Focusing public attention on emerging privacy and civil liberties issues

Federal Trade Commission

Latest News

  • FTC Ignores Public Comments on Safe Harbor Settlements: The Federal Trade Commission has settled charges against fourteen companies that misrepresented compliance with the EU-US Safe Harbor privacy arrangement. In response to the FTC's request for public comment on the pending settlements, EPIC recommended that the Commission: (1) require the companies to comply with the Consumer Privacy Bill of Rights; (2) publish the companies' consent order compliance reports as they are submitted; and (3) strengthen the sanctions against a DNA testing firm, whose misrepresentations puts genetic information at risk. However, the FTC declined to make any changes. EPIC has previously stated that the Commission's ongoing failure to modify consent orders in response to public comments is "contrary to the interests of American consumers." An Irish Court has recently asked the European Court of Justice to determine whether the Safe Harbor Arrangement still provides adequate protection for EU consumer. For more information, see EPIC: EU Data Protection Directive and EPIC: Federal Trade Commission. (Jun. 27, 2014)
  • Facebook to Profile User Browsing, May Violate FTC Consent Order: Facebook has announced that it will collect detailed browser history on users for advertising purposes. Users who object were told to opt-out. The plan may violate a Federal Trade Commission order, prohibiting Facebook from changing its business practices without users’ express consent. The FTC order follows from complaints filed by EPIC and other consumer privacy organizations in 2009 and 2010. In issuing the order, the FTC found that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." A recent Consumer Reports poll found that consumers overwhelmingly object to having their online activities tracked for advertising purposes. For more information, see EPIC: Facebook Privacy, EPIC: FTC Facebook Settlement, EPIC: Online Tracking and Behavioral Profiling, and EPIC: Practical Privacy Tools. (Jun. 12, 2014)
  • EPIC Urges FTC to Protect Snapchat Users' Privacy: EPIC has submitted comments to the Federal Trade Commission, urging the agency to require Snapchat to safeguard consumer privacy. Following a 2013 EPIC complaint, the FTC signed a consent order with Snapchat, the publisher of a mobile app that encourages users to share intimate photos and videos. Snapchat claimed that pictures and videos would "disappear forever," but that was false. As EPIC explained, "Snapchat photos and videos remain available to others even after users are informed that the photos and videos have been deleted." EPIC expressed support for the findings in the proposed FTC Settlement with Snapchat. But EPIC recommended that the FTC require Snapchat to implement the Consumer Privacy Bill of Rights and make Snapchat's independent privacy assessments publicly available. EPIC pursued similar claims involving false promises about data deletion with AskEraser. EPIC has also made similar recommendation for other proposed FTC consumer privacy settlements. For more information, see EPIC: In re Google, EPIC: In re Facebook, and EPIC: FTC. (Jun. 10, 2014)
  • Federal Trade Commission Urges Court to Protect Student Privacy: The Federal Trade Commission is opposing the sale of student data in a bankruptcy proceeding for ConnectEDU. The company privacy policy promises it will give students "reasonable notice and an opportunity to remove personally identifiable information" from its website. The FTC said that the sale of student information "without reasonable notice to users and an opportunity to remove personal information would contradict the privacy statements originally made to users." The FTC letter also cites consent agreements with Snapchat, Google, and Facebook. Each of these consent orders was a result of an EPIC FTC complaint. Last year, EPIC filed an extensive complaint concerning Scholarships.com's business practices. The company encourages students to divulge sensitive medical, sexual, and religious information to obtain financial aid information. For more information, see EPIC: Student Privacy, EPIC: In re Google Buzz, EPIC: In re Facebook, and EPIC: Federal Trade Commission. (May. 29, 2014)
  • FTC Report on Data Brokers Fails to Address Consumer Privacy Concerns: The Federal Trade Commission has published "Data Brokers: A Call for Transparency and Accountability." The report follows from a FTC Investigation of the data broker industry. The report describes the unbounded collection of personal information about American consumers that is then widely sold in the private sector. The Commission recommended modest legislative changes and failed to address many of consumers' privacy concerns, including profiling and "scoring" of consumers. Commissioner Julie Brill issued a statement, calling for more substantial consumers safeguards. Senators Rockefeller and Markey have also introduced The Data Broker Accountability and Transparency Act of 2014 (DATA Act), which would regulate data brokers and other companies that profit from the sale of consumer information. In 2005, EPIC testified before the the House Commerce Committee on "Identity Theft and Data Broker Services" and Urged Congress to establish comprehensive regulation of the data broker industry following the disclosure that Choicepoint was selling personal information to criminals engaged in identity theft. For more information, see EPIC: Choicepoint, EPIC: Privacy and Consumer Profiling, and EPIC: FTC. (May. 27, 2014)
  • Sprint Pays FCC A Record $7.5M For Violating Do Not Call: Sprint has reached a $7.5 million settlement with the Federal Communications Commission for violations of the Do Not Call national registry. It is the FCC's largest Do Not Call settlement ever. The settlement follows a 2011 consent decree between Sprint and the FCC which also arose out of complaints from Do Not Call registrants. Under the terms of the current settlement, Sprint must develop a compliance plan, and file two years of compliance reports with the Commission. Additionally, Sprint must designate a Do Not Call Compliance Officer and retrain all employees. EPIC has spent 20 years helping to establish and enforce the Telephone Consumer Protection Act. In 2002, EPIC and ten leading advocacy groups filed comments to both the FCC and the Federal Trade Commission, advocating the creation of the Do-Not-Call Registry. EPIC has also recommended that Congress establish a National Do Not Track registry for online consumers. For more information, see EPIC: Do Not Call Registry Timeline, EPIC: Illegal Sale of Phone Records, and EPIC: Federal Trade Commission. (May. 20, 2014)
  • EPIC's Snapchat Privacy Complaint Results in 20-Year FTC Consent Order: Following a 2013 EPIC complaint, the FTC has signed a consent order with Snapchat, the publisher of a mobile app that encourages user to share intimate photos and videos. Snapchat claimed that pictures and videos would "disappear forever." However, the images could be retrieved by others. As EPIC wrote in the complaint "Snapchat photos and videos remain available to others even after users are informed that the photos and videos have been deleted." In announcing the settlement, FTC Chairwoman Edith Ramirez said, "If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises. Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action." Under the settlement, Snapchat will be subject to 20 years of privacy audits, and will be prohibited from making false claims about its privacy policies. EPIC pursued similar claims involve false promises about data deletion with AskEraser. The FTC will be accepting Public Comments on the proposed Snapchat consent order. For more information, see EPIC: In re Google, EPIC: In re Facebook and EPIC: FTC. (May. 8, 2014)
  • Facebook Introduces New Privacy Features: Amidst growing concern about Facebook's disclosure of user information to third parties, the company has announced two new privacy options. Users may now decide how much of their information to disclose to Facebook apps before signing up. Users may also test apps anonymously - without transmitting the Facebook User ID to the developer. The changes appear to be a response to the 2011 Consent Order, pursued by EPIC and a coalition of privacy organization, that requires the company to obtain express affirmative consent from users before disclosing personal information to third parties. In the first report on Internet privacy, "Surfer Beware: Personal Privacy and the Internet" (1997), EPIC said web sites should "support anonymity while developing policies and practices to protect information privacy." For more information, see EPIC: Facebook Privacy, EPIC: Internet Anonymity, and EPIC: FTC. (May. 1, 2014)
  • Patent to Block Facial Recognition Follows Sale of Google Glass: A patent for a technology that shields users from nearby video cameras has emerged. The patent describes a detector that would blur the images of people on portable camera displays, preventing video surveillance. The patent surfaced following Google's release of Google Glass for sale by the general public. Google is seeking a patent for a contact lens style for Glass that would escape public detection. Google is also seeking to trademark the word "glass," which the US Patent and Trademark Office opposes. EPIC previously submitted comments to the Federal Trade Commission recommending the suspension of facial recognition techniques pending the establishment of privacy safeguards. For more information, see EPIC: Google Glass and Privacy, EPIC: Facial Recognition and EPIC: Federal Trade Commission. (Apr. 25, 2014)
  • Report Reveals Rise in Teens' Desire for Online Privacy: A report released by the Intelligence Group, a "youth-focused, research-based consumer insights company," reveals that teens want more online privacy than ever before. According to the report, only 11% of teens currently share "a lot about themselves online" - a 7% decrease from the same age group last year. By contrast, 17% of young adults aged 19- to 24 and 27% of adults aged 25 to 34 currently share "a lot about themselves online." The report also indicates that "about 18% of teens share content on social media at least once a day, including status updates, photos, pins, or articles, compared with 28% of 19- to 24-year-olds and 35% of 25- to 34-year-olds." Recently, EPIC objected to a settlement agreement that would allow Facebook to use images of teens in online advertising. EPIC has also filed comments with the FTC supporting stronger regulations to protect children's data online. For more information, see EPIC: Fraley v. Facebook, EPIC: COPPA and EPIC: FTC. (Apr. 25, 2014)
  • Court Upholds FTC Authority to Safeguard Data Privacy: A federal judge has ruled that the Federal Trade Commission has the power to enforce data security standards. In the case FTC v. Wyndham, the Commission alleged that criminals stole hundreds of thousands of credit card numbers from hotel guests because Wyndham Hotels maintained lax data security. Wyndham responded that the FTC could not bring an enforcement action against the company without first publishing regulations. Judge Esther Salas held that the FTC's authority to investigate "unfair or deceptive" business practices included data protection. FTC Chairwoman Edith Ramirez stated earlier, "Companies should take reasonable steps to secure sensitive consumer information. When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers." For more information, see EPIC: Federal Trade Commission, and EPIC: Big Data and the Future of Privacy. (Apr. 11, 2014)
  • FTC Responds to EPIC Complaint on WhatsApp and Privacy: The Federal Trade Commission has notified Facebook and WhatsApp that they must honor their privacy commitments to users. According to the letter from the Director of the FTC Bureau of Consumer Protection, "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC letter followed a detailed complaint from EPIC and CDD concerning the privacy implications of the $19B sale to Facebook. WhatsApp had assured users of strong privacy safeguards prior to the sale. The FTC letter concludes "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." For more information, see EPIC: In re: WhatsApp, EPIC: In re: Facebook and EPIC: Federal Trade Commission. (Apr. 10, 2014)
  • FTC Commissioner Wright Meets with Industry Lobbyists, Not Consumer Representatives: Through a Freedom of Information Act request, EPIC obtained the appointment calendar of FTC Commissioner Wright. The Commissioner's calendar reveals many meetings with corporate presentatives but no meetings with public interest organizations representing consumers. One of FTC's primary missions is to protect consumers from unfair and deceptive business practices. Commissioner Wright became an FTC Commissioner in January 2013. Since then he has met with representatives from Apple, Microsoft, Verizon, Qualcomm, the Network Advertising Initiative, and the Consumer Data Industry Association. He has attended industry conferences and given talks at trade association meetings. EPIC tried several times to arrange a meeting between Commissioner Wright and the Privacy Coalition—a nonpartisan coalition of consumer, civil liberties, educational, family, library, and technology organizations. The Privacy Coalition has hosted meetings with many FTC commissioners over the past decade. After repeatedly declining a meeting with the consumer privacy organizations, EPIC filed a FOIA request for the FTC Commissioner's appointment calendar. For more information, see EPIC: Federal Trade Commission. (Apr. 8, 2014)
  • Fandago and Credit Karma Settle FTC Charges for Weak App Security: Two companies have settled Federal Trade Commission charges that they misrepresented the security of their mobile apps. Fandango and Credit Karma failed to enable SSL encryption, leaving user data vulnerable on mobile apps. "Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps," FTC Chairwoman Edith Ramirez said in a statement. The settlements require the companies to establish data security programs, and to undergo security assessments by the Commission for the next 20 years. EPIC recently brought a complaint to the FTC concerning Scholarship.com, a company that failed to establish adequate security safeguards. Not long after the complaint from EPIC, the company implemented SSL. EPIC had earlier recommended that the Commission require encryption for all cloud-based services. For more information, see EPIC: Federal Trade Commission, and EPIC: EPIC Online Guide to Practical Privacy Tools. (Mar. 28, 2014)
  • Federal Trade Commission Backs Users in Facebook Privacy Case: The FTC has filed an amicus brief in a case before a federal appeals court concerning Facebook users. If a controversial settlement is approved, Facebook will display the images of users, including young children, in Facebook advertising without consent. Several Facebook users formally objected to the plan, arguing that it would violate state laws. A children's advocacy organization also objected, stating that the "settlement is actually worse than no settlement." The FTC brief explains that state privacy laws do prevent the display of children's images without consent. EPIC also filed an amicus brief in support of the users, explaining that the settlement is unfair and should be rejected. EPIC and a coalition of consumer privacy organizations filed an extensive complaint with the Federal Trade Commission that eventually required Facebook to improve its privacy practices. For more information, see EPIC: In re Facebook and EPIC: Fraley v. Facebook. (Mar. 21, 2014)
  • FTC Adopts EPIC's Recommendations on Improved FOIA Processing: The Federal Trade Commission has issued a final rule updating its Freedom of Information Act fee provisions. EPIC submitted extensive comments to the agency, supporting proposed fee reductions but also recommending changes to strengthen open government. The FTC adopted nearly all of EPIC's proposals. The FTC announced that all "Commission decisions, orders, and other public materials" will be electronically available to all requesters without charge. The FTC also said it would grant requesters additional time to assess fees associated with FOIA requests rather than simply terminate processing. The FTC agreed to be more lenient in resolving unpaid FOIA fees. The Commission also adopted EPIC's recommendation to disclose private sector contract rates for FOIA processing. EPIC routinely comments on agency proposals that impact FOIA requesters' rights. For more information, see EPIC: Open Government and EPIC: Federal Trade Commission. (Mar. 21, 2014)
  • EPIC Updates Facebook Complaint, Urges Careful Review of WhatsApp Acquisition: EPIC has filed a supplemental complaint regarding Facebook's $19 b purchase of WhatsApp. WhatsApp users had relied on the messing app's pro-privacy practices to protect their personal information, while Facebook regularly incorporates user data from the companies it acquires. In the initial complaint, EPIC urged the Federal Trade Commission to block the sale unless adequate privacy safeguard for WhatsApp user data were established. In the supplemental complaint, EPIC provided more evidence that WhatsApp users object to the acquisition. EPIC also highlighted the importance of the FTC's pre-merger review process. Recently, the Commission approved Google's purchase of Nest Labs without considering the privacy implications for consumers. For more information, see EPIC: In re WhatsApp and EPIC: Federal Trade Commission. (Mar. 21, 2014)
  • WhatsApp Founder Responds to EPIC Privacy Complaint: Following Facebook's announced plan to purchase WhatsApp, a popular pro-privacy messaging services, EPIC urged the FTC to block the acquisition. EPIC explained to the Commission that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. WhatsApp founder Jan Koum has now published a blog post in response to the EPIC Complaint. Koum wrote, "Above all else, I want to make sure you understand how deeply I value the principle of private communication. For me, this is very personal." He added, "Make no mistake: our future partnership with Facebook will not compromise the vision that brought us to this point." For more information, see EPIC: In re WhatsApp, EPIC: Federal Trade Commission, and EPIC: In re Facebook. (Mar. 18, 2014)
  • EPIC Urges FTC to Strengthen Safe Harbor Settlements: EPIC has submitted comments to the Federal Trade Commission, urging the agency to improve pending settlements in several Safe Harbor enforcement actions. According to the FTC, twelve companies misrepresented compliance with the EU-US privacy arrangement. EPIC recommended that the Commission revise the proposed orders to: (1) require the companies to comply with the Consumer Privacy Bill of Rights; (2) publish the companies' consent order compliance reports as they are submitted; and (3) strengthen the sanctions against a DNA testing firm, whose misrepresentations puts genetic information at risk. EPIC also noted that the Commission's ongoing failure to modify consent orders in response to public comments is "contrary to the interests of American consumers." For more information, see EPIC: EU Data Protection Directive and EPIC: Federal Trade Commission. (Feb. 21, 2014)
  • Senators Rockefeller and Markey Propose Data Broker Legislation: Senators Rockefeller and Markey have introduced the The Data Broker Accountability and Transparency Act of 2014 (DATA Act). The proposed Act imposes transparency and accountability requirements on data brokers and other companies that profit from the collection and sale of consumer information. Under the DATA Act, consumers would be able to access their personal information, make corrections, and opt out of marketing schemes. The DATA Act would empower the FTC to impose civil penalties on violators, and would prohibit data brokers from collecting consumer data in deceptive ways. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. In 2005, EPIC's complaint to the FTC against data broker Choicepoint lead to a $10 million settlement. For more information, see EPIC: Federal Trade Commission, EPIC: Choicepoint and EPIC: Privacy and Consumer Profiling. (Feb. 13, 2014)
  • FTC Chair Ramirez Urges Senate to Act on Data Security Legislation: The Senate Judiciary Committee hearing on "Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime" followed a series of major data breaches at Target, Neiman Marcus, and Michaels, which compromised the personal data of tens of millions of consumers. Senator Leahy, who has introduced important data privacy legislation, said "In the digital age, Americans face threats to their privacy and security unlike any time before in our Nation's history." FTC Chair Edith Ramirez expressed strong support for federal data security legislation. (2h18m). In 2012 President Obama set out a framework for consumer privacy protection, the Consumer Privacy Bill of Rights, which is supported by consumer privacy organizations. For more information, see EPIC: Privacy Legislation, EPIC: Identity Theft, and EPIC: Federal Trade Commission. (Feb. 5, 2014)
  • French Data Protection Authority Fines Google for Data Consolidation: The CNIL, the French data protection authority, has fined Google 150,000 Euro (approximately $200,000) for consolidating user data. The decision follows an investigation triggered by the collapse of the Google privacy policy in March 2012, which allowed the company to combine user data across 60 Internet services to create detailed profiles on Internet users. In 2012, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google that would have prohibited Google's changes in business practices. Google's consolidation also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order. (Jan. 9, 2014)
  • Snapchat Data Breach Exposes 4.6 Million Usernames: A data breach has exposed the usernames and partial phone numbers of 4.6 million users of Snapchat, a popular photo- and video-sharing app. The breach was accomplished by exploiting a flaw that was previously brought to company's attention by security researchers. Last year, EPIC filed a complaint with the Federal Trade Commission regarding Snapchat's deceptive claim that photos would "disappear forever" after a set period of time. The Federal Trade Commission has thus far failed to take action on the EPIC complaint. For more information, see EPIC: Federal Trade Commission. (Jan. 2, 2014)
  • Senate Report Shines Light on How Data Brokers Operate: A Senate Committee Majority Staff report released today highlights the oft-concealed practices of Data Brokers. The report finds that data brokers lack transparency and collect sensitive personal information, while individuals lack basic rights to know what data is collected or how it is used. The brokers, the report notes, prevent business customers from revealing how data is obtained. The report also exposed how personal information is often used to target the financially vulnerable. Thus far, the data broker industry has largely escaped federal regulation. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. In 2005, EPIC's complaint to the FTC against data broker Choicepoint lead to a $10 million settlement. For more information, see EPIC: ChoicePoint and EPIC: Federal Trade Commission. (Dec. 18, 2013)
  • Lights Out for Flashlight App Developer in Privacy Case: The Federal Trade Commission announced a settlement with the developer of a flashlight app for Android mobile devices that deceptively collected and then disclosed consumers' personal information to third parties. "Brightest Flashlight Free" secretly collected location information and unique identifiers from users and then provided that information to third parties, including advertising networks. The developer even even included a dummy privacy setting that had no actual effect. The settlement prohibits the company from misrepresentations and requires it to obtain the affirmative express consent of consumers before using and disclosing personal information. Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, said the flashlight app left users "in the dark about how their information was going to be used." EPIC has previously commented on mobile privacy issues before the FTC, emphasizing the importance of the Fair Information Practices. For more information, see EPIC: Federal Trade Commission. (Dec. 5, 2013)
