Recent Updates

  • NIST Releases First Final Draft of AI Risk Management Framework
    NIST today published a final draft of its AI Risk Management Framework 1.0. The document is a “a guidance document for voluntary use by organizations designing, developing, deploying or using AI systems to help manage the many risks of AI technologies.” EPIC had submitted feedback on two prior drafts released by NIST. EPIC’s feedback recognized … Continued
  • EPIC Urges Colorado Supreme Court to Rule Reverse Keyword Warrants are Unconstitutional, Points Toward Effects on Abortion Rights
    EPIC submitted an amicus brief in the case Colorado v. Seymour, urging the Colorado Supreme Court to rule that reverse keyword warrants are unconstitutional in the the first case in the country to evaluate such warrants. Reverse keyword warrants are a dangerous new technique the police use that force technology companies like Google to search … Continued
  • Public Benefits, Private Vendors: How Private Companies Help Run our Welfare Programs
    If you’ve been following EPIC’s work on the algorithms used in public benefits programs, you may have caught something unusual: although we talk about public welfare programs, most of the systems we’ve uncovered are developed by private companies. That isn’t a coincidence. While a few state agencies have developed their own technical systems for public … Continued
  • Privacy, Surveillance, and AI in the FY’23 National Defense Authorization Act (NDAA)
    Each year, Congress passes the National Defense Authorization Act (NDAA), which designates specific budgets and policies for the U.S. military and a host of other government entities. The NDAA, while at its core a national defense bill, is sweeping in scale, with this year’s version providing $816,700,000,000.00 in funding to the Department of Defense. Given … Continued
  • EPIC Submits Comments to Strengthen CFPB Proposals for Financial Data Rights Rulemaking
    Today EPIC called for enhanced personal financial data rights in response to the Consumer Financial Protection Bureau (CFPB)’s outline of proposals under consideration for its upcoming rulemaking implementing Section 1033 of the Dodd-Frank Act. EPIC urged the CFPB to promulgate rules that enable consumers to access, understand and control their own financial information, and “prohibit … Continued
  • EPIC Urges NIST to Emphasize Differential Privacy in Paper on De-Identifying Government Data Sets
    In comments to the National Institute of Standards and Technology, EPIC urged NIST to endorse the adoption of differential privacy in its revised paper on de-identifying government data sets. The paper will provide guidance to federal agencies on deidentification techniques, strategy, and implementation. EPIC commended NIST on its recommendations, which include detailed guidance for federal … Continued
  • PRESS RELEASE: EPIC Announces Organizational Updates for 2023
    WASHINGTON, DC – On January 1, 2023, the Electronic Privacy Information Center (EPIC) was thrilled to welcome three new members to its Board of Directors, as well as a new slate of officers who will lead the Board for the 2023 – 2024 term. The guidance and support of the EPIC Board of Directors ensure … Continued
  • EPIC Submits Comments to Strengthen Consumer Privacy in Colorado Privacy Rulemaking
    Yesterday EPIC submitted comments to the Colorado Attorney General recommending edits to their most recently proposed rules implementing the Colorado Privacy Act. EPIC was represented by the Samuelson-Glushko Technology Law and Policy Clinic (TLPC) at Colorado Law. In addition to proposing specific line edits, EPIC provided feedback about Data Rights, Controller Obligations, Loyalty Programs, Privacy … Continued
  • EPIC Comments to the Colorado Department of Law
    The Electronic Privacy Information Center (EPIC) is a public interest research center based in Washington, D.C. that was established in 1994 to focus public attention on emerging privacy and related human rights issues and to protect privacy, the First Amendment, and constitutional values.[1] EPIC has a long history of promoting transparency and accountability for information … Continued
