Competition and Consumer Protection in the 21st Century

• Background |
• Resources

Summary

On June 20, 2018, the Federal Trade Commission announced that it will hold a series of hearings to examine "whether broad-based changes in the economy, evolving business practices, new technologies, or international developments might require adjustments to competition and consumer protection enforcement law, enforcement priorities, and policy." This marks the first time since 1995 that the FTC has held hearings to reexamine how it can fulfill its mission of safeguarding consumers and promoting competition.

Top News

• FTC Fails to Address Privacy in Settlement with Zoom: The FTC has reached a settlement with Zoom requiring the company to address data security but fails to address user privacy. Writing in dissent, Commissioner Slaughter said, "When companies offer services with serious security and privacy implications for their users, the Commission must make sure that its orders address not only security but also privacy." Commissioner Chopra, also dissenting, wrote "The FTC’s status quo approach to privacy, security, and other data protection law violations is ineffective." In July 2019, EPIC sent a detailed complaint to the FTC citing the flaws with Zoom and warning that the company had "exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attack." In April 2020, EPIC wrote to Chairman Simons urging the FTC to open an investigation. EPIC has long advocated for the creation of a U.S. data protection agency. (Nov. 9, 2020)
• Report on Trump Tax Records Reinforces EPIC's Calls for Presidential Tax Return Disclosure: A blockbuster report from the New York Times revealing details of President Trump's tax history underscores the need for transparency of presidential tax returns, which EPIC has repeatedly advocated. The Times reports that the President paid little or no income tax in many years; is due to repay hundreds of millions of dollars in loans in the near term; and that he has "received more money from foreign sources and U.S. interest groups than previously known." The Times also reports that Trump and the Internal Revenue Service reached a tentative agreement in 2014 over a disputed $70 million tax refund—a deal that may have been struck under the IRS's offer in compromise procedures. In EPIC v. IRS II, EPIC is currently litigating for the release of offer in compromise records involving the President and his associated businesses. By law, these records "shall be disclosed to members of the general public." In March, EPIC filed an amicus brief in Trump v. Vance urging the Supreme Court to allow the release of President Trump's tax returns to a New York grand jury. EPIC wrote that the "longstanding practice of disclosing presidential tax returns reflects a central principle of modern democracies: privacy must sometimes yield to accountability." The Court ultimately rejected the President's effort to categorically shield his tax returns from state prosecutors. EPIC also sought public release of President Trump's tax returns in EPIC v. IRS I, arguing that disclosure was necessary to correct numerous factual misstatements made by the President. (Sep. 29, 2020)

More top news

Senate Republicans Introduce Weak 'SAFE DATA Act' + (Sep. 18, 2020)

Senators Roger Wicker, John Thune, Marsha Blackburn, and Deb Fischer have introduced the “SAFE DATA Act,” which relies on an outdated notice-and-choice model that allows companies to diminish the rights of consumers and use personal data to benefit the company but not the individual. "Senator Wicker’s SAFE DATA Act allows companies to collect any personal data it pleases as long as it discloses it in its privacy policy,” said EPIC Policy Director Caitriona Fitzgerald. "And it prohibits states from adopting or enforcing any data privacy or data security laws. The SAFE DATA Act is very weak compared to Senator Gillibrand’s Data Protection Act, Senator Brown’s discussion draft, and the Online Privacy Act introduced in the House.” EPIC's recent report on federal privacy legislation Grading on a Curve: Privacy Legislation in the 116th Congress evaluates federal privacy bills. EPIC has called for comprehensive baseline, federal legislation and the creation of a data protection agency.

IoT Security Bill Passed in House of Representatives + (Sep. 15, 2020)

The House of Representatives has passed a bill governing the security of the Internet of Things. The "Internet of Things Cybersecurity Improvement Act of 2019" sets baseline cybersecurity standards for IoT devices purchased by the federal government. The bipartisan measure is sponsored by Rep. Will Hurd (R-Texas) and Rep. Robin Kelly (D-Ill.) “The Internet of Things grows every single day, and, by the end of next year, it will include more than 20 billion devices. The result is an astounding, unimaginable amount of data—90% of the data in the entire world was created in the last two years. America needs to keep up with this incredible trend, and that means ensuring proper security and protections—the IoT Cybersecurity Improvement Act is a step in that direction,” said Hurd. The Senate Homeland Security Committee advanced a similar bill last year. EPIC recently told Congress that "the IoT network is the weak link in consumer products" and urged the establishment of of mandatory privacy and security standards.

EPIC: "Regulators Failed and Google Turned The Internet Into a Surveillance Machine" + (Sep. 15, 2020)

In advance of a Senate Judiciary Committee hearing on "Stacking the Tech: Has Google harmed competition in online advertising?," EPIC argued in a Medium post that the answer to that question is obviously yes, but Congress shares some of the blame. "There are many problems with today's online advertising systems," EPIC wrote, "[b]ut it didn't have to be this way. More active regulation by the government could have sustained online advertising models that were good for advertisers and businesses and for consumers, journalism, and democracy." In 2000, EPIC opposed Doubleclick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web.