  • FTC Announces 2014 Privacy Workshops: The Federal Trade Commission has announced a series of workshops on emerging consumer privacy issues. The series will "shine a light on new trends in Big Data and their impact on consumer privacy" and includes three topics: the use of mobile devices to track users in real space; predictive scoring algorithms that determine access to products and offers; and consumer-generated health data that falls outside HIPAA. The FTC has invited comments from the public on the proposed topics for the spring workshops. The FTC recently concluded a workshop on the Internet of Things, for which EPIC submitted comments. EPIC has also urged the Commission to enforce its prior consent orders, to incorporate the Consumer Privacy Bill of Rights in privacy settlements, and to respect public comments on proposed settlements. For more information, see EPIC: Federal Trade Commission. (Dec. 2, 2013)
  • EPIC Files FOIA Request with FTC About Facebook Investigation: EPIC filed a Freedom of Information Act request with the Federal Trade Commission for documents concerning the FTC's recent "investigation" of Facebook's policy changes. The investigation concerned changes to Facebook’s Data Use Policy that permit the use of the names, images, and content of Facebook users for commercial endorsement without user consent. Following announcement of the proposed change, EPIC and several several privacy groups wrote to the FTC objecting to the changes as a violation of a 2011 consent order with Federal Trade Commission. Senator Markey also expressed concern about the policy changes. The Commission opened an investigation which was then quietly closed allowing Facebook to go forward with the changes. For more information, see EPIC: Federal Trade Commission and EPIC: FOIA. (Nov. 19, 2013)
  • Google Announces Plan to Post Names and Photos of Users for Advertising Without Consent, May Violate 2011 FTC Consent Order: Google announced changes to its Terms of Service that will allow “your Profile name, Profile photo, and actions you take on Google or on third-party applications” to be used in advertisements. The changes will not require Google to seek the affirmative consent of users before putting their personal information to commercial use. Minors, however, will not be subject to the changes. A 2011 Consent Order with the Federal Trade Commission prohibits Google from making misrepresentations and requires the company to obtain user consent before disclosing information to third parties. EPIC recently objected to similar practices by Facebook that would allow the company to routinely use the names, images, and content of Facebook users for commercial advertising without consent. For more information, see EPIC: Federal Trade Commission and EPIC: In re Google. (Oct. 11, 2013)
  • Facebook Removes Crucial Privacy Setting for Users’ Names : Facebook has begun removing a privacy setting that allowed users to opt-out from their name being included in its “Graph Search” feature. All users, even those who had previously decided to remove their name from searches, will now be included in Graph Search results. Facebook is currently under a 20 year consent decree from the FTC that requires express affirmative consent from users before disclosing personal information which exceeds the restrictions imposed by users' privacy settings. Facebook announced the change last year, at which point EPIC warned about the consequences of Facebook removing privacy settings for its users. In 2012, EPIC sent a letter to Facebook requesting a reversal of policy changes that automatically shared users’ private information. For more information, see EPIC: Facebook and EPIC: In re Facebook. (Oct. 11, 2013)
  • Consumer Privacy Groups Ask Congress to End Secret Hearings on Data Industry: EPIC, joined by a coalition of consumer privacy groups, has asked the House of Representatives Privacy Task Force to open to the public meetings that are now taking place in secret in the hearing rooms of Congress. "We recognize that there is value in private meetings among Members and staff and with constituents," the group wrote, but said that "with public matters of common concern" meetings should be held "in the open, a public record should be created, and various viewpoints should be heard." The groups thanked Representatives Blackburn and Welch for examining "the enormously important issue of consumer privacy" but said “there is simply no reason for your task force to hold closed-door sessions." Last year, both the White House and the Federal Trade Commission recommended enactment of consumer privacy legislation. (Oct. 2, 2013)
  • Pressure Mounts on Facebook to Withdraw Proposed Changes, New Scrutiny of "Faceprints": Facebook is under increasing pressure to withdraw proposed changes that would allow the company to use the names, images, and content of Facebook users for advertising without consent. After EPIC and several privacy groups wrote to the Federal Trade Commission that the changes would violate a 2011 Consent Order, the Commission has opened an investigation. Senator Ed Markey also wrote to the FTC, stating that Facebook's changes "raise[] a number of questions about whether Facebook is improperly altering its privacy policy without proper user consent and, if the changes go into effect, the degree to which Facebook users will lose control over their personal information." Senator Al Franken has called on Facebook to reconsider expansion of its facial recognition activity. In a letter to Mark Zuckerberg, Senator Franken asked "How many face prints does Facebook have?" For more information, see EPIC: EPIC: Federal Trade Commission and EPIC: Facebook Privacy. (Sep. 13, 2013)
  • EPIC, Privacy Groups, Urge FTC to Block Facebook Policy Changes: EPIC, joined by several leading privacy and consumer protection organizations, has called on the Federal Trade Commission to enforce the terms of a 2011 settlement with Facebook. Facebook recently announced changes that would allow the company to routinely use the names, images, and content of Facebook users for commercial advertising without consent. The changes arise from a flawed class action settlement over Facebook’s Sponsored Stories program. In the letter, the privacy groups explain that Facebook’s changes violate the terms of a 2011 settlement with the FTC. For more information, see EPIC: Federal Trade Commission and EPIC: Facebook Privacy. (Sep. 5, 2013)
  • EPIC Asks FTC To Investigate "Magna Carta" App: EPIC filed a complaint with the Federal Trade Commission against Samsung, the publisher of a mobile app for Jay-Z's new album "Magna Carta Holy Grail." The Magna Carta App collects massive amounts of personal information from users, including location data and data pulled from other accounts and other apps on the users phones. The Magna Carta app also includes hidden spam techniques that force users to promote the album. Well known music critic John Pareles wrote "Jay-Z Is Watching, and He Knows Your Friends." EPIC asked the Commission to require Samsung to suspend the distribution of the app until the privacy problems are fixed and to implement the privacy protections contained in the Consumer Privacy Bill of Rights. Previously, EPIC filed an FTC complaint against Snapchat, the publisher of a mobile app that falsely claimed to delete photos and videos "forever." For more information, see EPIC: Federal Trade Commission and EPIC: Samsung "JAY-Z Magna Carta" App. (Jul. 14, 2013)
  • EU Officials Recommend Do Not Track by Default: The International Working Group on Data Protection released a white paper on online behavioral advertising. The group of leading privacy experts from around the world noted that web tracking allows companies to "monitor every single aspect of the behavior of an identified user across websites." The Working Group also observed that the current efforts of the W3C to develop a DNT track standard could "remain a sugar pill instead of being a proper cure and would such be useless." The Working Group recommended "the default setting should be such that the user is not tracked" and that there be no invisible tracking of users. Senator Rockefeller, the Commerce Committee Chairman, has introduced legislation to regulate the commercial surveillance of consumers online. For more information, see EPIC: Online Tracking and Behavioral Advertising and EPIC: Federal Trade Commission. (Jun. 28, 2013)
  • Google Bans Facial Recognition Glass Apps: Google announced that it will not approve any facial recognition apps for Google Glass, pending the development of privacy safeguards. "[W]e won't add facial recognition features to our products without having strong privacy protections in place," the company said in a blog post. In comments on facial recognition to the Federal Trade Commission last year, EPIC recommended that the Federal Trade Commission enforce Fair Information Practices against commercial actors when collecting, using, or storing facial recognition data. "In the absence of guidelines and legal standards, EPIC recommends a moratorium on the commercial deployment of facial recognition techniques," EPIC wrote to the FTC in early 2012. For more information, see EPIC: Facial Recognition and EPIC: Federal Trade Commission. (Jun. 3, 2013)
  • EPIC Submits Comments on the "Internet of Things": EPIC has submitted comments to the Federal Trade Commission in advance of a workshop on the Internet of Things. The "Internet of Things" refers to the growing capacity of devices to communicate via the Internet. EPIC’s comments listed several privacy and security risks posed by the Internet of Things, such as the collection of data about sensitive behavior patterns and an increase in the power imbalance between consumers and service providers. EPIC then made several recommendations, such as requiring companies to adopt Privacy Enhancing Techniques, respect a consumer’s choice not to tracked, profiled, or monitored, minimize data collection, and ensure transparency in both design and operation of Internet-connected devices. For more information see EPIC: Federal Trade Commission. (Jun. 3, 2013)
  • FTC Opens Investigation into Google Advertising Dominance: The Federal Trade Commission has reportedly opened a new antitrust investigation into Google’s display advertising business. The Commission is investigating whether Google used its dominant position in the display advertising market, following the acquisition of Doubleclick, to harm competition. EPIC previously opposed Google's acquisition of online advertiser Doubleclick, which was approved by the FTC over the objection of former FTC Commissioner Pamela Harbor. EPIC later testified before the Antitrust committee on Google's growing dominance of essential Internet services. Earlier this year, the Commission closed an antitrust investigation into Google’s search practices. For more information, see EPIC: Federal trade Commission and EPIC: Google/DoubleClick. (May. 29, 2013)
  • EPIC Asks FTC to Investigate Snapchat: EPIC filed a complaint with the Federal Trade Commission against Snapchat, the publisher of a mobile app that encourages user to share intimate photos and videos. The company represents that users can make photos and videos "disappear forever." In fact, the photos can be retrieved by others after they should have vanished. The EPIC complaint implicates Privacy Enhancing Technologies, which if properly implemented would minimize or eliminate the collection of personally identifiable information. The FTC described similar methods in a 2012 privacy report. Previously, EPIC filed a complaint at the FTC against AskEraser, which falsely represented that search queries would be deleted when in fact they were retained by the company and made available to law enforcement agencies. For more information, see EPIC: Federal Trade Commission. (May. 17, 2013)
  • FTC Rejects Industry Effort to Delay Children’s Privacy Rules: The Federal Trade Commission has rejected an effort by several trade groups to delay implementation of the Children’s Online Privacy Protection Act Rule, currently scheduled to take effect on July 1. In voting unanimously to retain the date, the FTC noted that it had given covered entities at least 6 months to prepare for the Rule and that industry had "not raised any concrete facts to demonstrate that a delay is necessary." The new Rule expands the definition of personal information to include geolocation information and persistent identifiers (or cookies), and prevents third-party advertisers from secretly collecting children's personal information without parental consent for behavioral advertising purposes. EPIC joined a coalition of consumer, privacy, and children's advocates in urging the FTC to keep the original implementation date. EPIC also commented in support of both the proposed rule, and a revised version introduced in August 2012. The revised rule follows a report by the FTC finding that many child-directed mobile apps did not disclose their data practices. For more information, see EPIC: FTC and EPIC: Children's Online Privacy. (May. 6, 2013)
  • EPIC Pursues Public Release of Facebook and MySpace Privacy Reports: EPIC has submitted Freedom of Information Act requests for the release of the privacy assessments of Facebook and MySpace submitted to the Federal Trade Commission. As a result of privacy violations, both companies are required to implement comprehensive privacy programs and submit to independent, biennial evaluations for 20 years. Previously, EPIC obtained a copy of Google's initial privacy assessment that redacted information about the standards by which the assessment was completed, the test procedures used to assess the effectiveness of Google's privacy controls, the procedures Google uses to identify privacy risks, and the types of personal data Google collects from users. The FTC settlements with Facebook and Google arose from complaints brought by EPIC and other consumer organizations. In comments to the agency on the proposed settlements, EPIC recommended that the privacy assessments be publicly available. For more information, see EPIC: Federal Trade Commission and EPIC: Open Government. (Apr. 26, 2013)
  • Consumer Groups Oppose Delay for New Children’s Privacy Rules: A group of consumer, privacy, and children's advocates wrote to the Federal Trade Commission to oppose an industry effort to delay implementation of the new Children's Online Privacy Protection Act rule. The groups noted that two-and-a-half years have passed since the Commission proposed the updates to COPPA. They said there was no "compelling reason for giving the industry more time to comply with the law." The new Rule expands the definition of personal information to include geolocation information and persistent identifiers (or cookies), and prevents third-party advertisers from secretly collecting children's personal information without parental consent for advertising purposes. EPIC previously commented in support of the proposed rule and a revised version. The new safeguards follow a report by the FTC finding that many child-directed mobile apps conceal their data collection practices. For more information, see EPIC: FTC and EPIC: Children’s Online Privacy. (Apr. 23, 2013)
  • FTC Releases 2013 Report: The Federal Trade Commission has released its annual report for the period from April 2012-2013. The report begins with a description of the FTC’s accomplishments on consumer privacy, and lists the data-breach lawsuit against Wyndham, Google’s $22.5 million fine for tracking Safari users, settlements with the data brokers Equifax and Spokeo, and a survey of the credit reporting industry. EPIC has previously recommended that the FTC enforce its consent orders with Google and Facebook, require adoption of the Consumer Privacy Bill of Rights, and modify proposed settlements in response to public comment. For more information, see EPIC: Federal Trade Commission. (Apr. 16, 2013)
  • EPIC Comments on FTC's FOIA Procedures: EPIC has submitted comments to the Federal Trade Commission, supporting several of the agency's changes to its FOIA regulations. EPIC applauded the agency for reducing fees for requesters. EPIC also urged the Committee to: (1) update its definition for news media representative; (2) clarify which documents are public information and ensure that hyperlinks to those records work properly; (3) disclose private sector contract rates for FOIA processing; (4) refrain from prematurely closing FOIA requests; and (5) adopt alternative dispute resolution or arbitration when resolving delinquent FOIA fees. EPIC routinely comments on agency proposals that impact the rights of FOIA requesters. Last year, EPIC submitted extensive comments to theDepartment of Defense, warning the agency not to erect new obstacles for FOIA requesters. For more information, see EPIC: Open Government. (Apr. 4, 2013)
  • EU Takes Action Against Google for Privacy Policy Meltdown: Data protection agencies in six European countries have announced enforcement actions against Google. The agencies acted after Google ignored recommendations to comply with European data protection law. "It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation," the French data protection authority said. The enforcement action follows from Google's March 2012 decision to combine user data across 60 Internet services to create detailed profiles on Internet users. Last year, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google that would have prohibited Google's changes in business practices. Google's revised privacy policies also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order. (Apr. 2, 2013)
  • EPIC, Consumer Privacy Groups Call on FTC Chair to Appoint Consumer Advocate for Key Office: Over thirty privacy and consumer groups wrote to the FTC Chair Edith Ramirez, urging her to appoint a Director of the Bureau of Consumer Protection who is "independent of industry" and has a "well-established consumer rights and public interest background." The letter comes after the departure of former director David Vladeck. EPIC has also urged the Commission to require compliance with the Consumer Privacy Bill of Rights for companies that violate consumer privacy. For more information, see EPIC: Federal Trade Commission. (Mar. 19, 2013)
  • FTC Approves Final Settlement over Consumer Tracking, Fails to Enforce FIPs or Suggest Best Practices for Anonymization: The Federal Trade Commission adopted a proposed settlement with Compete, Inc., over allegations that Compete failed to adopt reasonable data security practices and deceived consumers about the amount of personal information that its toolbar and survey panel would collect. The FTC also charged Compete with deceptive practices for falsely claiming that the data it kept was anonymous. The settlement requires Compete to obtain consumers' express consent before collecting any data through its software, to delete personal information already collected, and to provide directions for uninstalling its software. In comments to the agency, EPIC recommended that the FTC also require the Compete to implement Fair Information Practices similar to those contained in the Consumer Privacy Bill of Rights, and develop a best practices guide to de-identification techniques. The FTC declined to adopt EPIC’s recommendations, stating that it "does not provide specific technical guidance in areas like [anonymization], which are constantly changing," and "may not impose additional obligations that are not reasonably related to such conduct or preventing its recurrence." For more information, see EPIC: Federal Trade Commission and EPIC: Re-Identification. (Feb. 26, 2013)
  • FTC Reaches Settlement with Mobile App Path over Privacy Violations: The Federal Trade Commission announced a settlement with the social networking app Path over charges that the app secretly collected information from mobile users' address books without their consent. The FTC also fined the company $800,000 for violating the Children's Online Privacy Protection Act, which prohibits the collection of personal information from a children without obtaining parental consent. The consent order requires Path to implement a comprehensive privacy program and to submit to independent privacy assessments for the next 20 years. The FTC has released a series of reports documenting privacy problems with mobile apps that collect the personal information of children. Recently, EPIC submitted comments supporting the FTC’s proposed improvements to the children’s online privacy rule, which the agency ended up adopting. For more information, see EPIC: FTC and EPIC: Children's Online Privacy. (Feb. 1, 2013)
  • FTC Denies White House Involvement in Decision to Close Google Investigation: In response to a FOIA request filed by EPIC, the Federal Trade Commission has stated that there are no records of "communications . . . between the White House and the FTC regarding the Commission's antitrust inquiry into Google." In a closely watched proceeding, the Federal Trade Commission announced in early January that it had closed an antitrust inquiry into Google's business practices. EPIC has previously expressed concern about anticompetitive practices by Internet firms. In 2000, EPIC filed a complaint with the Federal TradeCommission regarding the proposed merger of Doubleclick, an Internet advertising company and Abacus, a catalog database firm. In 2007, EPIC opposed Google's acquisition of DoubleClick, which was approved by the FTC over the objection of former FTC Commissioner Pamela Harbor. In 2011, EPIC wrote to the FTC about Google's use of YouTube search rankings to give preferential treatment to its proprietary content over non-Google content. EPIC has also testified before the Senate Judiciary Committee regarding growing market concentration of essential Internet services. For more information, see EPIC: Open Government and EPIC: Federal Trade Commission. (Jan. 18, 2013)
  • FTC Closes Investigation into Google Search Bias: The Federal Trade Commission announced that it had concluded its investigation into allegedly anticompetitive practices by Google. The Commission reached a settlement with Google that would give competitors access to patents necessary to make smart phones, laptops, and other devices, and Google voluntarily agreed to stop borrowing others' content for use in its own services. On the issue of search bias, however, the Commission decided to close the investigation without taking action. Despite finding some evidence that changes to the company's search algorithm harmed competitors, the Commission said that these changes "could be plausibly justified as innovations that improved Google's product and the experience of its users." In 2011, EPIC wrote to the Commission about Google's use of Youtube search rankings to give preferential treatment to its own video content over non-Google content. EPIC had also opposed Google's acquisition of online advertiser Doubleclick, which was approved by the FTC over the objection of former FTC Commissioner Pamela Harbor. EPIC later testified before the Antitrust committee on Google's growing dominance of essential Internet services. For more information, see EPIC: Federal Trade Commission and EPIC: Google/DoubleClick. (Jan. 3, 2013)
  • FTC Releases Updated Children’s Online Privacy Rule: The Federal Trade Commission has updated the Children's Online Privacy Protection Act. The new Rule expands the definition of personal information to include geolocation information and persistent identifiers (or "cookies)", and prevents third-party advertisers from secretly collecting children’s personal information without parental consent for behavioral advertising purposes. EPIC supported the changes and responded to criticisms from industry groups. In 2010, EPIC testified before the United States Senate that the 1998 law was critical to protect the privacy of children but that updates were also essential in light of new business practices, the emergence of social networks, smartphone apps. A subsequent FTC report found that many child-directed mobile apps lack adequate privacy safeguards. For more information, see EPIC: FTC and EPIC: Children's Online Privacy. (Dec. 19, 2012)
  • FTC Pursues Investigation of Data Brokers: The Federal Trade Commission has issued orders requiring nine data brokerage companies to provide the agency with information about how they collect and use data about consumers. The agency said it will use the information to study privacy practices in the data broker industry. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. In 2005, EPIC brought a complaint to the FTC against the data broker Choicepoint that produced a $10 million settlement, then the largest in the FTC's history for a violation of federal privacy law. For more information, see EPIC: ChoicePoint and EPIC: Federal Trade Commission. (Dec. 19, 2012)
