TCPA. (Jul. 26, 2016)
  • EPIC Explains to Federal Appeals Court that Mobile App Users Protected by Video Privacy Law +
    EPIC has filed an amicus brief defending the privacy rights of users of  video apps. In the case, a CNN mobile app users challenged the disclosure of his video viewing history and personal information as a violation of federal privacy. In the brief for the federal appeals court, EPIC explained that that the privacy protections in the Video Privacy Protection Act apply to mobile apps that provide video service. EPIC said that the video privacy law covers the personal information collected by mobile apps, including the unique identifiers of the user’s device, and also that the privacy obligations apply to all companies that collect the viewing records of Internet users.  EPIC previously filed a brief in a similar case concerning the collection of video viewing records. (Jul. 26, 2016)
  • EPIC Ask FTC to Investigate Privacy Risks of Pokemon GO +
    EPIC has urged the FTC to launch an investigation of Pokemon GO and the app's developer Niantic. When the augmented-reality app was first released, Niantic granted itself "full access" to users' Google accounts in violation of federal privacy law. Even after recent changes, the company continues to collect detailed location history and has access to smartphone cameras. Pokemon GO "raises complex and novel privacy issues that require close FTC scrutiny," EPIC told the Commission. Senator Al Franken recently sent a letter to the company asking for clarification on the scope and purpose of its data collection. Niantic has close ties to Google and its CEO oversaw Google's controversial Street View project, which was found to collect private wifi data transmissions. (Jul. 22, 2016)
  • EPIC Tells FCC to Reject "Notice and Choice" Approach to Privacy +
    EPIC has filed reply comments with the Federal Communications Commission on the proposed broadband privacy rules. EPIC said that the proposed rules are a modest first step and that the FCC has legal authority to do more to safeguard American consumers. EPIC also responded to erroneous statements from industry groups that the FTC's "notice and choice" framework safeguards consumer privacy. EPIC described numerous shortcomings, including lack of enforcement, frequent changes in privacy policies, and data breaches. "Notice and choice" is “directly at odds with baseline privacy standards,” EPIC said. EPIC previously urged the Commission to "address the full range of communications privacy issues facing US consumers" and to apply the Consumer Privacy Bill of Rights to communications data. (Jul. 7, 2016)
  • EPIC Calls for Strong Communications Privacy Rules +
    EPIC has urged the Federal Communications Commission “to fully apply" the Consumer Privacy Bill of Rights to all communications services. The FCC's proposed privacy rules would regulate only broadband services and are based on the weak "notice and choice" framework.EPIC said the agency should endorse data minimization requirements, promote Privacy-Enhancing Technologies, and require opt-in consent. EPIC also urged the Commission to regulate all companies that gather consumer data for communications services. (May. 27, 2016)
  • EPIC to OPM: "If You Can't Protect It, Don't Collect It" +
    In comments to the Office of Personnel Management, EPIC urged the federal agency to limit the personal data it collects from job applicants. OPM currently gathers detailed personal information, including biometric data, Social Security numbers, educational history, medical records, foreign travel, drug use, and financial records. In 2015, OPM lost the personal data of 21.5 million people in a massive data breach. The OPM Director and CIO were forced to resign. OPM now proposes to collect even more personal data on more people, including distant relatives of job applicants. EPIC has previously urged the Supreme Court to recognize a right of "information privacy" that would limit the ability of the federal government to collect personal information. (May. 25, 2016)
  • Senate Examines "Do Not Call" Law +
    The Senate Commerce Committee held a hearing yesterday on the Telephone Consumer Protection Act. The "TCPA" bars telemarketers and robocallers from contacting consumers by phone or fax without prior express consent. In January, EPIC filed an amicus brief to provide greater TCPA protections for consumers.  EPIC said that widespread use of cellphones “has amplified the nuisance and privacy invasion caused by unwanted calls and text messages.” EPIC has testified before Congress about the TCPA and submitted many comments concerning the implementation of the consumer privacy law. (May. 19, 2016)
  • Lack of Privacy Impacts Internet Use, Economy, Says NTIA Survey +
    A recent study by the National Telecommunications and Information Administration found that nearly half of Internet users in the US refrained from online activities due to privacy and security concerns. Identity theft was the top concern, cited by 63 percent of respondents, followed by financial fraud, noted by 45 percent. Nearly a quarter of Americans cited concerns about online tracking. “In addition to being a problem of great concern to many Americans, privacy and security issues may reduce economic activity and hamper the free exchange of ideas online,” NTIA concluded. EPIC has supported enactment of the Consumer Privacy Bill of Rights and recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election. (May. 16, 2016)
  • Supreme Court Remands Consumer Privacy Case for Further Consideration +
    The Supreme Court has ruled in Spokeo v. Robins, a case brought under the Fair Credit Reporting Act concerning the sale of inaccurate personal data. The Court said it was necessary to determine whether plaintiffs injuries were sufficiently "concrete." Justice Ginsburg, in a dissenting opinion, wrote that remand was unnecessary, "Spokeo's misinformation 'cause[s] actual harm to [his] employment prospects.'" EPIC filed an amicus brief, joined by thirty-one technical experts and legal scholars, citing the national epidemic of data breaches. EPIC wrote  this is "not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." (May. 16, 2016)
  • FTC Issues Guidelines for Employment Background Screening +
    The Federal Trade Commission has issued new guidelines for companies that sell employment background checks.  Under the Fair Credit Reporting Act  companies must ensure “maximum possible accuracy” in reports about job applicants. The FTC warns that a background report incorrectly listing a criminal conviction based on bad records match —for instance, a person with a different middle name than the applicant—could violate FCRA. EPIC recently filed an amicus brief in a case brought by David A. Smith, who was denied employment after a background report incorrectly included the criminal records of David O. Smith. (May. 15, 2016)
  • EPIC Urges Senate to Back Comprehensive Communications Privacy Protection +
    EPIC has sent a letter to the Senate Judiciary Committee in advance of a hearing on "Examining the Proposed FCC Privacy Rules." EPIC pointed to growing public concerns about the loss of privacy and the need to update federal privacy laws. EPIC explained that the neither Federal Communications Commission or the  Federal Trade Commission has done enough to safeguard consumer privacy. EPIC warned that the "failure to modernize our privacy law is imposing an enormous cost on American consumers and businesses." (May. 10, 2016)
  • NY Attorney General Reports 40% Increase in Data Breaches +

    New York Attorney General Eric Schneiderman announced that his office has received 459 notices of data breaches impacting New Yorkers so far in 2016, representing a 40 percent increase over the same period last year. The office expects to receive a record-setting thousand notices or more this year. "Data breaches are an escalating threat to our personal and national security, and companies need to do more to ensure reasonable security practices and best standards are in place to protect our most sensitive information," said Schneiderman. EPIC recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.