  • CyberScoop: LastPass breach exposes how US breach notification laws can leave consumers in the lurch
    “It’s really messy,” says Chris Frascella, who studies consumer privacy at the Electronic Privacy Information Center, a nonprofit research group. “What you’re required to report in Alabama may not be something that you have to report in Connecticut.” Because many technology companies are based in California or collect significant amounts of data on the state’s … Continued
  • EPIC, EFF, and CDT to New Jersey Supreme Court: Don’t Let Police Sleight-of-Hand Avoid Wiretap Requirements
    In an amicus brief submitted in Facebook v. New Jersey, EPIC, EFF, and CDT—with help from Davis Wright Tremaine, urged the New Jersey Supreme Court to rule that police need a wiretap order if they want Facebook to provide them with users’ future communications in 15-minute increments. When police request prospective communications, they need a … Continued
  • EPIC Urges FTC to Regulate Surveillance Tech Companies Using Police as Promoters
    On Monday, EPIC filed comments with the Federal Trade Commission supporting the agency’s proposal for a trade regulation rule based on its Endorsement Guides. EPIC urged the agency to incorporate the full scope of the Endorsement Guides into its rule, as the FTC had included in its proposed rule undisclosed incentives (i.e., situations in which … Continued
  • MIT Technology Review: Roomba testers feel misled after intimate images ended up on Facebook
    Experts say companies are well aware that people rarely read privacy policies closely, if we read them at all. But what iRobot’s global test agreement attests to, says Ben Winters, a lawyer with the Electronic Privacy Information Center who focuses on AI and human rights, is that “even if you do read it, you still … Continued
  • South Carolina Supreme Court Strikes Down Six Week Abortion Ban, Citing State Constitution’s Right to Privacy
    In a 3-2 decision, South Carolina’s Supreme Court held that the state’s constitutional right to privacy protects the decision to terminate a pregnancy, rendering the state’s previous six-week abortion ban unconstitutional. The court held that “the decision to terminate a pregnancy rests upon the utmost personal and private considerations imaginable, and implicates a woman’s right … Continued
  • Bloomberg Law: Meta’s EU Privacy Fine Fight Muddles Outlook for Targeted Ads
    Meta might have a hard time meeting the criteria of the balancing test between business interests and individual interests, according to John Davisson, senior counsel and litigation director at the nonprofit Electronic Privacy Information Center. Asking consumers to agree to targeted advertising as part of the terms of using a service “relies on coercive consent,” … Continued
  • Ninth Circuit Revives Children’s Privacy Class Action Against Google
    The Ninth Circuit Court of Appeals recently held that Google will have to face a class action lawsuit alleging that their data collection practices violated the laws of six states. The plaintiffs, a class of guardians appearing on behalf of their children, claim that Google and YouTube violated state children’s privacy laws by tracking behavior … Continued
  • FCC Proposes $300 Million Fine for Car Warranties Robocall Scam
    On December 21, the Federal Communications Commission released a Notice of Apparent Liability (NAL) for $299,997,000 against a scam robocall operation involving more than ten corporate defendants initially prosecuted by the Ohio Attorney General’s Office. In the first three months of 2021 alone, the scam operation called more than half a billion American phones about … Continued
  • Meta Fined €390M Over Targeted Advertising, Ordered to Comply With GDPR
    Ireland’s Data Protection Commission today ordered Meta to pay fines of €390 million for unlawfully collecting personal data and targeting ads at Facebook and Instagram users. The fines follow last month’s ruling by the European Data Protection Board that Meta cannot use its terms of service as a legal basis for targeted advertising. The Irish … Continued
  • FCC Limits Unconsented-to Robocalls to Residential Lines, After Advocacy by NCLC and Consumer Groups Including EPIC