  • Instagram Privacy Change Raises Legal Questions: Instagram recently announced several changes to the terms of service that will allow the company to use pictures in advertisements without notifying or compensating users, and to disclose user data to Facebook and to advertisers. Instagram also proposed that the parents of minors implicitly consent to the use of their childrens' images for advertising purposes. The changes The changes will take effect January 16, 2013, and will not apply to pictures uploaded before that date. Instagram’s parent company, Facebook, is under a 2011 consent order with the Federal Trade Commission that that prohibits the company from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users’ personal information. Using an individual’s name or likeness for commercial purposes without consent is also prohibited in most states. EPIC had recently urged Facebook users to vote for "Existing Documents," warning that under the changed terms of service, Facebook would loosen privacy controls and that would impact Instagram. For more information, see EPIC: Facebook and EPIC: FTC. (Dec. 18, 2012)
  • FTC Report Finds Privacy Problems for Children’s Mobile Apps: A report by the Federal Trade Commission found little progress on transparency for child-directed mobile applications. The FTC surveyed apps from Google Play and Apple App stores and concluded that "many apps included interactive features or shared kids' information with third parties without disclosing these practices to parents." The report commits the FTC to another review of the app marketplace and indicates that the agency has launched "multiple non-public" investigations to determine whether certain apps had engaged in unfair and deceptive trade practices or violated the Children’s Online Privacy Protection Act. The FTC recently proposed revisions to the COPPA Rule, which EPIC supported. For more information, see EPIC: Children’s Online Privacy and EPIC: Federal Trade Commission. (Dec. 10, 2012)
  • EPIC: Hearing on FTC Nominee Should Address FTC's Settlement Process for Privacy Violations: In a letter to the Senate Commerce Committee, EPIC has recommended that Congress require the Federal Trade Commission to consider more carefully the public's views on proposed privacy settlements. EPIC also recommended that the FTC require compliance with the Consumer Privacy Bill of Rights for companies that violate consumer privacy. The Committee is holding a hearing on the nomination of Joshua Wright to the FTC. The letter states that EPIC takes no position on the nomination of Dr. Wright, but encourages Congress to take the opportunity to explore the Commission's response to growing public concerns about privacy. EPIC routinely submits comments to the FTC on proposed consent orders, most recently on the Compete, Inc. settlement. EPIC has also recommended that the FTC promote the Consumer Privacy Bill of Rights in privacy settlements. For more information, see EPIC: Federal Trade Commission. (Dec. 4, 2012)
  • Privacy Groups Ask Facebook to Withdraw Proposed Changes: EPIC, along with the Center for Digital Democracy, has asked Facebook to withdraw proposed changes that will impact the privacy of users and their ability to participate in site governance. Facebook recently proposed to end the voting part of the site governance process, restrict users' ability to prevent unwanted messages, and combine personal information from Facebook with Instagram. In the letter, the groups say "[b]ecause these proposed changes raise privacy risks for users, may be contrary to law, and violate your previous commitments to users about site governance, we urge you to withdraw the proposed changes." Facebook users may also comment directly on the proposed changes. Facebook is subject to the terms of a recent settlement with the Federal Trade Commission that prohibits the company from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook. (Nov. 26, 2012)
  • Pew Survey Finds Most Parents Concerned About Children's Online Privacy: A new report from the Pew Research Center and the Berkman Center for Internet & Society finds that 81% of parents are concerned about how much information advertisers can learn about their child's online behavior. Also, 69% of parents of online teens are concerned about how their child’s online activity might affect their future academic or employment opportunities. And 63% of parents of teens ages 12-13 say they are "very" concerned about their child's interactions with people they do not know online. Many parents reported taking steps to address these risks, such as talking to their children or helping them configure privacy settings. The Federal Trade Commission is considering new privacy rules to strengthen the Children’s Online Privacy Protection Act. EPIC strongly supports the proposed changes. For more information, see EPIC: Children's Online Privacy and EPIC: Federal Trade Commission. (Nov. 21, 2012)
  • FTC Releases 2012 Performance Report: The Federal Trade Commission has released its performance and accountability report for 2012. The report summarizes the agency’s activities, shows how the agency has managed its resources, and explains how it plans to address future changes. Regarding consumer privacy, the agency cites the release of a new privacy report, the adoption of a consent order with Facebook, and a $22.5 million fine against Google as its primary accomplishments . The Commission reported that it acted on 90.6% of all consumer complaints that it received, though it did not indicate how many of these actions concerned consumer privacy. The agency’s goals for the coming year include “promot[ing] stronger privacy protections through policy initiatives on a range of topics such as data brokers, mobile devices, and comprehensive online data collection.” Earlier this year, EPIC brought suit against the Federal Trade Commission for its failure to enforce a 2011 consent order. EPIC has also routinely urged the FTC to take account of public comments when the agencies sets out proposed settlements and asks for public comments. For more information, see EPIC: Federal Trade Commission and EPIC: EPIC v. FTC (Enforcement of Google Consent Order). (Nov. 20, 2012)
  • EPIC Submits Comments to FTC on Consumer Tracking Settlement: EPIC submitted comments to the Federal Trade Commission on a recent settlement with Compete, Inc. The settlement arises from allegations that Compete failed to adopt reasonable data security practices and deceived consumers about the amount of personal information that its toolbar and survey panel would collect. The FTC also charged Compete with deceptive practices for falsely claiming that the data it kept was anonymous. The proposed settlement requires Compete to obtain consumers’ express consent before collecting any data through its software, to delete personal information already collected, and to provide directions for uninstalling its software. EPIC expressed support for the settlement, but recommended that the FTC also require the Compete to implement Fair Information Practices similar to the Consumer Privacy Bill of Rights, make the compliance reports publicly available, and develop a best practices guide to de-identification techniques, as anonymization has become more critical for online privacy. For more information, see EPIC: Federal Trade Commission and EPIC: Re-Identification. (Nov. 20, 2012)
  • Senate Reauthorizes SAFE WEB Act: The Senate has approved a House bill to reauthorize the SAFE WEB Act. The SAFE WEB Act gives the Federal Trade Commission additional tools to combat cross-border fraud, spam, and spyware. EPIC previously testified before both the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science and Transportation on the SAFE WEB Act. EPIC said that it supported legislation that safeguards privacy and ensures government oversight while enabling the FTC to work more closely with consumer protection agencies in other countries. For more information, see EPIC: Federal Trade Commission. (Nov. 15, 2012)
  • Lawmakers Gain "Partial Glimpse" into Data Brokers' Business Practices: Members of the Congressional Bi-Partisan Privacy Caucus released the responses of several data brokers to an inquiry into their business practices. Data brokers collect and sell the personal information of consumers to third parties, typically without the knowledge of the consumers themselves. The lawmakers reported that most of the companies did not consider themselves "data brokers," and that "[m]any questions about how these data brokers operate have been left unanswered, particularly how they analyze personal information to categorize and rate consumers." The Federal Trade Commission recently called for data-broke legislation in a report on consumer privacy. In 2005, EPIC brought a complaint against the data broker Choicepoint that produced a $10 million settlement, the largest in the FTC's history for a violation of federal privacy law. For more information, see EPIC: ChoicePoint and EPIC: Federal Trade Commission. (Nov. 8, 2012)
  • EPIC Comments on FTC Rent-to-Own Computer Spying Settlement: EPIC has submitted comments on a series of settlements between the Federal Trade Commission and companies that offered computers on a rent-to-own basis, typically to low-income consumers. The companies installed surveillance technology that secretly recorded keystrokes, location information, screenshots, and even took webcam photos. The settlements prohibit the companies from deceptively collecting information from consumers or collecting location information without consent, and require them to destroy the illegally-gathered data. EPIC expressed support for the settlements, and also recommended that the FTC also require the companies to implement Fair Information Practices similar to the Consumer Privacy Bill of Rights; make the compliance reports publicly available, and hold a workshop on privacy and inequality. EPIC routinely comments on the FTC's proposed settlements concerning consumer privacy. For more information, see EPIC: Federal Trade Commission. (Oct. 26, 2012)
  • Federal Trade Commission Proposes "Best Practices" for Facial Recognition Technology: The Federal Trade Commission has released a report recommending practices that businesses using facial recognition technology should follow in order to protect the privacy and security of consumers. The report noted that facial recognition techniques range from simple face detection to the identification of previously anonymous individuals. The FTC recommended several practices for all businesses, such as privacy by design, data deletion, and security standards. In services involving facial recognition to identify individuals, the FTC recommended that companies obtain the affirmative express consent of consumers, and in certain sensitive locations, such as health care facilities, the FTC said that the technology should not be used at all. In earlier comments to the Commission, EPIC recommended a moratorium on the use of facial recognition until adequate privacy safeguards are developed. A similar recommendation is found in the Madrid Privacy Declaration, which is endorsed by more than 100 civil society organizations worldwide. Facebook has ended the use of facial recognition in the European Union and suspended use in the United States. For more information, see EPIC: Face Recognition and EPIC: Federal Trade Commission. (Oct. 22, 2012)
  • Verizon Begins Invasive Marketing Program: Verizon has begun selling the personal information of Verizon users, including location information and web browsing activity. The collection of content information implicates federal wiretapping law, although some have suggested that Verizon escapes liability by allowing users to opt-out. EPIC previously filed a complaint with the Federal Trade Commission regarding Verizon’s business practices, which EPIC described as “unfair and deceptive, contrary to the privacy and security interests of Verizon Wireless customers, and actionable by the Federal Trade Commission.” For more information, see EPIC: Federal Trade Commission, and EPIC: Electronic Communications Privacy Act. (Oct. 22, 2012)
  • FTC Holds "Robocall Summit": A Federal Trade Commission workshop on automated telephone calls focused on the legal and technical aspects of robocalls, including the current state of telephonic technology, call authentication technology, and call blocking technology. The Federal Communications Commission recently established new penalties for Caller ID "spoofing," the practice of faking caller ID information. In comments to the FCC and testimony before Congress, EPIC recommended, and Congress and the FCC agreed, that intent to do harm is necessary in order to trigger the penalties, because spoofing can also be used to maintain anonymity, and to protect, for example, victims of domestic violence. For more information, see EPIC: FTC and EPIC: Caller ID. (Oct. 18, 2012)
  • EPIC FOIA Uncovers Google’s Privacy Assessment: Through a Freedom of Information Act request to the Federal Trade Commission, EPIC has obtained Google's initial privacy assessment. The assessment was required by a settlement between Google and the FTC that followed from a 2010 complaint filed by EPIC over Google Buzz. The FTC has withheld from public disclosure information about the audit process, procedures to assess privacy controls, techniques to identify privacy risks, and the types of personal data Google collects from users. EPIC intends to challenge the agency withholdings. For more information, see EPIC: Federal Trade Commission, EPIC: Google Buzz, and EPIC: Open Government. (Sep. 28, 2012)
  • Consumer Groups Ask FTC to Investigate Facebook-Datalogix Data-Matching Arrangement: EPIC, joined by the Center for Digital Democracy, has asked the Federal Trade Commission to investigate whether Facebook's data-matching arrangement with Datalogix violates a settlement between the FTC and Facebook. Facebook is matching the personal information of users with personal information held by Datalogix. The settlement, adopted in August, prohibits Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users’ personal information. EPIC had previously asked the FTC to determine whether "Timeline," which made archived user data widely available, or biometric tagging of user photos violated the terms of the consent order. The FTC has not made a determination on the EPIC Timeline request, and Facebook has suspended facial recognition in the US. For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Datalogix. (Sep. 27, 2012)
  • EPIC Supports New Children’s Privacy Rule: EPIC submitted comments on the Federal Trade Commission's revisions to the proposed Children’s Online Privacy Protection Act Rule. EPIC said that it supported the new definitions of "operator" and "website or online service directed to children," which hold child-directed websites and third-party services responsible for the collection of children’s personal information, but asked the FTC to monitor age-screening and to clarify the scope of a provision on using persistent identifiers, such as "cookies." EPIC supported the original FTC rule in September 2011, noting that the proposed revisions take "account of the increased use of mobile devices by users and new data collection practices by businesses." For more information, see EPIC: Children's Online Privacy Protection Act and EPIC: Federal Trade Commission. (Sep. 27, 2012)
  • Facebook Ceases Facial Recognition in European Union: The Irish Data Protection Commissioner issued a report finding that Facebook has implemented many of the Commissioner’s recommendations, such as halting the automatic use of facial recognition through "tag suggestions." Facebook has agreed to give users the choice over the use of facial recognition, to grant users access to their facial recognition template, and to delete the facial recognition data of EU citizens by October 15. The report also found that Facebook had implemented recommendations for improving transparency, enhancing the ability for users to delete data, and allowing users to access their data. On recommendations concerning user education, data deletion, and as targeting based on sensitive terms, the report found that "full implementation has not yet been achieved but is planned to be achieved by a specific deadline." The Federal Trade Commission recently adopted a proposed settlement with Facebook that prohibits Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In November 2011, EPIC recommended that the FTC prevent Facebook from creating facial recognition profiles without users' consent. In February 2012. EPIC recommended "the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established." For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Facial Recognition. (Sep. 21, 2012)
  • FTC Finalizes Settlement with Myspace: The Federal Trade Commission has finalized the terms of a settlement with Myspace. The settlement follows from allegations that Myspace allowed advertisers to access personally-identifying information after promising to keep such information private. The settlement requires Myspace to implement a comprehensive privacy program, submit to independent audits, and refrain from privacy misrepresentations. EPIC commented on the settlement, recommending that the FTC make the settlement at least as protective as a previous settlement with Facebook. Additionally, EPIC said, the FTC should require Myspace to implement practices consistent with the White House’s Consumer Privacy Bill of Rights. In response to EPIC’s comments, the FTC decided to accept the proposed settlement without modification but said that “the privacy program mandated under the consent order will require Myspace to address many of the consumer protections discussed in your comment.” For more information, see EPIC: Federal Trade Commission and EPIC: Social Networking Privacy. (Sep. 11, 2012)
  • FTC Finalizes Settlement with Facebook: The Federal Trade Commission has finalized the terms of a settlement with Facebook first announced in November of 2011. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In comments filed with the FTC, EPIC recommended strengthening the settlement by requiring Facebook to restore the privacy settings users had in 2009; giving users access to all of the data that Facebook keeps about them; preventing Facebook from creating facial recognition profiles without users’ consent; and publicizing the results of the government privacy audits. Although the FTC decided to adopt the settlement without any modifications, in a response to EPIC, the Commission said that facial recognition data is included within the settlement's definition of "covered information," that the audits would be publicly available to the extent permitted by law, and that the terms of the settlement "are broad enough to address misconduct beyond that expressly challenged in the complaint." Commissioner Rosch dissented from the final settlement, citing concerns that the provisions might not adequately cover deceptive statements made by Facebook apps. For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission. (Aug. 10, 2012)
  • FTC Proposes Additional Changes to Children’s Online Privacy Rule: The Federal Trade Commission proposed additional changes to the Children's Online Privacy Protection Act Rule. The revised rule would clarify that operators of websites who choose to use advertising services and plug-ins that collect data about children would have to comply with COPPA. The rule would also allow mixed-audience websites to age-screen visitors, and would clarify the circumstances in which persistent identifiers such as cookies or IP addresses are considered "personal information." The revisions modify an earlier rule that was proposed by the FTC in September 2011. EPIC commented on the September 2011 rule, noting that "the proposed revisions update the COPPA Rule by taking better account of the increased use of mobile devices by users and of new data collection practices by businesses." For more information, see EPIC: Children's Online Privacy Protection Act and EPIC: Federal Trade Commission. (Aug. 1, 2012)
  • EPIC Urges FTC to Develop Meaningful Privacy Protections for Mobile Services: EPIC has submitted comments to the Federal Trade Commission concerning "Advertising and Privacy Disclosures in a Digital World". The FTC is currently exploring ways businesses could improve privacy notices for mobile devices. EPIC pointed out that many of the techniques, such as privacy icons, suffer from the same problems as traditional privacy notices. EPIC recommended that the FTC focus instead on substantive privacy protections, such as those found in the federal Privacy Act, sectoral privacy laws, and the Consumer Privacy Bill of Rights, proposed by the White House. An earlier FTC report called for new privacy legislation and an FTC investigation documented privacy problems with mobile applications for children. For more information, see EPIC: Federal Trade Commission. (Jul. 11, 2012)
  • EPIC Calls On FTC to Investigate Facebook Email Changes: EPIC has asked the Federal Trade Commission to review Facebook's decision to change the default email address of Facebook users. The company recently removed email addresses, selected by users, with a @facebook.com address assigned by Facebook. EPIC asked the FTC to review this practice as it finalizes the terms of a settlement with Facebook. "Facebook's willingness to disregard user choice . . . raise[s] important questions about the company's ability to comply with the terms of the proposed Consent Order," EPIC wrote. EPIC also said that the change is a deceptive business practice because Facebook did not tell users that their preferred email address could be removed by the company. And EPIC noted that the change would result in user email being sent to Facebook's servers that would otherwise have gone to the user's email service. The FTC's settlement with Facebook follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. The settlement would bar Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (Jun. 27, 2012)
  • Spokeo to Pay $800, 000 to Trade Commission to Settle Privacy Violations: The data broker Spokeo agreed to pay $800,000 to settle a complaint filed by the Federal Trade Commission that the company marketed its data profiles to employers in violation of federal privacy law. The FTC alleges that Spokeo violated the Fair Credit Reporting Act by failing to ensure that its information was accurate, failing to ensure that it would be used only for legally permissible purposes, and failing to tell users if adverse decisions were made based on the information. The FTC also alleged that Spokeo created its own endorsements on news and technology websites and represented them as independent endorsements. The FTC's settlement bans Spokeo from future FCRA violations and misrepresentations. In 2004, EPIC successfully urged the FTC to investigate the compilation and sale of personal dossiers by the data broker ChoicePoint. That investigation produced a $10 m settlement, the largest in the FTC's history for a violation of federal privacy law. For more information, see EPIC: Federal Trade Commission and EPIC: Choicepoint. (Jun. 12, 2012)
  • EPIC Urges FTC to Protect Privacy of Myspace Users: EPIC submitted comments to the Federal Trade Commission on a proposed settlement with Myspace. The settlement follows from allegations that Myspace allowed advertisers to access personally-identifying information after promising to keep such information private. The settlement requires Myspace to implement a comprehensive privacy program, submit to independent audits, and refrain from privacy misrepresentations. EPIC expressed support for the settlement in general, but recommended that the FTC make the settlement at least as protective as a previous settlement with Facebook. Additionally, EPIC said, the FTC should require Myspace to implement practices consistent with the White House's Consumer Privacy Bill of Rights. For more information, see EPIC: Federal Trade Commission and EPIC: Social Networking Privacy. (Jun. 8, 2012)
  • Facebook Users Force Vote on Privacy Changes: Facebook users have registered enough comments on Facebook's proposed privacy changes to force a vote on the issue. A provision in Facebook’s Statement of Rights and Responsibilities states that Facebook will allow users to vote on proposed alternatives if more than 7,000 users comment on a proposed change. The vote is binding if "more than 30 percent of all active registered users as of the date of the notice vote." Facebook's Data Use Policy accumulated 10,500 comments in English. The group Europe v. Facebook generated 30,000 comments on the German version of the page. The FTC recently issued a proposed settlement with Facebook that follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (May. 22, 2012)
