- California Enacts Comprehensive Student Privacy Law: California has passed the "Student Online Personal Information Protection Act," a comprehensive student privacy law. Among other provisions, the new law: (1) prohibits K-12 mobile and online service operators from using student information to target advertisements to students; (2) prohibits online service providers from creating K-12 student profiles for commercial purposes; and (3) forbids companies from selling student information. The law also requires K-12 mobile and online service operators to establish security measures and to delete student information at the request of a school or district. California also passed a law requiring schools that outsource student records to include privacy in contracts, and a law governing school social media monitoring programs. The Student Online Personal Information Protection Act incorporates many proposals EPIC outlined in the Student Privacy Bill of Rights. For more information, see EPIC: Student Privacy, EPIC: EPIC v. Education Dept., and EPIC: Echometrix. (Oct. 2, 2014)
- Federal Trade Commission Acts Late and Ineffectively on EPIC Complaint Regarding Echometrix: The Federal Trade Commission announced a settlement of its charges against Echometrix, over one year after EPIC filed a complaint in this matter. Echometrix is a software company that sold "parental control software" that collected data on children using the Internet for marketing purposes. Under the settlement with the Agency, Echometrix agreed not to share any data and to destroy the information it had collected in its marketing database, but was not required to pay any fines. EPIC's complaint to the Agency highlighted several aspects of Echometrix products that threatened consumer privacy, and alleged that Echometrix had engaged in unfair and deceptive trade practices and violated the Children's Online Privacy Protection Act. In contrast to the Federal Trade Commission, the Defense Department quickly canceled a contract with Echometrix following EPIC's complaint, and the New York Attorney General filed charges against the company, which resulted in Echometrix paying a $100,000 penalty to the state of New York. For more information, see EPIC: Echometrix. (Nov. 30, 2010)
- Echometrix to Pay $100,000 Fine and Stop Unfair Practices in Settlement with NY AG: The New York Attorney General announced a settlement in a case against Echometrix, a software company that sold “Parental control software” that collected data on kids using the Internet for marketing purposes. EPIC filed a complaint with the FTC in 2009 alleging that Echometrix had engaged in unfair and deceptive trade practices and violated the Children's Online Privacy Protection Act. EPIC's complaint highlighted several aspects of Echometrix products that threatened consumer privacy. Documents obtained by EPIC, pursuant to a Freedom of Information Act request, revealed that the Defense Department canceled a contract with Echometrix following the EPIC FTC complaint. Under the settlement with the New York Attorney General's Office, Echometrix will pay a $100,000 penalty to the state of New York, and has agreed not to "analyze or share with third parties any private communications, information, or online activity to which they have access." For more information, see EPIC - Echometrix. (Sep. 17, 2010)
- Defense Department Pulls Parental Control Software Product Following EPIC Complaint: Documents obtained by EPIC, pursuant to a Freedom of Information Act (FOIA) request, revealed the Defense Department canceled a contract with Echometrix, following an EPIC complaint to the Federal Trade Commission earlier this year. According to the documents obtained by EPIC, the Army and Air Force Exchange Service pulled My Military Sentry, which collects data for marketing purposes, from its online store: “The collection of AAFES customer information (personal or otherwise) for any other purpose than to provide quality customer service is prohibited . . . . Giving our customers the ability to opt out does not address this issue.” For more information, see EPIC: In re Echometrix. (Dec. 4, 2009)
- EPIC to FTC: "Parental Control" Software Firm Gathers Data for Marketing: EPIC filed a complaint with the Federal Trade Commission against Echometrix, the developer of parental control software that monitors children’s online activity. Echometrix analyzes the information collected from children and sells the data to third parties for market-intelligence research. The EPIC complaint alleges that Echometrix engages in unfair and deceptive trade practices by representing that the software protects children online while simultaneously collecting and disclosing information about children's online activity. The complaint further alleges that Echometrix’s practices violate the Children’s Online Privacy Protection Act by collecting and disclosing information from children under the age of 13. The EPIC complaint asks the FTC to stop these practices, seek compensation for victims, and ensure that Echometrix’s collection and disclosure practices comply with COPPA. For more information on the Children’s Online Privacy Protection Act, see EPIC COPPA. (Sep. 29, 2009)
In 2004, SearchHelp, Inc., now Echometrix, Inc., announced the launch of parental control software products that allow parents to monitor their children’s online activities remotely. Echometrix develops FamilySafe and Sentry Parental Control products. These software products offer real-time alerts to parents when their children have encountered suspicious and potentially dangerous online material in chat rooms and instant message conversations, and allow parents to control, block, and filter their children’s computers.
In 2009, Echometrix launched PULSE, which is described as “a proprietary software engine that reads digital content from multiple sources across the web, including: instant messages (“IM”), blogs, social environment communities, forums, and chat rooms.” PULSE analyzes the data and provides market research intelligence about children to firms. Echometrix licenses the PULSE software for a fee.
EPIC conducted an in-depth study of these products and recognized several significant flaws with regard to consumer privacy protection. EPIC found that Echometrix (1) fails to fully disclose its information collection and disclosure practices on its websites; (2) collects sensitive information from children and simultaneously discloses it to third parties for marketing purposes; and (3) fails to warn users of the dangers of misusing the products.
EPIC filed a complaint to the FTC alleging that Echometrix engages in unfair and deceptive trade practices and also violates the Children's Online Privacy Protection Act (COPPA). The complaint asked the FTC to conduct an investigation into Echometrix’s products, enjoin its unfair and deceptive practices, and seek damages for aggrieved individuals. Further, EPIC requested that the FTC enjoin Echometrix from offering these products until the company verifiably establishes that its data collection, use, and disclosure practices comply with the FTC Act, COPPA, and other applicable federal laws.
EPIC's complaint describes the harm from Echometrix’s online data collection - harm that is experienced by the millions of children and teenagers in the United States who are not aware they are being monitored. The harm is also experienced by parents who unwittingly subject their children’s private information to third parties for marketing purposes. The deployer of the software is also harmed - in this case, a licensor of the PULSE software who is exposed to legal risks by using the software as advertised. Parental control software, if used for its narrow purposes as advertised, is not inherently deceptive. However, risks come with the company’s failure to disclose their practices concerning information collection, disclosure, and use.
The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. § 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.
The FTC has the authority to enforce the Children’s Online Privacy Protection Act (COPPA) under 15 U.S.C. §§ 6501-06. The FTC has used this enforcement authority to prosecute fourteen COPPA violators. Although many FTC COPPA cases concern violations by website operators, the FTC has also successfully penalized the “information collection practices of [one] online service in connection with a software product.”
- EPIC's Complaint to the FTC (pdf) (September 25, 2009)
- Brian Tarran, Privacy Group Logs FTC Complaint over Echometrix, Research (September 30, 2009).
- Wendy Davis, Company Allegedly Uses Monitoring Software to Collect Data from Children, MediaPost (September 29, 2009).
- Deborah Yao, Web-Monitoring Software Gathers Data on Kid Chats, ABC News (September 4, 2009).