    On December 27, 2022, the Federal Communications Commission affirmed that callers making artificial or prerecorded calls to residential lines that do not require consent. Callers from tax-exempt nonprofits, or those making non-commercial or non-telemarketing calls, will be allowed to make no more than three calls in any thirty-day period without consent. If the call is … Continued
  • EPIC and EFF Urge California Supreme Court to Review Lower Court Opinion Barring Plaintiffs’ Privacy Suit
    In an amicus letter brief filed in late December, EPIC and EFF urged the California Supreme Court to take up a case recently decided by the California Court of Appeals that harms Californians’ ability to vindicate their rights in court. In the case, Limon v. Circle K Inc., the lower court threw out the plaintiffs’ … Continued
  • Updated Privacy Laws Now in Effect
    A spate of state laws come into effect in 2023 and, for some, the effective date is already upon us. The California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), and the Virginia Consumer Data Protection Act (VCDPA) both went into affect on January 1, 2023. The VCDPA is also now … Continued
  • The Inquirer: Experts Warn Smart Toys Could Collect And Sell Your Kids’ Data
    The Electronic Privacy Information Center (EPIC) called on the US Federal Trade Commission (FTC) to strictly regulate data collection on children. EPIC’s executive director Alan Butler explained his calls for more limits on smart toys. “It’s just not really realistic, for a parent, as you say, to be able to parse these legal documents,” he … Continued
  • Tell Me Best: One Google Feature Can Now Stop Spam Calls
    Chris Frascella, a law fellow at the Electronic Privacy Information Center, said, “Until it becomes more costly to assist criminal fraud than to stop it, scammers will continue to find providers willing to accept payment for passing these dangerous and illegal calls to our phones.” Read the full article here.
  • JPSO used facial recognition technology to arrest a man. The tech was wrong.
    Some critics have argued that the technology is so perilous in government hands that it should be banned. The Electronic Privacy Information Center argued this year that facial recognition is “inherently dangerous,” enabling “comprehensive public surveillance.” Read the full article here.
  • SlashGear: Google Voice Gets Suspected Spam Call Alerts: Here’s How To Turn Them On
    According to the National Consumer Law Center (NCLC) and the Electronic Privacy Information Center (EPIC), more than 33 million scam robocalls were made every day in 2021. The problem has become so bad that the FCC and mobile carriers have implemented new initiatives to combat spam calls, and now it seems we can add Google … Continued
  • CBS Mornings: Privacy advocates warn about smart toys, urge FTC to do more
    EPIC’s Alan Butler was featured on CBS Mornings about toys that collect data on kids. Watch here.
  • CBS News: Experts warn smart toys could be collecting user data that might be sold
    “I mean it’s just a staggering amount of information that’s collected online,” said EPIC’s executive director Alan Butler. He said that information is used to track children’s behavior. “It’s just not really realistic, for a parent, as you say, to be able to parse these legal documents, understand what’s happening technologically and what’s happening with … Continued
  • EPIC Urges GSA to Prevent Privacy Harms from New Fraud Prevention Tools on
    In comments to the General Services Administration, EPIC urged the agency to limit contracts for fraud prevention to a single third-party provider and to investigate and consider abandoning behavioral analytics techniques. is a sign-on service for members of the public to access information and services from various federal agencies. The GSA currently contracts with data broker LexisNexis for … Continued
  • Forbes: TikTok Spied On Forbes Journalists
    Both Uber and Facebook also reportedly tracked the location of journalists reporting on their apps. A 2015 investigation by the Electronic Privacy Information Center found that Uber had monitored the location of journalists covering the company. Read the full article here.