  • EPIC Calls on FTC to Develop Substantive Privacy Protections at Workshop on Mobile Advertising: EPIC submitted comments to the Federal Trade Commission for the May 30 workshop on mobile advertising disclosures. EPIC recommended that the agency focus on the development of substantive privacy protections, such as the Consumer Privacy Bill of Rights announced by the President earlier this year, for mobile services. EPIC also recommended that the workshop address a series of problems with the "notice and consent" approach, as well as the merits of innovative, nonverbal approaches proposed by privacy scholars. The workshop follows an FTC report calling for privacy legislation and an investigation that documented privacy problems with mobile applications for children. For more information, see EPIC: Federal Trade Commission. (May. 11, 2012)
  • Myspace Settles With FTC Over Deceptive Practices Complaint: The Federal Trade Commission has reached a settlement with the social networking service Myspace over charges that Myspace allowed advertisers to access personally-identifying information after promising to keep such information private. Advertisers were able to access the unique "Friend ID" of users and link this identifier to other personal information. The settlement requires Myspace to implement a comprehensive privacy program, submit to independent audits, and refrain from privacy misrepresentations. For more information, see EPIC: Federal Trade Commission and EPIC: Social Networking Privacy. (May. 8, 2012)
  • FTC Announces $30 Million Penalty Against Deceptive Robocallers: The Federal Trade Commission announced that a federal judge has ordered the defendants behind a deceptive robocall scheme to pay a $30 million civil penalty and surrender more than $1.1 million in ill-gotten gains. The scheme promised "cash grants" to individuals—many of whom were on the Do No Call Registry--but merely referred them to grant-related websites that charged a fee for providing general information about obtaining grants from private sources. The FTC determined that the robocalls violated the FTC Act and the Telemarketing Sales Rule. For more information, see EPIC: Federal Trade Commission and EPIC: Telephone Consumer Protection Act. (Apr. 2, 2012)
  • FTC Announces Settlement with RockYou Over Security Flaws, COPPA Violations: The Federal Trade Commission announced a settlement with the social game site RockYou over charges that the site's poor security allowed hackers to access the personal information of 32 million users. The FTC also alleged that RockYou violated the Children's Online Privacy Protection Act Rule by knowingly collecting approximately 179,000 children's email addresses and associated passwords without the consent of their parents. The settlement prohibits future deceptive claims by the company regarding privacy and data security and future violations of the COPPA Rule, and requires the company to implement a data security program and to pay a $250,000 civil penalty. Last year, the FTC proposed new COPPA rules to better protect children, about which EPIC submitted comments. For more information, see EPIC: Children’s Online Privacy and EPIC: FTC. (Mar. 27, 2012)
  • Federal Trade Commission Calls for Privacy Legislation: Today the Federal Trade Commission released Protecting Consumer Privacy in an Era of Rapid Change. The FTC report called for the enactment of baseline privacy legislation and for legislation that gives consumers the right to access personal information held by data brokers. However, the framework is not as extensive as the White House Consumer Privacy Bill of Rights and depends on industry self-regulation. EPIC previously commented on an earlier draft of the framework, pointing out that the FTC "mistakenly endorses self-regulation and 'notice and choice,' and fails to explain why it has not used its current Section 5 authority to better safeguard the interests of consumers." For more information, see EPIC: Federal Trade Commission. (Mar. 26, 2012)
  • Facebook Policy Changes Raises Questions About Compliance with 2011 Consent Order: Facebook has begun to review comments on changes to its Statement of Rights and Responsibilities. Among other changes, Facebook now states that a user's information is disclosed to apps used by his or her friends, that Facebook software or plugins that users download may automatically download updates, upgrades, and additional features, and that users may not tag others who do not wish to be tagged. The FTC recently issued a proposed settlement with Facebook after finding that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." In particular, the FTC found that Facebook had misled users about the extent to which their personal information would be made available to apps used by their friends. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 and bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In comments filed with the FTC, EPIC said that the settlement is "insufficient to address the concerns originally identified by EPIC and the consumer coalition, as well as those findings established by the Commission." For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (Mar. 23, 2012)
  • Twitter to Sell Two Years' Worth of Old Tweets: Twitter recently announced a deal with the analytics firm Datasift that authorizes Datasift to sell the content of public tweets posted over the last two years. Companies who buy the data from Datasift will be able to market to users based on the topic or location of the tweets. DataSift will be required to regularly remove tweets that users delete. Previously, Twitter gave the Library of Congress access to every public tweet since the company’s inception in 2006. In 2011, the Federal Trade Commission reached a settlement with Twitter over charges that inadequate security measures allowed computer criminals to gain administrative access to the company. For more information, see EPIC: Federal Trade Commission. (Mar. 2, 2012)
  • European Justice Minister Says Google Now in Violation of EU Law: European Justice Minister Vivian Reding said today that Google's March 1 changes to its terms of service violate European Union law "in numerous respects." Commissioner Reding pointed to the failure of the company to obtain user consent, the lack of transparency, and the fact that most users do not read privacy policies. European privacy officials recently concluded that the changes do not comply with the European Union Data Protection Directive and asked the company to suspend its planned changes. In the US, EPIC has urged a federal court to require the Federal Trade Commission to determine whether Google's changes changes violate a 2011 Consent Order. The court denied the motion. The case is now on appeal. For more information, see EPIC v. FTC (Google Consent Order). (Mar. 1, 2012)
  • Identity Theft Remains Top Concern of US Consumers: According to the Federal Trade Commission, identity theft was the top source of consumer complaints in 2011 comprising 15 percent of the 1.8 million total complaints filed. This is the 12th year in a row in which identity theft has occupied the top position. The report contains data on 30 complaint categories, which are broken down by metropolitan areas and provided to state and local law enforcement offices. For more information, see EPIC: FTC and EPIC: Identity Theft. (Feb. 29, 2012)
  • FTC Chairman: Google Users Face a "brutal choice" -- Europeans: "Google's new policy does not meet the requirements of the European Directive on Data Protection.": Pressure is building as the March 1 deadline for Google's planned changes in user privacy approaches. In an interview with C-Span, the Chairman of the Federal Trade Commission said that users of Google services face a "brutal" choice." The head of the French Data Protection Agency, on behalf of European privacy agencies, has warned that Google's proposed change violates European Union privacy law. She is reiterated the recommendation of Europe's Justice Minister that Google suspend the change. In Washington, DC, EPIC has filed an emergency appeal with the DC Circuit Court of Appeals to force the FTC to enforce the 2011 consent order against Google. For more information, see EPIC v. FTC (Google Consent Order). (Feb. 28, 2012)
  • EPIC Appeals Court Ruling in Google Privacy Case: Within hours after a federal court in Washington, DC ruled that it could not require the Federal Trade Commission to enforce a consent order against Google, EPIC filed an emergency appeal with the Court Appeals for the DC Circuit. EPIC has asked the appellate court to overturn the lower court decision before March 1, when Google will change its terms of service and consolidate user data without consent. For more information, see EPIC - EPIC v. FTC (Google Consent Order). (Feb. 27, 2012)
  • Privacy Groups to Rep. Bono-Mack: "Hold *Public* Hearings on Google Privacy Changes": Five privacy organizations, including EPIC, wrote today to Rep. Bono-Mack to urge the Chairwoman of a powerful Congressional committee to hold a public hearing on Google's proposed changes in business practices that will take effect March 1. Rep. Bono-Mack has held closed-door meetings with the Internet giant, but so far has scheduled no public hearings on the plan to consolidate user data, which EPIC alleges violates a 2011 Consent Order with the Federal Trade Commission. The consumer groups also asked the Congresswoman to urge Google to suspend its plan pending an investigation. They said there would be "overwhelming public support for this action" and cited recent statements from Members of Congress, Attorneys General, European Justice Officials, the President, technical experts, and IT managers in government and the private sector. For more information see EPIC: EPIC v. FTC. (Feb. 24, 2012)
  • Judge Rules that Courts Lacks Jurisdiction over FTC, Acknowledges "Serious Concerns" with Google Privacy Changes: A federal court today dismissed EPIC's lawsuit against the FTC, because the "decision to enforce the Consent Order is committed to agency discretion and is not subject to judicial review." However, the Judge also said "the Court has not reached the question of whether the new policies would violate the consent order or if they would be contrary to any other legal requirements." And she said "the FTC, which has advised the Court that the matter is under review, may ultimately decide to institute an enforcement action." EPIC will appeal the decision on judicial review, asking the DC federal appeals court to rule that courts can require federal agencies to enforce final orders. For more, see EPIC: EPIC v. FTC (Google Consent Order). (Feb. 24, 2012)
  • White House Sets Out Consumer Privacy Bill of Rights: The Obama Administration put forward a comprehensive privacy framework with principles designed to establish new safeguards for consumers and new responsibilities for companies that collect and use personal information. The principles include (1) individual control over the collection and use of personal data; (2) transparency; (3) respect for the context in which data is collected; (4) security; (5) access and correction rights for consumers; (6) data limitation; and (7) accountability. President Obama stated that "even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever." EPIC praised the framework and the President's support for privacy, and said that the challenge ahead would be implementation and enforcement. For more information, see EPIC: Commerce Department and EPIC: Federal Trade Commission, and EPIC: White House - Consumer Privacy Bill of Rights. (Feb. 23, 2012)
  • EPIC Urges Federal Court To Hold FTC Accountable for Failure to Enforce Google Consent Order: In a reply brief filed today in Washington, DC, EPIC said that the Federal Trade Commission's failure to enforce the Consent Order against Google prior to March 1 would cause "irreparable injury." EPIC cited Google's plans to combine user data without consent, and pointed to numerous cases that establish the need for the Court to assess the FTC's failure to act. Dismissing arguments asserted by the government that "FTC enforcement decisions are not subject to judicial review," EPIC said that Congress has clearly told the Federal Trade Commission to enforce its final orders. And in response to a claim that EPIC's request for action by March 1 is "arbitrary," EPIC wrote "If the government is unaware that Google plans to make a substantial change in its business practices on March 1, 2012, it should turn on a computer connected to the Internet." For more information, see EPIC, EPIC v. FTC (Google Consent Order). (Feb. 21, 2012)
  • FTC Files Opposition / Motion to Dismiss in EPIC v FTC: The Federal Trade Commission today filed an opposition and a motion to dismiss in response to EPIC's complaint to compel the agency to enforce the October 2011 Consent Order against Google. The government stated that EPIC would "deprive the Commission of the discretion to exercise its enforcement authority." The government also charged that EPIC's lawsuit is "completely baseless." The papers were filed in federal District Court on the same day that the Wall Street Journal reported that Google had subverted the privacy settings of millions of users of the Internet browser software Safari. For more information see: EPIC: EPIC v. FTC (Google Consent Order). (Feb. 17, 2012)
  • "FOIA Matters" - EPIC Obtains Google Privacy Compliance Report: As the result of a Freedom of Information Act request to the Federal Trade Commission, EPIC has obtained a full copy of Google's first Privacy Compliance Report. Last year, spurred by a complaint pursued by EPIC, the FTC reached a settlement with Google and required the company to file regular reports with the Commission detailing its steps to comply with the Consent order. However, the report obtained by EPIC raises new questions about the company's efforts to safeguard user privacy. EPIC has recently filed a lawsuit against the FTC to compel the agency to enforce the Consent Order. For more information see: EPIC: EPIC v. FTC (Google Consent Order) and EPIC: In re Google Buzz. (Feb. 17, 2012)
  • EPIC to FTC: Enforce the Google Consent Order: Today EPIC wrote to the Federal Trade Commission urging it to enforce the consent order with Google in light of a recent Wall Street Journal article based on research from Stanford's Jonathan Mayer that described how Google had been circumventing the privacy settings of Safari users despite Google's promise to respect such settings. EPIC said that Google "took elaborate measures to circumvent the Safari privacy safeguards, and it benefited from the misrepresentations by the commercial value it surreptitiously obtained." EPIC has filed a lawsuit to force the FTC to require Google to comply with the Consent Order to protect the privacy interests of Google users. The FTC's Response to the EPIC motion is due February 17; EPIC's reply is due February 21, 2012. For more information, see EPIC: EPIC v. FTC (Google Consent Order). (Feb. 17, 2012)
  • FTC Report Shows Privacy Problems with Mobile Apps: The Federal Trade Commission issued a report today that found widespread failure among app stores and app developers to provide information to parents about the collection and use of children's data. The report noted that there are currently more than 500,000 apps in the Apple App Store and 380,000 in the Android Market, and that young children and teens are increasingly using smartphones for entertainment and educational purposes. The FTC report recommends that apps provide simple, short disclosures about their information collection and use practices, and that app stores assume greater role in providing information about the apps that they sell. EPIC previously submitted comments to the FTC on a proposed rule for the Children's Online Privacy Protection Act. For more information, see EPIC: Children's Online Privacy Protection Act and EPIC: Federal Trade Commission. (Feb. 16, 2012)
  • Google Report Raises New Questions About Compliance with Consent Order: The Google privacy compliance report, made public today, raises new questions about the company's failure to comply with an FTC Consent Order. The Order required Google to answer detailed questions about how it protects the personal information of Google users. But Google chose not to answer many of the questions. Most significantly, the company did not explain to the Commission the impact on user privacy of the proposed changes that will take place on March 1. EPIC has filed a lawsuit to force the Federal Trade Commission to require Google to comply with the Consent Order to protect the privacy interests of Google users. For more information, see EPIC v. FTC (Google Consent Order). (Feb. 10, 2012)
  • EPIC Sues Federal Trade Commission to Enforce Google Consent Order: EPIC today filed a Complaint and a Motion for Temporary Restraining Order and Preliminary Injunction in Federal District Court in Washington, DC. EPIC is seeking to compel the Federal Trade Commission to act prior to March 1, when Google plans to make changes in its terms of service that will make it possible for the company to combine user data without user consent. EPIC alleges that this change in business practice is in clear violation of the consent order that Google entered into on October 13, 2011. The consent order arises from a complaint that EPIC brought to the Commission in February, 2010 concerning Google Buzz and a similar attempt by Google to combine user data without user consent. For more information, see EPIC - In re Google Buzz, FTC - "FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network." (Feb. 8, 2012)
  • EPIC Seeks Public Release of Google's Privacy Report : EPIC has filed a Freedom of Information Act request with the Federal Trade Commission for the Privacy Report that Google was recently required to submit to the agency. The Commission had previously investigated Google after EPIC filed a complaint regarding Google's Buzz product, which transformed private user contacts into publicly available social network data. Last fall the Commission reached a settlement with Google and, as a result, the company is subject to a consent order that requires it to file regular reports with the Commission. EPIC has requested that Google's first report, filed on January 26, 2012, be released to the public. Because of Google's plan to change its business practice on March 1, 2012, EPIC has asked the FTC to expedite the disclosure of the report. For more information see EPIC: In re Google Buzz. (Feb. 1, 2012)
  • EPIC Calls for Moratorium on Facial Recognition Technology: In detailed comments to the Federal Trade Commission, EPIC today recommended the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established. EPIC said that facial recognition is often used by strangers to determine a person's actual identity and that this poses a risk to privacy and personal security. EPIC also noted that some companies have adopted techniques that are more favorable to privacy as they allow users to control the image database while others undermine privacy, as the image database is centrally maintained. EPIC previously submitted a complaint to the FTC about Facebook's use of facial recognition technology to build a secret database of users' biometric data and allowing the company to automatically tag users in photos. The comments follow an FTC workshop exploring the privacy and security issues raised of facial recognition technology. For more information, see EPIC: Federal Trade Commission, EPIC: Face Recognition, and EPIC: Facebook and Face Recognition. (Feb. 1, 2012)
  • Google Changes Privacy Practices, Consolidates User Data: Google announced that it would begin combining data gathered on users of over 60 Google products and services, including Gmail, Google+, Youtube, and the Android mobile operating system. Previously, users could use one Google service, such as Google+, without having their information combined with that gathered from other services, such as Youtube. Users cannot opt out of having their data combined unless they avoid signing into their user accounts or stop using Google’s services altogether. Google’s changes come after the company began surfacing personal information from Google+ in Google search results, a move that EPIC said raised privacy and antitrust issues. In 2010, EPIC, along with other privacy groups, wrote a letter to Google over the company's decision to combine user data among 12 Google services. Google is subject to a settlement with the Federal Trade Commission that establishes new privacy safeguards for users of all Google products and services and subjects the company to regular privacy audits. For more information, see EPIC: Federal Trade Commission and EPIC: Google Search. (Jan. 25, 2012)
  • FTC Adds Google+ to Antitrust Investigation: Bloomberg News has reported that the Federal Trade Commission has expanded its antitrust investigation of Google to include Google's social networking service, Google+. The report comes after Google announced that it would include personal data gathered from Google+ in the results of users' searches, a move that led EPIC to urge the FTC to investigate the company. EPIC said that "Google's business practices raise concerns related to both competition and the implementation of the Commission’s consent order," referring to a settlement that the FTC reached with Google that establishes new privacy safeguards for users of all Google products and services and subjects the company to regular privacy audits. Google first confirmed the FTC’s antitrust investigation in June 2011. Recently, the Senate held a hearing on Google's use of its dominance in the search market to suppress competition, and EPIC urged the Federal Trade Commission to investigate Google's use of Youtube search rankings to give preferential treatment to its own video content over non-Google content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission. (Jan. 13, 2012)
  • EPIC Urges FTC Investigation into Facebook Timeline: EPIC sent a letter requesting that the Federal Trade Commission determine whether changes Facebook has made to the profiles of its users are consistent with the terms of a settlement reached between Facebook and the FTC. EPIC's letter states that "with Timeline, Facebook has once again taken control over the user's data from the user and has now made information that was essentially archived and inaccessible widely available without the consent of the user." The settlement requires Facebook to give users clear and prominent notice and obtain users' express consent before changing their privacy settings. EPIC sent a similar letter to the FTC about Timeline and the secret tracking of users in September 2011. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (Dec. 28, 2011)
  • EPIC Submits Comments on FTC Facebook Privacy Settlement: EPIC submitted comments to the FTC on a proposed settlement with Facebook. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. However, EPIC said that the settlement is "insufficient to address the concerns originally identified by EPIC and the consumer coalition, as well as those findings established by the Commission." In order to address the issues raised by the complaints, respond to recent changes in Facebook's business practices like Timeline, and fulfill the FTC's duty to act in the public interest, EPIC recommended that the settlement be improved. Specifically, EPIC recommended that the FTC require Facebook to restore the privacy settings users had in 2009; give users access to all of the data that Facebook keeps about them; stop making facial recognition profiles without users' consent; make the results of the government privacy audits public; and stop secretly tracking users across the web. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (Dec. 28, 2011)
  • EPIC Submits Comments on Children's Online Privacy Rule: EPIC submitted comments to the FTC on a proposed rule for the Children's Online Privacy Protection Act. The proposed rule would revise the definition of Personally Identifiable Information to include identifiers such as cookies, IP addresses, and geolocation information. The new rules also contain data minimization and deletion requirements and simplified methods of obtaining parental consent for data collection. "The proposed revisions update the COPPA Rule by taking better account of the increased use of mobile devices by users and of new data collection practices by businesses," EPIC said. However, EPIC urged the FTC to further improve the rule by applying it to SMS and MMS messaging services, extending the definition of "personal information" to cover the combination of date of birth, gender, and ZIP code, and adding a data-breach notification requirement. EPIC previously testified before the Senate and filed comments with the agency. For more information, see EPIC: Children's Online Privacy Protection Act and EPIC: Federal Trade Commission. (Dec. 22, 2011)