    (May. 5, 2016)
  • FTC Increases Scrutiny of Google's Practices, Implicating Antitrust and Privacy Interests +
    The FTC has reportedly expanded its investigation into Google's use of the Android operating system to exclude or demote competing services. The Commission’s increased scrutiny comes shortly after the European Commission filed formal antitrust charges against Google. Last fall, the FTC began looking at whether Google unfairly prioritizes its own products after earlier ending a similar investigation in 2012 though staff recommended litigation. EPIC previously urged the Senate and the FTC to investigate Google's dominance of essential Internet services, warning that monopoly practices implicate privacy interests. EPIC had opposed Google's acquisition of online advertiser Doubleclick, which the FTC approved over the objection of Commissioner Pamela Harbor, who cited the connection between monopoly practices and privacy violations. (Apr. 27, 2016)
  • Google Wants User Data, Opposes FCC Privacy Rules +
    Google has opposed new privacy rules for consumer data even as it backed the FCC's proposal to open up the set-top box. Google described new privacy safeguards as “unnecessary." The FCC’s proposal would allow Google to gain access to the TV market and consumer viewing data. EPIC has urged the FCC to enforce strong privacy rules for all companies seeking access to user data. (Apr. 27, 2016)
  • EPIC Urges FCC to Fully Enforce Cable Privacy, Extend Rules to All Set-Top Boxes +
    In comments filed with the FCC on a proposal to unlock the set-top box market to retail manufacturers, EPIC urged the Commission to apply the Cable Act's privacy rules directly to all companies with access to cable subscriber data. EPIC explained that the Cable Subscriber Privacy Rules are "an effective model for privacy rules in the commercial sector, particularly concerning the collection of data about cable programming." However,  the FCC must clarify and enhance enforcement of these rules to address current business practices. EPIC has defended consumer privacy at the FCC for almost 20 years. (Apr. 25, 2016)
  • EPIC Defends Right of Data Breach Victims to Bring Suit +
    EPIC has filed an amicus brief urging a federal appeals court to overturn a decision that limits the ability of data breach victims to sue. The plaintiffs sued a payroll company after their Social Security Numbers and other identifying information were exposed. A lower court dismissed the case because fraudulent transactions had not yet occurred. EPIC argued that data breach victims can sue without having to wait for specific damages. EPIC cataloged the epidemic of data breaches in the US, and explained why companies should be liable when they fail to protect the consumer data they collect. EPIC regularly files briefs defending consumer privacy. (Apr. 19, 2016)
  • Senate Examines FTC's Antitrust Enforcement +
    The Senate Judiciary Committee recently examined the scope and application of the FTC's Section 5 antitrust enforcement authority at the hearing "Section 5 and 'Unfair Methods of Competition': Protecting Competition or Increasing Uncertainty?" EPIC Advisory Board member Tim Wu testified in support of the agency's approach, which he called "an important protection for competition." EPIC has urged the FTC to use Section 5 authority to protect consumers, arguing against Google's acquisition of DoubleClick and Facebook's acquisition of WhatsApp. EPIC has also recommended a transparent process for evaluation of substantial changes in business practices by companies subject to FTC consent orders. (Apr. 13, 2016)
  • EPIC to FTC: Google's April Fool's Disaster Likely Violates Consent Order +
    Google's April Fool's joke — a change in the operation of Gmail without user consent — has backfired, spectacularly. Many Gmail users inadvertently enabled the "Mic Drop" button on important emails, allowing Google to insert a GIF into their reply and then irreversibly mute the conversation. Users were outraged and Google reversed the change. EPIC informed the FTC that Google's prank also likely violates the FTC's 2011 consent order with the company following the rollout of Google Buzz. EPIC has repeatedly urged the FTC to enforce this consent order against Google, which requires the company to obtain "express affirmative consent" before changing its business practices. (Apr. 1, 2016)
  • FCC Moves Forward With Narrow Privacy Rules +
    The Federal Communications Commission has voted to adopt a Notice of Proposed Rulemaking on consumer privacy regulations. The proposal follows Chairman Wheeler's earlier draft proposal, which EPIC explained was too limited to safeguard online privacy. During the vote, Commissioner Ajit Pai echoed EPIC's view that the rulemaking should not focus solely on ISPs. EPIC has argued that the FCC proposal ignores invasive practices by Internet firms, including search companies and social media firms that track and profile Internet users. EPIC previously urged the Commission to "address the full range of communications privacy issues facing US consumers" and to apply the Consumer Privacy Bill of Rights to communications data. (Mar. 31, 2016)
  • FTC Issues Warning on Cross-Device Tracking and Surveillance Apps +
    The Federal Trade Commission has issued warnings to 12 Android app developers that use audio beacons to track consumers across their devices and monitor TV viewing habits. The smartphone apps contain Silverpush software that constantly listens for inaudible signals emitted by TV commercials and secretly collects and transmits viewing data. The announcement appears to be a response to two earlier complaints filed by EPIC with the Commission. EPIC previously urged the FTC to limit "cross-device tracking" technology that links consumers' smartphone activity with what they see on their laptop or television. EPIC also urged the FTC and the Department of Justice to investigate "always-on" consumer devices for possible violations of the Wiretap Act, state privacy laws, or the FTC Act. (Mar. 22, 2016)
  • EPIC Urges FCC to Broaden Scope, Substance of Draft Privacy Rules +
    EPIC has released a memo on the FCC's draft broadband privacy rules, urging the Commission to broaden its scope and strengthen its substantive data protections. The draft rules, previewed in a fact sheet on March 10, 2016, would apply to Internet service providers (ISPs) but not to email, search, or social media services. EPIC explained that the proposal's "framing of the communications privacy challenges facing US consumers is incomplete and fails to address the full range of activities that threaten online privacy." EPIC further explained that the proposal's focus on "choice, transparency and security" will fail to safeguard consumer privacy. EPIC has urged the Commission to apply the Consumer Privacy Bill of Rights to communications data. (Mar. 20, 2016)
  • FCC to Consider Privacy Rules for ISPs +
    The FCC will consider a proposal for consumer privacy regulations on March 31st. According to a fact sheet, the rulemaking will "apply the privacy requirements of the Communications Act" to broadband internet access services (ISPs) but not Internet websites, search services, and social media platforms. While ISPs are engaged in invasive consumer tracking and profiling practices, focusing only on these providers misses a vast amount of data collection activities by other service providers. In a previous letter to the FCC, EPIC urged the Commission to establish a broad framework for communications privacy, based on Fair Information Practices. Separately, EPIC filed a petition with the FCC, joined by 29 organizations, to end the mandatory retention of consumer data. (Mar. 10, 2016)
  • EPIC, Consumer Privacy Groups Urge FCC to Protect Consumer Privacy +
    EPIC, joined by nearly a dozen consumer privacy groups, submitted a letter to the FCC reviewing the invasive consumer tracking and consumer profiling practices of Internet service providers (ISPs), which "underscore the imperative for the FCC to exercise the full extent of its rulemaking authority to protect consumer privacy." The letter explained why encryption and virtual private networks ("VPNs") are insufficient to protect consumers from ISP surveillance. The letter described how the Federal Trade Commission's reactive, "notice and choice" approach to privacy fails to provide meaningful protections for consumers. EPIC previously urged the FCC to undertake a broad rulemaking on "the full range of communications privacy issues facing US consumers." EPIC has worked with the FCC to promote consumer privacy in the communications field for more than 20 years. (Mar. 7, 2016)
  • EPIC Files Brief in Support of Apple and Consumers in FBI iPhone Case +
    Today EPIC filed a "friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's challenge in the FBI iPhone case. In Apple v. FBI, EPIC argued that the "security features in dispute in this case were adopted to protect consumers from crime." EPIC explained that an order to compel Apple to take extraordinary measures to undo these features places at risk millions of cell phone users across the United States. EPIC routinely files amicus briefs in cases that raise novel privacy and civil liberties issues. EPIC has filed two briefs in the United States Supreme Court in the past year in cases concerning consumer privacy and also the Fourth Amendment. (Mar. 3, 2016)
  • EPIC Files Brief in Suit Over Faulty Background Checks +
    EPIC has filed an amicus brief in Smith v. LexisNexis Screening Solutions. The case was brought by a job applicant who was denied employment after a background report incorrectly stated that he had a criminal record. A court found that LexisNexis had violated Fair Credit Reporting Act by failing to take reasonable steps to ensure "maximum possible accuracy" in the report. LexisNexis appealed. In the amicus brief, EPIC highlighted the industry practice of selling background reports with inaccurate information. EPIC argued that companies should be strictly liable when they fail to maintain accuracy in these reports. In 2005, EPIC filed a famous FTC complaint about the data broker ChoicePoint, which ultimately led to a $10 million dollar settlement. (Mar. 1, 2016)
  • California AG Releases 2016 Data Breach Report, Retail and Financial Sectors Most Vulnerable +
    A new report from California Attorney General Kamala Harris examines data breaches in California from 2012 to 2015. There were 657 data breaches during the last four years, which compromised over 49 million records. The retail sector experienced the largest share of breaches at 25%, followed by the financial sector at 18%. Among several recommendations, the report recommends that organizations adopt strong encryption. "Government and the private sector have a shared responsibility to safeguard consumers from threats to their privacy, finances, and personal security," Attorney General Harris stated. The Attorney General received a 2015 EPIC Champion of Freedom Award. EPIC recently launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election. (Feb. 18, 2016)
  • EPIC and Consumer Privacy Groups File Brief Supporting FCC in Telephone Privacy Case +
    EPIC and six consumer privacy organizations have filed a "friend-of-the-court" brief in support of the Federal Communications Commission in ACA International v. FCC. The case was brought against the FCC by industry groups charged with violating the Telephone Consumer Protection Act. The FCC had made clear that companies cannot make automated or prerecorded calls to consumers without their consent. EPIC argued in its brief that widespread adoption of cell phones "has amplified the nuisance and privacy invasion caused by unwanted calls and text messages." EPIC and the consumer organizations urged the federal court to uphold the FCC order safeguarding consumers. (Jan. 25, 2016)
  • Supreme Court Rules Settlement Offers Can't Moot Consumer Class Actions +
    The Supreme Court has ruled that a company cannot terminate class action litigation by strategically making a settlement offer of full relief to individual plaintiffs. The case, Campbell-Ewald Co. v. Gomez, involved a consumer who refused to drop his Telephone Consumer Protection Act lawsuit in exchange for such an offer. The defendant company argued that the offer, which exceeded the statutory damages under the TCPA, mooted his case. The Justices disagreed, ruling 6-3 that "an unaccepted settlement offer has no force. Like other unaccepted contract offers, it creates no lasting right or obligation." EPIC routinely works to protect consumer privacy interests in class action settlements. (Jan. 20, 2016)
  • EPIC Urges FCC to Establish Communications Privacy Protections for Consumers +
    EPIC has submitted a letter to the Federal Communications Commission urging the agency to undertake a rulemaking to protect the communications privacy of consumers. EPIC asked the FCC to explore "the full range of communications privacy issues facing US consumers." EPIC proposed that the FCC implement Fair Information Practices and the Consumer Privacy Bill of Rights; adopt data minimization requirements; promote Privacy-Enhancing Technologies; and require opt-in consent for the use or disclosure of consumer data. EPIC suggested that the FCC model its communications privacy rules on the Code of Fair Information Practices for the National Information Infrastructure. EPIC has worked with the FCC to promote consumer privacy in the communications field for more than 20 years. (Jan. 20, 2016)
  • Uber, New York AG Reach Settlement Over Rider Data Privacy Practices +
    The New York Attorney General’s office has announced a settlement in its investigation of Uber’s collection and misuse of rider locational data, as well as its failure to provide timely notice of a data breach affecting 50,000 Uber drivers. The investigation was prompted by public outcry over Uber’s “God View” tool that allowed Uber employees to obtain a specific rider’s real-time and historic location data without permission. The settlement requires the Uber to encrypt rider locational data and enhance its data security. EPIC previously filed a complaint with the FTC, charging that Uber’s plan to track users and gather contact details is an unlawful and deceptive trade practice. In the Huffington Post, EPIC also recommended privacy law to regulate Uber and other companies in the ride-sharing industry. (Jan. 7, 2016)
  • FTC Issues Enforcement Policy Statement on Deceptive "Native" Advertising +
    The FTC has issued an enforcement policy statement on the use of "native" advertisements and other deceptive advertising that appear to be non-advertising content. The FTC's statement affirmed that ads must clearly be identifiable to consumers as advertising and not editorial content. EPIC previously filed an amicus brief in Fraley v. Facebook objecting to Facebook's "Sponsored Stories" that implied the user endorsed the brand to their friends. EPIC's prior complaint to the FTC regarding Facebook's privacy practices helped establish privacy rules for the social media network. (Dec. 22, 2015)
  • EPIC Urges FTC to Protect Consumers Amid Surge in Cross-Device Tracking +
    EPIC filed comments with the FTC on a new advertising practice with significant privacy implications. EPIC urged the FTC to limit "cross-device tracking," linking what a person types on their phone with what they see on their laptop or television. EPIC said the FTC should use its enforcement authority to investigate device tracking practices. EPIC also said the FTC should prohibit the cross-device tracking of minors. EPIC has played a leading role in developing the FTC's privacy authority. Several EPIC complaints are currently pending before the FTC, concerning "always on" devices, Uber's privacy policy, and Facebook's Psychological Study. (Dec. 17, 2015)
  • Senators Blumenthal, Markey Propose Do Not Track Legislation +
    Sen. Richard Blumenthal and Sen. Edward Markey have introduced the Do Not Track Online Act of 2015, to limit online tracking. The bill directs the FTC to develop a simple Do Not Track mechanism that would allow consumers to stop companies from collecting their personal information. The bill authorizes the FTC and state attorneys general to bring enforcement actions against companies that refuse to honor consumers' requests. EPIC has previously said that an effective mechanism must ensure that a consumer's decision is "enforceable, persistent, transparent, and simple." (Dec. 17, 2015)
  • Wyndham Settles FTC Charges Over Failure to Safeguard Customer Data +
    Wyndham Hotels has settled charges with the FTC that the company's data security practices unfairly exposed the financial data of hundreds of thousands of customers to hackers. Earlier this year, in FTC v. Wyndham, a federal appeals court upheld the FTC's authority to enforce data security standards. EPIC's amicus brief filed in Wyndham played an important role in defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." EPIC explained that data breaches, which have caused more than $500 million in damages last year alone, are one of the top concerns of American consumers. (Dec. 9, 2015)
  • Administrative Decision Tosses LabMD Data Security Case +
    An administrative law judge has dismissed an FTC complaint alleging that LabMD failed to provide reasonable data security for personal information. The admin judge found that the FTC's regulation of unfair trade practices requires a showing that consumer harm was "probable," not just "possible." The decision--which is not binding on federal or state courts--leaves in place the decision in FTC v. Wyndham, which held that the FTC can enforce data security standards. EPIC filed an amicus brief in Wyndham, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." (Nov. 21, 2015)
  • Not So Picture Perfect: Snapchat Will Store User Content Forever +
    Snapchat, a popular mobile app that promised "to vanish" user messages, photos, and videos, will now store user content forever, following changes to its terms and conditions. Snapchat now claims the right to "host, store, use, display, reproduce, modify, . . .and publicly display" users' content forever. This change may violate the 2014 consent order with the Federal Trade Commission, which prohibits Snapchat from making false claims about how the company protects user information. The FTC's 2014 consent order resulted from EPIC's complaint which stated that the company violated Section 5 because "Snapchat photos and videos remain available to others even after users are informed that the photos and videos have been deleted." (Nov. 2, 2015)
  • News Reports: FTC Investigating Google Anti-Competitive Practices +
    According to the New York Times and Bloomberg News, the FTC is investigating whether Google unfairly prioritizes its own products on the Android platform. Google bundles several Google products on the Andriod platform and requires manufacturers to install them directly onto smartphones. DOJ pursued antitrust violations against Microsoft for this type of "tying" or "bundling" practice. EPIC previously urged the Senate and the FTC to investigate Google's business practices because of the privacy implications. EPIC had opposed Google's acquisition of online advertiser Doubleclick, which the FTC approved over the objection of former FTC Commissioner Pamela Harbor, who cited the close ties between monopoly practices and privacy violations. (Sep. 28, 2015)
  • FTC Approves Final Order With Nomi Over Location Tracking +
    The FTC has finalized an order with Nomi Technologies resolving allegations that Nomi engaged in deceptive trade practices. Nomi, a company that provides retailers with in-store analytics via sensor-based tracking of customers' mobile devices, falsely promised customers the ability to opt-out at stores using its services. The FTC order prohibits Nomi from misrepresenting its privacy practices in the future. EPIC has pursued several important consumer privacy issues at the FTC leading to settlements, including Google, Snapchat, Facebook and other firms. EPIC currently has a complaint pending at the FTC concerning Uber and locational tracking. (Sep. 9, 2015)
  • Appeals Court Upholds FTC's Data Security Authority +
    A federal appeals court ruled that the Federal Trade Commission can enforce data security standards. In FTC v. Wyndham, the agency sued Wyndham hotels after the company exposed financial data of hundreds of thousands of customers. The company argued that the FTC lacked authority to enforce security standards, but the court disagreed. EPIC filed an amicus brief, joined by leading technical experts and legal scholars, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." EPIC explained that data breaches, which have caused more than $500 million in damages last year alone, are one of the top concerns of American consumers. (Aug. 24, 2015)
  • Without Public Comment, FTC Narrows Section 5 Authority +
    The Federal Trade Commission has issued a "Statement of Principles Regarding Enforcement of FTC Act as a Competition Statute." The Principles appear to narrow the ability of the Commission to pursue unfair business practices and were announced without any formal opportunity for public comment. Chairwoman Ramirez said that the Statement makes "time-honored principles explicit; it does not signal any change of course in our enforcement practices and priorities." Commissioner Olhausen dissented and noted the lack of opportunity for public comment. EPIC and others have urged the FTC to use Section 5 authority to address growing concerns about industry consolidation and privacy protection. EPIC has also noted the failure of the FTC to incorporate public comments in its proceedings, as required by law. (Aug. 14, 2015)
  • FTC Sues LifeLock For Violating Consent Agreement +
    The Federal Trade Commission has filed suit in federal district court against the identity theft-protection company LifeLock for violating a 2010 consent order. The FTC previously charged LifeLock with using false claims to promote its services and prohibited the company from making false claims in the future. Now, the Commission has charged LifeLock with failing to safeguard consumer data and continuing to falsely advertise to consumers, in violation of the 2010 order. EPIC has repeatedly urged the FTC to enforce consent orders and to make its review process transparent to the public. In 2012 EPIC sued the agency for its failure to enforce a consent order against Google after the company changed its privacy practices. (Jul. 22, 2015)
  • Senators Markey and Blumenthal Introduce Bill to Protect Drivers from Remote Hacking +
    Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have introduced the "Security and Privacy in Your Car Act of 2015." The SPY Car Act would establish cybersecurity and privacy requirements for new passenger vehicles, and inform consumers about the risks of remote hacking. The SPY Car Act follows a report from Senator Markey, which "detailed major gaps in how auto companies are securing connected features in cars against hackers." The bill would also prohibit manufacturers from using consumer driver data for marketing purposes without consumer consent. EPIC has urged the Transportation Department to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and has also said that "cars should not spy on drivers." (Jul. 21, 2015)
  • EPIC Urges Investigation of "Always On" Consumer Devices +
    EPIC has asked the Federal Trade Commission and the Department of Justice to conduct a workshop on 'Always-On' Consumer Devices. EPIC described the increasing presence of internet-connected devices in consumer's homes, such as TVs, toys, and thermostats, that routinely record and store private communications. EPIC urged the agencies to conduct a comprehensive investigation to determine whether "always on" devices violate the Wiretap Act, state privacy laws, or the FTC Act. Earlier this year, EPIC filed a formal complaint with the FTC concerning Samsung TV, arguing that the recording of private communications in the home is an unfair and deceptive trade practice. (Jul. 9, 2015)
  • EPIC Files FTC Complaint Against Uber about Plan to Track Users and Gather Contact List Data +
    EPIC has filed a complaint with the Federal Trade Commission, charging that Uber's plan to track users and gather contact details is an unlawful and deceptive trade practice. EPIC cites Uber's history of misusing customer data as one of many reasons the Commission must act. EPIC has also recommended comprehensive legislation for Uber and other similar companies. EPIC has previously pursued successful complaints at the FTC concerning Google, Facebook, WhatsApp, Snapchat and other firms. The complaints typically lead to investigations and then to settlements following a change in business practices. (Jun. 22, 2015)
  • EPIC Pursues Investigation of FTC's 2012 Investigation of Google +
    EPIC has filed a FOIA request with the Federal Trade Commission, reopening a 2013 FOIA request from EPIC regarding the Commission's Google antitrust investigation. After the agency closed the investigation in 2013, EPIC asked for agency communications with the White House. The FTC denied having any such records. Now, the Wall Street Journal has reported that the Chairman of the FTC attended White House meetings on the same day as Google lobbyists. EPIC also filed a request this week for the FTC staff reports recommending that the agency file an antitrust lawsuit against Google. (Mar. 26, 2015)
  • EPIC Pursues Reports from FTC's 2012 Investigation of Google +
    EPIC has filed a FOIA request with the Federal Trade Commission, seeking the two reports prepared by agency staff during the 2012 Google antitrust investigation. After the agency closed the investigation in 2013, asked for for agency communications with the White House. Now, the Wall Street Journal has obtained a report revealing that the Commission ignored recommendations to reform Google's anticompetitive practices. EPIC warned the FTC in 2011 about Google's search ranking manipulation after the company acquired YouTube. (Mar. 24, 2015)
  • Wall Street Journal Reveals FTC Ignored Google's Anticompetitive Practices +
    According to an internal document obtained by the WSJ, in 2012 the Federal Trade Commission ignored recommendations to reform Google's anticompetitive practices. The FTC staff report concluded that Google's "conduct has resulted-and will result-in real harm to consumers and to innovation in the online search and advertising markets." The internal FTC report said the company illegally took content from rival websites to improve its own rankings and "[w]hen competitors asked Google to stop taking their content, it threatened to remove them from its search engine. The report also found that Google altered search results "to benefit its own services at the expense of rivals." In 2011 EPIC detailed for the FTC Google's manipulation of rankings for a search on the term "privacy" after it acquired YouTube. EPIC pursued an FOIA request for agency communications with the White House after the agency closed investigation. (Mar. 23, 2015)
  • EPIC Files Comments with FTC on Merger Review and Consumer Privacy +
    EPIC, along with 26 technical experts and legal scholars, has submitted extensive comments for the FTC's review of the merger remedy process. EPIC urged the Commission to consider the privacy risks to consumers that result from the merger of big data firms. The comments detailed EPIC's efforts, over 15 years, to warn the FTC about such mergers as Abacus and DoubleClick, then DoubleClick and Google, AOL and Time Warner, and most recently Facebook and WhatsApp. EPIC urged the FTC to asses both competitive and privacy impacts of merger, and to enforce privacy commitments prior to granting merger approval. (Mar. 18, 2015)
  • Senators Propose Law to Regulate Data Broker Industry +
    Senators Markey, Blumenthal, Whitehouse and Franken have introduced the Data Broker Accountability and Transparency Act. The bill would give consumers the right to access their personal information held by data brokers and stop data brokers from disclosing or selling that information to others. Senator Markey said, "The era of data keepers has given way to the era of data reapers." In 2005, EPIC testified before Congress on "Identity Theft and Data Broker Services" and urged the regulation of data brokers following the disclosure that Choicepoint sold personal information to identity thieves. EPIC's FTC complaint lead to a $10 million settlement with Choicepoint. (Mar. 5, 2015)
  • Federal Courts Considers FTC's Data Protection Authority +
    A federal appeals court heard arguments today in FTC v. Wyndham, an important data privacy case. Wyndham Hotels, which revealed hundreds of thousands of customer records following a data breach, is challenging the FTC's authority to enforce data security standards. In an amicus brief joined by legal scholars and technical experts, EPIC defended the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." EPIC explained that the damage caused by data breaches - more than $500 million last year - makes data security one of the top concerns of American consumers. EPIC warned the court that "removing the FTC's authority to regulate data security would be to bring dynamite to the dam." (Mar. 3, 2015)
  • White House (Commerce Dept.) Privacy Bill Not Helpful, Unworkable +
    The White House has released a consumer privacy proposal, prepared by the Commerce Department. The bill falls far short of the recommendations for a “Consumer Privacy Bill of Rights” set out by President Obama in 2012 and broadly supported by consumer organizations. The draft proposal lacks meaningful protections for consumers, would preempt stronger state laws, and create unnecessary regulatory burdens for businesses. EPIC has long recommended enactment of consumer privacy legislation based on “Fair Information Practices,” the basic framework for modern privacy law. (Mar. 2, 2015)
  • EPIC Challenges Samsung's Surveillance of the Home, Files FTC Complaint +
    EPIC has filed a complaint to the Federal Trade Commission about Samsung's SmartTvs. "Samsung routinely intercepts and records the private communications of consumers in their homes," EPIC wrote. EPIC detailed widespread consumer objections and charged that "privacy notices" do not diminish the harm to American consumers. In setting out the privacy violations, EPIC cited the FTC Act, the Children's Online Privacy Protection Act, The Cable Act, and the Electronic Communications Privacy Act. EPIC also noted a recent speech of FTC Chair Edith Ramirez about privacy and consumer products. EPIC asked the FTC to enjoin Samsung and other companies that engage in similar practices. (Feb. 24, 2015)
  • Senator Markey Report Warns of Risks with "Connected Cars" +
    A report from Senator Edward Markey (D-MA) finds lax privacy practices at leading auto manufacturers. The Senator said the safeguards in the auto industry for data collection are "inconsistent" and "haphazard." The investigation also revealed, "automobile manufacturers collect large amounts of data on driving history and vehicle performance." Senator Markey has called on the Department of Transportation and the Federal Trade Commission to issue rules to protect driver privacy and security. EPIC has urged the Department of Transportation to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and said also that "cars should not spy on drivers." (Feb. 10, 2015)
  • Consumer Groups Urge FTC Review of Data Consolidation +
    A coalition of consumer groups has asked the Federal Trade Commission to undertake a comprehensive review of the impact on the American public of the growing consolidation of consumer data in the digital marketing industry. The groups asked the FTC to launch an investigation and hold a public workshop on protecting privacy in online transactions. EPIC has repeatedly urged the FTC to undertake a similar review. In 2007, EPIC opposed Google's acquisition of Doubleclick, the Internet advertising firm, citing the risks of growing consolidation of user data. In 2000, EPIC also opposed Doubleclick's acquisition of Abacus, a large catalog database firm. Privacy officials outside the US have begun to scrutinize these deals more closely. (Feb. 9, 2015)
  • Senators Challenge Verizon's Secret Mobile Tracking Program +
    In a letter to Verizon, Senators on the Commerce Committee challenged the company's practice of placing a "super cookie" oncustomers' smartphones. The letter follows the recent discovery that the advertising company Turn was secretly tracking Verizon customers, even after customers deleted its cookies. In the letter, the Senators asked Verizon to stop tracking users with undeletable cookies. EPIC has urged the White House and the Federal Trade Commission to limit the use of persistent identifiers. EPIC supports opt-in requirements and Privacy Enhancing Techniques for consumers, and algorithmic transparency for data collectors. (Jan. 30, 2015)
  • Obama Calls for Disclosure of Secret Credit Scores +
    In a speech at the Federal Trade Commission today, President Obama called for free access to credit scores. This will improve transparency for companies that profile consumers with "big data." Last year, the White House explored "Big Data and the Future of Privacy." EPIC called for "algorithmic transparency" and urged the White House to end secret profiling that limits opportunities for consumers, employees, students, and others. (Jan. 12, 2015)
  • Obama Announces New Consumer Privacy Initiatives +
    Today the President announced several initiatives to help protect consumer privacy following many, many data breaches. The President will move forward the Consumer Privacy Bill of Rights, a model framework for federal consumer privacy legislation, that EPIC supported in comments to executive agencies, legislators, and the White House. The President also proposed that financial firms disclose credit scores and that Congress enact the Student Digital Privacy Act based on "Fair Information Practices." (Jan. 12, 2015)
  • FTC Chair Warns About Risks of Connected Devices +