  • FCW: Portman introduces two bills on facial recognition, AI in government
    Ben Winters, counsel at the nonprofit Electronic Privacy Information Center, told FCW via email that “specifically articulating that civil rights protections can’t be skirted by the use of AI is helpful and sends a message to people considering its use to make sure to do so responsibly,” although he added that he would “love to … Continued
  • Coalition Led by EPIC, NCLC, and NCL Applauds FTC Impersonation Scam Rule But Urges Commission to Broaden Scope
    Last week, EPIC, the National Consumer Law Center (NCLC), and the National Consumers League (NCL), joined by four additional consumer advocacy organizations, applauded the Federal Trade Commission’s proposed rule to combat fraudsters who impersonate government or business entities. The coalition also encouraged the FTC to expand its efforts to address other forms of impersonation (such … Continued
  • Sen. Wyden Asks FBI to Publish Information on Hacking Operations
    In a letter to FBI Director Christopher A. Wray, Sen. Ron Wyden requested that the FBI publish its policies governing its hacking operations, as well as provide annual aggregate statistics on the frequency of such operations. Sen. Wyden asked the FBI to provide a range of information, including statistics relating to the use of Network … Continued
  • Gizmodo: The Half-a-Billion Fortnite Fine Kicks Off a New Era of Regulating User Interfaces
    “The FTC has been doing work on deceptive design practices for years, but this is the biggest step up in terms of enforcement we’ve ever seen,” said John Davisson, director of litigation and senior counsel at the Electronic Privacy Information Center, better known as EPIC (unrelated to Epic Games). Read the full story here.
  • Members of Congress Ask FBI to Provide Information on Law Enforcement Face Surveillance
    In a letter to the Federal Bureau of Investigation (FBI), Representatives Ted Lieu (D-CA) and Rep. Yvette Clark (D-NY), along with Sen. John Ossoff (D-GA), requested information on the deployment of face surveillance by the FBI and state and local law enforcement. The letter asks the FBI for a range of information, including: a breakdown of … Continued
  • Consumers’ Sensitive Internet Metadata Sold to DOD-Funded Researchers
    In a letter to Federal Trade Commission (FTC) Chair Lina Khan, Sen. Ron Wyden revealed that Neustar, which provides recursive Domain Name System (DNS) services, sold consumers’ sensitive internet metadata to researchers funded by the Department of Defense. According to Sen. Wyden’s letter, U.S. federal agencies, including the FBI and DOJ, asked the Georgia Tech … Continued
  • FTC Announces $520 Million in Penalties for Fortnite Game Maker Over Privacy Violations, Dark Patterns
    The Federal Trade Commission today announced two historic settlements with Fortnite video game maker Epic Games for privacy and consumer protection violations. Fortnite has more than 400 million users worldwide, many of them minors. In addition to changing default privacy settings, Epic Games will be required “to pay a total of $520 million in relief … Continued
  • EPIC Urges FCC to Prohibit Providers from Charging Detained Persons and Their Families for Call Surveillance
    Yesterday EPIC sent a letter to the Federal Communications Commission, thanking the agency for its decision to extend call rate protections for “jails” and “prisons” to include juvenile detention facilities, ICE detention facilities, and secure mental health facilities. EPIC also applauded the FCC’s decision to reduce rate caps for ancillary services by more than 50% … Continued
  • OECD Countries Adopt Agreement on Government Access to Personal Data
    Today, the Organisation for Economic Co-operation and Development (OECD) announced the adoption of an agreement on government access to personal data held by private sector entities for national security and law enforcement purposes. The Declaration sets forth common principles on safeguarding privacy and rejects any approach to government access that is “inconsistent with democratic values … Continued
  • EPIC Commends FTC for Including Data Minimization & Data Rights in Chegg Settlement
    In comments to the Federal Trade Commission, EPIC commended the FTC for incorporating access and deletion rights and data minimization requirements into its settlement with edtech company Chegg. Chegg, which markets subscription-based study aids and a scholarship search service, collects and stores personal information from millions of users. Although Chegg represented to consumers that it … Continued
  • European Commission Publishes Draft Adequacy Decision on EU-U.S. Data Privacy Framework