  • Senate Opens Investigation Into Google Search: Senator Herb Kohl (D-WI) and Mike Lee (R-UT), Chairman and Ranking member of the Judiciary Antitrust Subcommittee, have sent a letter to FTC Chairman Jon Leibowitz, expressing concern about Google's business practices and the company's impact on competition in Internet search and commerce. In September, EPIC wrote to the FTC and described how Google biased YouTube search rankings to give preferential treatment to its own content following the acquisition of the Internet's largest video service provider. The EPIC letter preceded a Senate hearing on "The Power of Google: Serving Consumers or Threatening Competition?" EPIC testified before the Senate Antitrust Subcommittee in 2007 on Google's growing dominance of essential Internet services. (Dec. 20, 2011)
  • EPIC Launches Campaign Urging Public Comment on Facebook Privacy Settlement: EPIC launched the "Fix FB Privacy Fail" campaign to encourage the public to support improvements to a settlement between Facebook and the FTC. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. Although the proposed settlement is far-reaching, there are several ways in which it could be improved. EPIC has recommended that the FTC require Facebook to restore the privacy settings users had in 2009; give users access to all of the data that Facebook keeps about them; stop making facial recognition profiles without users' consent; make the results of the government privacy audits public; and stop secretly tracking users across the web. The period for public comment on the proposed settlement ends on December 30. The campaign also allows users to sign on to the petition without using Facebook. For more information, see EPIC: FTC Facebook Settlement. (Dec. 13, 2011)
  • Federal Trade Commission Releases 2011 Do Not Call List, Warns of Do Not Call Scams: The FTC has released the 2011 National Do Not Call Registry Data Book, which includes extensive information on the Do Not Call Registry as well as tips for consumers. Over 209 million telephone numbers are now listed on the Do Not Call Registry. In 2011, over 2 million consumers filed complaints over unwanted telemarketing calls. In announcing the Data Book, the FTC also warned consumers that scammers are calling consumers and claiming to sign them up for the National Do Not Call Registry. The FTC said that these calls were not coming from the Commission or the Registry, and that consumers should ignore them. For more information, see EPIC: Federal Trade Commission, or EPIC: Telemarketing and the Telephone Consumer Protection Act. (Dec. 5, 2011)
  • Federal Trade Commission Announces Settlement in EPIC Facebook Privacy Complaint: The Federal Trade Commission has announced an agreement with Facebook that follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. In 2009, the EPIC first asked the FTC to investigate Facebook's decision to change its users' privacy settings in a way that made users' personal information, such as Friend lists and application usage data, more widely available to the public and to Facebook’s business partners. The violations are also detailed in the FTC’s 8-count complaint against the company. The proposed settlement agreement bars Facebook from making future changes privacy settings without the affirmative consent of users and requires the company to implement a comprehensive privacy protection program and submit to independent privacy audits for 20 years. The settlement does not adopt EPIC's recommendation that Facebook restore users' privacy settings to pre-2009 levels. Facebook CEO Mark Zuckerberg reacted to the settlement in a post on Facebook's blog, saying that he was "first to admit that we've made a bunch of mistakes." For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission. (Nov. 29, 2011)
  • Federal Trade Commission to Announce Settlement in EPIC Facebook Privacy Complaint: The Federal Trade Commission has scheduled a 1:00 pm EDT press conference to announce a privacy settlement with Facebook, following a complaint that was filed by EPIC and other consumer and privacy organizations. More news to follow. (Nov. 29, 2011)
  • FTC Releases Agenda for Facial Recognition Workshop: The Federal Trade Commission has announced the agenda and panelists for a workshop exploring the privacy and security issues raised by the increased use of facial recognition technology. The workshop will be held December 8, 2011 at the FTC Conference Center, and will feature diverse panelists with consumer protection, privacy, business, international, and academic backgrounds. EPIC Senior Counsel John Verdi will speak on the panel "Facial Detection & Recognition: Exploring the Policy Implications." EPIC has a complaint pending before the FTC over Facebook's use of facial recognition technology to build a secret database of users' biometric data and to enable the company to automatically tag users in photos. For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission. (Nov. 22, 2011)
  • FTC Publishes Performance Report: The Federal Trade Commission has issued the 2011 Performance and Accountability Report. The report summarizes the agency’s accomplishments, shows how the agency has managed its resources, and explains how it plans to address future changes. According to the FTC, during 2011 the agency exceeded its privacy goals by providing 52 comments to foreign consumer protection and privacy agencies, conducting 14 technical assistance missions, and hosting one international consumer protection fellow. The agency’s privacy goals for the coming year include "issu[ing] a final report on protecting consumer privacy," and "examin[ing] malware and spyware threats to mobile devices . . . and malware distributed through social networks." The FTC report made no mention of several pending complaints, including EPIC's 2009 complaint regarding the changes by Facebook to its users' privacy settings. For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Facial Recognition. (Nov. 22, 2011)
  • WSJ: Facebook Close to Settlement with FTC over EPIC Complaint : The Wall Street Journal reports that the Federal Trade Commission is finalizing a settlement with Facebook that follows from a complaint from EPIC and a coalition of US consumer and privacy organizations. In 2009, the organizations urged the Commission to investigate Facebook's decision to change its users' privacy settings which made the personal information of Facebook users more widely available to Facebook's business partners and the public. According to the Wall Street Journal, the settlement would require Facebook to obtain "express affirmative consent" if Facebook makes "material retroactive changes," and to submit to independent privacy audits for 20 years. For more information, see EPIC: In re Facebook, EPIC: Facebook Privacy and EPIC: Federal Trade Commission. (Nov. 10, 2011)
  • EPIC Files Complaint, Urges FTC to Investigate Verizon's Recent Changes to Privacy Practices: EPIC filed a complaint with the Federal Trade Commission charging that Verizon Wireless has engaged in unfair and deceptive trade practices in violation of consumer protection law. After consumers entered into long-term contracts with Verizon Wireless, the company changed its business practices, and revealed detailed personal information of its customers, including location data, web browsing and search histories, and demographic data, to other companies EPIC also charges that Verizon Wireless has failed to establish adequate techniques to deidentify its customers. "Such practices are unfair and deceptive, contrary to the privacy and security interests of Verizon Wireless customers, and actionable by the Federal Trade Commission," the complaint states. EPIC's complaint regarding Facebook's facial recognition is still pending before the FTC. (Oct. 31, 2011)
  • EPIC-Led Coalition Calls for FTC Facebook Investigation: EPIC, joined by other privacy, consumer, and civil liberties groups, which include the American Civil Liberties Union, Consumer Action, American Library Association, and the Center for Digital Democracy asked the Federal Trade Commission to investigate Facebook. Facebook had been secretly tracking users after they logged off of Facebook’s webpage, and had recently announced changes in business practices that “[gave] the company far greater ability to disclose the personal information of its users to its business partners...” EPIC’s complaint regarding Facebook’s facial recognition is still pending before the FTC. For more information, see EPIC: Facebook Privacy and EPIC: Federal Trade Commission. (Sep. 29, 2011)
  • Lawmakers Say Undeletable Supercookies Raise "Serious Privacy Concerns": Representatives Joe Barton (R-TX) and Ed Markey (D-MA) wrote a letter asking the FTC to investigate whether the use of "supercookie" - cookies placed on users' computers by websites such as Hulu.com that cannot be deleted -constitutes an unfair or deceptive business practice. The representatives called this kind of tracking "unacceptable" and said that the cookies "take away consumer control over their own personal information." EPIC had earlier opposed the White House's use of persistent Google Analytics cookies that track users for up to two years and supported opt-in requirements for Internet tracking techniques that are transparent for the user and easily disabled. For more information, see EPIC: Cookies and EPIC: Federal Trade Commission. (Sep. 27, 2011)
  • Senate Holds Hearing on Google’s Anticompetitive Practices: Today's Senate Judiciary Committee hearing "The Power of Google: Serving Consumers or Threatening Competition?” examined Google’s use of its dominance in the search market to suppress competition. The company’s executive chairman, Eric Schmidt, testified on the first panel, while witnesses from Google’s rivals Yelp and Nextag appeared on the second panel. The hearing covered a wide range of issues, including search bias, Google’s proprietary search algorithm, and the downgrading of search rankings. EPIC testified before the the same committee in 2009 on Google’s growing dominance of essential Internet services, and recently sent a letter to the Federal Trade Commission regarding Google’s biasing of Youtube search rankings to give preferential treatment to its own video content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission. (Sep. 21, 2011)
  • Federal Trade Commission Proposes New Rules for Children’s Online Privacy: Today the FTC proposed new rules for the Children’s Online Privacy Protection Act. The FTC rules would revise the definition of Personally Identifiable Information to include identifiers such as cookies and IP addresses, video and audio files containing a child's image or voice, and geolocation information. The new rules also contain data minimization and deletion requirements that promote Internet security, as well as simplified methods of obtaining parental consent for data collection, such as electronic submission and video verification. EPIC Executive Director Marc Rotenberg said that the proposed rules were "a well-reasoned and innovative approach to online privacy." EPIC had previously testified before the Senate and submitted comments to the agency. EPIC’s complaint regarding Facebook’s facial recognition is still pending before the FTC. For more information, see EPIC: Children’s Online Privacy. (Sep. 15, 2011)
  • US and European Consumer Groups Oppose Latest Industry Proposal for Self-Regulation: The Transatlantic Consumer Dialogue has sent a letter to U.S. and European Union officials, urging them to reject an advertising industry proposal to protect online privacy through self-regulation. The industry proposal relies on opt-out techniques that force consumers to click on small icons, hidden on the websites they visit. The TACD letter described the icon regime as “inadequate,” and said that it “is an insufficient means of [giving] notice to a user about the wide range of data collection that they routinely face.” In 1998, EPIC conducted the first evaluation of industry self-regulation to protect online privacy and concluded that "Notice is Not Enough." For more information, see EPIC: Online Tracking and Behavioral Profiling, and EPIC: FTC. (Sep. 9, 2011)
  • EPIC Urges FTC to Examine YouTube Search Rankings Following Google Acquisition: EPIC sent a letter to the FTC urging the Trade Commission to investigate the extent to which Google has used its dominance in the search market to influence the marketplace of online video content. EPIC pointed specifically to the Google acquisition of YouTube and the change in the YouTube search rankings that followed. EPIC said that Google substituted its own subjective, "relevance" ranking in place of objective search criteria, such as "Hits" or "Rankings," to preference Google's own video material over non-Google material. EPIC's letter includes detailed examples using the search term "privacy." Google has acknowledged that the Commission has opened an investigation into the company's business practices for possible antitrust violations. EPIC previously testified before the Senate Judiciary Antitrust Subcommittee on Google's growing dominance of essential Internet services. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission. (Sep. 8, 2011)
  • EPIC Settles Street View Case with Trade Commission: EPIC and the Federal Trade Commission have agreed to settle an open government lawsuit concerning the FTC's decision to close the investigation of Google Street View. EPIC sought documents from the Commission after Members of Congress had urged the agency to pursue an aggressive investigation and many privacy agencies around the world found that Google violated national privacy laws. The agency turned over to EPIC agency records which suggested that the agency believed it lacked enforcement authority. However, the closing letter in the case also indicated that the Commission never undertook an independent investigation to determine whether other violations of law may have occurred. The case is EPIC v. FTC, No. 11-cv-00881 (D.C. Dist. Ct 2011). For more information, see EPIC: Google Street View. (Aug. 26, 2011)
  • FTC Finds Mobile Phone App Violated Children's Privacy Law: W3 Innovations, a company that develops mobile phone games, settled charges with the Federal Trade Commission for violations of the Children's Online Privacy Protection Act (COPPA). In the first settlement concerning a mobile application, the Commission imposed a fine of $50,000 against the company for "illegally collecting and disclosing personal information from tens of thousands of children under age 13 without their parents prior consent." EPIC previously testified before the Senate Commerce Committee and submitted comments to the FTC on the need to update COPPA and to clarify the law's application to mobile and social networking services. EPIC also has pending complaints at the FTC regarding Facebook's facial recognition program and changes Facebook made to user privacy settings. For more information, see EPIC: FTC and EPIC: COPPA. (Aug. 16, 2011)
  • Federal Trade Commission Launches Google Antitrust Investigation: Google has acknowledged that the Federal Trade Commission has opened an investigation into the search company's business practices for possible antitrust violations. The investigation likely focuses on whether Google uses its dominance in the search field to inhibit competition in other areas. EPIC had previously opposed Google's acquisition of online advertiser Doubleclick, which was approved by the FTC over the objection of then Commissioner Pamela Harbor. EPIC later testified before the Senate Judiciary Antitrust Subcommittee on Google's growing dominance of essential Internet services. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission. (Jun. 27, 2011)
  • FCC and FTC Announce Public Meeting on Locational Privacy: The Federal Communications Commission and the Federal Trade Commission will co-host a Location Based Services Forum on June 28, 2011. The event will include representatives from industry, consumer advocacy groups, and academia discussing the benefits and risks of location based services and industry best practices. The agencies are calling for public comment on location based services. EPIC previously submitted comments to the FCC on locational privacy in 2001 and 2006, requesting that the Commission establish guidelines for the protection of users' locational privacy. In 2010, EPIC specifically warned two Congressional committees about the privacy risks of location services in mobile phones. For more information, see EPIC: Locational Privacy. (May. 25, 2011)
  • EPIC Briefing to Explore Google Street View and Wi-Fi Privacy: EPIC will host a Capitol Briefing on Wednesday, May 18, 2011 on "Street View, Privacy, & the Security of Wireless Networks." The luncheon symposium will feature a panel with FTC Director of Consumer Protection David Vladeck and Former FTC Commissioner Pamela Harbour, and other experts. Sky Hook CEO Ted Morgan will demonstrate Wi-Fi scanning. Many countries have launched investigations of Google Street View after investigators found that Google unlawfully collected Wi-Fi data and intercepted private communications traffic. EPIC has recommended that the US FCC undertake an investigation. The Briefing will be held at the Capitol Visitor’s Center in room HVC-201 from 11:30 am to 1:30 pm. Registration information. For More Information, see EPIC: Street View and EPIC: FTC and follow #wifiprivacy. (May. 17, 2011)
  • EPIC Sues Federal Trade Commission for Details on Spy-Fi Investigation: EPIC filed a Freedom of Information Act lawsuit against the Federal Trade Commission over the agency's failure to disclose to EPIC information about the FTC's decision to end the Google Spy-Fi investigation. EPIC is specifically seeking documents that the FTC widely circulated to members of Congress and their staff that provide the basis for the agency's decision. Privacy agencies around the world found that Google unlawfully intercepted private communications traffic. Yet documents obtained earlier by EPIC under the FOIA suggest that the FTC did not even examine the data Google gathered from private residential Wi-Fi routers in the United States. EPIC is hosting a Capitol Briefing on May 18th on "Street View, Privacy, and the Security of Wireless Networks." For more information, see EPIC: Street View and EPIC: FTC. (May. 12, 2011)
  • EPIC Proposes "Fair Information Practices" for Google: Today EPIC submitted detailed comments on a landmark privacy agreement that requires Google to adopt a "Comprehensive Privacy Plan" to safeguard the privacy and personal information of Internet users. In comments to the Federal Trade Commission, EPIC recommended that the FTC require Google to adopt and implement comprehensive Fair Information Practices, as part of the Privacy Program. EPIC also recommended encryption for Google's cloud-based services, new safeguards for reader privacy, limitations on data collection, and warrant requirements for data disclosures to government officials. EPIC said that similar privacy safeguards should be established for other Internet companies. The FTC investigation and settlement arises from a complaint filed by EPIC with the Commission in February 2010. For more information, see EPIC: In re Google Buzz and FTC - Public Comments on In Re Google. (May. 3, 2011)
  • Public Submits Comments on Proposed Google Consent Order: Today marks the end of the public comment period for the Federal Trade Commission's landmark Consent Order with Google regarding Buzz, Gmail, and all Google products and services. As part of the legal order, Google must adopt a "Comprehensive Privacy Plan" to safeguard its users data and personal information. EPIC launched an online petition and a "Fix Google Privacy" page to promote public participation in the FTC's deliberations. The FTC's action against Google follows a Complaint and an Amended Complaint, filed by EPIC on behalf of Gmail subscribers and other users. For more information, see EPIC: In re Google Buzz. (May. 2, 2011)
  • Senators Kerry and McCain introduce Internet Privacy Legislation: Senators John Kerry (D-MA) and John McCain (R-AZ) have introduced the "Commercial Privacy Bill of Rights Act of 2011," aimed at protecting consumers' privacy both online and offline. The Bill endorses several "Fair Information Practices," gives consumers the ability to opt-out of data disclosures to third-parties, and restricts the sharing of sensitive information. But the Bill does not allow for a private right of action, preempts better state privacy laws, and includes a "Safe Harbor" arrangement that exempts companies from significant privacy requirements. EPIC has supported privacy laws that provide meaningful enforcement, limit the ability of companies' to exploit loopholes for behavioral targeting, and ensure that the Federal Trade Commission can investigate and prosecute unfair and deceptive trade practices, as it did with Google Buzz. For more information, see EPIC: Online Tracking and Behavioral Profiling and EPIC: Federal Trade Commission. (Apr. 12, 2011)
  • EPIC Launches "Fix Google Privacy" Campaign: In response to the recent announcement that Google has agreed to adopt a "Comprehensive Privacy Plan," EPIC has launched "Fix Google Privacy," a campaign to encourage Internet users to offer their suggestions to improve safeguards for Google's products and services. Submissions to EPIC will be forwarded to the Federal Trade Commission and considered by the agency as part of the final Privacy Plan. All comments must be sent before May 2, 2011. For more information, see EPIC - In Re Google Buzz and FTC - Analysis to Aid Public Comments. (Apr. 5, 2011)
  • FTC Releases Annual Report, Highlights Consumer Protection: The Federal Trade Commission released the 2011 Annual Report, which emphasized the agency's actions in the consumer protection and anti-trust areas. The agency highlighted its work on privacy, data security, and technology and noted the settlement of several privacy cases, including Echometrix, Lifelock, Twitter, and U.S. Search. EPIC filed a complaint with the Commission concerning Echometrix, and still has complaints pending regarding changes in Facebook's privacy settings and Google cloud computing. For more information, see EPIC: Federal Trade Commission. (Apr. 1, 2011)
  • FTC Announces Agreement in EPIC Google Buzz Complaint: The Federal Trade Commission has reached a agreement with Google regarding Buzz, the social network service launched in early 2010. The FTC action follows a complaint and an amended complaint filed by EPIC on behalf of Gmail subscribers and other Internet users. The FTC agreement with Google is far-reaching. It is the most significant privacy decision by the Commission to date. For Internet users, it should lead to higher privacy standards and better protection for personal data. EPIC has pursued similar successful complaints at the FTC in the past, including Microsoft Passport and Choicepoint, the databroker firm. For more information, see EPIC - In re Google Buzz. (Mar. 30, 2011)
  • Senate Antitrust Agenda Includes Google, FTC Oversight: Senator Kohl (D-WI) has announced the agenda for the Senate Subcommittee on Antitrust, Competition Policy, and Consumer Rights. Among other issues, the Subcommittee will focus on competition in online markets and internet search, as well as oversight of the Justice Department and the Federal Trade Commission. EPIC had opposed Google's acquisition of online advertiser Doubleclick, which was approved by the FTC over the objection of former FTC Commissioner Pamela Harbor. EPIC later testified before the Antitrust committee on Google's growing dominance of essential Internet services. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission. (Mar. 14, 2011)
  • EPIC Says FTC Has Failed to Safeguard Consumer Privacy: In response to a request for comments on an FTC report on future action, EPIC criticized the Commission for failing to act on numerous privacy complaints currently pending before the Commission, including those involving Facebook privacy settings, Google Buzz, and Cloud Computing Services. EPIC recommended a comprehensive federal privacy law based on Fair Information Practices, support for Privacy Enhancing Technologies, and the establishment of an independent privacy agency.  The FTC report recommended the creation of a Do Not Track mechanism, the adoption of "privacy by design" techniques, and the use of simplified consumer privacy notices. For more information, see EPIC - Federal Trade Commission. (Feb. 18, 2011)