    In a speech at the CES conference this week, FTC Chair Edith Ramirez warned of the privacy risks of connected home devices. "In the not-too-distant future, many, if not most, aspects of our everyday lives will be digitally observed and stored," Ramirez said. EPIC has written extensively on interconnected devices, known as the "Internet of Things." In comments to the FTC, EPIC described several risks, including the hidden collection of sensitive data. EPIC recommended that companies adopt Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: FTC and EPIC: Big Data. (Jan. 7, 2015)
  • FTC Charges Data Broker with Theft +
    The Federal Trade Commission has brought a complaint against LeapLab, a commercial data broker. According to the complaint, LeapLab bought the payday loan applications of “financially strapped consumers,” and then sold the consumer information to marketers. At least one marketing company that purchased consumer information from LeapLab used that information to steal millions of dollars from consumers’ bank accounts. “This case shows that the illegitimate use of sensitive financial information causes real harm to consumers,” said Jessica Rich, Director of the Federal Trade Commission’s Bureau of Consumer Protection. In 2005, EPIC testified before the the House Commerce Committee on "Identity Theft and Data Broker Services" and Urged Congress to establish comprehensive regulation of the data broker industry following the disclosure that Choicepoint was selling personal information to criminals engaged in identity theft. Further, EPIC's complaint to the FTC against Choicepoint lead to a $10 million settlement. For more information, see EPIC: Choicepoint, EPIC: Privacy and Consumer Profiling, and EPIC: FTC. (Jan. 2, 2015)
  • FTC Finalizes Snapchat Settlement +
    The Federal Trade Commission has approved a final order with Snapchat, the messaging service that falsely promised that messages sent and received through the service would "disappear forever.” The Commission’s investigation and initial proposed consent order followed a complaint filed by EPIC in 2013. EPIC brought the complaint against Snapchat after a researcher discovered that Snapchat photos could be retrieved by others after they should have vanished. EPIC also filed comments regarding the Commission's proposed consent order, expressing support for the Commission’s findings but recommending that Snapchat should be required to implement the Consumer Privacy Bill of Rights and make Snapchat's privacy assessments publicly available. Under the settlement, Snapchat will be subject to 20 years of privacy audits, and will be prohibited from making false claims about its privacy policies. For more information, see EPIC: In re Google, EPIC: In re Facebook and EPIC: FTC. (Jan. 2, 2015)
  • Dutch Privacy Officials Find Google Violates National Privacy Law +
    The Dutch Data Protection Authority has found that Google's 2012 privacy policy change violates Dutch data protection law. Google's policy change, which EPIC also opposed, consolidated user data across more than 60 separate services and gave Google the ability to track and profile users in extraordinary detail. The Dutch DPA has ordered Google to: (1) obtain "unambiguous consent of users for the combining of personal data" from different Google services; (2) describe in detail the personal data are used by each Google service; and (3) clearly explain to consumers that YouTube is a Google service. Google must comply with the Dutch officials' order by February 2015 or face $19 million in fines. In issuing the decision, Jacob Kohnstamm, chairman of the Dutch DPA, stated, "Google catches us in an invisible web of our personal data without telling us and without asking us for our consent. This has been ongoing since 2012 and we hope our patience will no longer be tested." In 2012, EPIC sued the Federal Trade Commission to block Google's 2012 policy change, which violated a 2011 FTC Consent Order. That Consent Order followed an extensive EPIC FTC Complaint and findings by the FTC concerning Google's business practices. For more information, see EPIC: EPIC v. FTC (Enforcement of the Google Consent Order), EPIC: In re Google Buzz, and EPIC: Federal Trade Commission. (Dec. 16, 2014)
  • FTC Fines TRUSTe, Privacy Certification Company +
    The Federal Trade Commission settled charges today that TRUSTe, a company that provides privacy certifications for online businesses including children's privacy and the US-EU Safe Harbor program, deceived consumers through its privacy seal program. The FTC charged TRUSTe with failure to conduct re-certifications for companies that displayed privacy seals, even though TRUSTe stated on its website that it conducted annual re-certifications. "TRUSTe promised to hold companies accountable for protecting consumer privacy, but it fell short of that pledge," said FTC Chairwoman Edith Ramirez. Under the consent agreement, TRUSTe is prohibited from misrepresenting its business practices to consumers. TRUSTe must also submit a detailed filing to the FTC every year, describing its COPPA recertification process and must pay a fine of $200K. In February, EPIC submitted comments to the Federal Trade Commission, urging the agency to improve pending settlements in several Safe Harbor enforcement actions, citing weaknesses in current Safe Harbor oversight. And just this month, EPIC filed a lengthy amicus brief in federal appeals court in support of the FTC's "Section 5" authority. For more information, see EPIC: FTC. (Nov. 17, 2014)
  • Senator Rockefeller Questions Whisper About Privacy Practices +
    Senator Rockefeller has asked Whisper to answer several questions about the company's practices and policies. Whisper said that it does not track users and that it respects users' decisions to opt out of geolocational tracking. But the Guardian revealed that Whisper tracks "the precise time and approximate location of all messages" and specifically tracks certain users the company deems "newsworthy." Senator Rockefeller, chair of the Senate Committee on Commerce has asked Whisper to explain its tracking, data retention, and disclosure practices. EPIC has several similar matters pending before the Federal Trade Commission. For more information, see EPIC: WhatsApp, EPIC: Snapchat, and EPIC: FTC. (Oct. 24, 2014)
  • Facebook Responds to EPIC Complaint About "Emotions Study" +
    Facebook has announced revised guidelines concerning user data the company discloses to researchers. In 2012, Facebook subjected 700,000 users to an "emotional" test by manipulating their News Feeds. Facebook did not get users' permission to conduct this study or notify users that their data would be disclosed to researchers. In response, EPIC filed a formal complaint to the Federal Trade Commission. "The company purposefully messed with people's minds," states the EPIC complaint. EPIC has also asked the FTC to require that Facebook make public the News Feed algorithm. Facebook is also currently under a 20 year consent decree from the FTC that requires Facebook to protect user privacy, as a result of complaints brought by EPIC and a coalition of consumer privacy organizations in 2009 and 2010. The new guidelines have improved Facebook's research process, but they still raise questions about human subject testing by advertising companies. EPIC still believes the NewsFeed algorithm should be made public. For more information, see EPIC: In re: Facebook (Psychological Study) and EPIC: Federal Trade Commission. (Oct. 2, 2014)
  • FTC To Explore "Big Data" and Discrimination +
    The Federal Trade Commission will host a workshop entitled "Big Data: A Tool for Inclusion or Exclusion?" The FTC will explore the effects of "big data" analytics on low-income and other underserved communities. Several members of the EPIC Advisory Board will be participating. Earlier this year, the FTC published a report on data brokers, warning that, "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." The White House also convened a task force and published a report on "big data" this year. At EPIC's urging, the White House included public participation in the review process. EPIC submitted extensive comments, warning about the enormous risk to Americans of current "big data" practices but also made clear that problems are not new, citing the Privacy Act of 1974. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. For more information, see EPIC: Big Data and the Future of Privacy, and EPIC: FTC. (Sep. 10, 2014)
  • Federal Trade Commission Orders Google to Refund Parents $19 Million for Unauthorized Charges +
    The Federal Trade Commission has reached a settlement with Google over allegations that the company unfairly charged parents millions of dollars for their children's in-app purchases. The settlement mandates that Google provides full refunds for unauthorized purchases. The FTC agreement will be subject to public comments. Comments are due October 6, 2014. The Commission has previously settled charges with Apple and sued Amazon for charging parents for their kids unauthorized in-app purchases. Previously EPIC has urged the FTC to require companies subject to privacy consent orders to adhere to the Consumer Privacy Bill of Rights. For more information, see EPIC: Federal Trade Commission and EPIC: Search Engine Privacy. (Sep. 5, 2014)
  • EU Launches Investigation Into Facebook Acquisition of WhatsApp +
    Antitrust officials in the European Union have begun an investigation into Facebook's acquisition of the messaging service WhatsApp. WhatsApp gained popularity based on its pro-privacy approach to user data. Following the announcement of Facebook's plan to acquire the company, EPIC filed two complaints with the Federal Trade Commission, urging the FTC to block the sale unless adequate privacy safeguards for WhatsApp users were established. The Commission then notified Facebook and WhatsApp that they must honor their privacy commitments to users but questions remain about future business practices. Now European antitrust regulators have served Facebook with a questionnaire of more than 70 pages to determine whether the merger violates European antitrust laws. For more information, see EPIC: In re WhatsApp, and EPIC: FTC. (Sep. 2, 2014)
  • Consumer Privacy Organizations Urge Judge to Reject "Privacy Settlement" +
    EPIC, joined by leading consumer protection organizations, has asked a federal judge to reject a proposed class action settlement in In re Google Referrer Header Litigation. The settlement requires no substantial change in Google's business practices and provides no benefit to class members. EPIC wrote to the same judge last year when the settlement was first proposed, urging him not to approve. The Federal Trade Commission and the California Attorney General have opposed a similar settlement. And the Chief Justice of the US Supreme Court has expressed deep skepticism about settlements that provide no benefits to class members. The judge in the Google care will rule on the settlement August 29. For more information, see EPIC: Search Engine Privacy, and EPIC: FTC. (Aug. 27, 2014)
  • Senator Schumer Calls On Regulators to Make Fitness Data Private +
    Senator Charles Schumer has denounced the data collection practices of "activity trackers" such as FitBit. "Activity trackers" are mobile devices that record highly personal information about the wearer and constantly analyze the wearer's activities, including their diet, exercise, sleep, and even sexual habits. However, it is not clear whether federal privacy law protects this personal data from disclosure to third parties. EPIC has commented extensively on the privacy protections that are necessary in the "internet of things." EPIC has frequently pointed out the potential for misuse when companies collect data about sensitive consumer behavior. EPIC has made several recommendations to improve the privacy protections on devices such as "activity trackers," including requiring companies to adopt Privacy Enhancing Techniques, respect a consumer’s choice not to tracked, profiled, or monitored, minimize data collection, and ensure transparency in both design and operation of Internet-connected devices. For more information, see EPIC: FTC and EPIC: Practical Privacy Tools. (Aug. 14, 2014)
  • Federal Trade Commission Responds to EPIC Regarding Google Settlement +
    The Federal Trade Commission has responded to EPIC's letter urging the agency to oppose a collusive Google class action settlement. The agency stated that it "systematically monitors compliance" with its consumer protection orders and that it "takes alleged violation[s] of an order seriously," but that it cannot publicly disclose details of its investigations until a formal complaint is issued. In 2010, Google was sued for sharing user web browsing information with advertisers. Under the proposed settlement agreement, Google will distribute several million dollars to a handful of organizations, many of which already have ties to the company. EPIC and other privacy organizations urged the Commission to formally object because the proposed agreement "confers no monetary relief to class members, compels no change in Google's behavior, and misallocates the cy pres distribution." The agency has a history of filing objections - it filed a similar objection in Fraley v. Facebook, an unfair class action settlement in the Ninth Circuit. For more information see EPIC: FTC and EPIC: Search Engine Privacy. (Aug. 7, 2014)
  • Consumer Privacy Organizations Oppose Farcical Class Action Settlement +
    EPIC, along with a group of consumer privacy organizations, has asked the Federal Trade Commission to object to an unfair class action settlement in California federal court. In 2010, Google was sued for sharing user web browsing information with advertisers. Under the proposed settlement agreement, Google will distribute several million dollars to a handful of organizations, many of which already have ties to the company. EPIC and other privacy organizations have argued that the proposed agreement "confers no monetary relief to class members, compels no change in Google's behavior, and misallocates the cy pres distribution" to organizations that are "not aligned with the interests of class members and do not further the purpose of the litigation." The consumer groups, who have already written to the court opposing the settlement, urged the Federal Trade Commission to object as well. The agency filed a similar objection in Fraley v. Facebook, an unfair class action settlement in the Ninth Circuit. For more information, see EPIC: FTC and EPIC: Search Engine Privacy. (Aug. 5, 2014)
  • EPIC, Consumer Groups Challenge Facebook on Web Snooping +
    EPIC, along with a coalition of consumer groups, has urged the Federal Trade Commission to block Facebook's plan to collect users' web browsing history. Facebook recently announced plans to collect user data from sites all over the web. But the practice may violate a Federal Trade Commission order prohibiting Facebook from changing its business practices without users' express consent. The groups asked the FTC "to act immediately to notify the company that it must suspend its proposed change in business practices to determine whether it complies with current U.S. and EU law." EPIC has also filed a FOIA request, seeking the FTC's communications with Facebook about this change. For more information, see EPIC: Facebook Privacy, EPIC: Online Tracking and Behavioral Privacy, and EPIC: FTC. (Jul. 29, 2014)
  • EPIC Tells Congress FTC Does Not Enforce Consent Orders +
    EPIC has sent a letter to the House Committee on Oversight and Government Regulation stating that the Federal Trade Commission rarely enforces "Section 5" consent orders. EPIC also said that the Commission has never modified a consent order in response to public comments or required companies to implement the Consumer Privacy Bill of Rights. The Committee believed the Commission has gone too far to protect the privacy of American consumers. EPIC wrote "the opposite is true." Senator Rockefeller also wrote a letter, urging the Committee not to interfere in the FTC's "well-established legal authority." For more information, see EPIC: Wyndham Hotels and EPIC: FTC. (Jul. 25, 2014)
  • Privacy Lawsuit Against Google for Policy Change Moves Forward +
    A federal court in California has ruled that a class action privacy lawsuit against Google can continue. The plaintiffs are Android users who sued Google in 2012 after the company consolidated user data across many separate services, including Gmail, Google+, and Youtube. They allege that Google concealed a plan to modify its privacy policies and also that Google violated the privacy policy for GooglePlay. After dismissing similar claims, the court held that the case may now go forward. In 2012, EPIC objected to the same change in Google's policy and urged the Federal Trade Commission to block the change because of a 2011 consent order in which Google agreed not to combine user data without user consent. After the FTC failed to act, EPIC sued the agency. Members of Congress, state Attorneys General, European Justice Officials, technical experts, and IT managers in government and the private sector also expressed concern about the 2012 Google policy change. For more information, see EPIC: EPIC v. FTC (Google Consent Order) and EPIC: FTC. (Jul. 22, 2014)
  • Following EPIC Complaint, Senator Seeks Investigation of Facebook User Manipulation Study +
    Senator Mark Warner has asked the Federal Trade Commission to investigate the legality of Facebook's emotional manipulation study. In a letter to the Commission, Senator Warner stated that "it is not clear whether Facebook users were adequately informed and given an opportunity to opt-in or opt-out." He asked the FTC to conduct an investigation to see "if this 2012 experiment violated Section 5 of the FTC Act or the 2011 consent agreement with Facebook," two issues raised in EPIC's earlier complaint. "The company purposefully messed with people's minds," wrote EPIC in a complaint to the Commission. EPIC charged that Facebook violated a consent decree that required the company to respect user privacy and also engaged in a deceptive trade practice. EPIC has asked the FTC to require that Facebook make public the News Feed algorithm. For more information, see EPIC: In re Facebook, EPIC: In re Facebook (Psychological Study), and EPIC: FTC. (Jul. 17, 2014)
  • FTC Sues Amazon Over Billing for Childrens' In-App Purchases +
    The FTC has filed a lawsuit alleging that "Amazon.com, Inc. has billed parents and other account holders for millions of dollars in unauthorized in-app charges incurred by children." FTC Chairwoman Edith Ramirez said, "Amazon's in-app system allowed children to incur unlimited charges on their parents' accounts without permission. Even Amazon's own employees recognized the serious problem its process created." The FTC recently settled similar charges with Apple. In that case, the FTC charged Apple with "billing consumers for millions of dollars of charges incurred by children in kids' mobile apps without their parents' consent." Under the terms of the settlement, Apple must provide a refund for affected consumers and must change its billing practices to ensure that it has obtained express, informed consent from consumers before charging them for items sold in mobile apps. Previously, EPIC filed a complaint with the FTC over Amazon's collection of children's data. EPIC explained that Amazon was violating the Children's Online Privacy Protection Act by allowing children to post content, including personally identifiable information, without their parents' permission. EPIC currently has several complaints pending with the FTC. For more information, see EPIC: FTC. (Jul. 11, 2014)
  • EPIC Challenges Facebook's Manipulation of Users, Files FTC Complaint +
    EPIC has filed a formal complaint to the Federal Trade Commission concerning Facebook's manipulation of users' News Feeds for psychological research. "The company purposefully messed with people's minds," states the EPIC complaint. EPIC has charged that the study violates a privacy consent order and is a deceptive trade practice. In 2012, Facebook subjected 700,000 users to an "emotional" test with the manipulation of News Feeds. Facebook did not get users' permission to conduct this study or notify users that their data would be disclosed to researchers. In the complaint, EPIC explained that Facebook's misuse of data is a deceptive practice subject to FTC enforcement. Facebook is also currently under a 20 year consent decree from the FTC that requires Facebook to protect user privacy. The consent decree resulted from complaints brought by EPIC and a coalition of consumer privacy organizations in 2009 and 2010. EPIC has asked the FTC to require that Facebook make public the News Feed algorithm. For more information, see EPIC: In re Facebook, EPIC: In re Facebook (Psychological Study), and EPIC: FTC. (Jul. 3, 2014)
  • FTC Releases 2014 Data Security Update, But Enforcement Questions Remain +
    The Federal Trade Commission has released the 2014 Privacy and Data Security Update. The report is "an overview of the FTC's enforcement, policy initiatives, and consumer outreach and business guidance in the areas of privacy and data security." In the report, the FTC explains that "If a company violates an FTC order, the FTC can seek civil monetary penalties for the violations." However, the FTC has consistently failed to enforce consent orders with Google, Facebook, and other companies that have engaged in unfair or deceptive trade practices. The Commission has also failed to modify proposed settlement agreements after seeking public comment. For more information, see EPIC: FTC, EPIC: Facebook Privacy, and EPIC: In re: Google Buzz. (Jul. 1, 2014)
  • FTC Ignores Public Comments on Safe Harbor Settlements +
    The Federal Trade Commission has settled charges against fourteen companies that misrepresented compliance with the EU-US Safe Harbor privacy arrangement. In response to the FTC's request for public comment on the pending settlements, EPIC recommended that the Commission: (1) require the companies to comply with the Consumer Privacy Bill of Rights; (2) publish the companies' consent order compliance reports as they are submitted; and (3) strengthen the sanctions against a DNA testing firm, whose misrepresentations puts genetic information at risk. However, the FTC declined to make any changes. EPIC has previously stated that the Commission's ongoing failure to modify consent orders in response to public comments is "contrary to the interests of American consumers." An Irish Court has recently asked the European Court of Justice to determine whether the Safe Harbor Arrangement still provides adequate protection for EU consumer. For more information, see EPIC: EU Data Protection Directive and EPIC: Federal Trade Commission. (Jun. 27, 2014)
  • Facebook to Profile User Browsing, May Violate FTC Consent Order +
    Facebook has announced that it will collect detailed browser history on users for advertising purposes. Users who object were told to opt-out. The plan may violate a Federal Trade Commission order, prohibiting Facebook from changing its business practices without users’ express consent. The FTC order follows from complaints filed by EPIC and other consumer privacy organizations in 2009 and 2010. In issuing the order, the FTC found that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." A recent Consumer Reports poll found that consumers overwhelmingly object to having their online activities tracked for advertising purposes. For more information, see EPIC: Facebook Privacy, EPIC: FTC Facebook Settlement, EPIC: Online Tracking and Behavioral Profiling, and EPIC: Practical Privacy Tools. (Jun. 12, 2014)
  • EPIC Urges FTC to Protect Snapchat Users' Privacy +
    EPIC has submitted comments to the Federal Trade Commission, urging the agency to require Snapchat to safeguard consumer privacy. Following a 2013 EPIC complaint, the FTC signed a consent order with Snapchat, the publisher of a mobile app that encourages users to share intimate photos and videos. Snapchat claimed that pictures and videos would "disappear forever," but that was false. As EPIC explained, "Snapchat photos and videos remain available to others even after users are informed that the photos and videos have been deleted." EPIC expressed support for the findings in the proposed FTC Settlement with Snapchat. But EPIC recommended that the FTC require Snapchat to implement the Consumer Privacy Bill of Rights and make Snapchat's independent privacy assessments publicly available. EPIC pursued similar claims involving false promises about data deletion with AskEraser. EPIC has also made similar recommendation for other proposed FTC consumer privacy settlements. For more information, see EPIC: In re Google, EPIC: In re Facebook, and EPIC: FTC. (Jun. 10, 2014)
  • Federal Trade Commission Urges Court to Protect Student Privacy +
    The Federal Trade Commission is opposing the sale of student data in a bankruptcy proceeding for ConnectEDU. The company privacy policy promises it will give students "reasonable notice and an opportunity to remove personally identifiable information" from its website. The FTC said that the sale of student information "without reasonable notice to users and an opportunity to remove personal information would contradict the privacy statements originally made to users." The FTC letter also cites consent agreements with Snapchat, Google, and Facebook. Each of these consent orders was a result of an EPIC FTC complaint. Last year, EPIC filed an extensive complaint concerning Scholarships.com's business practices. The company encourages students to divulge sensitive medical, sexual, and religious information to obtain financial aid information. For more information, see EPIC: Student Privacy, EPIC: In re Google Buzz, EPIC: In re Facebook, and EPIC: Federal Trade Commission. (May. 29, 2014)
  • FTC Report on Data Brokers Fails to Address Consumer Privacy Concerns +
    The Federal Trade Commission has published "Data Brokers: A Call for Transparency and Accountability." The report follows from a FTC Investigation of the data broker industry. The report describes the unbounded collection of personal information about American consumers that is then widely sold in the private sector. The Commission recommended modest legislative changes and failed to address many of consumers' privacy concerns, including profiling and "scoring" of consumers. Commissioner Julie Brill issued a statement, calling for more substantial consumers safeguards. Senators Rockefeller and Markey have also introduced The Data Broker Accountability and Transparency Act of 2014 (DATA Act), which would regulate data brokers and other companies that profit from the sale of consumer information. In 2005, EPIC testified before the the House Commerce Committee on "Identity Theft and Data Broker Services" and Urged Congress to establish comprehensive regulation of the data broker industry following the disclosure that Choicepoint was selling personal information to criminals engaged in identity theft. For more information, see EPIC: Choicepoint, EPIC: Privacy and Consumer Profiling, and EPIC: FTC. (May. 27, 2014)
  • Sprint Pays FCC A Record $7.5M For Violating Do Not Call +
    Sprint has reached a $7.5 million settlement with the Federal Communications Commission for violations of the Do Not Call national registry. It is the FCC's largest Do Not Call settlement ever. The settlement follows a 2011 consent decree between Sprint and the FCC which also arose out of complaints from Do Not Call registrants. Under the terms of the current settlement, Sprint must develop a compliance plan, and file two years of compliance reports with the Commission. Additionally, Sprint must designate a Do Not Call Compliance Officer and retrain all employees. EPIC has spent 20 years helping to establish and enforce the Telephone Consumer Protection Act. In 2002, EPIC and ten leading advocacy groups filed comments to both the FCC and the Federal Trade Commission, advocating the creation of the Do-Not-Call Registry. EPIC has also recommended that Congress establish a National Do Not Track registry for online consumers. For more information, see EPIC: Do Not Call Registry Timeline, EPIC: Illegal Sale of Phone Records, and EPIC: Federal Trade Commission. (May. 20, 2014)
  • EPIC's Snapchat Privacy Complaint Results in 20-Year FTC Consent Order +
    Following a 2013 EPIC complaint, the FTC has signed a consent order with Snapchat, the publisher of a mobile app that encourages user to share intimate photos and videos. Snapchat claimed that pictures and videos would "disappear forever." However, the images could be retrieved by others. As EPIC wrote in the complaint "Snapchat photos and videos remain available to others even after users are informed that the photos and videos have been deleted." In announcing the settlement, FTC Chairwoman Edith Ramirez said, "If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises. Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action." Under the settlement, Snapchat will be subject to 20 years of privacy audits, and will be prohibited from making false claims about its privacy policies. EPIC pursued similar claims involve false promises about data deletion with AskEraser. The FTC will be accepting Public Comments on the proposed Snapchat consent order. For more information, see EPIC: In re Google, EPIC: In re Facebook and EPIC: FTC. (May. 8, 2014)
  • Facebook Introduces New Privacy Features +
    Amidst growing concern about Facebook's disclosure of user information to third parties, the company has announced two new privacy options. Users may now decide how much of their information to disclose to Facebook apps before signing up. Users may also test apps anonymously - without transmitting the Facebook User ID to the developer. The changes appear to be a response to the 2011 Consent Order, pursued by EPIC and a coalition of privacy organization, that requires the company to obtain express affirmative consent from users before disclosing personal information to third parties. In the first report on Internet privacy, "Surfer Beware: Personal Privacy and the Internet" (1997), EPIC said web sites should "support anonymity while developing policies and practices to protect information privacy." For more information, see EPIC: Facebook Privacy, EPIC: Internet Anonymity, and EPIC: FTC. (May. 1, 2014)
  • Patent to Block Facial Recognition Follows Sale of Google Glass +
    A patent for a technology that shields users from nearby video cameras has emerged. The patent describes a detector that would blur the images of people on portable camera displays, preventing video surveillance. The patent surfaced following Google's release of Google Glass for sale by the general public. Google is seeking a patent for a contact lens style for Glass that would escape public detection. Google is also seeking to trademark the word "glass," which the US Patent and Trademark Office opposes. EPIC previously submitted comments to the Federal Trade Commission recommending the suspension of facial recognition techniques pending the establishment of privacy safeguards. For more information, see EPIC: Google Glass and Privacy, EPIC: Facial Recognition and EPIC: Federal Trade Commission. (Apr. 25, 2014)
  • Report Reveals Rise in Teens' Desire for Online Privacy +
    A report released by the Intelligence Group, a "youth-focused, research-based consumer insights company," reveals that teens want more online privacy than ever before. According to the report, only 11% of teens currently share "a lot about themselves online" - a 7% decrease from the same age group last year. By contrast, 17% of young adults aged 19- to 24 and 27% of adults aged 25 to 34 currently share "a lot about themselves online." The report also indicates that "about 18% of teens share content on social media at least once a day, including status updates, photos, pins, or articles, compared with 28% of 19- to 24-year-olds and 35% of 25- to 34-year-olds." Recently, EPIC objected to a settlement agreement that would allow Facebook to use images of teens in online advertising. EPIC has also filed comments with the FTC supporting stronger regulations to protect children's data online. For more information, see EPIC: Fraley v. Facebook, EPIC: COPPA and EPIC: FTC. (Apr. 25, 2014)
  • Court Upholds FTC Authority to Safeguard Data Privacy +
    A federal judge has ruled that the Federal Trade Commission has the power to enforce data security standards. In the case FTC v. Wyndham, the Commission alleged that criminals stole hundreds of thousands of credit card numbers from hotel guests because Wyndham Hotels maintained lax data security. Wyndham responded that the FTC could not bring an enforcement action against the company without first publishing regulations. Judge Esther Salas held that the FTC's authority to investigate "unfair or deceptive" business practices included data protection. FTC Chairwoman Edith Ramirez stated earlier, "Companies should take reasonable steps to secure sensitive consumer information. When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers." For more information, see EPIC: Federal Trade Commission, and EPIC: Big Data and the Future of Privacy. (Apr. 11, 2014)
  • FTC Responds to EPIC Complaint on WhatsApp and Privacy +
    The Federal Trade Commission has notified Facebook and WhatsApp that they must honor their privacy commitments to users. According to the letter from the Director of the FTC Bureau of Consumer Protection, "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC letter followed a detailed complaint from EPIC and CDD concerning the privacy implications of the $19B sale to Facebook. WhatsApp had assured users of strong privacy safeguards prior to the sale. The FTC letter concludes "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." For more information, see EPIC: In re: WhatsApp, EPIC: In re: Facebook and EPIC: Federal Trade Commission. (Apr. 10, 2014)
  • FTC Commissioner Wright Meets with Industry Lobbyists, Not Consumer Representatives +