    Today, the European Commission published a draft adequacy decision on the new EU-U.S. Data Privacy Framework (EU-U.S. DPF), setting the stage for a likely challenge at the Court of Justice of the European Union (CJEU). The Commission found that the EU-U.S. DPF, along with the Biden administration’s implementing Executive Order and DOJ regulations, guarantees “essentially … Continued
  • EPIC, NCLC, and Sixteen Partners Urge Action from FCC on Unwanted and Scam Texts
    Last week, eighteen legal services and consumer advocacy organizations, led by EPIC and the National Consumer Law Center, submitted reply comments to the Federal Communications Commission urging the FCC to protect consumers from unwanted and scam text messages. The organizations urged the FCC to support existing private industry efforts to block mass texts sent without … Continued
  • EPIC Statement Expressing Concerns on the Inclusion of the Judicial Security and Privacy Act in the NDAA
    Congress is currently considering passing a narrow and ineffective privacy law; they should take a more comprehensive approach as EPIC has previously recommended. The Judicial Security and Privacy Act, currently integrated into the NDAA, would in practice do very little to protect the privacy of personal information about federal judges and their families. The bill as currently … Continued
  • MediaPost: Advocates Seek Lame-Duck Vote On Bill That Would Ban Behavioral Targeting
    Consumer advocacy groups are renewing their call for the House of Representatives to vote this month on a sweeping privacy bill that would outlaw a common form of online ad targeting. “The time is now to pass a comprehensive federal privacy law,” 23 organizations including the Center for Democracy & Technology, Electronic Privacy Information Center … Continued
  • Wired: What You Should Know Before Using the Lensa AI App
    “The internet is filled with a lot of images that will push AI image generators toward topics that might not be the most comfortable, whether it’s sexually explicit images or images that might shift people’s AI portraits toward racial caricatures,” says Grant Fergusson, an Equal Justice Works fellow at EPIC.  Read the full article here.
  • Law360: Biden Urged To Block Fed Aid For Anti-Abortion Enforcement
    “[T]he American Civil Liberties Union and Amnesty International also signed their names to the letter, as well as groups that generally advocate for electronic privacy rights like the Electronic Privacy Information Center.” Read the full article here.
  • EPIC and EFF Urge Appeals Court to Recognize that Customers May Sue When Companies’ Lax Data Security Practices Result in Data Breaches
    On November 22, EPIC and the Electronic Frontier Foundation filed an amicus brief in Peter Maldini v. Marriott International, Inc., urging the Fourth Circuit Court of Appeals to affirm that plaintiffs can sue companies that negligently allow hackers to steal customers’ sensitive personal data. In 2018, Marriott announced that its customers were the victims of … Continued
  • EPIC & Public Justice Urge Appeals Court to Confirm That Plaintiffs May Sue When Companies Use Their Identities to Advertise
    On December 5, EPIC and Public Justice filed an amicus brief in Martinez v. ZoomInfo Technologies, Inc., urging the Ninth Circuit Court of Appeals to affirm that plaintiffs can sue companies that violate people’s right to control how and when their identities are used to sell goods. The case involves a plaintiff, Ms. Kim Martinez, … Continued
  • CyberWire: Twitter’s ad pixel shares user data
    John Davisson, director of litigation and senior counsel at the Electronic Privacy Information Center, told the Washington Post, “It’s dangerous for any firm to collect this kind of … data about our browsing habits, but given that Twitter has a spotty privacy and data security history, it’s particularly alarming for Twitter to have that information.” … Continued
  • Washington Post: A Twitter data tracker inhabits tens of thousands of websites
    “They’re adding these code snippets and adding these functionalities and they think they’re getting a nifty analytics tool and a way to hone the targeting of their advertisements,” [EPIC’s John Davisson] said. “Meanwhile, the company is exposing itself to liability and putting the users at risk of significant privacy harm.” Read the full article here.
  • EPIC, Coalition Urge Congress to Include FISA Amici Reform in Spending Bill
    On November 29, EPIC joined a coalition of privacy and civil liberties groups in urging Congress to include the Lee-Leahy Amendment—the FISA Amici Curiae Reform Act of 2022—in any final spending bill. The Lee-Leahy Amendment would strengthen and expand the role of the FISA amici. The Amendment would further protect Americans’ First Amendment rights by … Continued