  • EPIC Pursues Investigation of FTC's Spy-Fi Noninvestigation: EPIC has filed an administrative appeal with the Federal Trade Commission, challenging the agency's failure to disclose to information about the FTC's decision to end the Google Spy-Fi investigation. EPIC is specifically seeking a slide presentation that the FTC provided to Congress about the matter. The agency has claimed that the presentation to Congress is exempt from disclosure under the Freedom of Information Act. Privacy agencies around the world found that Google intercepted private communications traffic. Yet documents obtained earlier by EPIC under the FOIA suggest that the FTC did not even examine the data Google gathered from private residential wifi routers in the US. For more information, see Google: Street View. (Feb. 11, 2011)
  • Federal Trade Commission Extends Deadline for Comments on Privacy Report: To provide business groups more time to express their views on consumer privacy, the FTC has extended the deadline for submitting comments on the agency's Internet privacy report to February 18th. The preliminary staff report "Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policy Makers" recommends the creation of a Do Not Track mechanism, the adoption of "privacy by design" techniques, and the use of simplified consumer privacy notices. However, the FTC's report did not address the privacy implications of cloud computing and social networking, the need for a US privacy agency, or a comprehensive federal privacy law based on "Fair Information Practices," as privacy groups had urged. For more information, see EPIC: Federal Trade Commission and EPIC: Online Tracking and Behavioral Profiling. (Jan. 24, 2011)
  • FTC: Investigating Google Street View is a "waste of summer": In documents obtained by EPIC through a Freedom of Information Act request, a senior attorney with the Federal Trade Commission describes the Google WiFi investigation as a "wasted summer" and hopes that a Hill briefing on Google WiFi "won't be too much of a time suck." EPIC sought these documents after the FTC dropped its investigation of Google Streetview. Several countries, including the U.K., Germany, Spain, and Canada, have conducted similar investigations and determined that Google violated their privacy laws. In the U.S., the Federal Communications Commission opened an investigation after EPIC filed a complaint, asking the Commission to investigate violations of US wiretap law and the Communications Act. For more information, see EPIC: Google Street View. (Jan. 20, 2011)
  • Federal Trade Commission Recommends Do Not Track, Privacy by Design, and Short Privacy Notices: The Federal Trade Commission released a preliminary staff report on privacy, following a series of public roundtable discussions. The report recommends the establishment of a Do Not Track mechanism, the adoption of a "privacy by design" techniques, and the use of simplified consumer privacy notices. However, the FTC report did not address the privacy implications of cloud computing and social networking, the need for a US privacy agency, or a comprehensive federal privacy law based on "Fair Information Practices," as privacy groups had urged. For more information, see EPIC: Federal Trade Commission. (Dec. 2, 2010)
  • Wall Street Journal Confirms FCC Investigation of Google Street View Following EPIC Complaint: The Wall Street Journal reported today that the Federal Communications Commission has opened an investigation into Google's secretive interception and collection of wifi data collection. This occurred in thirty countries over a three year period and is linked to Google "Street View" vehicles which many thought simply captured digital images. In May, EPIC filed a complaint with the Commission, asking it to investigate Google's possible violations of federal wiretap law and the U.S. Communications Act. Investigations in other countries have revealed that Google secretly collected passwords, email, and sensitive medical data from millions of Internet users, and also built an extensive database of personal information associated with private residential wifi routers. The Federal Trade Commission recently ended its inquiry into Google Street View, even though members of Congress had urged a comprehensive investigation. For more information, see EPIC - Investigation of Google Street View. (Nov. 10, 2010)
  • FTC Appoints Executive Director, Chief Technology Officer: The Federal Trade Commission has announced that Eileen Harrington will be rejoining the Commission as the Executive Director. Harrington was recently the Chief Operating Officer at the U.S. Small Business Administration, following a 25-year stint at the Commission in a variety of positions. The Commission has also announced that Princeton University professor Dr. Edward W. Felton has been named as Chief Technologist, a new position that will focus on evolving technology and policy issues. Dr. Felten was the founding director for Princeton’s Center for Information Technology Policy. For more information, see EPIC: Federal Trade Commission. (Nov. 9, 2010)
  • Federal Trade Commission Closes Noninvestigation of Google Street View: The Federal Trade Commission has sent a letter to Google, ending an investigation that never began. In May, the Federal Trade Commission was asked by members of Congress to investigate Google's secretive collection of wifi data as part of Street View, a mapping program characterized by the collection of digital imagery. In a letter to Federal Communications Commission, EPIC further explained that Google's conduct likely violated federal wiretap law. Subsequent investigations in other countries revealed that Google secretly collected passwords, email, and sensitive medical data from millions of Internet users, and also built an extensive database of personal information associated with private residential wifi routers. However, the Federal Trade Commission never pursued an independent investigation of Street View, examined the data collected by Google in the United States, or even acknowledged the findings of other agencies. Investigations are still pending in several countries and 37 states in the U.S. For more information, see EPIC: Google Street View. (Oct. 27, 2010)
  • FTC Proposes Consent Decree in U.S. Search Case: The FTC is asking for comments on a proposed settlement of the agency's complaint against the company U.S. Search for deceptive practices. U.S. Search sold customers a "privacy lock" service that the company falsely claimed would prevent customers' personal information from appearing on the U.S. Search website. The proposed settlement requires U.S. Search to refund fees and bars the company from further deceptive practices, but does not stop them from charging a fee for an opt-out service. For more information, see EPIC: FTC. (Oct. 20, 2010)
  • EPIC Urges Federal Trade Commission to Strengthen Childrens' Privacy Rule: EPIC filed comments urging the Federal Trade Commission to improve the Childrens' Online Privacy Protection Act Rule. The rule is the principal federal protection for childrens' privacy, and limits how companies may collect and disclose childrens' personal information. "The need for the COPPA Rule has become increasingly urgent in light of new business practices and recent technological developments, such as social networking sites and mobile devices," EPIC wrote. "Existing provisions need to be strengthened and new provisions need to be added." In April, EPIC testified before Congress concerning childrens' privacy. For more, see EPIC: COPPA and EPIC: FTC. (Jul. 9, 2010)
  • Congressional Leaders Write to Google's Schmidt About "Spy-Fi": Congressmen Henry Waxman (D-CA), Joe Barton (R-TX), and Ed Markey (D-MA) have sent a detailed letter to Google CEO Eric Schmidt about the reports that Google Street View vehicles scarfed up Wi-Fi data in thirty countries, including the United States. The letter follows a complaint that EPIC has sent to the Julius Genachowski, chairman of the Federal Communications Commission, suggesting that Google may have violated federal wiretap laws. For more information, see Congress Urges FTC to Investigate Google. (May. 26, 2010)
  • New Facebook Privacy Complaint Filed with Trade Commission: Today, EPIC and 14 privacy and consumer protection organizations filed a complaint with the Federal Trade Commission, charging that Facebook has engaged in unfair and deceptive trade practices in violation of consumer protection law. The complaint states that changes to user profile information and the disclosure of user data to third parties without consent "violate user expectations, diminish user privacy, and contradict Facebook’s own representations." The complaint also cites widespread opposition from Facebook users, Senators, bloggers, and news organizations. In a letter to Congress, EPIC urged the Senate and House Committees with jurisdiction over the FTC to monitor closely the Commission's investigation. The letter noted the FTC's failure to act on several pending consumer privacy complaints. For more information, see EPIC: Facebook Privacy. (May. 5, 2010)
  • EPIC Recommends Effective Consumer Privacy Standards, Calls Notice and Choice a "Failed Experiment": At the third FTC Privacy Roundtable, EPIC senior counsel John Verdi will recommend that the Commission push forward with effective and meaningful privacy safeguards for American consumers. Mr. Verdi will say that the "notice and choice" approach has failed, and will recommend that the FTC enforce Fair Information Practices, such as the OECD Privacy Guidelines. The discussion can be viewed via webcast. Additional information on the FTC roundtable event can be found here. For more information, see EPIC In re Google Buzz, EPIC In re Facebook, and EPIC In re Google and Cloud Computing. (Mar. 17, 2010)
  • Senate Confirms Julie Brill as FTC Commissioner: The Senate confirmed Julie Brill, former Vermont Assistant Attorney General, to fill a vacancy for FTC Commissioner. Brill served for over 20 years as Vermont’s Assistant Attorney General for Consumer Protection and Antitrust, and currently serves as Senior Deputy Attorney General and Chief of Consumer Protection and Antitrust for the North Carolina Department of Justice. Brill has had experience with several important consumer protection issues, including tobacco, food and drug, antitrust, and privacy and identity theft. Senator Leahy (D-VT) expressed support for Brill’s confirmation, proclaiming, “We again have an FTC that is on the side of the consumers. Julie Brill will help revitalize an FTC that has languished while consumers’ interests have given way to special interests.” (Mar. 4, 2010)
  • Federal Trade Commission Sets out Priorities But Lacks Strategy for Privacy Protection: The Federal Trade Commission released the Congressional budget justification summary for FY 2011 and performance plan for FY 2010-11. The FTC documents list three strategic goals: protect consumers, maintain competition, and advance performance. Objectives include improving consumer education, identifying and stopping “fraud, deception and unfair practices,” and “protecting American consumers in the global marketplace.” Although the FTC Implementation Plan includes the development of approaches to implement OECD Guidelines on consumer protection in the context of electronic commerce, there is no mention of implementing OECD Guidelines on privacy protection.  (Feb. 4, 2010)
  • EPIC Urges FTC to Protect Users' Privacy On Cloud Computing and Social Networking Services: EPIC submitted comments to the FTC prior to the agency’s second privacy roundtable. EPIC warned of the ongoing privacy risks associated with cloud computing and social networking privacy, highlighting the Google cloud computing complaint and Facebook privacy complaint filed by EPIC in 2009. The comments note that the FTC has failed to take any meaningful action with respect to either complaint, demonstrating the Commission's “lack of leadership and technical expertise.” EPIC's comments also draw attention to the success of international privacy initiatives, in hopes of encouraging the FTC to take meaningful action to protect American consumers. For more information, see EPIC: Cloud Computing and EPIC: Social Networking Privacy. (Jan. 28, 2010)
  • EPIC Defends Privacy of Facebook Users: Files Complaint with the Federal Trade Commission: EPIC has filed a complaint with the Federal Trade Commission, urging the FTC to open an investigation into Facebook’s revised privacy settings. The EPIC complaint, signed by nine other privacy and consumer organizations, states that the  "changes violate user expectations, diminish user privacy, and contradict Facebook’s own representations." EPIC cites widespread opposition from Facebook users, security experts, bloggers, and news organizations. A previous EPIC complaint to the FTC, concerning the data broker industry, produced the largest settlement in the FTC's history.  For more information, see EPIC: In re Facebook, Frequently Asked Questions Regarding EPIC's Facebook Complaint, and EPIC Facebook Privacy. EPIC PRESS RELEASE. (Dec. 17, 2009)
  • FTC Considers Emerging Privacy Concerns at First Privacy Roundtable: The Federal Trade Commission held the first of three privacy roundtables this week in Washington, DC. The well-attended event featured privacy and security experts from around the country, with each panel consisting of at least one industry representative and one privacy advocate. The failure of the current notice and choice model, the need to regulate behavioral targeting, concerns about government access to data, and the high privacy expectations of consumers were among recurring topics throughout the day. EPIC's Marc Rotenberg said it was important for the Commission to focus on emerging business practices and the impact on consumer privacy. The second privacy roundtable will be held on Data Privacy Day - January 28, 2010 - at the University of California, Berkeley School of Law. The FTC welcomes comments from the public in advance of the roundtable. (Dec. 9, 2009)
  • President Obama Nominates Brill and Ramirez for Federal Trade Commission: President Obama nominated Julie Brill and Edith Ramirez to be commissioners of the Federal Trade Commission. Brill, North Carolina’s top consumer advocate, serves as the senior deputy attorney general and chief of consumer protection and antitrust for the North Carolina Department of Justice. Ramirez, who specializes in intellectual property and complex litigation matters, is a partner in a Los Angeles, California law firm and has experience representing companies such as Mattel, Inc. and Northrop Grumman Corp. In a press release, President Obama stated, “These individuals bring a depth of experience to their respective roles, and I am confident they will serve my administration and the American people well. I look forward to working with them in the months and years ahead.” (Nov. 17, 2009)
  • EPIC to FTC: "Parental Control" Software Firm Gathers Data for Marketing: EPIC filed a complaint with the Federal Trade Commission against Echometrix, the developer of parental control software that monitors children’s online activity. Echometrix analyzes the information collected from children and sells the data to third parties for market-intelligence research. The EPIC complaint alleges that Echometrix engages in unfair and deceptive trade practices by representing that the software protects children online while simultaneously collecting and disclosing information about children's online activity. The complaint further alleges that Echometrix’s practices violate the Children’s Online Privacy Protection Act by collecting and disclosing information from children under the age of 13. The EPIC complaint asks the FTC to stop these practices, seek compensation for victims, and ensure that Echometrix’s collection and disclosure practices comply with COPPA. For more information on the Children’s Online Privacy Protection Act, see EPIC COPPA. (Sep. 29, 2009)
  • Federal Trade Commission to Host Privacy Roundtables: The Federal Trade Commission has announced a series of roundtables on consumer privacy, beginning December 7. These discussions will explore many issues, including consumer information collection, information management practices, new business practices, and the adequacy of existing privacy laws. Roundtable participants will include individuals from a wide range of related fields, including privacy and technology experts. The meetings are open and public comments are encouraged. EPIC has supported the FTC's privacy mission, but has also said that the agency needs to do a lot more to safeguard consumer privacy. For more information, see EPIC FTC page. (Sep. 16, 2009)
  • Trade Commission Prohibits Robocalls: The Federal Trade Commission is prohibiting commercial telemarketing calls to consumers after September 1, 2009. The agency amended the Telemarketing Sales Rule, which imposes a penalty of $16,000 per call, to cover sellers and telemarketers who transmit prerecorded messages to consumers who have not agreed in writing to accept such messages. The Telemarketing Rule is authorized under the Telemarketing and Consumer Fraud and Abuse Prevention Act. The new rule does not prohibit informational messages or calls by politicians, banks, telephone carriers, and charities. EPIC has urged the FCC to require strong privacy safeguards for telephone customers' personal information, and protect wireless subscribers from telemarketing. See also EPIC Telemarketing and Telephone Consumer Protection Act. (Aug. 28, 2009)
  • FTC Issues Final Breach Notification Rule for Electronic Health Information: The Federal Trade Commission issued a final rule requiring breach notification by vendors of medical records and related entities. In June, EPIC submitted comments recommending that all entities handling electronic health records be subject to the regulation and that the FTC should establish a central location to track and announce breaches. The FTC modified the rule accordingly. EPIC had also recommended that information "accessed" be treated as "acquired", substitute media notices be used as supplemental notification, verification of data breach notices be required, minimum security standards be created, penalties for violations be assessed, and the creation of "safe-harbors" for de-identified data be opposed. The rule was mandated under the American Recovery and Reinvestment Act. See EPIC Medical Privacy and EPIC Identity Theft. (Aug. 21, 2009)
  • Privacy and Consumer Groups Seek New FTC Commissioner: EPIC joined other privacy and consumer organizations on a letter to President Obama urging the appointment of a pro-consumer Commissioner to the Federal Trade Commission (FTC). The groups called for the appointment of someone with a “distinguished record of achievement in consumer affairs, with a demonstrated commitment to protecting the public.” The Commission has been one person short of its full membership since former Chair Deborah Platt Majoras left the agency last year. The President appointed Jon Leibowitz to serve as the current chair of the FTC. For more information, see EPIC’s page on the Federal Trade Commission. (Apr. 27, 2009)
  • Federal Trade Commission to Review EPIC Cloud Computing Complaint: The Federal Trade Commission will review EPIC's March 17, 2009 complaint, which describes Google's unfair and deceptive business practices concerning the firm's Cloud Computing Services. EPIC's complaint describes numerous data breaches involving user-generated information stored by Google, including the recently reported breach of Google Docs. EPIC's complaint "raises a number of concerns about the privacy and security of information collected from consumers online," federal regulators said. EPIC urged the Commission to take "such measures as are necessary" to ensure the safety and security of information submitted to Google. Previous EPIC complaints have led the Commission to order Microsoft to revise the security standards for Passport and to require Choicepoint to change its business practices and pay $15 m in fines. For more information, see EPIC's complaint to the FTC. EPIC's Cloud Computing Page. (Mar. 19, 2009)
  • EPIC Petitions FTC to Investigate Google, Cloud Computing Services: EPIC has formally asked the Federal Trade Commission to open an investigation into Google's Cloud Computing Services -- including Gmail, Google Docs, and Picasa -- to determine "the adequacy of the privacy and security safeguards." The petition follows the recent report of a breach of Google Docs. EPIC cited the growing dependence of American consumers, businesses, and federal agencies on cloud computing services, and urged the Commission to take "such measures as are necessary" to ensure the safety and security of information submitted to Google. Previous EPIC complaints have led the Commission to order Microsoft to revise the security standards for Passport and to require Choicepoint to change its business practices and pay $15 m in fines. (Mar. 17, 2009)
  • Trade Commission Issues Voluntary Guidelines for Online Tracking, Targeting, and Advertising: Today, the Federal Trade Commission released voluntary guidelines for Internet advertising and behavioral targeting. The guidelines set out four principles: "1) transparency and consumer control; 2) reasonable security and limited data retention for consumer data; 3) affirmative express consent for material retroactive changes to privacy promises; and 4) affirmative express consent to (or prohibition against) use of sensitive data." There is no means to enforce the guidelines, and Commissioners Jon Leibowitz and warned that they are insufficient to ensure consumers' privacy. Commissioner Harbour cautioned that the guidelines "focus too narrowly" and urged rulemakers to "take a more comprehensive approach to privacy." The guidelines are in part a response to EPIC's 2007 Complaint regarding the Google-Doubleclick merger raising concerns about the profiling of Internet users and the need to establish clear privacy safeguards as a condition of the merger. For more information, see EPIC's Complaint regarding the Google/DoubleClick merger and page Privacy? Proposed Google/DoubleClick Deal. (Feb. 12, 2009)
  • Consumer Groups Urge Trade Commission to Investigate Mobile Marketing: The Center for Digital Democracy and the U.S. Public Interest Research Group filed a complaint with the Federal Trade Commission to investigate the growing threat to consumer privacy in the mobile advertising world. Certain services track, analyze, and target the public and build secret profiles. Users are targeted based on their online behavior and their location. The complaint urges the Commission to define and clarify practices, review self-regulation, require notice and disclosure and also protect the public. Earlier, thirty Privacy Coalition members sent a letter to President-elect Barack Obama highlighting the importance of protecting consumer privacy in new network services. For more information, see EPIC's page on Privacy and Consumer Profiling. (Jan. 13, 2009)
  • EPIC Complaint Leads to Halt of Stalker Spyware Distribution. Following an EPIC complaint, a federal court has ordered CyberSpy Software to stop selling malicious computer software. In March, EPIC filed a complaint with the Federal Trade Commission alleging that the spyware purveyor engages in unfair and deceptive practices by: (1) promoting illegal surveillance; (2) encouraging "Trojan Horse" email attacks; and (3) failing to warn customers of the legal dangers arising from misuse of the software. The federal regulators agreed, and asked the court for a permanent injunction barring sales of CyberSpy's "stalker spyware," over the counter surveillance technology sold for individuals to spy on other individuals. The court entered a temporary restraining order on November 6, 2008. Further litigation is expected before the court rules on the government's request for a permanent ban. For more information, see EPIC's Personal Surveillance Technologies Page and Domestic Violence and Privacy Page. (Nov. 17, 2008)
  • EPIC Urges FTC to Establish Privacy Safeguards for RFID Tags. In comments to the Federal Trade Commission, EPIC reiterated recommendations (pdf) it made in 2004 to the consumer protection agency to address the risks to consumer safety of the unregulated use of RFID tags that reveal personal data. The FTC is hosting a "Transatlantic RFID Workshop on Consumer Privacy and Data Security" to discuss consumer concerns. The workshop follows an event, organized by the US Department of Commerce, promoting the benefits of RFID. Comments on RFID may be submitted to the FTC until October 23. For more, see EPIC's RFID Privacy page. (Sept. 22, 2008).