    Through a Freedom of Information Act request, EPIC obtained the appointment calendar of FTC Commissioner Wright. The Commissioner's calendar reveals many meetings with corporate presentatives but no meetings with public interest organizations representing consumers. One of FTC's primary missions is to protect consumers from unfair and deceptive business practices. Commissioner Wright became an FTC Commissioner in January 2013. Since then he has met with representatives from Apple, Microsoft, Verizon, Qualcomm, the Network Advertising Initiative, and the Consumer Data Industry Association. He has attended industry conferences and given talks at trade association meetings. EPIC tried several times to arrange a meeting between Commissioner Wright and the Privacy Coalition—a nonpartisan coalition of consumer, civil liberties, educational, family, library, and technology organizations. The Privacy Coalition has hosted meetings with many FTC commissioners over the past decade. After repeatedly declining a meeting with the consumer privacy organizations, EPIC filed a FOIA request for the FTC Commissioner's appointment calendar. For more information, see EPIC: Federal Trade Commission. (Apr. 8, 2014)
  • Fandago and Credit Karma Settle FTC Charges for Weak App Security +
    Two companies have settled Federal Trade Commission charges that they misrepresented the security of their mobile apps. Fandango and Credit Karma failed to enable SSL encryption, leaving user data vulnerable on mobile apps. "Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps," FTC Chairwoman Edith Ramirez said in a statement. The settlements require the companies to establish data security programs, and to undergo security assessments by the Commission for the next 20 years. EPIC recently brought a complaint to the FTC concerning Scholarship.com, a company that failed to establish adequate security safeguards. Not long after the complaint from EPIC, the company implemented SSL. EPIC had earlier recommended that the Commission require encryption for all cloud-based services. For more information, see EPIC: Federal Trade Commission, and EPIC: EPIC Online Guide to Practical Privacy Tools. (Mar. 28, 2014)
  • Federal Trade Commission Backs Users in Facebook Privacy Case +
    The FTC has filed an amicus brief in a case before a federal appeals court concerning Facebook users. If a controversial settlement is approved, Facebook will display the images of users, including young children, in Facebook advertising without consent. Several Facebook users formally objected to the plan, arguing that it would violate state laws. A children's advocacy organization also objected, stating that the "settlement is actually worse than no settlement." The FTC brief explains that state privacy laws do prevent the display of children's images without consent. EPIC also filed an amicus brief in support of the users, explaining that the settlement is unfair and should be rejected. EPIC and a coalition of consumer privacy organizations filed an extensive complaint with the Federal Trade Commission that eventually required Facebook to improve its privacy practices. For more information, see EPIC: In re Facebook and EPIC: Fraley v. Facebook. (Mar. 21, 2014)
  • FTC Adopts EPIC's Recommendations on Improved FOIA Processing +
    The Federal Trade Commission has issued a final rule updating its Freedom of Information Act fee provisions. EPIC submitted extensive comments to the agency, supporting proposed fee reductions but also recommending changes to strengthen open government. The FTC adopted nearly all of EPIC's proposals. The FTC announced that all "Commission decisions, orders, and other public materials" will be electronically available to all requesters without charge. The FTC also said it would grant requesters additional time to assess fees associated with FOIA requests rather than simply terminate processing. The FTC agreed to be more lenient in resolving unpaid FOIA fees. The Commission also adopted EPIC's recommendation to disclose private sector contract rates for FOIA processing. EPIC routinely comments on agency proposals that impact FOIA requesters' rights. For more information, see EPIC: Open Government and EPIC: Federal Trade Commission. (Mar. 21, 2014)
  • EPIC Updates Facebook Complaint, Urges Careful Review of WhatsApp Acquisition +
    EPIC has filed a supplemental complaint regarding Facebook's $19 b purchase of WhatsApp. WhatsApp users had relied on the messing app's pro-privacy practices to protect their personal information, while Facebook regularly incorporates user data from the companies it acquires. In the initial complaint, EPIC urged the Federal Trade Commission to block the sale unless adequate privacy safeguard for WhatsApp user data were established. In the supplemental complaint, EPIC provided more evidence that WhatsApp users object to the acquisition. EPIC also highlighted the importance of the FTC's pre-merger review process. Recently, the Commission approved Google's purchase of Nest Labs without considering the privacy implications for consumers. For more information, see EPIC: In re WhatsApp and EPIC: Federal Trade Commission. (Mar. 21, 2014)
  • WhatsApp Founder Responds to EPIC Privacy Complaint +
    Following Facebook's announced plan to purchase WhatsApp, a popular pro-privacy messaging services, EPIC urged the FTC to block the acquisition. EPIC explained to the Commission that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. WhatsApp founder Jan Koum has now published a blog post in response to the EPIC Complaint. Koum wrote, "Above all else, I want to make sure you understand how deeply I value the principle of private communication. For me, this is very personal." He added, "Make no mistake: our future partnership with Facebook will not compromise the vision that brought us to this point." For more information, see EPIC: In re WhatsApp, EPIC: Federal Trade Commission, and EPIC: In re Facebook. (Mar. 18, 2014)
  • EPIC Urges FTC Investigation of WhatsApp Sale to Facebook +
    EPIC has filed a complaint to the Federal Trade Commission concerning Facebook's proposed purchase of WhatsApp. WhatsApp is a messaging service that gained popularity based on its strong pro-privacy approach to user data. WhatsApp currently has 450 million active users, many of whom have objected to the proposed acquisition. Facebook regularly incorporates data from companies it has acquired.The Federal Trade Commission has previously responded favorably to EPIC complaints concerning Google Buzz, Microsoft Passport, Changes in Facebook Privacy Settings, and Choicepoint security practices. However, the FTC approved Google's acquisition of Doubleclick over EPIC's objection. Facebook is currently under a 20 year consent decree from the FTC that requires Facebook to protect user privacy and to comply with the US-EU Safe Harbor guidelines. For more information, see EPIC: In re Google Buzz, EPIC: Microsoft Passport, EPIC: In re Facebook, and Privacy? Proposed Google/DoubleClick Merger. (Mar. 6, 2014)
  • EPIC Files Amicus Brief in Facebook Consumer Privacy Case, Urges Rejection of Settlement +
    EPIC has filed a amicus brief urging a federal appeals court to overturn a controversial consumer privacy settlement. If the Fraley v. Facebook settlement is approved, Facebook will display the images of Facebook users, including young children, for commercial endorsement without consent. Facebook users opposed "Sponsored Stories" and several have formally objected to the settlement, including a children's advocacy organization which said that the "settlement is actually worse than no settlement." The MacArthur Foundation also withdrew stating it should not have been designated to receive funds. EPIC's amicus brief in support of the objectors explains that the settlement is unfair to Facebook users and should be rejected. EPIC also notes that Chief Justice Roberts expressed concerns about a similar privacy settlement involving Facebook. EPIC and a coalition of consumer privacy organizations filed an extensive complaint with the Federal Trade Commission that eventually required Facebook to improve its privacy practices. For more information, see EPIC: In re Facebook and EPIC: Fraley v. Facebook. (Feb. 21, 2014)
  • EPIC Urges FTC to Strengthen Safe Harbor Settlements +
    EPIC has submitted comments to the Federal Trade Commission, urging the agency to improve pending settlements in several Safe Harbor enforcement actions. According to the FTC, twelve companies misrepresented compliance with the EU-US privacy arrangement. EPIC recommended that the Commission revise the proposed orders to: (1) require the companies to comply with the Consumer Privacy Bill of Rights; (2) publish the companies' consent order compliance reports as they are submitted; and (3) strengthen the sanctions against a DNA testing firm, whose misrepresentations puts genetic information at risk. EPIC also noted that the Commission's ongoing failure to modify consent orders in response to public comments is "contrary to the interests of American consumers." For more information, see EPIC: EU Data Protection Directive and EPIC: Federal Trade Commission. (Feb. 21, 2014)
  • Senators Rockefeller and Markey Propose Data Broker Legislation +
    Senators Rockefeller and Markey have introduced the The Data Broker Accountability and Transparency Act of 2014 (DATA Act). The proposed Act imposes transparency and accountability requirements on data brokers and other companies that profit from the collection and sale of consumer information. Under the DATA Act, consumers would be able to access their personal information, make corrections, and opt out of marketing schemes. The DATA Act would empower the FTC to impose civil penalties on violators, and would prohibit data brokers from collecting consumer data in deceptive ways. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. In 2005, EPIC's complaint to the FTC against data broker Choicepoint lead to a $10 million settlement. For more information, see EPIC: Federal Trade Commission, EPIC: Choicepoint and EPIC: Privacy and Consumer Profiling. (Feb. 13, 2014)
  • FTC Chair Ramirez Urges Senate to Act on Data Security Legislation +
    The Senate Judiciary Committee hearing on "Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime" followed a series of major data breaches at Target, Neiman Marcus, and Michaels, which compromised the personal data of tens of millions of consumers. Senator Leahy, who has introduced important data privacy legislation, said "In the digital age, Americans face threats to their privacy and security unlike any time before in our Nation's history." FTC Chair Edith Ramirez expressed strong support for federal data security legislation. (2h18m). In 2012 President Obama set out a framework for consumer privacy protection, the Consumer Privacy Bill of Rights, which is supported by consumer privacy organizations. For more information, see EPIC: Privacy Legislation, EPIC: Identity Theft, and EPIC: Federal Trade Commission. (Feb. 5, 2014)
  • French Data Protection Authority Fines Google for Data Consolidation +
    The CNIL, the French data protection authority, has fined Google 150,000 Euro (approximately $200,000) for consolidating user data. The decision follows an investigation triggered by the collapse of the Google privacy policy in March 2012, which allowed the company to combine user data across 60 Internet services to create detailed profiles on Internet users. In 2012, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google that would have prohibited Google's changes in business practices. Google's consolidation also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order. (Jan. 9, 2014)
  • Snapchat Data Breach Exposes 4.6 Million Usernames +
    A data breach has exposed the usernames and partial phone numbers of 4.6 million users of Snapchat, a popular photo- and video-sharing app. The breach was accomplished by exploiting a flaw that was previously brought to company's attention by security researchers. Last year, EPIC filed a complaint with the Federal Trade Commission regarding Snapchat's deceptive claim that photos would "disappear forever" after a set period of time. The Federal Trade Commission has thus far failed to take action on the EPIC complaint. For more information, see EPIC: Federal Trade Commission. (Jan. 2, 2014)
  • Senate Report Shines Light on How Data Brokers Operate +
    A Senate Committee Majority Staff report released today highlights the oft-concealed practices of Data Brokers. The report finds that data brokers lack transparency and collect sensitive personal information, while individuals lack basic rights to know what data is collected or how it is used. The brokers, the report notes, prevent business customers from revealing how data is obtained. The report also exposed how personal information is often used to target the financially vulnerable. Thus far, the data broker industry has largely escaped federal regulation. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. In 2005, EPIC's complaint to the FTC against data broker Choicepoint lead to a $10 million settlement. For more information, see EPIC: ChoicePoint and EPIC: Federal Trade Commission. (Dec. 18, 2013)
  • Lights Out for Flashlight App Developer in Privacy Case +
    The Federal Trade Commission announced a settlement with the developer of a flashlight app for Android mobile devices that deceptively collected and then disclosed consumers' personal information to third parties. "Brightest Flashlight Free" secretly collected location information and unique identifiers from users and then provided that information to third parties, including advertising networks. The developer even even included a dummy privacy setting that had no actual effect. The settlement prohibits the company from misrepresentations and requires it to obtain the affirmative express consent of consumers before using and disclosing personal information. Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, said the flashlight app left users "in the dark about how their information was going to be used." EPIC has previously commented on mobile privacy issues before the FTC, emphasizing the importance of the Fair Information Practices. For more information, see EPIC: Federal Trade Commission. (Dec. 5, 2013)
  • FTC Announces 2014 Privacy Workshops +
    The Federal Trade Commission has announced a series of workshops on emerging consumer privacy issues. The series will "shine a light on new trends in Big Data and their impact on consumer privacy" and includes three topics: the use of mobile devices to track users in real space; predictive scoring algorithms that determine access to products and offers; and consumer-generated health data that falls outside HIPAA. The FTC has invited comments from the public on the proposed topics for the spring workshops. The FTC recently concluded a workshop on the Internet of Things, for which EPIC submitted comments. EPIC has also urged the Commission to enforce its prior consent orders, to incorporate the Consumer Privacy Bill of Rights in privacy settlements, and to respect public comments on proposed settlements. For more information, see EPIC: Federal Trade Commission. (Dec. 2, 2013)
  • EPIC Files FOIA Request with FTC About Facebook Investigation +
    EPIC filed a Freedom of Information Act request with the Federal Trade Commission for documents concerning the FTC's recent "investigation" of Facebook's policy changes. The investigation concerned changes to Facebook’s Data Use Policy that permit the use of the names, images, and content of Facebook users for commercial endorsement without user consent. Following announcement of the proposed change, EPIC and several several privacy groups wrote to the FTC objecting to the changes as a violation of a 2011 consent order with Federal Trade Commission. Senator Markey also expressed concern about the policy changes. The Commission opened an investigation which was then quietly closed allowing Facebook to go forward with the changes. For more information, see EPIC: Federal Trade Commission and EPIC: FOIA. (Nov. 19, 2013)
  • Google Announces Plan to Post Names and Photos of Users for Advertising Without Consent, May Violate 2011 FTC Consent Order +
    Google announced changes to its Terms of Service that will allow “your Profile name, Profile photo, and actions you take on Google or on third-party applications” to be used in advertisements. The changes will not require Google to seek the affirmative consent of users before putting their personal information to commercial use. Minors, however, will not be subject to the changes. A 2011 Consent Order with the Federal Trade Commission prohibits Google from making misrepresentations and requires the company to obtain user consent before disclosing information to third parties. EPIC recently objected to similar practices by Facebook that would allow the company to routinely use the names, images, and content of Facebook users for commercial advertising without consent. For more information, see EPIC: Federal Trade Commission and EPIC: In re Google. (Oct. 11, 2013)
  • Facebook Removes Crucial Privacy Setting for Users’ Names +
    Facebook has begun removing a privacy setting that allowed users to opt-out from their name being included in its “Graph Search” feature. All users, even those who had previously decided to remove their name from searches, will now be included in Graph Search results. Facebook is currently under a 20 year consent decree from the FTC that requires express affirmative consent from users before disclosing personal information which exceeds the restrictions imposed by users' privacy settings. Facebook announced the change last year, at which point EPIC warned about the consequences of Facebook removing privacy settings for its users. In 2012, EPIC sent a letter to Facebook requesting a reversal of policy changes that automatically shared users’ private information. For more information, see EPIC: Facebook and EPIC: In re Facebook. (Oct. 11, 2013)
  • Consumer Privacy Groups Ask Congress to End Secret Hearings on Data Industry +
    EPIC, joined by a coalition of consumer privacy groups, has asked the House of Representatives Privacy Task Force to open to the public meetings that are now taking place in secret in the hearing rooms of Congress. "We recognize that there is value in private meetings among Members and staff and with constituents," the group wrote, but said that "with public matters of common concern" meetings should be held "in the open, a public record should be created, and various viewpoints should be heard." The groups thanked Representatives Blackburn and Welch for examining "the enormously important issue of consumer privacy" but said “there is simply no reason for your task force to hold closed-door sessions." Last year, both the White House and the Federal Trade Commission recommended enactment of consumer privacy legislation. (Oct. 2, 2013)
  • Pressure Mounts on Facebook to Withdraw Proposed Changes, New Scrutiny of "Faceprints" +
    Facebook is under increasing pressure to withdraw proposed changes that would allow the company to use the names, images, and content of Facebook users for advertising without consent. After EPIC and several privacy groups wrote to the Federal Trade Commission that the changes would violate a 2011 Consent Order, the Commission has opened an investigation. Senator Ed Markey also wrote to the FTC, stating that Facebook's changes "raise[] a number of questions about whether Facebook is improperly altering its privacy policy without proper user consent and, if the changes go into effect, the degree to which Facebook users will lose control over their personal information." Senator Al Franken has called on Facebook to reconsider expansion of its facial recognition activity. In a letter to Mark Zuckerberg, Senator Franken asked "How many face prints does Facebook have?" For more information, see EPIC: EPIC: Federal Trade Commission and EPIC: Facebook Privacy. (Sep. 13, 2013)
  • EPIC, Privacy Groups, Urge FTC to Block Facebook Policy Changes +
    EPIC, joined by several leading privacy and consumer protection organizations, has called on the Federal Trade Commission to enforce the terms of a 2011 settlement with Facebook. Facebook recently announced changes that would allow the company to routinely use the names, images, and content of Facebook users for commercial advertising without consent. The changes arise from a flawed class action settlement over Facebook’s Sponsored Stories program. In the letter, the privacy groups explain that Facebook’s changes violate the terms of a 2011 settlement with the FTC. For more information, see EPIC: Federal Trade Commission and EPIC: Facebook Privacy. (Sep. 5, 2013)
  • EPIC Asks FTC To Investigate "Magna Carta" App +
    EPIC filed a complaint with the Federal Trade Commission against Samsung, the publisher of a mobile app for Jay-Z's new album "Magna Carta Holy Grail." The Magna Carta App collects massive amounts of personal information from users, including location data and data pulled from other accounts and other apps on the users phones. The Magna Carta app also includes hidden spam techniques that force users to promote the album. Well known music critic John Pareles wrote "Jay-Z Is Watching, and He Knows Your Friends." EPIC asked the Commission to require Samsung to suspend the distribution of the app until the privacy problems are fixed and to implement the privacy protections contained in the Consumer Privacy Bill of Rights. Previously, EPIC filed an FTC complaint against Snapchat, the publisher of a mobile app that falsely claimed to delete photos and videos "forever." For more information, see EPIC: Federal Trade Commission and EPIC: Samsung "JAY-Z Magna Carta" App. (Jul. 14, 2013)
  • EU Officials Recommend Do Not Track by Default +
    The International Working Group on Data Protection released a white paper on online behavioral advertising. The group of leading privacy experts from around the world noted that web tracking allows companies to "monitor every single aspect of the behavior of an identified user across websites." The Working Group also observed that the current efforts of the W3C to develop a DNT track standard could "remain a sugar pill instead of being a proper cure and would such be useless." The Working Group recommended "the default setting should be such that the user is not tracked" and that there be no invisible tracking of users. Senator Rockefeller, the Commerce Committee Chairman, has introduced legislation to regulate the commercial surveillance of consumers online. For more information, see EPIC: Online Tracking and Behavioral Advertising and EPIC: Federal Trade Commission. (Jun. 28, 2013)
  • Google Bans Facial Recognition Glass Apps +
    Google announced that it will not approve any facial recognition apps for Google Glass, pending the development of privacy safeguards. "[W]e won't add facial recognition features to our products without having strong privacy protections in place," the company said in a blog post. In comments on facial recognition to the Federal Trade Commission last year, EPIC recommended that the Federal Trade Commission enforce Fair Information Practices against commercial actors when collecting, using, or storing facial recognition data. "In the absence of guidelines and legal standards, EPIC recommends a moratorium on the commercial deployment of facial recognition techniques," EPIC wrote to the FTC in early 2012. For more information, see EPIC: Facial Recognition and EPIC: Federal Trade Commission. (Jun. 3, 2013)
  • EPIC Submits Comments on the "Internet of Things" +
    EPIC has submitted comments to the Federal Trade Commission in advance of a workshop on the Internet of Things. The "Internet of Things" refers to the growing capacity of devices to communicate via the Internet. EPIC’s comments listed several privacy and security risks posed by the Internet of Things, such as the collection of data about sensitive behavior patterns and an increase in the power imbalance between consumers and service providers. EPIC then made several recommendations, such as requiring companies to adopt Privacy Enhancing Techniques, respect a consumer’s choice not to tracked, profiled, or monitored, minimize data collection, and ensure transparency in both design and operation of Internet-connected devices. For more information see EPIC: Federal Trade Commission. (Jun. 3, 2013)
  • FTC Opens Investigation into Google Advertising Dominance +
    The Federal Trade Commission has reportedly opened a new antitrust investigation into Google’s display advertising business. The Commission is investigating whether Google used its dominant position in the display advertising market, following the acquisition of Doubleclick, to harm competition. EPIC previously opposed Google's acquisition of online advertiser Doubleclick, which was approved by the FTC over the objection of former FTC Commissioner Pamela Harbor. EPIC later testified before the Antitrust committee on Google's growing dominance of essential Internet services. Earlier this year, the Commission closed an antitrust investigation into Google’s search practices. For more information, see EPIC: Federal trade Commission and EPIC: Google/DoubleClick. (May. 29, 2013)
  • EPIC Asks FTC to Investigate Snapchat +
    EPIC filed a complaint with the Federal Trade Commission against Snapchat, the publisher of a mobile app that encourages user to share intimate photos and videos. The company represents that users can make photos and videos "disappear forever." In fact, the photos can be retrieved by others after they should have vanished. The EPIC complaint implicates Privacy Enhancing Technologies, which if properly implemented would minimize or eliminate the collection of personally identifiable information. The FTC described similar methods in a 2012 privacy report. Previously, EPIC filed a complaint at the FTC against AskEraser, which falsely represented that search queries would be deleted when in fact they were retained by the company and made available to law enforcement agencies. For more information, see EPIC: Federal Trade Commission. (May. 17, 2013)
  • FTC Rejects Industry Effort to Delay Children’s Privacy Rules +
    The Federal Trade Commission has rejected an effort by several trade groups to delay implementation of the Children’s Online Privacy Protection Act Rule, currently scheduled to take effect on July 1. In voting unanimously to retain the date, the FTC noted that it had given covered entities at least 6 months to prepare for the Rule and that industry had "not raised any concrete facts to demonstrate that a delay is necessary." The new Rule expands the definition of personal information to include geolocation information and persistent identifiers (or cookies), and prevents third-party advertisers from secretly collecting children's personal information without parental consent for behavioral advertising purposes. EPIC joined a coalition of consumer, privacy, and children's advocates in urging the FTC to keep the original implementation date. EPIC also commented in support of both the proposed rule, and a revised version introduced in August 2012. The revised rule follows a report by the FTC finding that many child-directed mobile apps did not disclose their data practices. For more information, see EPIC: FTC and EPIC: Children's Online Privacy. (May. 6, 2013)
  • EPIC Pursues Public Release of Facebook and MySpace Privacy Reports +
    EPIC has submitted Freedom of Information Act requests for the release of the privacy assessments of Facebook and MySpace submitted to the Federal Trade Commission. As a result of privacy violations, both companies are required to implement comprehensive privacy programs and submit to independent, biennial evaluations for 20 years. Previously, EPIC obtained a copy of Google's initial privacy assessment that redacted information about the standards by which the assessment was completed, the test procedures used to assess the effectiveness of Google's privacy controls, the procedures Google uses to identify privacy risks, and the types of personal data Google collects from users. The FTC settlements with Facebook and Google arose from complaints brought by EPIC and other consumer organizations. In comments to the agency on the proposed settlements, EPIC recommended that the privacy assessments be publicly available. For more information, see EPIC: Federal Trade Commission and EPIC: Open Government. (Apr. 26, 2013)
  • Consumer Groups Oppose Delay for New Children’s Privacy Rules +
    A group of consumer, privacy, and children's advocates wrote to the Federal Trade Commission to oppose an industry effort to delay implementation of the new Children's Online Privacy Protection Act rule. The groups noted that two-and-a-half years have passed since the Commission proposed the updates to COPPA. They said there was no "compelling reason for giving the industry more time to comply with the law." The new Rule expands the definition of personal information to include geolocation information and persistent identifiers (or cookies), and prevents third-party advertisers from secretly collecting children's personal information without parental consent for advertising purposes. EPIC previously commented in support of the proposed rule and a revised version. The new safeguards follow a report by the FTC finding that many child-directed mobile apps conceal their data collection practices. For more information, see EPIC: FTC and EPIC: Children’s Online Privacy. (Apr. 23, 2013)
  • FTC Releases 2013 Report +
    The Federal Trade Commission has released its annual report for the period from April 2012-2013. The report begins with a description of the FTC’s accomplishments on consumer privacy, and lists the data-breach lawsuit against Wyndham, Google’s $22.5 million fine for tracking Safari users, settlements with the data brokers Equifax and Spokeo, and a survey of the credit reporting industry. EPIC has previously recommended that the FTC enforce its consent orders with Google and Facebook, require adoption of the Consumer Privacy Bill of Rights, and modify proposed settlements in response to public comment. For more information, see EPIC: Federal Trade Commission. (Apr. 16, 2013)
  • EPIC Comments on FTC's FOIA Procedures +
    EPIC has submitted comments to the Federal Trade Commission, supporting several of the agency's changes to its FOIA regulations. EPIC applauded the agency for reducing fees for requesters. EPIC also urged the Committee to: (1) update its definition for news media representative; (2) clarify which documents are public information and ensure that hyperlinks to those records work properly; (3) disclose private sector contract rates for FOIA processing; (4) refrain from prematurely closing FOIA requests; and (5) adopt alternative dispute resolution or arbitration when resolving delinquent FOIA fees. EPIC routinely comments on agency proposals that impact the rights of FOIA requesters. Last year, EPIC submitted extensive comments to theDepartment of Defense, warning the agency not to erect new obstacles for FOIA requesters. For more information, see EPIC: Open Government. (Apr. 4, 2013)
  • EU Takes Action Against Google for Privacy Policy Meltdown +
    Data protection agencies in six European countries have announced enforcement actions against Google. The agencies acted after Google ignored recommendations to comply with European data protection law. "It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation," the French data protection authority said. The enforcement action follows from Google's March 2012 decision to combine user data across 60 Internet services to create detailed profiles on Internet users. Last year, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google that would have prohibited Google's changes in business practices. Google's revised privacy policies also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order. (Apr. 2, 2013)
  • EPIC, Consumer Privacy Groups Call on FTC Chair to Appoint Consumer Advocate for Key Office +
    Over thirty privacy and consumer groups wrote to the FTC Chair Edith Ramirez, urging her to appoint a Director of the Bureau of Consumer Protection who is "independent of industry" and has a "well-established consumer rights and public interest background." The letter comes after the departure of former director David Vladeck. EPIC has also urged the Commission to require compliance with the Consumer Privacy Bill of Rights for companies that violate consumer privacy. For more information, see EPIC: Federal Trade Commission. (Mar. 19, 2013)
  • FTC Approves Final Settlement over Consumer Tracking, Fails to Enforce FIPs or Suggest Best Practices for Anonymization +
    The Federal Trade Commission adopted a proposed settlement with Compete, Inc., over allegations that Compete failed to adopt reasonable data security practices and deceived consumers about the amount of personal information that its toolbar and survey panel would collect. The FTC also charged Compete with deceptive practices for falsely claiming that the data it kept was anonymous. The settlement requires Compete to obtain consumers' express consent before collecting any data through its software, to delete personal information already collected, and to provide directions for uninstalling its software. In comments to the agency, EPIC recommended that the FTC also require the Compete to implement Fair Information Practices similar to those contained in the Consumer Privacy Bill of Rights, and develop a best practices guide to de-identification techniques. The FTC declined to adopt EPIC’s recommendations, stating that it "does not provide specific technical guidance in areas like [anonymization], which are constantly changing," and "may not impose additional obligations that are not reasonably related to such conduct or preventing its recurrence." For more information, see EPIC: Federal Trade Commission and EPIC: Re-Identification. (Feb. 26, 2013)
  • FTC Reaches Settlement with Mobile App Path over Privacy Violations +