  • Trade Commission Approves Data Breach Settlements, But Fails to Impose Monetary Penalties. The Federal Trade Commission has finalized settlements with TJX, Reed Elsevier, and Seisint. The settlements arose from data breaches, which exposed the sensitive personal information of over 500,000 consumers and resulted in millions of dollars in financial fraud. Earlier this year, EPIC filed comments with the FTC urging the Commission to include civil penalties in the settlements. EPIC wrote that civil penalties are necessary to provide incentives for companies to safeguard personal data. EPIC also noted that the FTC imposed $10 million in civil penalties in the Choicepoint case. The final agreements impose security and audit responsibilities, but no financial penalties. For more on data breaches and ID theft, see EPIC's Identity Theft: Its Causes and Solutions Page. (Aug. 4, 2008)
  • EPIC v. FTC: EPIC Obtains Documents Detailing Conflict of Interest in Google-Doubleclick Merger Review. Pursuant to a settlement in a Freedom of Information Act lawsuit against the Federal Trade Commission, EPIC has obtained documents detailing former FTC Chairman Deborah Platt Majoras' conflict of interest in the Google-Doubleclick merger review. Majoras headed the Commission's review of the proposed $3.1 billion Google acquisition while her spouse's law firm represented Doubleclick. A July 17, 2007 memorandum obtained by EPIC flatly contradicts Majoras' claim that "no one at the FTC" knew of the conflict "until the afternoon of Tuesday, December 11, 2007." In 2007 EPIC and the Center for Digital Democracy urged the FTC to establish privacy safeguards as a condition of the merger. One week prior to the Commission's decision to approve the merger without conditions, EPIC learned that the Jones Day law firm represented Doubleclick. EPIC then submitted Freedom of Information requests to determine the role of the Jones Day firm in the merger review. For more, see EPIC's EPIC v. FTC Page. (July 8, 2008)
  • FTC Issues Additional CAN-SPAM Rules, Fails to Regulate Third-Party List Brokers This week, the Federal Trade Commission approved new rules for CAN-SPAM, the federal anti-spam law. The Commission stated that consumers cannot be charged a fee to opt out of spam. The FTC also determined that third-party list brokers (companies that sell email lists to spammers) are not subject to CAN-SPAM's opt-out requirements. In 2005, EPIC urged the FTC to impose opt-out requirements on third-party list brokers. EPIC stated that this requirement was consistent with CAN-SPAM's goal and was more effective than the present system, which requires consumers to opt out with individual companies. For more information, see EPIC's"SPAM - Unsolicited Commercial E-Mail Page." (May 15, 2008)
  • EPIC Urges Commission to Impose Civil Penalties in Data Breach Settlements. Today, EPIC filed comments with the Federal Trade Commission urging the FTC to include civil penalties in settlements with TJX, Reed Elsevier, and Seisint. The FTC recently concluded investigations of the companies' weak security policies, and reached preliminary settlements that would impose security and audit responsibilities, but no financial penalties. The FTC's investigations arose from the companies' unrelated 2004-2005 data breaches, which exposed the sensitive personal information of over 500,000 consumers and resulted in millions of dollars in alleged financial fraud. EPIC noted that civil penalties were necessary to provide incentives for companies to better safeguard personal consumer data in the future, and observed that the FTC imposed $10 million in civil penalties in the Choicepoint case. For more on data breaches and ID theft, see EPIC's Identity Theft: Its Causes and Solutions page. (Apr. 28, 2008)
  • EPIC Sues Trade Commission to Compel Disclosure of Documents Concerning Jones Day's Role in US Doubleclick Merger Review. Today, EPIC filed a Freedom of Information Act lawsuit (pdf) challenging the Federal Trade Commission's failure to make public documents relating to the role of the Jones Day law firm in the Google-Doubleclick merger review. The lawsuit follows EPIC's original request (pdf) and subsequent administrative appeal (pdf). During the FTC merger review, Jones Day publicly stated that it represented Doubleclick (pdf). After EPIC learned that Chairman Majoras' spouse is a Jones Day partner, EPIC moved for the recusal of the FTC Chairman, and emphasized that recusal had occurred in other similar matters involving conflicts of interest with the Jones Day firm. However, Chairman Majoras participated in the Google-Doubleclick review and voted to approve the merger without conditions, despite privacy groups' warnings that the merger would threaten consumer privacy. (Mar. 14, 2008)
  • European Commission Approves Google-Doubleclick Merger, But European Privacy Laws Will Apply. The European Commission today approved the proposed Google-Doubleclick merger under its competition authority. Though the Commission did not consider privacy in the merger review, it did reaffirm the obligation of Google-Doubleclick to comply with European privacy laws. "The Commission's decision to clear the proposed merger is based exclusively on its appraisal under the EU Merger Regulation. It is without prejudice to the merged entity's obligations under EU legislation in relation to the protection of individuals and the protection of privacy with regard to the processing of personal data and the Member States' implementing legislation." Last year, EPIC filed a complaint (pdf) with the US Federal Trade Commission, urging the FTC to open an investigation into the proposed acquisition, specifically with regard to the ability of Google to record, analyze, track, and profile the activities of Internet users. In January testimony (pdf) before the European Parliament, EPIC urged the European Commission to establish privacy safeguards as a condition of the merger. See EPIC's Privacy? Proposed Google/Doubleclick Deal Page. (Mar. 11, 2008)
  • EPIC Urges Investigation of "Stalker Spyware". EPIC filed a complaint with the Federal Trade Commission against several purveyors of stalker spyware. Stalker spyware products are over the counter surveillance technologies sold for individuals to spy on other individuals -- and can be used by abusers to spy on their victims. The complaint alleges that these companies engage in unfair and deceptive practices by: (1) promoting illegal surveillance by abusers of their victims; (2) promoting "Trojan Horse" email attacks; and (3) failing to warn their customers of legal dangers of misuse of stalker spyware. The EPIC complaint asks the FTC to stop these practices, seek compensation for victims, and investigate other harms that stalker spyware may cause. For more information see EPIC's pages on Personal Surveillance Technologies, and Domestic Violence and Privacy. (Mar. 7, 2008)
  • Data Broker Merger Threatens Privacy. Reed-Elsevier, corporate parents of Lexis-Nexis, has made a move to acquire Choicepoint, the databroker. Consumer privacy will be seriously affected if the merger is approved without any privacy safeguards. The previous Google-Doubleclick merger involving two large databases of personal information similarly raised privacy as well as antitrust issues. Choicepoint is a large player in the commercial databroker market and has been the target of an EPIC privacy complaint and an FTC investigation and fine for the privacy harms its business practices cause. For more see EPIC's page on Choicepoint. (Feb. 21, 2008)
  • EPIC Challenges Trade Commission's Failure to Produce Documents Concerning Jones Day's Role in US Doubleclick Merger Review. In a Freedom of Information Act appeal(pdf), EPIC challenged the Federal Trade Commission's failure to make public documents relating to the role of the Jones Day law firm in the Google-Doubleclick merger review. The appeal follows EPIC's original request. During the FTC review, Jones Day publicly stated that it represented Doubleclick but later denied representing Doubleclick, after EPIC learned that Chairman Majoras' husband, John M. Majoras, is a Jones Day partner. EPIC moved for the recusal of the Chairman, and noted that recusal had occurred in other matters involving apparent conflicts of interest with the Jones Day firm. However, Chairman Majoras participated in the review and voted to approve the merger without conditions, despite privacy groups' warnings that the merger would threaten consumer privacy. For more information, see EPIC's page Privacy? Proposed Google/Doubleclick Deal. (Feb. 13)
  • EPIC, Privacy Groups Renew Call for Investigation of Ask Eraser. EPIC filed a supplemental complaint (pdf) with the Federal Trade Commission today highlighting the ongoing consumer privacy threats posed by Ask.com's AskEraser product. The new complaint restates that Ask.com is engaging in an unfair and deceptive trade practice. Ask.com corrected one substantial problem with AskEraser following an earlier letter from EPIC, but EPIC makes clear in the new filing that Ask.com has failed to resolve the substantial threats to consumer privacy, and urges the FTC to move forward with an investigation. For more information, see the EPIC "Does Ask Eraser Really Erase?" Page. (Feb. 8, 2008)
  • Consumer Privacy Coalition Files FTC Complaint Against Ask.com. EPIC and five other groups filed a complaint (pdf) with the Federal Trade Commission alleging that Ask.com is engaging in unfair and deceptive trade practices with the representations concerning AskEraser, a search service that purports to protect privacy. Among the critical points highlighted by the consumer privacy coalition: (1) users must accept an AskEraser cookie and disable a genuine privacy feature in browsers that block cookies; (2) the AskEraser cookie is a unique persistent identifier that makes it easy for Ask.com, its business partners, and the government to track the activities of AskEraser users; and (3) Ask.com will disable the search delete feature -- the central purpose of the Ask Eraser service -- without notice to the user. The complaint follows a December letter (pdf) to Ask.com describing these security and privacy problems. (Jan. 19, 2008)
  • EPIC - "Federal Trade Commission failed to address the privacy implications of the Google-Doubleclick Merger". In a detailed statement issued today, EPIC said that the unique circumstances of the online advertising industry required the FTC to impose privacy safeguards as a condition of the Google- Doubleclick merger. EPIC said that the FTC "had reason to act and authority to act, and failed to do so." EPIC pointed out that the Commission ignored similar assessments from leaders in Congress and consumer protection agencies. EPIC said it would vigorously pursue Freedom of Information Act requests regarding the role of the Jones Day law firm in the merger review. EPIC concluded that the FTC's decision "does not end the discussion about competition and privacy protection in the context of merger review. Consumers around the world will be impacted by the business practices of the combined entity, and the consequences will have to be addressed." Attention turns next to a hearing before the European Parliament on January 21. EPIC has been invited to testify. (Dec. 20, 2008)
  • FTC Chair Dismisses Recusal Petition in Jones Day-Doubleclick Conflict of Interest Case, EPIC Files Expedited Open Government Request. FTC Chairman Deborah Majoras has refused to step down in the Commission's review of the Google-Doubleclick merger even though it was revealed this week that her husband's law firm is representing Doubleclick. EPIC and the Center for Digital Democracy have issued a statement. EPIC has also submitted a detailed Freedom of Information Act request seeking the expedited release of all documents concerning the participation of Jones Day in the Commission's review of Doubleclick as well as other matters involving consumer privacy. (Dec. 15, 2007)
  • EPIC, CDD Raise New Questions About FTC Chair's Possible Conflict of Interest. Today EPIC and the Center for Digital Democracy provided new information to the Federal Trade Commission concerning Jones Day's representation of Doubleclick in the pending merger review. The new filing makes clear that statements denying Jones Day participation in the matter are flatly contradicted by an earlier posting on the firm's web site. The EPIC/CDD filing also notes that the firm has subsequently removed the relevant web pages from its web site. The groups are filing a Freedom of Information Act request for all documents at the Commission regarding the matter and notifying Congressional oversight committees. See EPIC's page on Privacy? Proposed Google-DoubleClick merger. (Dec. 13, 2007)
  • Recusal of FTC Chairman Sought in Google-Doubleclick Case. In a motion (pdf) filed today with the Secretary of the Federal Trade Commission, EPIC and the Center for Digital Democracy seek the disqualification of FTC Chairman Deborah Platt Majoras from the pending review of the proposed Google-Doubleclick merger. The organizations recently learned that the husband of the FTC Chairman has taken on Doubleclick as a client for his Washington, D.C. law firm. See EPIC's page on Privacy? Proposed Google-DoubleClick Merger. (Dec. 12, 2007)
  • Leading Senators Urge Comprehensive Privacy Review of Proposed Google-Doubleclick Deal. In a letter (pdf) to the Federal Trade Commission, Senators Herb Kohl and Orrin Hatch, Chairman and Ranking Member of the Senate Judiciary Committee's Subcommittee on Antitrust, Competition Policy and Consumer Rights, urged the FTC to critically analyze the privacy and competition effects of Google's $3.1 billion proposed merger with Internet advertising company DoubleClick. "[T]his deal raises fundamental consumer privacy concerns worthy of serious scrutiny," the senators wrote. In complaints (pdf) to the FTC, EPIC, the Center for Digital Democracy and US PIRG have detailed the reasons why the FTC needs to establish substantial privacy safeguards as a condition of the merger. The European Commission Directorate on Competition has announced a four-month in-depth investigation into the proposed merger. For more information, see EPIC's page on Privacy? Proposed Google/DoubleClick Deal. (Nov. 20, 2007)
  • Google-Doubleclick Deal Looms Over Commission Workshop in DC. The Federal Trade Commission begins a two-day workshop today on Behavioral Targeting. EPIC has urged the Commission to establish meaningful privacy safeguards for consumers and impose conditions on the merger of the two Internet advertising giants, Google and Doubleclick. The Center for Digital Democracy and US PIRG have also recommend that the FTC protect consumers from harmful interactive marketing practices. See EPIC's page Privacy? Proposed Google/DoubleClick Deal. (Nov. 1, 2007)
  • EPIC Urges Congress to Monitor Google-Doubleclick Review. In a letter (pdf) to the Congressional Committee that funds the Federal Trade Commission, EPIC urged oversight of the Commission's review of the pending Google-Doubleclick merger. In complaints (pdf) to the FTC, EPIC, the Center for Digital Democracy and US PIRG have detailed the reasons why the FTC needs to establish substantial privacy safeguards as a condition of the merger. If the FTC fails to do so, "we believe there should be a comprehensive investigation of the factors that led to the FTC's decision," EPIC said. See EPIC's page on Privacy? Proposed Google/DoubleClick Deal. (Oct. 26, 2007)
  • EPIC to Senate: FTC Must Impose Privacy Standards Before Approving Google-Doubleclick Merger. In testimony (pdf) before the Senate Judiciary Committee on the pending Google-Doubleclick merger, EPIC Executive Director Marc Rotenberg said that the Federal Trade Commission should establish privacy safeguards as a condition of the merger. EPIC filed a complaint before the Commission (pdf) in April regarding the merger, similar to other complaints filed by EPIC in the Doubleclick-Abacus merger (pdf), the Microsoft Passport matter (pdf), and Choicepoint. Since the filing of the EPIC complaint, competition authorities around the world have opened investigations. Press Packet. More information at Privacy ? Google-Doubleclick. (Sept. 27, 2007)
  • EPIC, CDD, US PIRG File Additional Papers with FTC in Google-DoubleClick Merger. At the National Press Club today, EPIC, the Center for Digital Democracy, and US PIRG announced a second supplement (pdf) to the groups' original complaint (pdf) and subsequent supplement (pdf) with the Federal Trade Commission (FTC) concerning the proposed Google-DoubleClick merger. The amended complaint details new facts supporting the conclusion that the FTC should block Google's proposed acquisition of DoubleClick. Also today, the Canadian Internet Policy and Public Interest Clinic filed a formal complaint (pdf) with the Privacy Commissioner of Canada urging an investigation into the proposed merger. See EPIC's page on the proposed Google-DoubleClick merger. (Sept. 17, 2007)
  • Privacy Groups File Amended Complaint with FTC Regarding Google/DoubleClick Merger. EPIC, CDD, and US PIRG today filed a supplement (pdf) to the groups' original complaint (pdf) with the Federal Trade Commission (FTC) concerning the Google/DoubleClick merger. The new complaint explains the need for the FTC to consider consumer privacy interests in the context of a merger review involving the Internet's largest search profiling company and the Internet's largest targeted advertising company. The complaint provides additional evidence about Google and DoubleClick's business practices that fail to comply with generally accepted privacy safeguards, and proposes further steps that the Commission should take if the merger is to be approved. For more information see EPIC's page on Proposed Google/Doubleclick deal. (Jun. 6, 2007)
  • New York State Consumer Protection Board endorses EPIC's Google/DoubleClick Complaint. The New York State Consumer Protection Board has sent a letter to the Federal Trade Commission (FTC) endorsing EPIC's recent complaint to the FTC regarding the privacy implications of the Google/DoubleClick merger. The Board expressed its concern that the merger of these two companies would create "super-profiles" of users, exposing consumers to the risk of disclosure of their data to third-parties, as well as public disclosure as evidence in litigation or through data breaches. The Board urged the FTC to halt the merger until it has fully investigated Google's planned use of DoubleClick's data post-merger. For more information on the proposed merger, visit EPIC's FTC Google Complaint Page. (May 9, 2007)
  • EPIC Recommends Better Notification and Strong Privacy Safeguards for Security Breach Investigations. In comments (pdf) to the Federal Trade Commission today, EPIC urged the FTC to limit the disclosure of personal information related to security breach investigations. EPIC said that the Privacy Act exemption sought by the Commission was far too broad. EPIC recommended that the FTC significantly narrow the exemption by "creat[ing] tiers of access, allowing specific categories of individuals limited access to the data, according to the needs of the investigation." EPIC also said that the Commission should notify individuals whose personal data may have been improperly disclosed in a security breach before other government agencies are notified. For more information, see EPIC's Identity Theft Page. (Apr. 30, 2007)
  • White House ID Theft Report to be Released Today. Attorney General Gonzales and FTC Chairman Majoras will hold a press conference today to announce the release of the final report of President's Identity Theft Task Force. In January 2007, EPIC submitted comments to the Task Force that emphasized the need to establish better privacy and security practices to reduce the risk of identity theft, rather than simply expand law enforcement authority. EPIC criticized, "government and private agencies that collect and store excessive amounts of often unnecessary personal information in systems that lack adequate privacy and security safeguards." EPIC wrote, "The best long-term approach to the problem of identity theft is to minimize the collection of personal information and to develop alternative technologies and organizational practices." EPIC also recommended the adoption of privacy enhancing technologies, data minimization, and meaningful remedies when security breaches and privacy violations occur. See EPIC Identity Theft Page. (Apr. 23, 2007)
  • EPIC Files Complaint With FTC Regarding Google/DoubleClick Merger. EPIC, CDD and US PIRG today filed a complaint (pdf) with the Federal Trade Commission (FTC), urging the Commission to open an investigation into the proposed acquisition. The groups urged the FTC to assess the ability of Google to record, analyze, track, and profile the activities of Internet users with data that is both personally identifiable and data that is not personally identifiable. The groups further urged the FTC to require Google to publicly present a plan to comply with well-established government and industry privacy standards such as the OECD Privacy Guidelines. Pending the resolution of these and other issues, EPIC encouraged the FTC to halt the acquisition. See EPIC's FTC Google Complaint page. (Apr. 20, 2007)
  • Google Proposes Doubleclick Acquisition. The Internet search giant has announced a $3.1 billion purchase of the Internet advertising company Doubleclick that would make it possible to merge Internet user search histories and Internet user web site visits. In February 2000, when a similar acquisition was proposed, EPIC filed a complaint (pdf) with the Federal Trade Commission, alleging that Doubleclick was unlawfully tracking the online activities of Internet users and combining surfing records with detailed personal profiles contained in a national marketing database. The FTC opened an investigation and Doubleclick eventually acknowledged that it was a mistake to "merge names with anonymous user activity across Web sites in the absence of government and industry privacy standards" and backed off the plan. For more information, EPIC's Cookies Page and Double Trouble. (Apr. 17, 2007)
  • FTC Reports that Identity Theft Again Tops List of Consumer Complaints. The annual report (pdf) by the Federal Trade Commission finds identity theft complaints, for the seventh year in a row, the number one concern of US consumers, accounting for 36 percent of the 674,354 complaints received. According to the FTC, Credit card fraud (25 percent) was the most common form of reported identity theft, followed by phone or utilities fraud (16 percent), bank fraud (16 percent), and employment fraud (14 percent). In Spanish. The FTC report appears to repudiate an industry-funded study that suggested a decline in identity theft. (Feb. 8, 2007)