    The Federal Trade Commission announced a settlement with the social networking app Path over charges that the app secretly collected information from mobile users' address books without their consent. The FTC also fined the company $800,000 for violating the Children's Online Privacy Protection Act, which prohibits the collection of personal information from a children without obtaining parental consent. The consent order requires Path to implement a comprehensive privacy program and to submit to independent privacy assessments for the next 20 years. The FTC has released a series of reports documenting privacy problems with mobile apps that collect the personal information of children. Recently, EPIC submitted comments supporting the FTC’s proposed improvements to the children’s online privacy rule, which the agency ended up adopting. For more information, see EPIC: FTC and EPIC: Children's Online Privacy. (Feb. 1, 2013)
  • FTC Denies White House Involvement in Decision to Close Google Investigation +
    In response to a FOIA request filed by EPIC, the Federal Trade Commission has stated that there are no records of "communications . . . between the White House and the FTC regarding the Commission's antitrust inquiry into Google." In a closely watched proceeding, the Federal Trade Commission announced in early January that it had closed an antitrust inquiry into Google's business practices. EPIC has previously expressed concern about anticompetitive practices by Internet firms. In 2000, EPIC filed a complaint with the Federal TradeCommission regarding the proposed merger of Doubleclick, an Internet advertising company and Abacus, a catalog database firm. In 2007, EPIC opposed Google's acquisition of DoubleClick, which was approved by the FTC over the objection of former FTC Commissioner Pamela Harbor. In 2011, EPIC wrote to the FTC about Google's use of YouTube search rankings to give preferential treatment to its proprietary content over non-Google content. EPIC has also testified before the Senate Judiciary Committee regarding growing market concentration of essential Internet services. For more information, see EPIC: Open Government and EPIC: Federal Trade Commission. (Jan. 18, 2013)
  • FTC Closes Investigation into Google Search Bias +
    The Federal Trade Commission announced that it had concluded its investigation into allegedly anticompetitive practices by Google. The Commission reached a settlement with Google that would give competitors access to patents necessary to make smart phones, laptops, and other devices, and Google voluntarily agreed to stop borrowing others' content for use in its own services. On the issue of search bias, however, the Commission decided to close the investigation without taking action. Despite finding some evidence that changes to the company's search algorithm harmed competitors, the Commission said that these changes "could be plausibly justified as innovations that improved Google's product and the experience of its users." In 2011, EPIC wrote to the Commission about Google's use of Youtube search rankings to give preferential treatment to its own video content over non-Google content. EPIC had also opposed Google's acquisition of online advertiser Doubleclick, which was approved by the FTC over the objection of former FTC Commissioner Pamela Harbor. EPIC later testified before the Antitrust committee on Google's growing dominance of essential Internet services. For more information, see EPIC: Federal Trade Commission and EPIC: Google/DoubleClick. (Jan. 3, 2013)
  • FTC Releases Updated Children’s Online Privacy Rule +
    The Federal Trade Commission has updated the Children's Online Privacy Protection Act. The new Rule expands the definition of personal information to include geolocation information and persistent identifiers (or "cookies)", and prevents third-party advertisers from secretly collecting children’s personal information without parental consent for behavioral advertising purposes. EPIC supported the changes and responded to criticisms from industry groups. In 2010, EPIC testified before the United States Senate that the 1998 law was critical to protect the privacy of children but that updates were also essential in light of new business practices, the emergence of social networks, smartphone apps. A subsequent FTC report found that many child-directed mobile apps lack adequate privacy safeguards. For more information, see EPIC: FTC and EPIC: Children's Online Privacy. (Dec. 19, 2012)
  • FTC Pursues Investigation of Data Brokers +
    The Federal Trade Commission has issued orders requiring nine data brokerage companies to provide the agency with information about how they collect and use data about consumers. The agency said it will use the information to study privacy practices in the data broker industry. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. In 2005, EPIC brought a complaint to the FTC against the data broker Choicepoint that produced a $10 million settlement, then the largest in the FTC's history for a violation of federal privacy law. For more information, see EPIC: ChoicePoint and EPIC: Federal Trade Commission. (Dec. 19, 2012)
  • Instagram Privacy Change Raises Legal Questions +
    Instagram recently announced several changes to the terms of service that will allow the company to use pictures in advertisements without notifying or compensating users, and to disclose user data to Facebook and to advertisers. Instagram also proposed that the parents of minors implicitly consent to the use of their childrens' images for advertising purposes. The changes The changes will take effect January 16, 2013, and will not apply to pictures uploaded before that date. Instagram’s parent company, Facebook, is under a 2011 consent order with the Federal Trade Commission that that prohibits the company from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users’ personal information. Using an individual’s name or likeness for commercial purposes without consent is also prohibited in most states. EPIC had recently urged Facebook users to vote for "Existing Documents," warning that under the changed terms of service, Facebook would loosen privacy controls and that would impact Instagram. For more information, see EPIC: Facebook and EPIC: FTC. (Dec. 18, 2012)
  • FTC Report Finds Privacy Problems for Children’s Mobile Apps +
    A report by the Federal Trade Commission found little progress on transparency for child-directed mobile applications. The FTC surveyed apps from Google Play and Apple App stores and concluded that "many apps included interactive features or shared kids' information with third parties without disclosing these practices to parents." The report commits the FTC to another review of the app marketplace and indicates that the agency has launched "multiple non-public" investigations to determine whether certain apps had engaged in unfair and deceptive trade practices or violated the Children’s Online Privacy Protection Act. The FTC recently proposed revisions to the COPPA Rule, which EPIC supported. For more information, see EPIC: Children’s Online Privacy and EPIC: Federal Trade Commission. (Dec. 10, 2012)
  • EPIC: Hearing on FTC Nominee Should Address FTC's Settlement Process for Privacy Violations +
    In a letter to the Senate Commerce Committee, EPIC has recommended that Congress require the Federal Trade Commission to consider more carefully the public's views on proposed privacy settlements. EPIC also recommended that the FTC require compliance with the Consumer Privacy Bill of Rights for companies that violate consumer privacy. The Committee is holding a hearing on the nomination of Joshua Wright to the FTC. The letter states that EPIC takes no position on the nomination of Dr. Wright, but encourages Congress to take the opportunity to explore the Commission's response to growing public concerns about privacy. EPIC routinely submits comments to the FTC on proposed consent orders, most recently on the Compete, Inc. settlement. EPIC has also recommended that the FTC promote the Consumer Privacy Bill of Rights in privacy settlements. For more information, see EPIC: Federal Trade Commission. (Dec. 4, 2012)
  • Privacy Groups Ask Facebook to Withdraw Proposed Changes +
    EPIC, along with the Center for Digital Democracy, has asked Facebook to withdraw proposed changes that will impact the privacy of users and their ability to participate in site governance. Facebook recently proposed to end the voting part of the site governance process, restrict users' ability to prevent unwanted messages, and combine personal information from Facebook with Instagram. In the letter, the groups say "[b]ecause these proposed changes raise privacy risks for users, may be contrary to law, and violate your previous commitments to users about site governance, we urge you to withdraw the proposed changes." Facebook users may also comment directly on the proposed changes. Facebook is subject to the terms of a recent settlement with the Federal Trade Commission that prohibits the company from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook. (Nov. 26, 2012)
  • Pew Survey Finds Most Parents Concerned About Children's Online Privacy +
    A new report from the Pew Research Center and the Berkman Center for Internet & Society finds that 81% of parents are concerned about how much information advertisers can learn about their child's online behavior. Also, 69% of parents of online teens are concerned about how their child’s online activity might affect their future academic or employment opportunities. And 63% of parents of teens ages 12-13 say they are "very" concerned about their child's interactions with people they do not know online. Many parents reported taking steps to address these risks, such as talking to their children or helping them configure privacy settings. The Federal Trade Commission is considering new privacy rules to strengthen the Children’s Online Privacy Protection Act. EPIC strongly supports the proposed changes. For more information, see EPIC: Children's Online Privacy and EPIC: Federal Trade Commission. (Nov. 21, 2012)
  • FTC Releases 2012 Performance Report +
    The Federal Trade Commission has released its performance and accountability report for 2012. The report summarizes the agency’s activities, shows how the agency has managed its resources, and explains how it plans to address future changes. Regarding consumer privacy, the agency cites the release of a new privacy report, the adoption of a consent order with Facebook, and a $22.5 million fine against Google as its primary accomplishments . The Commission reported that it acted on 90.6% of all consumer complaints that it received, though it did not indicate how many of these actions concerned consumer privacy. The agency’s goals for the coming year include “promot[ing] stronger privacy protections through policy initiatives on a range of topics such as data brokers, mobile devices, and comprehensive online data collection.” Earlier this year, EPIC brought suit against the Federal Trade Commission for its failure to enforce a 2011 consent order. EPIC has also routinely urged the FTC to take account of public comments when the agencies sets out proposed settlements and asks for public comments. For more information, see EPIC: Federal Trade Commission and EPIC: EPIC v. FTC (Enforcement of Google Consent Order). (Nov. 20, 2012)
  • EPIC Submits Comments to FTC on Consumer Tracking Settlement +
    EPIC submitted comments to the Federal Trade Commission on a recent settlement with Compete, Inc. The settlement arises from allegations that Compete failed to adopt reasonable data security practices and deceived consumers about the amount of personal information that its toolbar and survey panel would collect. The FTC also charged Compete with deceptive practices for falsely claiming that the data it kept was anonymous. The proposed settlement requires Compete to obtain consumers’ express consent before collecting any data through its software, to delete personal information already collected, and to provide directions for uninstalling its software. EPIC expressed support for the settlement, but recommended that the FTC also require the Compete to implement Fair Information Practices similar to the Consumer Privacy Bill of Rights, make the compliance reports publicly available, and develop a best practices guide to de-identification techniques, as anonymization has become more critical for online privacy. For more information, see EPIC: Federal Trade Commission and EPIC: Re-Identification. (Nov. 20, 2012)
  • Senate Reauthorizes SAFE WEB Act +
    The Senate has approved a House bill to reauthorize the SAFE WEB Act. The SAFE WEB Act gives the Federal Trade Commission additional tools to combat cross-border fraud, spam, and spyware. EPIC previously testified before both the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science and Transportation on the SAFE WEB Act. EPIC said that it supported legislation that safeguards privacy and ensures government oversight while enabling the FTC to work more closely with consumer protection agencies in other countries. For more information, see EPIC: Federal Trade Commission. (Nov. 15, 2012)
  • Lawmakers Gain "Partial Glimpse" into Data Brokers' Business Practices +
    Members of the Congressional Bi-Partisan Privacy Caucus released the responses of several data brokers to an inquiry into their business practices. Data brokers collect and sell the personal information of consumers to third parties, typically without the knowledge of the consumers themselves. The lawmakers reported that most of the companies did not consider themselves "data brokers," and that "[m]any questions about how these data brokers operate have been left unanswered, particularly how they analyze personal information to categorize and rate consumers." The Federal Trade Commission recently called for data-broke legislation in a report on consumer privacy. In 2005, EPIC brought a complaint against the data broker Choicepoint that produced a $10 million settlement, the largest in the FTC's history for a violation of federal privacy law. For more information, see EPIC: ChoicePoint and EPIC: Federal Trade Commission. (Nov. 8, 2012)
  • EPIC Comments on FTC Rent-to-Own Computer Spying Settlement +
    EPIC has submitted comments on a series of settlements between the Federal Trade Commission and companies that offered computers on a rent-to-own basis, typically to low-income consumers. The companies installed surveillance technology that secretly recorded keystrokes, location information, screenshots, and even took webcam photos. The settlements prohibit the companies from deceptively collecting information from consumers or collecting location information without consent, and require them to destroy the illegally-gathered data. EPIC expressed support for the settlements, and also recommended that the FTC also require the companies to implement Fair Information Practices similar to the Consumer Privacy Bill of Rights; make the compliance reports publicly available, and hold a workshop on privacy and inequality. EPIC routinely comments on the FTC's proposed settlements concerning consumer privacy. For more information, see EPIC: Federal Trade Commission. (Oct. 26, 2012)
  • Federal Trade Commission Proposes "Best Practices" for Facial Recognition Technology +
    The Federal Trade Commission has released a report recommending practices that businesses using facial recognition technology should follow in order to protect the privacy and security of consumers. The report noted that facial recognition techniques range from simple face detection to the identification of previously anonymous individuals. The FTC recommended several practices for all businesses, such as privacy by design, data deletion, and security standards. In services involving facial recognition to identify individuals, the FTC recommended that companies obtain the affirmative express consent of consumers, and in certain sensitive locations, such as health care facilities, the FTC said that the technology should not be used at all. In earlier comments to the Commission, EPIC recommended a moratorium on the use of facial recognition until adequate privacy safeguards are developed. A similar recommendation is found in the Madrid Privacy Declaration, which is endorsed by more than 100 civil society organizations worldwide. Facebook has ended the use of facial recognition in the European Union and suspended use in the United States. For more information, see EPIC: Face Recognition and EPIC: Federal Trade Commission. (Oct. 22, 2012)
  • Verizon Begins Invasive Marketing Program +
    Verizon has begun selling the personal information of Verizon users, including location information and web browsing activity. The collection of content information implicates federal wiretapping law, although some have suggested that Verizon escapes liability by allowing users to opt-out. EPIC previously filed a complaint with the Federal Trade Commission regarding Verizon’s business practices, which EPIC described as “unfair and deceptive, contrary to the privacy and security interests of Verizon Wireless customers, and actionable by the Federal Trade Commission.” For more information, see EPIC: Federal Trade Commission, and EPIC: Electronic Communications Privacy Act. (Oct. 22, 2012)
  • FTC Holds "Robocall Summit" +
    A Federal Trade Commission workshop on automated telephone calls focused on the legal and technical aspects of robocalls, including the current state of telephonic technology, call authentication technology, and call blocking technology. The Federal Communications Commission recently established new penalties for Caller ID "spoofing," the practice of faking caller ID information. In comments to the FCC and testimony before Congress, EPIC recommended, and Congress and the FCC agreed, that intent to do harm is necessary in order to trigger the penalties, because spoofing can also be used to maintain anonymity, and to protect, for example, victims of domestic violence. For more information, see EPIC: FTC and EPIC: Caller ID. (Oct. 18, 2012)
  • EPIC FOIA Uncovers Google’s Privacy Assessment +
    Through a Freedom of Information Act request to the Federal Trade Commission, EPIC has obtained Google's initial privacy assessment. The assessment was required by a settlement between Google and the FTC that followed from a 2010 complaint filed by EPIC over Google Buzz. The FTC has withheld from public disclosure information about the audit process, procedures to assess privacy controls, techniques to identify privacy risks, and the types of personal data Google collects from users. EPIC intends to challenge the agency withholdings. For more information, see EPIC: Federal Trade Commission, EPIC: Google Buzz, and EPIC: Open Government. (Sep. 28, 2012)
  • Consumer Groups Ask FTC to Investigate Facebook-Datalogix Data-Matching Arrangement +
    EPIC, joined by the Center for Digital Democracy, has asked the Federal Trade Commission to investigate whether Facebook's data-matching arrangement with Datalogix violates a settlement between the FTC and Facebook. Facebook is matching the personal information of users with personal information held by Datalogix. The settlement, adopted in August, prohibits Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users’ personal information. EPIC had previously asked the FTC to determine whether "Timeline," which made archived user data widely available, or biometric tagging of user photos violated the terms of the consent order. The FTC has not made a determination on the EPIC Timeline request, and Facebook has suspended facial recognition in the US. For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Datalogix. (Sep. 27, 2012)
  • EPIC Supports New Children’s Privacy Rule +
    EPIC submitted comments on the Federal Trade Commission's revisions to the proposed Children’s Online Privacy Protection Act Rule. EPIC said that it supported the new definitions of "operator" and "website or online service directed to children," which hold child-directed websites and third-party services responsible for the collection of children’s personal information, but asked the FTC to monitor age-screening and to clarify the scope of a provision on using persistent identifiers, such as "cookies." EPIC supported the original FTC rule in September 2011, noting that the proposed revisions take "account of the increased use of mobile devices by users and new data collection practices by businesses." For more information, see EPIC: Children's Online Privacy Protection Act and EPIC: Federal Trade Commission. (Sep. 27, 2012)
  • Facebook Ceases Facial Recognition in European Union +
    The Irish Data Protection Commissioner issued a report finding that Facebook has implemented many of the Commissioner’s recommendations, such as halting the automatic use of facial recognition through "tag suggestions." Facebook has agreed to give users the choice over the use of facial recognition, to grant users access to their facial recognition template, and to delete the facial recognition data of EU citizens by October 15. The report also found that Facebook had implemented recommendations for improving transparency, enhancing the ability for users to delete data, and allowing users to access their data. On recommendations concerning user education, data deletion, and as targeting based on sensitive terms, the report found that "full implementation has not yet been achieved but is planned to be achieved by a specific deadline." The Federal Trade Commission recently adopted a proposed settlement with Facebook that prohibits Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In November 2011, EPIC recommended that the FTC prevent Facebook from creating facial recognition profiles without users' consent. In February 2012. EPIC recommended "the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established." For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Facial Recognition. (Sep. 21, 2012)
  • FTC Finalizes Settlement with Myspace +
    The Federal Trade Commission has finalized the terms of a settlement with Myspace. The settlement follows from allegations that Myspace allowed advertisers to access personally-identifying information after promising to keep such information private. The settlement requires Myspace to implement a comprehensive privacy program, submit to independent audits, and refrain from privacy misrepresentations. EPIC commented on the settlement, recommending that the FTC make the settlement at least as protective as a previous settlement with Facebook. Additionally, EPIC said, the FTC should require Myspace to implement practices consistent with the White House’s Consumer Privacy Bill of Rights. In response to EPIC’s comments, the FTC decided to accept the proposed settlement without modification but said that “the privacy program mandated under the consent order will require Myspace to address many of the consumer protections discussed in your comment.” For more information, see EPIC: Federal Trade Commission and EPIC: Social Networking Privacy. (Sep. 11, 2012)
  • FTC Finalizes Settlement with Facebook +
    The Federal Trade Commission has finalized the terms of a settlement with Facebook first announced in November of 2011. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In comments filed with the FTC, EPIC recommended strengthening the settlement by requiring Facebook to restore the privacy settings users had in 2009; giving users access to all of the data that Facebook keeps about them; preventing Facebook from creating facial recognition profiles without users’ consent; and publicizing the results of the government privacy audits. Although the FTC decided to adopt the settlement without any modifications, in a response to EPIC, the Commission said that facial recognition data is included within the settlement's definition of "covered information," that the audits would be publicly available to the extent permitted by law, and that the terms of the settlement "are broad enough to address misconduct beyond that expressly challenged in the complaint." Commissioner Rosch dissented from the final settlement, citing concerns that the provisions might not adequately cover deceptive statements made by Facebook apps. For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission. (Aug. 10, 2012)
  • FTC Proposes Additional Changes to Children’s Online Privacy Rule +
    The Federal Trade Commission proposed additional changes to the Children's Online Privacy Protection Act Rule. The revised rule would clarify that operators of websites who choose to use advertising services and plug-ins that collect data about children would have to comply with COPPA. The rule would also allow mixed-audience websites to age-screen visitors, and would clarify the circumstances in which persistent identifiers such as cookies or IP addresses are considered "personal information." The revisions modify an earlier rule that was proposed by the FTC in September 2011. EPIC commented on the September 2011 rule, noting that "the proposed revisions update the COPPA Rule by taking better account of the increased use of mobile devices by users and of new data collection practices by businesses." For more information, see EPIC: Children's Online Privacy Protection Act and EPIC: Federal Trade Commission. (Aug. 1, 2012)
  • EPIC Urges FTC to Develop Meaningful Privacy Protections for Mobile Services +
    EPIC has submitted comments to the Federal Trade Commission concerning "Advertising and Privacy Disclosures in a Digital World". The FTC is currently exploring ways businesses could improve privacy notices for mobile devices. EPIC pointed out that many of the techniques, such as privacy icons, suffer from the same problems as traditional privacy notices. EPIC recommended that the FTC focus instead on substantive privacy protections, such as those found in the federal Privacy Act, sectoral privacy laws, and the Consumer Privacy Bill of Rights, proposed by the White House. An earlier FTC report called for new privacy legislation and an FTC investigation documented privacy problems with mobile applications for children. For more information, see EPIC: Federal Trade Commission. (Jul. 11, 2012)
  • EPIC Calls On FTC to Investigate Facebook Email Changes +
    EPIC has asked the Federal Trade Commission to review Facebook's decision to change the default email address of Facebook users. The company recently removed email addresses, selected by users, with a @facebook.com address assigned by Facebook. EPIC asked the FTC to review this practice as it finalizes the terms of a settlement with Facebook. "Facebook's willingness to disregard user choice . . . raise[s] important questions about the company's ability to comply with the terms of the proposed Consent Order," EPIC wrote. EPIC also said that the change is a deceptive business practice because Facebook did not tell users that their preferred email address could be removed by the company. And EPIC noted that the change would result in user email being sent to Facebook's servers that would otherwise have gone to the user's email service. The FTC's settlement with Facebook follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. The settlement would bar Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (Jun. 27, 2012)
  • Spokeo to Pay $800, 000 to Trade Commission to Settle Privacy Violations +
    The data broker Spokeo agreed to pay $800,000 to settle a complaint filed by the Federal Trade Commission that the company marketed its data profiles to employers in violation of federal privacy law. The FTC alleges that Spokeo violated the Fair Credit Reporting Act by failing to ensure that its information was accurate, failing to ensure that it would be used only for legally permissible purposes, and failing to tell users if adverse decisions were made based on the information. The FTC also alleged that Spokeo created its own endorsements on news and technology websites and represented them as independent endorsements. The FTC's settlement bans Spokeo from future FCRA violations and misrepresentations. In 2004, EPIC successfully urged the FTC to investigate the compilation and sale of personal dossiers by the data broker ChoicePoint. That investigation produced a $10 m settlement, the largest in the FTC's history for a violation of federal privacy law. For more information, see EPIC: Federal Trade Commission and EPIC: Choicepoint. (Jun. 12, 2012)
  • EPIC Urges FTC to Protect Privacy of Myspace Users +
    EPIC submitted comments to the Federal Trade Commission on a proposed settlement with Myspace. The settlement follows from allegations that Myspace allowed advertisers to access personally-identifying information after promising to keep such information private. The settlement requires Myspace to implement a comprehensive privacy program, submit to independent audits, and refrain from privacy misrepresentations. EPIC expressed support for the settlement in general, but recommended that the FTC make the settlement at least as protective as a previous settlement with Facebook. Additionally, EPIC said, the FTC should require Myspace to implement practices consistent with the White House's Consumer Privacy Bill of Rights. For more information, see EPIC: Federal Trade Commission and EPIC: Social Networking Privacy. (Jun. 8, 2012)
  • Facebook Users Force Vote on Privacy Changes +
    Facebook users have registered enough comments on Facebook's proposed privacy changes to force a vote on the issue. A provision in Facebook’s Statement of Rights and Responsibilities states that Facebook will allow users to vote on proposed alternatives if more than 7,000 users comment on a proposed change. The vote is binding if "more than 30 percent of all active registered users as of the date of the notice vote." Facebook's Data Use Policy accumulated 10,500 comments in English. The group Europe v. Facebook generated 30,000 comments on the German version of the page. The FTC recently issued a proposed settlement with Facebook that follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (May. 22, 2012)
  • EPIC Calls on FTC to Develop Substantive Privacy Protections at Workshop on Mobile Advertising +
    EPIC submitted comments to the Federal Trade Commission for the May 30 workshop on mobile advertising disclosures. EPIC recommended that the agency focus on the development of substantive privacy protections, such as the Consumer Privacy Bill of Rights announced by the President earlier this year, for mobile services. EPIC also recommended that the workshop address a series of problems with the "notice and consent" approach, as well as the merits of innovative, nonverbal approaches proposed by privacy scholars. The workshop follows an FTC report calling for privacy legislation and an investigation that documented privacy problems with mobile applications for children. For more information, see EPIC: Federal Trade Commission. (May. 11, 2012)
  • Myspace Settles With FTC Over Deceptive Practices Complaint +
    The Federal Trade Commission has reached a settlement with the social networking service Myspace over charges that Myspace allowed advertisers to access personally-identifying information after promising to keep such information private. Advertisers were able to access the unique "Friend ID" of users and link this identifier to other personal information. The settlement requires Myspace to implement a comprehensive privacy program, submit to independent audits, and refrain from privacy misrepresentations. For more information, see EPIC: Federal Trade Commission and EPIC: Social Networking Privacy. (May. 8, 2012)
  • FTC Announces $30 Million Penalty Against Deceptive Robocallers +
    The Federal Trade Commission announced that a federal judge has ordered the defendants behind a deceptive robocall scheme to pay a $30 million civil penalty and surrender more than $1.1 million in ill-gotten gains. The scheme promised "cash grants" to individuals—many of whom were on the Do No Call Registry--but merely referred them to grant-related websites that charged a fee for providing general information about obtaining grants from private sources. The FTC determined that the robocalls violated the FTC Act and the Telemarketing Sales Rule. For more information, see EPIC: Federal Trade Commission and EPIC: Telephone Consumer Protection Act. (Apr. 2, 2012)
  • FTC Announces Settlement with RockYou Over Security Flaws, COPPA Violations +
    The Federal Trade Commission announced a settlement with the social game site RockYou over charges that the site's poor security allowed hackers to access the personal information of 32 million users. The FTC also alleged that RockYou violated the Children's Online Privacy Protection Act Rule by knowingly collecting approximately 179,000 children's email addresses and associated passwords without the consent of their parents. The settlement prohibits future deceptive claims by the company regarding privacy and data security and future violations of the COPPA Rule, and requires the company to implement a data security program and to pay a $250,000 civil penalty. Last year, the FTC proposed new COPPA rules to better protect children, about which EPIC submitted comments. For more information, see EPIC: Children’s Online Privacy and EPIC: FTC. (Mar. 27, 2012)
  • Federal Trade Commission Calls for Privacy Legislation +
    Today the Federal Trade Commission released Protecting Consumer Privacy in an Era of Rapid Change. The FTC report called for the enactment of baseline privacy legislation and for legislation that gives consumers the right to access personal information held by data brokers. However, the framework is not as extensive as the White House Consumer Privacy Bill of Rights and depends on industry self-regulation. EPIC previously commented on an earlier draft of the framework, pointing out that the FTC "mistakenly endorses self-regulation and 'notice and choice,' and fails to explain why it has not used its current Section 5 authority to better safeguard the interests of consumers." For more information, see EPIC: Federal Trade Commission. (Mar. 26, 2012)
  • Facebook Policy Changes Raises Questions About Compliance with 2011 Consent Order +
    Facebook has begun to review comments on changes to its Statement of Rights and Responsibilities. Among other changes, Facebook now states that a user's information is disclosed to apps used by his or her friends, that Facebook software or plugins that users download may automatically download updates, upgrades, and additional features, and that users may not tag others who do not wish to be tagged. The FTC recently issued a proposed settlement with Facebook after finding that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." In particular, the FTC found that Facebook had misled users about the extent to which their personal information would be made available to apps used by their friends. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 and bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In comments filed with the FTC, EPIC said that the settlement is "insufficient to address the concerns originally identified by EPIC and the consumer coalition, as well as those findings established by the Commission." For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (Mar. 23, 2012)
  • Twitter to Sell Two Years' Worth of Old Tweets +
    Twitter recently announced a deal with the analytics firm Datasift that authorizes Datasift to sell the content of public tweets posted over the last two years. Companies who buy the data from Datasift will be able to market to users based on the topic or location of the tweets. DataSift will be required to regularly remove tweets that users delete. Previously, Twitter gave the Library of Congress access to every public tweet since the company’s inception in 2006. In 2011, the Federal Trade Commission reached a settlement with Twitter over charges that inadequate security measures allowed computer criminals to gain administrative access to the company. For more information, see EPIC: Federal Trade Commission. (Mar. 2, 2012)
  • European Justice Minister Says Google Now in Violation of EU Law +
    European Justice Minister Vivian Reding said today that Google's March 1 changes to its terms of service violate European Union law "in numerous respects." Commissioner Reding pointed to the failure of the company to obtain user consent, the lack of transparency, and the fact that most users do not read privacy policies. European privacy officials recently concluded that the changes do not comply with the European Union Data Protection Directive and asked the company to suspend its planned changes. In the US, EPIC has urged a federal court to require the Federal Trade Commission to determine whether Google's changes changes violate a 2011 Consent Order. The court denied the motion. The case is now on appeal. For more information, see EPIC v. FTC (Google Consent Order). (Mar. 1, 2012)
  • Identity Theft Remains Top Concern of US Consumers +
    According to the Federal Trade Commission, identity theft was the top source of consumer complaints in 2011 comprising 15 percent of the 1.8 million total complaints filed. This is the 12th year in a row in which identity theft has occupied the top position. The report contains data on 30 complaint categories, which are broken down by metropolitan areas and provided to state and local law enforcement offices. For more information, see EPIC: FTC and EPIC: Identity Theft. (Feb. 29, 2012)
  • FTC Chairman: Google Users Face a "brutal choice" -- Europeans: "Google's new policy does not meet the requirements of the European Directive on Data Protection." +
    Pressure is building as the March 1 deadline for Google's planned changes in user privacy approaches. In an interview with C-Span, the Chairman of the Federal Trade Commission said that users of Google services face a "brutal" choice." The head of the French Data Protection Agency, on behalf of European privacy agencies, has warned that Google's proposed change violates European Union privacy law. She is reiterated the recommendation of Europe's Justice Minister that Google suspend the change. In Washington, DC, EPIC has filed an emergency appeal with the DC Circuit Court of Appeals to force the FTC to enforce the 2011 consent order against Google. For more information, see EPIC v. FTC (Google Consent Order). (Feb. 28, 2012)
  • EPIC Appeals Court Ruling in Google Privacy Case +
    Within hours after a federal court in Washington, DC ruled that it could not require the Federal Trade Commission to enforce a consent order against Google, EPIC filed an emergency appeal with the Court Appeals for the DC Circuit. EPIC has asked the appellate court to overturn the lower court decision before March 1, when Google will change its terms of service and consolidate user data without consent. For more information, see EPIC - EPIC v. FTC (Google Consent Order). (Feb. 27, 2012)
  • Privacy Groups to Rep. Bono-Mack: "Hold *Public* Hearings on Google Privacy Changes" +
    Five privacy organizations, including EPIC, wrote today to Rep. Bono-Mack to urge the Chairwoman of a powerful Congressional committee to hold a public hearing on Google's proposed changes in business practices that will take effect March 1. Rep. Bono-Mack has held closed-door meetings with the Internet giant, but so far has scheduled no public hearings on the plan to consolidate user data, which EPIC alleges violates a 2011 Consent Order with the Federal Trade Commission. The consumer groups also asked the Congresswoman to urge Google to suspend its plan pending an investigation. They said there would be "overwhelming public support for this action" and cited recent statements from Members of Congress, Attorneys General, European Justice Officials, the President, technical experts, and IT managers in government and the private sector. For more information see EPIC: EPIC v. FTC. (Feb. 24, 2012)
  • Judge Rules that Courts Lacks Jurisdiction over FTC, Acknowledges "Serious Concerns" with Google Privacy Changes +
    A federal court today dismissed EPIC's lawsuit against the FTC, because the "decision to enforce the Consent Order is committed to agency discretion and is not subject to judicial review." However, the Judge also said "the Court has not reached the question of whether the new policies would violate the consent order or if they would be contrary to any other legal requirements." And she said "the FTC, which has advised the Court that the matter is under review, may ultimately decide to institute an enforcement action." EPIC will appeal the decision on judicial review, asking the DC federal appeals court to rule that courts can require federal agencies to enforce final orders. For more, see EPIC: EPIC v. FTC (Google Consent Order). (Feb. 24, 2012)
  • White House Sets Out Consumer Privacy Bill of Rights +
    The Obama Administration put forward a comprehensive privacy framework with principles designed to establish new safeguards for consumers and new responsibilities for companies that collect and use personal information. The principles include (1) individual control over the collection and use of personal data; (2) transparency; (3) respect for the context in which data is collected; (4) security; (5) access and correction rights for consumers; (6) data limitation; and (7) accountability. President Obama stated that "even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever." EPIC praised the framework and the President's support for privacy, and said that the challenge ahead would be implementation and enforcement. For more information, see EPIC: Commerce Department and EPIC: Federal Trade Commission, and EPIC: White House - Consumer Privacy Bill of Rights. (Feb. 23, 2012)
  • EPIC Urges Federal Court To Hold FTC Accountable for Failure to Enforce Google Consent Order +
    In a reply brief filed today in Washington, DC, EPIC said that the Federal Trade Commission's failure to enforce the Consent Order against Google prior to March 1 would cause "irreparable injury." EPIC cited Google's plans to combine user data without consent, and pointed to numerous cases that establish the need for the Court to assess the FTC's failure to act. Dismissing arguments asserted by the government that "FTC enforcement decisions are not subject to judicial review," EPIC said that Congress has clearly told the Federal Trade Commission to enforce its final orders. And in response to a claim that EPIC's request for action by March 1 is "arbitrary," EPIC wrote "If the government is unaware that Google plans to make a substantial change in its business practices on March 1, 2012, it should turn on a computer connected to the Internet." For more information, see EPIC, EPIC v. FTC (Google Consent Order). (Feb. 21, 2012)
  • FTC Files Opposition / Motion to Dismiss in EPIC v FTC +
    The Federal Trade Commission today filed an opposition and a motion to dismiss in response to EPIC's complaint to compel the agency to enforce the October 2011 Consent Order against Google. The government stated that EPIC would "deprive the Commission of the discretion to exercise its enforcement authority." The government also charged that EPIC's lawsuit is "completely baseless." The papers were filed in federal District Court on the same day that the Wall Street Journal reported that Google had subverted the privacy settings of millions of users of the Internet browser software Safari. For more information see: EPIC: EPIC v. FTC (Google Consent Order). (Feb. 17, 2012)
  • "FOIA Matters" - EPIC Obtains Google Privacy Compliance Report +
    As the result of a Freedom of Information Act request to the Federal Trade Commission, EPIC has obtained a full copy of Google's first Privacy Compliance Report. Last year, spurred by a complaint pursued by EPIC, the FTC reached a settlement with Google and required the company to file regular reports with the Commission detailing its steps to comply with the Consent order. However, the report obtained by EPIC raises new questions about the company's efforts to safeguard user privacy. EPIC has recently filed a lawsuit against the FTC to compel the agency to enforce the Consent Order. For more information see: EPIC: EPIC v. FTC (Google Consent Order) and EPIC: In re Google Buzz. (Feb. 17, 2012)
  • EPIC to FTC: Enforce the Google Consent Order +
    Today EPIC wrote to the Federal Trade Commission urging it to enforce the consent order with Google in light of a recent Wall Street Journal article based on research from Stanford's Jonathan Mayer that described how Google had been circumventing the privacy settings of Safari users despite Google's promise to respect such settings. EPIC said that Google "took elaborate measures to circumvent the Safari privacy safeguards, and it benefited from the misrepresentations by the commercial value it surreptitiously obtained." EPIC has filed a lawsuit to force the FTC to require Google to comply with the Consent Order to protect the privacy interests of Google users. The FTC's Response to the EPIC motion is due February 17; EPIC's reply is due February 21, 2012. For more information, see EPIC: EPIC v. FTC (Google Consent Order). (Feb. 17, 2012)
  • FTC Report Shows Privacy Problems with Mobile Apps +
    The Federal Trade Commission issued a report today that found widespread failure among app stores and app developers to provide information to parents about the collection and use of children's data. The report noted that there are currently more than 500,000 apps in the Apple App Store and 380,000 in the Android Market, and that young children and teens are increasingly using smartphones for entertainment and educational purposes. The FTC report recommends that apps provide simple, short disclosures about their information collection and use practices, and that app stores assume greater role in providing information about the apps that they sell. EPIC previously submitted comments to the FTC on a proposed rule for the Children's Online Privacy Protection Act. For more information, see EPIC: Children's Online Privacy Protection Act and EPIC: Federal Trade Commission. (Feb. 16, 2012)
  • Google Report Raises New Questions About Compliance with Consent Order +
    The Google privacy compliance report, made public today, raises new questions about the company's failure to comply with an FTC Consent Order. The Order required Google to answer detailed questions about how it protects the personal information of Google users. But Google chose not to answer many of the questions. Most significantly, the company did not explain to the Commission the impact on user privacy of the proposed changes that will take place on March 1. EPIC has filed a lawsuit to force the Federal Trade Commission to require Google to comply with the Consent Order to protect the privacy interests of Google users. For more information, see EPIC v. FTC (Google Consent Order). (Feb. 10, 2012)
  • EPIC Sues Federal Trade Commission to Enforce Google Consent Order +
    EPIC today filed a Complaint and a Motion for Temporary Restraining Order and Preliminary Injunction in Federal District Court in Washington, DC. EPIC is seeking to compel the Federal Trade Commission to act prior to March 1, when Google plans to make changes in its terms of service that will make it possible for the company to combine user data without user consent. EPIC alleges that this change in business practice is in clear violation of the consent order that Google entered into on October 13, 2011. The consent order arises from a complaint that EPIC brought to the Commission in February, 2010 concerning Google Buzz and a similar attempt by Google to combine user data without user consent. For more information, see EPIC - In re Google Buzz, FTC - "FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network." (Feb. 8, 2012)
  • EPIC Seeks Public Release of Google's Privacy Report +
    EPIC has filed a Freedom of Information Act request with the Federal Trade Commission for the Privacy Report that Google was recently required to submit to the agency. The Commission had previously investigated Google after EPIC filed a complaint regarding Google's Buzz product, which transformed private user contacts into publicly available social network data. Last fall the Commission reached a settlement with Google and, as a result, the company is subject to a consent order that requires it to file regular reports with the Commission. EPIC has requested that Google's first report, filed on January 26, 2012, be released to the public. Because of Google's plan to change its business practice on March 1, 2012, EPIC has asked the FTC to expedite the disclosure of the report. For more information see EPIC: In re Google Buzz. (Feb. 1, 2012)
  • EPIC Calls for Moratorium on Facial Recognition Technology +
    In detailed comments to the Federal Trade Commission, EPIC today recommended the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established. EPIC said that facial recognition is often used by strangers to determine a person's actual identity and that this poses a risk to privacy and personal security. EPIC also noted that some companies have adopted techniques that are more favorable to privacy as they allow users to control the image database while others undermine privacy, as the image database is centrally maintained. EPIC previously submitted a complaint to the FTC about Facebook's use of facial recognition technology to build a secret database of users' biometric data and allowing the company to automatically tag users in photos. The comments follow an FTC workshop exploring the privacy and security issues raised of facial recognition technology. For more information, see EPIC: Federal Trade Commission, EPIC: Face Recognition, and EPIC: Facebook and Face Recognition. (Feb. 1, 2012)
  • Google Changes Privacy Practices, Consolidates User Data +
    Google announced that it would begin combining data gathered on users of over 60 Google products and services, including Gmail, Google+, Youtube, and the Android mobile operating system. Previously, users could use one Google service, such as Google+, without having their information combined with that gathered from other services, such as Youtube. Users cannot opt out of having their data combined unless they avoid signing into their user accounts or stop using Google’s services altogether. Google’s changes come after the company began surfacing personal information from Google+ in Google search results, a move that EPIC said raised privacy and antitrust issues. In 2010, EPIC, along with other privacy groups, wrote a letter to Google over the company's decision to combine user data among 12 Google services. Google is subject to a settlement with the Federal Trade Commission that establishes new privacy safeguards for users of all Google products and services and subjects the company to regular privacy audits. For more information, see EPIC: Federal Trade Commission and EPIC: Google Search. (Jan. 25, 2012)
  • FTC Adds Google+ to Antitrust Investigation +
    Bloomberg News has reported that the Federal Trade Commission has expanded its antitrust investigation of Google to include Google's social networking service, Google+. The report comes after Google announced that it would include personal data gathered from Google+ in the results of users' searches, a move that led EPIC to urge the FTC to investigate the company. EPIC said that "Google's business practices raise concerns related to both competition and the implementation of the Commission’s consent order," referring to a settlement that the FTC reached with Google that establishes new privacy safeguards for users of all Google products and services and subjects the company to regular privacy audits. Google first confirmed the FTC’s antitrust investigation in June 2011. Recently, the Senate held a hearing on Google's use of its dominance in the search market to suppress competition, and EPIC urged the Federal Trade Commission to investigate Google's use of Youtube search rankings to give preferential treatment to its own video content over non-Google content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission. (Jan. 13, 2012)
  • EPIC Urges FTC Investigation into Facebook Timeline +
    EPIC sent a letter requesting that the Federal Trade Commission determine whether changes Facebook has made to the profiles of its users are consistent with the terms of a settlement reached between Facebook and the FTC. EPIC's letter states that "with Timeline, Facebook has once again taken control over the user's data from the user and has now made information that was essentially archived and inaccessible widely available without the consent of the user." The settlement requires Facebook to give users clear and prominent notice and obtain users' express consent before changing their privacy settings. EPIC sent a similar letter to the FTC about Timeline and the secret tracking of users in September 2011. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (Dec. 28, 2011)
  • EPIC Submits Comments on FTC Facebook Privacy Settlement +
    EPIC submitted comments to the FTC on a proposed settlement with Facebook. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. However, EPIC said that the settlement is "insufficient to address the concerns originally identified by EPIC and the consumer coalition, as well as those findings established by the Commission." In order to address the issues raised by the complaints, respond to recent changes in Facebook's business practices like Timeline, and fulfill the FTC's duty to act in the public interest, EPIC recommended that the settlement be improved. Specifically, EPIC recommended that the FTC require Facebook to restore the privacy settings users had in 2009; give users access to all of the data that Facebook keeps about them; stop making facial recognition profiles without users' consent; make the results of the government privacy audits public; and stop secretly tracking users across the web. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (Dec. 28, 2011)
  • EPIC Submits Comments on Children's Online Privacy Rule +
    EPIC submitted comments to the FTC on a proposed rule for the Children's Online Privacy Protection Act. The proposed rule would revise the definition of Personally Identifiable Information to include identifiers such as cookies, IP addresses, and geolocation information. The new rules also contain data minimization and deletion requirements and simplified methods of obtaining parental consent for data collection. "The proposed revisions update the COPPA Rule by taking better account of the increased use of mobile devices by users and of new data collection practices by businesses," EPIC said. However, EPIC urged the FTC to further improve the rule by applying it to SMS and MMS messaging services, extending the definition of "personal information" to cover the combination of date of birth, gender, and ZIP code, and adding a data-breach notification requirement. EPIC previously testified before the Senate and filed comments with the agency. For more information, see EPIC: Children's Online Privacy Protection Act and EPIC: Federal Trade Commission. (Dec. 22, 2011)
  • Senate Opens Investigation Into Google Search +
    Senator Herb Kohl (D-WI) and Mike Lee (R-UT), Chairman and Ranking member of the Judiciary Antitrust Subcommittee, have sent a letter to FTC Chairman Jon Leibowitz, expressing concern about Google's business practices and the company's impact on competition in Internet search and commerce. In September, EPIC wrote to the FTC and described how Google biased YouTube search rankings to give preferential treatment to its own content following the acquisition of the Internet's largest video service provider. The EPIC letter preceded a Senate hearing on "The Power of Google: Serving Consumers or Threatening Competition?" EPIC testified before the Senate Antitrust Subcommittee in 2007 on Google's growing dominance of essential Internet services. (Dec. 20, 2011)
  • EPIC Launches Campaign Urging Public Comment on Facebook Privacy Settlement +
    EPIC launched the "Fix FB Privacy Fail" campaign to encourage the public to support improvements to a settlement between Facebook and the FTC. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. Although the proposed settlement is far-reaching, there are several ways in which it could be improved. EPIC has recommended that the FTC require Facebook to restore the privacy settings users had in 2009; give users access to all of the data that Facebook keeps about them; stop making facial recognition profiles without users' consent; make the results of the government privacy audits public; and stop secretly tracking users across the web. The period for public comment on the proposed settlement ends on December 30. The campaign also allows users to sign on to the petition without using Facebook. For more information, see EPIC: FTC Facebook Settlement. (Dec. 13, 2011)
  • Federal Trade Commission Releases 2011 Do Not Call List, Warns of Do Not Call Scams +
    The FTC has released the 2011 National Do Not Call Registry Data Book, which includes extensive information on the Do Not Call Registry as well as tips for consumers. Over 209 million telephone numbers are now listed on the Do Not Call Registry. In 2011, over 2 million consumers filed complaints over unwanted telemarketing calls. In announcing the Data Book, the FTC also warned consumers that scammers are calling consumers and claiming to sign them up for the National Do Not Call Registry. The FTC said that these calls were not coming from the Commission or the Registry, and that consumers should ignore them. For more information, see EPIC: Federal Trade Commission, or EPIC: Telemarketing and the Telephone Consumer Protection Act. (Dec. 5, 2011)
  • Federal Trade Commission Announces Settlement in EPIC Facebook Privacy Complaint +
    The Federal Trade Commission has announced an agreement with Facebook that follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. In 2009, the EPIC first asked the FTC to investigate Facebook's decision to change its users' privacy settings in a way that made users' personal information, such as Friend lists and application usage data, more widely available to the public and to Facebook’s business partners. The violations are also detailed in the FTC’s 8-count complaint against the company. The proposed settlement agreement bars Facebook from making future changes privacy settings without the affirmative consent of users and requires the company to implement a comprehensive privacy protection program and submit to independent privacy audits for 20 years. The settlement does not adopt EPIC's recommendation that Facebook restore users' privacy settings to pre-2009 levels. Facebook CEO Mark Zuckerberg reacted to the settlement in a post on Facebook's blog, saying that he was "first to admit that we've made a bunch of mistakes." For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission. (Nov. 29, 2011)
  • Federal Trade Commission to Announce Settlement in EPIC Facebook Privacy Complaint +
    The Federal Trade Commission has scheduled a 1:00 pm EDT press conference to announce a privacy settlement with Facebook, following a complaint that was filed by EPIC and other consumer and privacy organizations. More news to follow. (Nov. 29, 2011)
  • FTC Releases Agenda for Facial Recognition Workshop +
    The Federal Trade Commission has announced the agenda and panelists for a workshop exploring the privacy and security issues raised by the increased use of facial recognition technology. The workshop will be held December 8, 2011 at the FTC Conference Center, and will feature diverse panelists with consumer protection, privacy, business, international, and academic backgrounds. EPIC Senior Counsel John Verdi will speak on the panel "Facial Detection & Recognition: Exploring the Policy Implications." EPIC has a complaint pending before the FTC over Facebook's use of facial recognition technology to build a secret database of users' biometric data and to enable the company to automatically tag users in photos. For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission. (Nov. 22, 2011)
  • FTC Publishes Performance Report +
    The Federal Trade Commission has issued the 2011 Performance and Accountability Report. The report summarizes the agency’s accomplishments, shows how the agency has managed its resources, and explains how it plans to address future changes. According to the FTC, during 2011 the agency exceeded its privacy goals by providing 52 comments to foreign consumer protection and privacy agencies, conducting 14 technical assistance missions, and hosting one international consumer protection fellow. The agency’s privacy goals for the coming year include "issu[ing] a final report on protecting consumer privacy," and "examin[ing] malware and spyware threats to mobile devices . . . and malware distributed through social networks." The FTC report made no mention of several pending complaints, including EPIC's 2009 complaint regarding the changes by Facebook to its users' privacy settings. For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Facial Recognition. (Nov. 22, 2011)
  • WSJ: Facebook Close to Settlement with FTC over EPIC Complaint +
    The Wall Street Journal reports that the Federal Trade Commission is finalizing a settlement with Facebook that follows from a complaint from EPIC and a coalition of US consumer and privacy organizations. In 2009, the organizations urged the Commission to investigate Facebook's decision to change its users' privacy settings which made the personal information of Facebook users more widely available to Facebook's business partners and the public. According to the Wall Street Journal, the settlement would require Facebook to obtain "express affirmative consent" if Facebook makes "material retroactive changes," and to submit to independent privacy audits for 20 years. For more information, see EPIC: In re Facebook, EPIC: Facebook Privacy and EPIC: Federal Trade Commission. (Nov. 10, 2011)
  • EPIC Files Complaint, Urges FTC to Investigate Verizon's Recent Changes to Privacy Practices +
    EPIC filed a complaint with the Federal Trade Commission charging that Verizon Wireless has engaged in unfair and deceptive trade practices in violation of consumer protection law. After consumers entered into long-term contracts with Verizon Wireless, the company changed its business practices, and revealed detailed personal information of its customers, including location data, web browsing and search histories, and demographic data, to other companies EPIC also charges that Verizon Wireless has failed to establish adequate techniques to deidentify its customers. "Such practices are unfair and deceptive, contrary to the privacy and security interests of Verizon Wireless customers, and actionable by the Federal Trade Commission," the complaint states. EPIC's complaint regarding Facebook's facial recognition is still pending before the FTC. (Oct. 31, 2011)
  • EPIC-Led Coalition Calls for FTC Facebook Investigation +
    EPIC, joined by other privacy, consumer, and civil liberties groups, which include the American Civil Liberties Union, Consumer Action, American Library Association, and the Center for Digital Democracy asked the Federal Trade Commission to investigate Facebook. Facebook had been secretly tracking users after they logged off of Facebook’s webpage, and had recently announced changes in business practices that “[gave] the company far greater ability to disclose the personal information of its users to its business partners...” EPIC’s complaint regarding Facebook’s facial recognition is still pending before the FTC. For more information, see EPIC: Facebook Privacy and EPIC: Federal Trade Commission. (Sep. 29, 2011)
  • Lawmakers Say Undeletable Supercookies Raise "Serious Privacy Concerns" +
    Representatives Joe Barton (R-TX) and Ed Markey (D-MA) wrote a letter asking the FTC to investigate whether the use of "supercookie" - cookies placed on users' computers by websites such as Hulu.com that cannot be deleted -constitutes an unfair or deceptive business practice. The representatives called this kind of tracking "unacceptable" and said that the cookies "take away consumer control over their own personal information." EPIC had earlier opposed the White House's use of persistent Google Analytics cookies that track users for up to two years and supported opt-in requirements for Internet tracking techniques that are transparent for the user and easily disabled. For more information, see EPIC: Cookies and EPIC: Federal Trade Commission. (Sep. 27, 2011)
  • Senate Holds Hearing on Google’s Anticompetitive Practices +
    Today's Senate Judiciary Committee hearing "The Power of Google: Serving Consumers or Threatening Competition?” examined Google’s use of its dominance in the search market to suppress competition. The company’s executive chairman, Eric Schmidt, testified on the first panel, while witnesses from Google’s rivals Yelp and Nextag appeared on the second panel. The hearing covered a wide range of issues, including search bias, Google’s proprietary search algorithm, and the downgrading of search rankings. EPIC testified before the the same committee in 2009 on Google’s growing dominance of essential Internet services, and recently sent a letter to the Federal Trade Commission regarding Google’s biasing of Youtube search rankings to give preferential treatment to its own video content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission. (Sep. 21, 2011)
  • Federal Trade Commission Proposes New Rules for Children’s Online Privacy +
    Today the FTC proposed new rules for the Children’s Online Privacy Protection Act. The FTC rules would revise the definition of Personally Identifiable Information to include identifiers such as cookies and IP addresses, video and audio files containing a child's image or voice, and geolocation information. The new rules also contain data minimization and deletion requirements that promote Internet security, as well as simplified methods of obtaining parental consent for data collection, such as electronic submission and video verification. EPIC Executive Director Marc Rotenberg said that the proposed rules were "a well-reasoned and innovative approach to online privacy." EPIC had previously testified before the Senate and submitted comments to the agency. EPIC’s complaint regarding Facebook’s facial recognition is still pending before the FTC. For more information, see EPIC: Children’s Online Privacy. (Sep. 15, 2011)
  • US and European Consumer Groups Oppose Latest Industry Proposal for Self-Regulation +
    The Transatlantic Consumer Dialogue has sent a letter to U.S. and European Union officials, urging them to reject an advertising industry proposal to protect online privacy through self-regulation. The industry proposal relies on opt-out techniques that force consumers to click on small icons, hidden on the websites they visit. The TACD letter described the icon regime as “inadequate,” and said that it “is an insufficient means of [giving] notice to a user about the wide range of data collection that they routinely face.” In 1998, EPIC conducted the first evaluation of industry self-regulation to protect online privacy and concluded that "Notice is Not Enough." For more information, see EPIC: Online Tracking and Behavioral Profiling, and EPIC: FTC. (Sep. 9, 2011)
  • EPIC Urges FTC to Examine YouTube Search Rankings Following Google Acquisition +
    EPIC sent a letter to the FTC urging the Trade Commission to investigate the extent to which Google has used its dominance in the search market to influence the marketplace of online video content. EPIC pointed specifically to the Google acquisition of YouTube and the change in the YouTube search rankings that followed. EPIC said that Google substituted its own subjective, "relevance" ranking in place of objective search criteria, such as "Hits" or "Rankings," to preference Google's own video material over non-Google material. EPIC's letter includes detailed examples using the search term "privacy." Google has acknowledged that the Commission has opened an investigation into the company's business practices for possible antitrust violations. EPIC previously testified before the Senate Judiciary Antitrust Subcommittee on Google's growing dominance of essential Internet services. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission. (Sep. 8, 2011)
  • EPIC Settles Street View Case with Trade Commission +