  • FTC Fines Choicepoint for $15 Million in Consumer Privacy Case Following EPIC Complaint. The Federal Trade Commission has announced a settlement (pdf) with data broker Choicepoint, under which the company will pay $10 million to the Commission and $5 million to redress consumer harms. It is the largest civil penalty in FTC history. The Commision accused (pdf) Choicepoint of violating consumers' privacy rights and federal law through its shoddy security measures and record-handling procedures. Choicepoint will also have to institute better security procedures and be audited by an independent security firm every two years until 2026. The settlement does not, however, resolve EPIC's 2004 complaint that Choicepoint has been selling personal information outside of Fair Credit Reporting Act protections. For more information, see EPIC's Choicepoint page. (Jan. 26, 2006)
  • FTC Fines Directv $5.3M for Telemarketing Violations. The Federal Trade Commission today announced an agreement with satellite television provider Directv where the company agreed to pay $5.3 million to settle violations of the Do-Not-Call Telemarketing Registry. Directv was using telemarketing agents to call individuals on the Do-Not-Call Registry, and these agents were "abandoning" calls, that is, initiating a call and hanging up before the consumer can answer. Today's settlement was the largest amount levied against any company for violations of the Do-Not-Call rules. For more information, see EPIC's Telemarketing Page. (Dec. 13, 2005)
  • FTC Ends Experian Bait and Switch. The Federal Trade Commission has settled a complaint against credit reporting agency Experian for offering "free" credit reports that were actually expensive credit monitoring services. The company must change representations on its Web site and disgorge almost $1 million received in the bait and switch scam. EPIC filed a complaint against Experian with the FTC in September 2003, noting that although the company is legally responsible for the accuracy and security of credit reports, Experian was stoking consumers' fears on these issues in order to sell credit monitoring services. Individuals who want their free credit report can obtain it from www.annualcreditreport.com, the site established by Congress to provide three reports per year at no cost to the consumer. For more information, see EPIC's Fair Credit Reporting Act Page. (Aug. 16, 2005)
  • EPIC Urges FTC to Investigate Online Data Brokers. In a complaint to the Federal Trade Commission, EPIC urged the agency to investigate online data brokers, companies that promise to sell phone calling records, the identities of people who own private mail boxes, and the identities associated with AOL Screen names, Match.com profiles, and Lavalife profiles. The complaint argues that this information cannot be obtained without violating federal law or regulations. Both the Washington Post and Wall Street Journal have reported on the filing. (Jul. 8, 2005)
  • Groups to FTC: Kids' Privacy Improving, but Law Needs Enforcement. Consumer privacy groups have filed comments (also available in pdf) to the Federal Trade Commission as part of its review of the Children's Online Privacy Protection Act. The groups argue that COPPA has improved children's privacy online. There is a continuing need to continue to clarify COPPA via enforcement and research into the cutting edge techniques being used to direct websites at children. Further action is still needed to address the privacy concerns raised in the offline market for children's personal information. For more information, see EPIC's page on the Children's Online Privacy Protection Act. (Jun. 29, 2005)
  • Groups Urge FTC to Reevaluate FTC's Position on Choicepoint. EPIC and a coalition of privacy and consumer groups urged (pdf) Federal Trade Commission Chair Majoras to reevaluate the agency's position on commercial data brokers, as it was "very much in line with the views of the companies testifying before Congress, which had leaked or sold data to criminals, but was very far from the views expressed by consumer and privacy groups." The groups noted that the FTC itself contributed to current information privacy problems by approving self-regulatory principles authored by companies like Choicepoint and by allowing the sale of "credit headers" without privacy protections. The groups have called upon the FTC to "correct these extraordinary policy blunders and urge the application and enforcement of Fair Information Practices (FIPs) to the commercial data broker industry..." For more information, see EPIC's Choicepoint Page. (Mar. 17, 2005)
  • EPIC Report: FTC's Market Approach Has Failed to Protect Consumer Privacy. In conjunction with the opening of EPIC's first satellite office in San Francisco, California, EPIC has released a policy report arguing that self-regulation has failed to meaningfully address consumer privacy. New technologies and invasive practices from the online world are finding their way into the offline world and have dragged down the practices of ordinary retailers. This paper argues that the FTC and Congress should reevaluate their commitment to market approaches, and empower consumers with privacy law that incorporates Fair Information Practices. (Mar. 3, 2005)
  • EPIC Submits Comments to FTC Regarding Children's Online Activity. EPIC has submitted comments (pdf) to the Federal Trade Commission on its proposal to weaken the Children's Online Privacy Protection Act's parental notice requirements. EPIC challenged the underlying assumptions presented by the FTC in its proposal to make permanent the "Sliding Scale 2005" which addresses parental communications regarding their children's online activity. For more information see EPIC's Children's Online Privacy Protection Act Page. (Feb. 14, 2005)
  • Coalition Urges FTC to Unblock Links to Free Credit Site. EPIC and five privacy and consumer groups have called upon the FTC to order credit reporting agencies to stop blocking web hyperlinks to a site that provides free credit reports. The letter argues that blocking links violates federal regulations, and that, "Whether intentional or not, every subtle and not so subtle web design tactic has been employed to make www.annualcreditreport.com difficult to find and use." EPIC has posted a webpage that circumvents the blocking. For more information, see the EPIC FCRA Page. (Dec. 7, 2004)
  • Sen. Nelson Joins EPIC in Opposing Do-Not-Call Loophole. Senator Bill Nelson (D-FL) has called upon the Federal Trade Commission to abandon a proposed loophole to the telemarketing Do-Not-Call Registry. The loophole would allow companies to send recorded messages to persons with whom they have done business. In a letter (pdf) to the FTC, Nelson warned that the loophole threatens to erode consumer privacy and flood homes with unwanted messages. EPIC and Nelson are urging the public to comment on the loophole by January 10, 2005. For more information, see the EPIC Telemarketing Page. (Dec. 7, 2004)
  • Free Credit Report Site Blocks Web Links. Nationwide credit reporting agencies are required under federal law to provide a free credit report to residents of western states online starting December 1, 2004. However, the credit reporting agencies have blocked links to the free site, citing bogus security concerns. By blocking outside links, the companies create a greater risk of phishing because consumers have to type in the URL, and the companies can steer consumers to their expensive, unnecessary credit monitoring services, avoiding their duty to provide free reports. To get your free report, paste the following URL into your browser: http://www.annualcreditreport.com. (Dec. 4, 2004)
  • FTC Fails to Enforce Children's Privacy Law Against Amazon. Responding to a formal complaint from EPIC and several other privacy organizations, Federal Trade Commission staff have recommended (pdf) that the agency not pursue Amazon.com under the Children's Privacy Protection Act despite the fact that the "Toy Store" website targets children and collects personal information. The agency relied heavily on a single sentence in the company's privacy policy, and concluded that the site wasn't covered by the privacy law. For more information, see the EPIC COPPA Page. (Nov. 24, 2004)
  • FTC Files Brief Supporting Banks Against Privacy Law. The Federal Trade Commission and other federal agencies have filed an amicus brief (pdf) supporting national banks in their bid to invalidate a strong California financial privacy law. California Attorney General lamented that, 'These agencies are supposed to protect consumers. Apparently, they prefer protecting the profits of banks." For more information, see the EPIC ABA v. Lockyer Page. (Aug. 13, 2004)
  • EPIC Urges FTC to Safeguard Consumers' Interests at RFID Workshop. In testimony to the Federal Trade Commission on radio frequency identification technologies, EPIC called for the adoption of strong privacy guidelines to protect consumers against potential abuses of the tracking technology. For more information see the EPIC RFID web Page. (June 21, 2004)
  • FTC Urged to Create Privacy-Friendly Free Credit Report Site. In comments to the Federal Trade Commission, EPIC and Professor Dan Solove argued that the agency should implement a privacy-friendly central source for free credit reports. This centralized source, which was created by Congress in recent amendments to the Fair Credit Reporting Act, should provide free credit reports without allowing its users' data to be sold by credit reporting agencies. For more information, see the EPIC FCRA Page. (Apr. 16, 2004)
  • Court Upholds Do-Not-Call Registry. The U.S. Court of Appeals for the Tenth Circuit has upheld (pdf) the Federal Trade Commission Do-Not-Call Registry against a legal challenge brought by telemarketers. The decision allows the continued operation of the list, allows the government to levy fees on telemarketers for its operation, and recognizes that the FTC has the authority to create and operate the list. For more information, see the EPIC Telemarketing and Do-Not-Call Timeline Pages. (Feb. 17, 2004)
  • FCC Will Enforce DNC Registry. FTC Appeals Do Not Call Decision. Following the issuance of an order (pdf) by the 10th Circuit Court of Appeals denying a request to delay implementation of the Do-Not-Call Registry, the Federal Communications Commission announced that it will begin enforcing it beginning Wednesday, October 1. In a related case, the Federal Trade Commission has filed a notice that it will appeal (pdf) a Colorado district court's decision (pdf) that invalidated the Registry on First Amendment grounds. Individuals can still enroll in the registry by visiting donotcall.gov. For more information, see the EPIC Telemarketing Page. (Sept 29, 2003)
  • Federal Court Blocks FTC Do-Not-Call List. A federal court in Oklahoma has found (500k pdf) that the Federal Trade Commission exceeded its authority in creating the telemarketing Do-Not-Call registry. UPDATE: The House of Representatives has ratified the FTC's authority to create a Do-Not-Call list by a 412-8 vote. Senate action is still pending. The FTC has filed a stay to delay the effective date of the court's ruling. For more information, see the EPIC Telemarketing Page. (Sept 24, 2003)
  • UPDATE - EPIC Files Complaint with Federal Trade Commission about JetBlue and Acxiom, Also Seeks Government Records on Secret Government Profiling Program. Today EPIC filed a complaint with the Commission alleging that JetBlue and Acxiom violated federal consumer law when they transferred information on passengers in violation of their own privacy policies. EPIC also filed expedited Freedom of Information Act requests with several federal agencies. Press briefing at 1 pm EDT. For more information, see the EPIC Passenger Profiling page and the European Digital Rights Initiative. (Sept 22, 2003)
  • EPIC Urges FTC To Investigate Credit Reporting Marketing Practices. In a complaint filed with the Federal Trade Commission, EPIC has urged the agency to investigate the marketing practices of credit reporting agency Experian. The company broadly disseminates advertising offers for "free" credit reports, but actually provides an expensive credit monitoring service that individuals must cancel within thirty days. Experian's advertising is not only misleading, it also stokes fears of inaccuracy in credit reports in order to drive up sales of the company's products. For more information, see the EPIC FCRA Page. (Sept 17, 2003)
  • FTC Releases Strong ID Theft Findings, Weak Recommendations. The Federal Trade Commission released a report finding that identity theft imposes billions of dollars of costs, and millions of hours of wasted time upon society. However, the agency's recommendations to address identity theft were entirely reactive, and likely to exacerbate the crime. The recommendations primarily addressed how victims can recover from the crime, including the use of uniform identity theft affidavits. Additionally, the agency recommended that Congress preempt state credit laws, which will worsen the problem by preventing states from passing strong identity theft legislation. For more information, see the EPIC Privacy and Preemption Page. (Sept 5, 2003)
  • EPIC Comments on FTC Info Workshop. In comments submitted to the Federal Trade Commission's Information Flows Workshop, EPIC argued that there is strong support for Fair Information Practices to address business uses of personal information, and that businesses have used personal information to limit consumer choice, to raise prices, and to engage in fraud. The comments also question the integrity of industry-funded academics who have employed dubious research methods and specious arguments to stymie privacy regulations. EPIC's submission included a paper by Robert Gellman on the costs of not protecting privacy, and a law review article by Elizabeth Warren discussing the integrity of industry-funded academic groups, such as the Credit Research Center. For more information, see the EPIC Consumer Profiling Page. (Jun. 18, 2003)
  • FTC Holds Spam Forum. The Federal Trade Commission (FTC) has begun a three-day conference on spam. In anticipation of the event, the FTC released a study finding that 66% of spam in their sample contained a false claim. EPIC Deputy Counsel Chris Hoofnagle is participating in the forum on a panel addressing "Falsity in Sending of Spam." For more information, see the EPIC Spam Page. (Apr. 30, 2003)
  • Coalition Alleges Children's Privacy Violation. EPIC and 11 consumer organizations alleged in a complaint to the Federal Trade Commission (FTC) today that Amazon.com has illegally collected and disclosed children's personal information in violation of the Children's Online Privacy Protection Act (COPPA). The FTC has taken action in previous cases where companies direct web sites towards children and collect the personal information of children. For more information, see the press release and EPIC COPPA Page. (Apr. 22, 2003)
  • EPIC Urges Int'l Privacy Rules for FTC. EPIC has filed comments (pdf) recommending that the FTC address the privacy implications of the international transfer of personal information in consumer fraud investigations. The FTC is considering increasing data sharing (pdf) between the FTC, foreign law enforcement authorities, consumer protection agencies, ISPs and Web hosting companies. (Feb. 20, 2003)
  • FTC Considers Policies for WHOIS Data. On February 20, the Federal Trade Commission will explore "Cooperation Between the FTC and Domain Registration Authorities" (pdf) as part of a public workshop on partnerships against cross-border fraud. The FTC is considering the expanded use of information about Internet domain name registrants for law enforcement purposes. EPIC has filed comments (pdf) recommending that the FTC address the privacy, free speech, and consumer fraud implications of requiring domain name registrants to provide personal information. (Feb. 19, 2003)
  • FTC Announces National Do-Not-Call List. The FTC will establish a national DNC list that will accommodate both Internet and toll-free phone number enrollment. The new regulations also require telemarketers to transmit caller ID information, establish new rules for the use of preacquired account number information, and prohibit "abandoned" calls. For the list to operate, Congress will have to approve the levying of charges to the telemarketing industry in order to fund the program. EPIC and a coalition of consumer and civil liberties groups submitted detailed comments in favor of a DNC list. For more information, see the EPIC Telemarketing Page. (Dec. 18, 2002)
  • FTC Pursues Student Profilers. The FTC has settled a case with three student profiling companies for collecting information from schoolchildren in violation of federal law. The companies distributed surveys to children through teachers and guidance counselors under the pretense that the information was only for college admissions. However, the companies were selling the information to commercial marketers. For more information, see the EPIC Profiling Page and the EPIC FERPA Page. (Oct. 2, 2002)
  • EPIC Urges FTC to Adopt Effective Strategy for Passport. In comments to the Federal Trade Commission, EPIC and a coalition of advocacy groups urged the agency to amend its Consent Order regarding Microsoft Passport to include greater privacy protections. The groups commented that Passport users should have access to their entire profile, that security risks justify limits on the Passport system, and that the Commission should examine other developing authentication systems, such as AOL's Screen Name Service and Project Liberty. For more information, see the EPIC Passport Page. (Sept. 9, 2002)
  • FTC Announces Action Against Microsoft Passport. The Federal Trade Commission (FTC) has settled a privacy enforcement action against Microsoft for violations associated with the Passport identification and authentication system. The agreement (PDF) requires that Microsoft establish a comprehensive information security program for Passport, and that it must not misrepresent its practices of information collection and usage. In July and August 2001, EPIC and a coalition of consumer advocacy groups filed complaints detailing the privacy risks associated with Passport. For more information, see the FTC's complaint (PDF), the EPIC Passport Investigation Page and the EPIC Sign Out of Passport Page. (Aug. 8, 2002)
  • FTC Seeks Comment on Telemarketing Sales Rule. EPIC is urging individuals to comment on the Federal Trade Commission's (FTC) proposed changes to the Telemarketing Sales Rule (TSR). The TSR regulates how telemarketers can make sales calls. More information and suggested comments are available on the EPIC Telemarketing Page. (Feb. 7, 2002)
  • FTC Proposes Telemarketing Do-Not-Call List. The Federal Trade Commission has issued proposed changes to the Telemarketing Sales Rule (TSR) that would create a national Do-Not-Call (DNC) list for individuals who wish to avoid sales calls. The proposed changes would also prohibit the use of "pre-acquired account information" in telemarketing. The FTC has encouraged individuals to comment on the changes online. (Jan, 25, 2002)
  • Eli Lilly Settles with FTC over Privacy Violation. The Federal Trade Commission (FTC) has announced a settlement in a case involving Eli Lilly's accidental disclosure of the email addresses of 700 people who were subscribed to a mental health information list. Under the terms of the settlement the company will increase existing security and create an internal program to prevent future privacy violations. However, as the disclosure was unintentional, no fines will be imposed upon the company. The public may submit comments on the settlement for 30 days, after which the Commission will decide whether to make it final. The FTC acted in response to a July 2001 ACLU complaint highlighting Eli Lilly's negligence. (Jan. 18, 2002)
  • FTC Chairman Announces Privacy Agenda. On October 4, 2001, Timothy Muris, Chairman of the Federal Trade Commission (FTC) released a new privacy agenda for the agency. The agenda calls for a 50% increase in privacy resources, improved privacy complaint handling, more protection for consumers from spam, telemarketing, pretexting and ID theft, and increased enforcement of privacy policies and existing laws such as the Fair Credit Reporting Act (FCRA) and the Children's Online Privacy Protection Act (COPPA). The Chairman concluded, however, that it was "too soon" to recommend broad-based online privacy legislation. (Oct. 4, 2001)
  • Privacy Groups File Updated Complaint at FTC, Allege Microsoft Passport Constitutes an "Unfair and Deceptive Trade Practice." At a press conference on August 15 at the National Press Club, EPIC, Junkbusters, the Center for Media Education, and other organizations announced the filing of an updated complaint (PDF) with the Federal Trade Commission containing new allegations about Microsoft Passport, and urged the Commission to open an investigation. Last month, the organization filed the original complaint (PDF) that was acknowledged (PDF) by the FTC. (Aug. 15, 2001)
  • EPIC, Privacy Groups File Complaint at the FTC Regarding Windows XP. In a formal complaint (PDF) filed with the Federal Trade Commission, privacy and consumer groups allege that Microsoft is engaging in unfair and deceptive trade practices through the information collection capabilities of its new operating system.(Jul. 26, 2001)
  • Privacy Coalition Meets with New FTC Chairman. On July 17, members of the Privacy Coalition, a non-partisan coalition of consumer, civil liberties, educational, library, labor, and family-based groups met with FTC Chairman Timothy Muris. The Coalition presented a letter to the Chairman with recommendations for future FTC action on privacy issues. (Jul. 17, 2001)
  • EPIC Urges New FTC Chair to Focus on Privacy. EPIC and other public interest groups have sent a letter to Timothy Muris, the new Federal Trade Commission Chairman, urging him to take affirmative steps to protect individuals' privacy. (May 31, 2001)

Media Coverage

Resources

Overview of FTC Statutory Authority to Protect Privacy.

Internet and Consumer Privacy

  • The Federal Trade Commission held "computer database study" to examine personal information held by private companies used to locate individuals. A Public Workshop on Consumer Information Privacy was held on June 10-13, 1997.
  • Following the P-TRAK controversy, the Senate Commerce Committee sent a letter to the FTC on the Lexis-Nexis P-TRAK problem and other "violations of consumer privacy rights."
  • The FTC also held hearings in June 1996 on privacy issues. The conference report issued in December 1996 stresses "notice, choice, security, and access" but sidesteps major on-line privacy issues -- anonymity, spamming, sale of personal data. Transcripts from the hearings, June 4-5, 1996.
  • EPIC Letter to FTC urging strong support for on-line privacy, December 14, 1995.
  • Letter from Marc Klass to FTC supporting EPIC's call for an investigation of the direct marketing industry, Feb. 2, 1996.
  • Remarks of FTC Commissioner Christine A. Varney before the Privacy & American Business Conference, Washington, D.C., October 6, 1996.
  • Comments of FTC Commissioner Robert Pitofsky on Electronic Money, September 17, 1997.
  • Remarks of FTC Commissioner Christine A. Varney before the Privacy & American Business Conference, Washington, D.C., November 1, 1995.

Credit Reports

The FTC is also empowered to enforce the Fair Credit Reporting Act.