    EPIC and the Federal Trade Commission have agreed to settle an open government lawsuit concerning the FTC's decision to close the investigation of Google Street View. EPIC sought documents from the Commission after Members of Congress had urged the agency to pursue an aggressive investigation and many privacy agencies around the world found that Google violated national privacy laws. The agency turned over to EPIC agency records which suggested that the agency believed it lacked enforcement authority. However, the closing letter in the case also indicated that the Commission never undertook an independent investigation to determine whether other violations of law may have occurred. The case is EPIC v. FTC, No. 11-cv-00881 (D.C. Dist. Ct 2011). For more information, see EPIC: Google Street View. (Aug. 26, 2011)
  • FTC Finds Mobile Phone App Violated Children's Privacy Law +
    W3 Innovations, a company that develops mobile phone games, settled charges with the Federal Trade Commission for violations of the Children's Online Privacy Protection Act (COPPA). In the first settlement concerning a mobile application, the Commission imposed a fine of $50,000 against the company for "illegally collecting and disclosing personal information from tens of thousands of children under age 13 without their parents prior consent." EPIC previously testified before the Senate Commerce Committee and submitted comments to the FTC on the need to update COPPA and to clarify the law's application to mobile and social networking services. EPIC also has pending complaints at the FTC regarding Facebook's facial recognition program and changes Facebook made to user privacy settings. For more information, see EPIC: FTC and EPIC: COPPA. (Aug. 16, 2011)
  • Federal Trade Commission Launches Google Antitrust Investigation +
    Google has acknowledged that the Federal Trade Commission has opened an investigation into the search company's business practices for possible antitrust violations. The investigation likely focuses on whether Google uses its dominance in the search field to inhibit competition in other areas. EPIC had previously opposed Google's acquisition of online advertiser Doubleclick, which was approved by the FTC over the objection of then Commissioner Pamela Harbor. EPIC later testified before the Senate Judiciary Antitrust Subcommittee on Google's growing dominance of essential Internet services. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission. (Jun. 27, 2011)
  • FCC and FTC Announce Public Meeting on Locational Privacy +
    The Federal Communications Commission and the Federal Trade Commission will co-host a Location Based Services Forum on June 28, 2011. The event will include representatives from industry, consumer advocacy groups, and academia discussing the benefits and risks of location based services and industry best practices. The agencies are calling for public comment on location based services. EPIC previously submitted comments to the FCC on locational privacy in 2001 and 2006, requesting that the Commission establish guidelines for the protection of users' locational privacy. In 2010, EPIC specifically warned two Congressional committees about the privacy risks of location services in mobile phones. For more information, see EPIC: Locational Privacy. (May. 25, 2011)
  • EPIC Briefing to Explore Google Street View and Wi-Fi Privacy +
    EPIC will host a Capitol Briefing on Wednesday, May 18, 2011 on "Street View, Privacy, & the Security of Wireless Networks." The luncheon symposium will feature a panel with FTC Director of Consumer Protection David Vladeck and Former FTC Commissioner Pamela Harbour, and other experts. Sky Hook CEO Ted Morgan will demonstrate Wi-Fi scanning. Many countries have launched investigations of Google Street View after investigators found that Google unlawfully collected Wi-Fi data and intercepted private communications traffic. EPIC has recommended that the US FCC undertake an investigation. The Briefing will be held at the Capitol Visitor’s Center in room HVC-201 from 11:30 am to 1:30 pm. Registration information. For More Information, see EPIC: Street View and EPIC: FTC and follow #wifiprivacy. (May. 17, 2011)
  • EPIC Sues Federal Trade Commission for Details on Spy-Fi Investigation +
    EPIC filed a Freedom of Information Act lawsuit against the Federal Trade Commission over the agency's failure to disclose to EPIC information about the FTC's decision to end the Google Spy-Fi investigation. EPIC is specifically seeking documents that the FTC widely circulated to members of Congress and their staff that provide the basis for the agency's decision. Privacy agencies around the world found that Google unlawfully intercepted private communications traffic. Yet documents obtained earlier by EPIC under the FOIA suggest that the FTC did not even examine the data Google gathered from private residential Wi-Fi routers in the United States. EPIC is hosting a Capitol Briefing on May 18th on "Street View, Privacy, and the Security of Wireless Networks." For more information, see EPIC: Street View and EPIC: FTC. (May. 12, 2011)
  • EPIC Proposes "Fair Information Practices" for Google +
    Today EPIC submitted detailed comments on a landmark privacy agreement that requires Google to adopt a "Comprehensive Privacy Plan" to safeguard the privacy and personal information of Internet users. In comments to the Federal Trade Commission, EPIC recommended that the FTC require Google to adopt and implement comprehensive Fair Information Practices, as part of the Privacy Program. EPIC also recommended encryption for Google's cloud-based services, new safeguards for reader privacy, limitations on data collection, and warrant requirements for data disclosures to government officials. EPIC said that similar privacy safeguards should be established for other Internet companies. The FTC investigation and settlement arises from a complaint filed by EPIC with the Commission in February 2010. For more information, see EPIC: In re Google Buzz and FTC - Public Comments on In Re Google. (May. 3, 2011)
  • Public Submits Comments on Proposed Google Consent Order +
    Today marks the end of the public comment period for the Federal Trade Commission's landmark Consent Order with Google regarding Buzz, Gmail, and all Google products and services. As part of the legal order, Google must adopt a "Comprehensive Privacy Plan" to safeguard its users data and personal information. EPIC launched an online petition and a "Fix Google Privacy" page to promote public participation in the FTC's deliberations. The FTC's action against Google follows a Complaint and an Amended Complaint, filed by EPIC on behalf of Gmail subscribers and other users. For more information, see EPIC: In re Google Buzz. (May. 2, 2011)
  • Senators Kerry and McCain introduce Internet Privacy Legislation +
    Senators John Kerry (D-MA) and John McCain (R-AZ) have introduced the "Commercial Privacy Bill of Rights Act of 2011," aimed at protecting consumers' privacy both online and offline. The Bill endorses several "Fair Information Practices," gives consumers the ability to opt-out of data disclosures to third-parties, and restricts the sharing of sensitive information. But the Bill does not allow for a private right of action, preempts better state privacy laws, and includes a "Safe Harbor" arrangement that exempts companies from significant privacy requirements. EPIC has supported privacy laws that provide meaningful enforcement, limit the ability of companies' to exploit loopholes for behavioral targeting, and ensure that the Federal Trade Commission can investigate and prosecute unfair and deceptive trade practices, as it did with Google Buzz. For more information, see EPIC: Online Tracking and Behavioral Profiling and EPIC: Federal Trade Commission. (Apr. 12, 2011)
  • EPIC Launches "Fix Google Privacy" Campaign +
    In response to the recent announcement that Google has agreed to adopt a "Comprehensive Privacy Plan," EPIC has launched "Fix Google Privacy," a campaign to encourage Internet users to offer their suggestions to improve safeguards for Google's products and services. Submissions to EPIC will be forwarded to the Federal Trade Commission and considered by the agency as part of the final Privacy Plan. All comments must be sent before May 2, 2011. For more information, see EPIC - In Re Google Buzz and FTC - Analysis to Aid Public Comments. (Apr. 5, 2011)
  • FTC Releases Annual Report, Highlights Consumer Protection +
    The Federal Trade Commission released the 2011 Annual Report, which emphasized the agency's actions in the consumer protection and anti-trust areas. The agency highlighted its work on privacy, data security, and technology and noted the settlement of several privacy cases, including Echometrix, Lifelock, Twitter, and U.S. Search. EPIC filed a complaint with the Commission concerning Echometrix, and still has complaints pending regarding changes in Facebook's privacy settings and Google cloud computing. For more information, see EPIC: Federal Trade Commission. (Apr. 1, 2011)
  • FTC Announces Agreement in EPIC Google Buzz Complaint +
    The Federal Trade Commission has reached a agreement with Google regarding Buzz, the social network service launched in early 2010. The FTC action follows a complaint and an amended complaint filed by EPIC on behalf of Gmail subscribers and other Internet users. The FTC agreement with Google is far-reaching. It is the most significant privacy decision by the Commission to date. For Internet users, it should lead to higher privacy standards and better protection for personal data. EPIC has pursued similar successful complaints at the FTC in the past, including Microsoft Passport and Choicepoint, the databroker firm. For more information, see EPIC - In re Google Buzz. (Mar. 30, 2011)
  • Senate Antitrust Agenda Includes Google, FTC Oversight +
    Senator Kohl (D-WI) has announced the agenda for the Senate Subcommittee on Antitrust, Competition Policy, and Consumer Rights. Among other issues, the Subcommittee will focus on competition in online markets and internet search, as well as oversight of the Justice Department and the Federal Trade Commission. EPIC had opposed Google's acquisition of online advertiser Doubleclick, which was approved by the FTC over the objection of former FTC Commissioner Pamela Harbor. EPIC later testified before the Antitrust committee on Google's growing dominance of essential Internet services. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission. (Mar. 14, 2011)
  • EPIC Says FTC Has Failed to Safeguard Consumer Privacy +
    In response to a request for comments on an FTC report on future action, EPIC criticized the Commission for failing to act on numerous privacy complaints currently pending before the Commission, including those involving Facebook privacy settings, Google Buzz, and Cloud Computing Services. EPIC recommended a comprehensive federal privacy law based on Fair Information Practices, support for Privacy Enhancing Technologies, and the establishment of an independent privacy agency.  The FTC report recommended the creation of a Do Not Track mechanism, the adoption of "privacy by design" techniques, and the use of simplified consumer privacy notices. For more information, see EPIC - Federal Trade Commission. (Feb. 18, 2011)
  • EPIC Pursues Investigation of FTC's Spy-Fi Noninvestigation +
    EPIC has filed an administrative appeal with the Federal Trade Commission, challenging the agency's failure to disclose to information about the FTC's decision to end the Google Spy-Fi investigation. EPIC is specifically seeking a slide presentation that the FTC provided to Congress about the matter. The agency has claimed that the presentation to Congress is exempt from disclosure under the Freedom of Information Act. Privacy agencies around the world found that Google intercepted private communications traffic. Yet documents obtained earlier by EPIC under the FOIA suggest that the FTC did not even examine the data Google gathered from private residential wifi routers in the US. For more information, see Google: Street View. (Feb. 11, 2011)
  • Federal Trade Commission Extends Deadline for Comments on Privacy Report +
    To provide business groups more time to express their views on consumer privacy, the FTC has extended the deadline for submitting comments on the agency's Internet privacy report to February 18th. The preliminary staff report "Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policy Makers" recommends the creation of a Do Not Track mechanism, the adoption of "privacy by design" techniques, and the use of simplified consumer privacy notices. However, the FTC's report did not address the privacy implications of cloud computing and social networking, the need for a US privacy agency, or a comprehensive federal privacy law based on "Fair Information Practices," as privacy groups had urged. For more information, see EPIC: Federal Trade Commission and EPIC: Online Tracking and Behavioral Profiling. (Jan. 24, 2011)
  • FTC: Investigating Google Street View is a "waste of summer" +
    In documents obtained by EPIC through a Freedom of Information Act request, a senior attorney with the Federal Trade Commission describes the Google WiFi investigation as a "wasted summer" and hopes that a Hill briefing on Google WiFi "won't be too much of a time suck." EPIC sought these documents after the FTC dropped its investigation of Google Streetview. Several countries, including the U.K., Germany, Spain, and Canada, have conducted similar investigations and determined that Google violated their privacy laws. In the U.S., the Federal Communications Commission opened an investigation after EPIC filed a complaint, asking the Commission to investigate violations of US wiretap law and the Communications Act. For more information, see EPIC: Google Street View. (Jan. 20, 2011)
  • Federal Trade Commission Recommends Do Not Track, Privacy by Design, and Short Privacy Notices +
    The Federal Trade Commission released a preliminary staff report on privacy, following a series of public roundtable discussions. The report recommends the establishment of a Do Not Track mechanism, the adoption of a "privacy by design" techniques, and the use of simplified consumer privacy notices. However, the FTC report did not address the privacy implications of cloud computing and social networking, the need for a US privacy agency, or a comprehensive federal privacy law based on "Fair Information Practices," as privacy groups had urged. For more information, see EPIC: Federal Trade Commission. (Dec. 2, 2010)
  • Wall Street Journal Confirms FCC Investigation of Google Street View Following EPIC Complaint +
    The Wall Street Journal reported today that the Federal Communications Commission has opened an investigation into Google's secretive interception and collection of wifi data collection. This occurred in thirty countries over a three year period and is linked to Google "Street View" vehicles which many thought simply captured digital images. In May, EPIC filed a complaint with the Commission, asking it to investigate Google's possible violations of federal wiretap law and the U.S. Communications Act. Investigations in other countries have revealed that Google secretly collected passwords, email, and sensitive medical data from millions of Internet users, and also built an extensive database of personal information associated with private residential wifi routers. The Federal Trade Commission recently ended its inquiry into Google Street View, even though members of Congress had urged a comprehensive investigation. For more information, see EPIC - Investigation of Google Street View. (Nov. 10, 2010)
  • FTC Appoints Executive Director, Chief Technology Officer +
    The Federal Trade Commission has announced that Eileen Harrington will be rejoining the Commission as the Executive Director. Harrington was recently the Chief Operating Officer at the U.S. Small Business Administration, following a 25-year stint at the Commission in a variety of positions. The Commission has also announced that Princeton University professor Dr. Edward W. Felton has been named as Chief Technologist, a new position that will focus on evolving technology and policy issues. Dr. Felten was the founding director for Princeton’s Center for Information Technology Policy. For more information, see EPIC: Federal Trade Commission. (Nov. 9, 2010)
  • Federal Trade Commission Closes Noninvestigation of Google Street View +
    The Federal Trade Commission has sent a letter to Google, ending an investigation that never began. In May, the Federal Trade Commission was asked by members of Congress to investigate Google's secretive collection of wifi data as part of Street View, a mapping program characterized by the collection of digital imagery. In a letter to Federal Communications Commission, EPIC further explained that Google's conduct likely violated federal wiretap law. Subsequent investigations in other countries revealed that Google secretly collected passwords, email, and sensitive medical data from millions of Internet users, and also built an extensive database of personal information associated with private residential wifi routers. However, the Federal Trade Commission never pursued an independent investigation of Street View, examined the data collected by Google in the United States, or even acknowledged the findings of other agencies. Investigations are still pending in several countries and 37 states in the U.S. For more information, see EPIC: Google Street View. (Oct. 27, 2010)
  • FTC Proposes Consent Decree in U.S. Search Case +
    The FTC is asking for comments on a proposed settlement of the agency's complaint against the company U.S. Search for deceptive practices. U.S. Search sold customers a "privacy lock" service that the company falsely claimed would prevent customers' personal information from appearing on the U.S. Search website. The proposed settlement requires U.S. Search to refund fees and bars the company from further deceptive practices, but does not stop them from charging a fee for an opt-out service. For more information, see EPIC: FTC. (Oct. 20, 2010)
  • EPIC Urges Federal Trade Commission to Strengthen Childrens' Privacy Rule +
    EPIC filed comments urging the Federal Trade Commission to improve the Childrens' Online Privacy Protection Act Rule. The rule is the principal federal protection for childrens' privacy, and limits how companies may collect and disclose childrens' personal information. "The need for the COPPA Rule has become increasingly urgent in light of new business practices and recent technological developments, such as social networking sites and mobile devices," EPIC wrote. "Existing provisions need to be strengthened and new provisions need to be added." In April, EPIC testified before Congress concerning childrens' privacy. For more, see EPIC: COPPA and EPIC: FTC. (Jul. 9, 2010)
  • Congressional Leaders Write to Google's Schmidt About "Spy-Fi" +
    Congressmen Henry Waxman (D-CA), Joe Barton (R-TX), and Ed Markey (D-MA) have sent a detailed letter to Google CEO Eric Schmidt about the reports that Google Street View vehicles scarfed up Wi-Fi data in thirty countries, including the United States. The letter follows a complaint that EPIC has sent to the Julius Genachowski, chairman of the Federal Communications Commission, suggesting that Google may have violated federal wiretap laws. For more information, see Congress Urges FTC to Investigate Google. (May. 26, 2010)
  • New Facebook Privacy Complaint Filed with Trade Commission +
    Today, EPIC and 14 privacy and consumer protection organizations filed a complaint with the Federal Trade Commission, charging that Facebook has engaged in unfair and deceptive trade practices in violation of consumer protection law. The complaint states that changes to user profile information and the disclosure of user data to third parties without consent "violate user expectations, diminish user privacy, and contradict Facebook’s own representations." The complaint also cites widespread opposition from Facebook users, Senators, bloggers, and news organizations. In a letter to Congress, EPIC urged the Senate and House Committees with jurisdiction over the FTC to monitor closely the Commission's investigation. The letter noted the FTC's failure to act on several pending consumer privacy complaints. For more information, see EPIC: Facebook Privacy. (May. 5, 2010)
  • EPIC Recommends Effective Consumer Privacy Standards, Calls Notice and Choice a "Failed Experiment" +
    At the third FTC Privacy Roundtable, EPIC senior counsel John Verdi will recommend that the Commission push forward with effective and meaningful privacy safeguards for American consumers. Mr. Verdi will say that the "notice and choice" approach has failed, and will recommend that the FTC enforce Fair Information Practices, such as the OECD Privacy Guidelines. The discussion can be viewed via webcast. Additional information on the FTC roundtable event can be found here. For more information, see EPIC In re Google Buzz, EPIC In re Facebook, and EPIC In re Google and Cloud Computing. (Mar. 17, 2010)
  • Senate Confirms Julie Brill as FTC Commissioner +
    The Senate confirmed Julie Brill, former Vermont Assistant Attorney General, to fill a vacancy for FTC Commissioner. Brill served for over 20 years as Vermont’s Assistant Attorney General for Consumer Protection and Antitrust, and currently serves as Senior Deputy Attorney General and Chief of Consumer Protection and Antitrust for the North Carolina Department of Justice. Brill has had experience with several important consumer protection issues, including tobacco, food and drug, antitrust, and privacy and identity theft. Senator Leahy (D-VT) expressed support for Brill’s confirmation, proclaiming, “We again have an FTC that is on the side of the consumers. Julie Brill will help revitalize an FTC that has languished while consumers’ interests have given way to special interests.” (Mar. 4, 2010)
  • Federal Trade Commission Sets out Priorities But Lacks Strategy for Privacy Protection +
    The Federal Trade Commission released the Congressional budget justification summary for FY 2011 and performance plan for FY 2010-11. The FTC documents list three strategic goals: protect consumers, maintain competition, and advance performance. Objectives include improving consumer education, identifying and stopping “fraud, deception and unfair practices,” and “protecting American consumers in the global marketplace.” Although the FTC Implementation Plan includes the development of approaches to implement OECD Guidelines on consumer protection in the context of electronic commerce, there is no mention of implementing OECD Guidelines on privacy protection(Feb. 4, 2010)
  • EPIC Urges FTC to Protect Users' Privacy On Cloud Computing and Social Networking Services +
    EPIC submitted comments to the FTC prior to the agency’s second privacy roundtable. EPIC warned of the ongoing privacy risks associated with cloud computing and social networking privacy, highlighting the Google cloud computing complaint and Facebook privacy complaint filed by EPIC in 2009. The comments note that the FTC has failed to take any meaningful action with respect to either complaint, demonstrating the Commission's “lack of leadership and technical expertise.” EPIC's comments also draw attention to the success of international privacy initiatives, in hopes of encouraging the FTC to take meaningful action to protect American consumers. For more information, see EPIC: Cloud Computing and EPIC: Social Networking Privacy. (Jan. 28, 2010)
  • EPIC Defends Privacy of Facebook Users: Files Complaint with the Federal Trade Commission +
    EPIC has filed a complaint with the Federal Trade Commission, urging the FTC to open an investigation into Facebook’s revised privacy settings. The EPIC complaint, signed by nine other privacy and consumer organizations, states that the  "changes violate user expectations, diminish user privacy, and contradict Facebook’s own representations." EPIC cites widespread opposition from Facebook users, security experts, bloggers, and news organizations. A previous EPIC complaint to the FTC, concerning the data broker industry, produced the largest settlement in the FTC's history.  For more information, see EPIC: In re Facebook, Frequently Asked Questions Regarding EPIC's Facebook Complaint, and EPIC Facebook Privacy. EPIC PRESS RELEASE. (Dec. 17, 2009)
  • FTC Considers Emerging Privacy Concerns at First Privacy Roundtable +
    The Federal Trade Commission held the first of three privacy roundtables this week in Washington, DC. The well-attended event featured privacy and security experts from around the country, with each panel consisting of at least one industry representative and one privacy advocate. The failure of the current notice and choice model, the need to regulate behavioral targeting, concerns about government access to data, and the high privacy expectations of consumers were among recurring topics throughout the day. EPIC's Marc Rotenberg said it was important for the Commission to focus on emerging business practices and the impact on consumer privacy. The second privacy roundtable will be held on Data Privacy Day - January 28, 2010 - at the University of California, Berkeley School of Law. The FTC welcomes comments from the public in advance of the roundtable. (Dec. 9, 2009)
  • President Obama Nominates Brill and Ramirez for Federal Trade Commission +
    President Obama nominated Julie Brill and Edith Ramirez to be commissioners of the Federal Trade Commission. Brill, North Carolina’s top consumer advocate, serves as the senior deputy attorney general and chief of consumer protection and antitrust for the North Carolina Department of Justice. Ramirez, who specializes in intellectual property and complex litigation matters, is a partner in a Los Angeles, California law firm and has experience representing companies such as Mattel, Inc. and Northrop Grumman Corp. In a press release, President Obama stated, “These individuals bring a depth of experience to their respective roles, and I am confident they will serve my administration and the American people well. I look forward to working with them in the months and years ahead.” (Nov. 17, 2009)
  • EPIC to FTC: "Parental Control" Software Firm Gathers Data for Marketing +
    EPIC filed a complaint with the Federal Trade Commission against Echometrix, the developer of parental control software that monitors children’s online activity. Echometrix analyzes the information collected from children and sells the data to third parties for market-intelligence research. The EPIC complaint alleges that Echometrix engages in unfair and deceptive trade practices by representing that the software protects children online while simultaneously collecting and disclosing information about children's online activity. The complaint further alleges that Echometrix’s practices violate the Children’s Online Privacy Protection Act by collecting and disclosing information from children under the age of 13. The EPIC complaint asks the FTC to stop these practices, seek compensation for victims, and ensure that Echometrix’s collection and disclosure practices comply with COPPA. For more information on the Children’s Online Privacy Protection Act, see EPIC COPPA. (Sep. 29, 2009)
  • Federal Trade Commission to Host Privacy Roundtables +
    The Federal Trade Commission has announced a series of roundtables on consumer privacy, beginning December 7. These discussions will explore many issues, including consumer information collection, information management practices, new business practices, and the adequacy of existing privacy laws. Roundtable participants will include individuals from a wide range of related fields, including privacy and technology experts. The meetings are open and public comments are encouraged. EPIC has supported the FTC's privacy mission, but has also said that the agency needs to do a lot more to safeguard consumer privacy. For more information, see EPIC FTC page. (Sep. 16, 2009)
  • Trade Commission Prohibits Robocalls +
    The Federal Trade Commission is prohibiting commercial telemarketing calls to consumers after September 1, 2009. The agency amended the Telemarketing Sales Rule, which imposes a penalty of $16,000 per call, to cover sellers and telemarketers who transmit prerecorded messages to consumers who have not agreed in writing to accept such messages. The Telemarketing Rule is authorized under the Telemarketing and Consumer Fraud and Abuse Prevention Act. The new rule does not prohibit informational messages or calls by politicians, banks, telephone carriers, and charities. EPIC has urged the FCC to require strong privacy safeguards for telephone customers' personal information, and protect wireless subscribers from telemarketing. See also EPIC Telemarketing and Telephone Consumer Protection Act. (Aug. 28, 2009)
  • FTC Issues Final Breach Notification Rule for Electronic Health Information +
    The Federal Trade Commission issued a final rule requiring breach notification by vendors of medical records and related entities. In June, EPIC submitted comments recommending that all entities handling electronic health records be subject to the regulation and that the FTC should establish a central location to track and announce breaches. The FTC modified the rule accordingly. EPIC had also recommended that information "accessed" be treated as "acquired", substitute media notices be used as supplemental notification, verification of data breach notices be required, minimum security standards be created, penalties for violations be assessed, and the creation of "safe-harbors" for de-identified data be opposed. The rule was mandated under the American Recovery and Reinvestment Act. See EPIC Medical Privacy and EPIC Identity Theft. (Aug. 21, 2009)
  • Privacy and Consumer Groups Seek New FTC Commissioner +
    EPIC joined other privacy and consumer organizations on a letter to President Obama urging the appointment of a pro-consumer Commissioner to the Federal Trade Commission (FTC). The groups called for the appointment of someone with a “distinguished record of achievement in consumer affairs, with a demonstrated commitment to protecting the public.” The Commission has been one person short of its full membership since former Chair Deborah Platt Majoras left the agency last year. The President appointed Jon Leibowitz to serve as the current chair of the FTC. For more information, see EPIC’s page on the Federal Trade Commission. (Apr. 27, 2009)
  • Federal Trade Commission to Review EPIC Cloud Computing Complaint +
    The Federal Trade Commission will review EPIC's March 17, 2009 complaint, which describes Google's unfair and deceptive business practices concerning the firm's Cloud Computing Services. EPIC's complaint describes numerous data breaches involving user-generated information stored by Google, including the recently reported breach of Google Docs. EPIC's complaint "raises a number of concerns about the privacy and security of information collected from consumers online," federal regulators said. EPIC urged the Commission to take "such measures as are necessary" to ensure the safety and security of information submitted to Google. Previous EPIC complaints have led the Commission to order Microsoft to revise the security standards for Passport and to require Choicepoint to change its business practices and pay $15 m in fines. For more information, see EPIC's complaint to the FTC. EPIC's Cloud Computing Page. (Mar. 19, 2009)
  • EPIC Petitions FTC to Investigate Google, Cloud Computing Services +
    EPIC has formally asked the Federal Trade Commission to open an investigation into Google's Cloud Computing Services -- including Gmail, Google Docs, and Picasa -- to determine "the adequacy of the privacy and security safeguards." The petition follows the recent report of a breach of Google Docs. EPIC cited the growing dependence of American consumers, businesses, and federal agencies on cloud computing services, and urged the Commission to take "such measures as are necessary" to ensure the safety and security of information submitted to Google. Previous EPIC complaints have led the Commission to order Microsoft to revise the security standards for Passport and to require Choicepoint to change its business practices and pay $15 m in fines. (Mar. 17, 2009)
  • Trade Commission Issues Voluntary Guidelines for Online Tracking, Targeting, and Advertising +
    Today, the Federal Trade Commission released voluntary guidelines for Internet advertising and behavioral targeting. The guidelines set out four principles: "1) transparency and consumer control; 2) reasonable security and limited data retention for consumer data; 3) affirmative express consent for material retroactive changes to privacy promises; and 4) affirmative express consent to (or prohibition against) use of sensitive data." There is no means to enforce the guidelines, and Commissioners Jon Leibowitz and warned that they are insufficient to ensure consumers' privacy. Commissioner Harbour cautioned that the guidelines "focus too narrowly" and urged rulemakers to "take a more comprehensive approach to privacy." The guidelines are in part a response to EPIC's 2007 Complaint regarding the Google-Doubleclick merger raising concerns about the profiling of Internet users and the need to establish clear privacy safeguards as a condition of the merger. For more information, see EPIC's Complaint regarding the Google/DoubleClick merger and page Privacy? Proposed Google/DoubleClick Deal. (Feb. 12, 2009)
  • Consumer Groups Urge Trade Commission to Investigate Mobile Marketing +
    The Center for Digital Democracy and the U.S. Public Interest Research Group filed a complaint with the Federal Trade Commission to investigate the growing threat to consumer privacy in the mobile advertising world. Certain services track, analyze, and target the public and build secret profiles. Users are targeted based on their online behavior and their location. The complaint urges the Commission to define and clarify practices, review self-regulation, require notice and disclosure and also protect the public. Earlier, thirty Privacy Coalition members sent a letter to President-elect Barack Obama highlighting the importance of protecting consumer privacy in new network services. For more information, see EPIC's page on Privacy and Consumer Profiling. (Jan. 13, 2009)

EPIC's work on consumer privacy includes the following subject areas:

Internet of Things

IoT image"The Internet of Things" (IoT) refers to the capability of everyday devices to connect to other devices and people through the existing Internet infrastructure. This increased connectivity raises a myriad of consumer privacy and data security issues.

Featured Pages

Featured Agency Comments

EPIC's Comments to the Federal Trade Commission

EPIC's FTC Complaints

In re: Samsung 'SmartTVs'

EPIC's complaint concerns the consumer privacy violations of Samsung's "always on" SmartTV.


EPIC's Testimony and Letters

  • Testimony on "The Internet of Cars" before the U.S. House of Representatives Committee on Oversight and Government Reform, Nov. 18, 2015
  • EPIC Letter to FTC re: "Always-On" Devices (July 10, 2015). EPIC urged the FTC and DOJ to investigate "Always-On" Consumer Devices that record and store private communications

Additional Resources

Internet Privacy, Online Tracking & Big Data

Cybersecurity imageOnline tracking continues to grow increasingly complex and pervasive, and it poses a great threat to consumer privacy. Companies are amassing huge volumes of data with little understanding of the consequences and too few safeguards. Too often, the organizations gathering Big Data obtain the benefits, but the individuals bear the costs. This leads to asymmetries of power and new, more subtle means of control. EPIC fights to restore control to consumers over their personal data and to limit corporate abuse of consumer profiling and Big Data.

Featured Pages

Amicus

Litigation

Featured Agency Comments

EPIC Comments to the Federal Trade Commission

EPIC's Comments to the Dept. of Commerce

EPIC's Comments to the Office of Science and Technology Policy

EPIC's FTC Complaints

In re: Scholarships.com

EPIC's complaint concerns the business practices of Scholarships.com


In re: Google (Cloud Computing)

EPIC's complaint urged the FTC to open an investigation into Google's Cloud Computing Services -- including Gmail, Google Docs, and Picasa -- to determine "the adequacy of the privacy and security safeguards."


In re: Awarenesstech.com, RemotePCSpy.com, Covert-Spy.com, RemoteSpy.com, and Spy-guide.net

EPIC's Domestic Violence and Privacy Project filed a complaint with the Federal Trade Commission against several purveyors of stalker spyware.


In re: AskEraser

EPIC's complaint alleges that Ask.com is engaging in unfair and deceptive trade practices concerning AskEraser, a product that purports to protect Internet search privacy.


In re: Google and DoubleClick

EPIC's complaint urged the Commission to open an investigation into the proposed acquisition of DoubleClick by Google, specifically with regard to the ability of Google to record, analyze, track, and profile the activities of Internet users with data that is both personally identifiable and data that is not personally identifiable.


In re: ChoicePoint

EPIC's complaint urged the agency to investigate the compilation and sale of personal dossiers by data brokers such as ChoicePoint.


In re: JetBlue and Acxiom

EPIC's complaint alleges that JetBlue and Acxiom violated federal consumer law when they transferred information on passengers in violation of their own privacy policies.


In re: DoubleClick and Abacus

EPIC's complaint alleges that DoubleClick violated laws prohibiting unfair and deceptive business practices.


Additional Resources

Communications Privacy

Featured Pages

Amicus

Featured Agency Comments

EPIC's Comments to the FCC

EPIC's FTC Complaints

In re: Verizon Wireless

EPIC's complaint charges that Verizon Wireless has engaged in unfair and deceptive trade practices in violation of consumer protection law.


In re: Intelligent e-Commerce

EPIC's complaint concerns the illegal sale of personal information obtained from telephone carriers.


Additional Resources

Social Media and Apps

Featured Pages

Amicus

Litigation

  • EPIC v. FTC (Enforcement of the Google Consent Order)

Featured Agency Comments

EPIC's Comments to the Federal Trade Commission

EPIC's FTC Complaints

In re: WhatsApp, Inc.

Concerning WhatsApp's plan to transfer user data, including personal phone numbers, to Facebook.


In re: Facebook (Psychological Study)

EPIC's complaint concerns Facebook's "secretive and non-consensual use of personal information to conduct an ongoing psychological experiment on 700,000 Facebook users, i.e. the company purposefully messed with people's minds."


In re: WhatsApp

EPIC's complaint concerns Facebook's proposed purchase of WhatsApp


In re: Samsung

EPIC's complaint concerns Samsung's Magna Carta App, which collects massive amounts of personal information from users, including location data and data pulled from other accounts and other apps on the users phones.


In re: Snapchat

EPIC's complaint concerns Snapchat, the publisher of a mobile app that encourages user to share intimate photos and videos. The company represents that users can make photos and videos "disappear forever." In fact, the photos can be retrieved by others after they should have vanished.


In re Facebook II (Settings)

EPIC's complaint focuses on the unfair and deceptive trade practices of Facebook with respect to sharing of user information with third-party application developers.


In re: Google Buzz

EPIC's complaint focuses on the unfair and deceptive trade practices of Google with respect to Google's transformation of an email service to a social networking service without offering Gmail users meaningful control over their information or opt-in consent.


In re: Facebook

EPIC's complaint focuses on the unfair and deceptive trade practices of Facebook with respect to sharing of user information with third-party application developers.


FOIA

Additional Resources

Location Privacy

Featured Pages

EPIC's FTC Complaints

In re: Uber Privacy Policy

EPIC's complaint charges that Uber's plan to track users and gather contact details is an unlawful and deceptive trade practice.


Additional Resources

Financial Privacy

Featured Pages

Amicus

Featured Agency Comments

EPIC's Comments to the CFPB

EPIC's FTC Complaints

In re: Experian

EPIC's complaint urged the FTC to investigate the marketing practices of credit reporting agency Experian for broadly disseminating advertising that offers for "free" credit reports, but actually provides an expensive credit monitoring service that individuals must cancel within thirty days.


Additional Resources

Medical Privacy

Medical Privacy imageSince the creation of the Hippocratic oath about 400 B.C., protecting the privacy of patients has been an important part of physicians' code of conduct. Over time, health information has come into use by many organizations and individuals who are not subject to medical ethics codes, including employers, insurers, government program administrators, attorneys and others. As uses of medical information multiplied, so have regulatory protections for this highly sensitive and deeply personal information.

Featured Pages

Amicus

  • IMS Health v. Sorrell (concerning the use of prescriber-identifiable data for targeted marketing)
  • IMS Health v. Ayotte (concerning the use of prescriber-identifiable data for targeted marketing)
  • FAA v. Cooper (concerning government disclosure of HIV status; emotional injury as harm under the Privacy Act)

Featured Agency Comments

EPIC Comments to the Dept. of Health and Human Services

Additional Resources

Children's Privacy

The Children's Online Privacy Protection Act ("COPPA") specifically protects the privacy of children under the age of 13 by requesting parental consent for the collection or use of any personal information of the users. COPPA was passed in response to a growing awareness of Internet marketing techniques that targeted children and collected their personal information from websites without any parental notification.

Featured Pages

Featured Agency Comments

EPIC's Comments to the FTC

EPIC's FTC Complaints


In re: Echometrix

EPIC's complaint alleges that Echometrix engages in unfair and deceptive trade practices by representing that the software protects children online while simultaneously collecting and disclosing information about children's online activity.


In re: Amazon.com

EPIC's complaint urged the FTC to investigate Amazon.com for violations of the Children's Online Privacy Protection Act (COPPA).


Additional Resources

EPIC's Consumer Privacy Comments

Federal Trade Commission

Federal Communications Commission

Food and Drug Administration

Consumer Financial Protection Bureau

Department of the Treasury

Department of Commerce

Office of Science and Technology Policy

Office of the United States Trade Representative

Congress

State Agencies

International

Consumer Privacy Resources

Media Coverage

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security