Schrems Files 101 Complaints Targeting US-EU Data Transfers + (Aug. 18, 2020)

None of Your Business, the privacy NGO established by EPIC Advisory Board member Max Schrems, has filed complaints in all 30 EU and EEA member states against 101 European companies that still forward data about each visitor to Google and Facebook. “We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now.” says Max Schrems, honorary chair of noyb.eu. The complaints come in the wake of a recent the European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.

Public Health Emergency Privacy Act Introduced + (May. 14, 2020)

Representatives Anna G. Eshoo (CA-18), Jan Schakowsky (IL-09), Suzan DelBene (WA-01), and U.S. Senators Richard Blumenthal (D-CT), and Mark Warner (D-VA) today today introduced the Public Health Emergency Privacy Act. The bill would protect personal data collected in connection with COVID-19 from being used for non-public health purposes, and provides for both public and private enforcement. “The Public Health Emergency Privacy Act shows that privacy and public health are complementary goals. The bill requires companies to limit the collection of health data to only what is necessary for public health purposes, and crucially, holds companies accountable if they fail to do so,” said Caitriona Fitzgerald, EPIC Interim Associate Director and Policy Director.

Senators Call on FTC to Investigate Ed Tech, Advertising Aimed at Children + (May. 8, 2020)

A bipartisan group of Senators has urged the Federal Trade Commission to launch an investigation into children's data practices in the educational technology and digital advertising sectors. In a letter to the FTC, Senators Edward Markey (D-Mass.), Josh Hawley (R-Mo.), Richard Blumenthal (D-Conn.), Bill Cassidy (R-La.), Dick Durbin (D-Ill.), and Marsha Blackburn (R-Tenn.) said "The FTC should use its investigatory powers to better understand commercial entities that engage in online advertising to children—especially how those commercial entities are shifting their marketing strategies in response to the Coronavirus pandemic and increased screen time among children." In December 2019, EPIC submitted comments to the FTC on the agency's regulatory review of the Children's Online Privacy Protection Act (COPPA) Rules. EPIC said the FTC should : (1) maintain the strong safeguards for children's data, (2) reject the "school official exception", (3) the FTC define the term "commercial purpose" and ensure that children's personal data collected in schools is not transferred to EdTech companies; and (4) the FTC require notification within forty-eight hours of a data breach of children's data by a company subject to COPPA.

EPIC Urges FTC to Investigate Zoom, Issue Best Practices for Online Conferencing + (Apr. 5, 2020)

In a letter to FTC Chairman Joe Simons, EPIC urged the FTC to "open an investigation of Zoom's business practices and to issue, as soon as practicable, Best Practices for Online Conferencing Services." The EPIC letter followed a 2019 complaint from EPIC warning that Zoom had "placed at risk the privacy and security of the users of its services." EPIC also explained to the FTC that Zoom had "exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attack." In the April 2020 letter to the Commission, EPIC reminded the Commission that it acted on similar complaints from EPIC concerning Facebook and Google but failed to act on the Zoom complaint. EPIC cited widespread reports of privacy and security flaws with the online conferencing service. EPIC wrote, "Now more than ever, the Federal Trade Commission has a responsibility to safeguard American consumers. We urge you to act."

EPIC Files Complaint with FTC about Airbnb's Secret "Trustworthiness" Scores + (Feb. 27, 2020)

EPIC has filed a complaint with the FTC, alleging that Airbnb has committed unfair and deceptive practices in violation of the FTC Act and the Fair Credit Reporting Act. Airbnb secretly rates customers “trustworthiness" based on a patent that considers such factors as “authoring online content with negative language.” The company’s opaque, proprietary algorithm also considers "posts on the person’s social network account" as well the individual's relationships with others, and adjusts the "trustworthiness" score based on the scores of those associations. EPIC said the company failed to comply with "established public policies" for AI decision-making, such as the OECD AI Principles and the Universal Guidelines for AI. EPIC has recently brought complaints to the FTC about the employment screening firm HireVue and the Universal Tennis Rating secret scoring technique. EPIC has also petitioned the FTC to conduct a rulemaking for "the use of artificial intelligence in commerce." The EPIC AI Policy Sourcebook includes the OECD AI Principles, the Universal Guidelines for AI, and other AI policy frameworks.

BREAKING - Sen. Gillibrand Introduces U.S. Data Protection Agency Bill + (Feb. 13, 2020)

Senator Kirsten Gillibrand (D-NY) has introduced S. 3300, The Data Protection Act of 2020 which would create an independent Data Protection Agency in the United States to safeguard the personal data of Americans. EPIC, many leading consumer and civil rights organizations, privacy experts, and scholars support Senator Gillibrand's non-partisan bill. "The US confronts a privacy crisis. Our personal data is under assault. Congress must establish a data protection agency. Senator Gillibrand has put forward a bold, ambitious proposal to safeguard the privacy of Americans," said Caitriona Fitzgerald, EPIC Policy Director. EPIC has long advocated for the creation of a U.S. Data Protection Agency, arguing that the Federal Trade Commission is an ineffective agency, lacking basic competence for privacy protection. EPIC's recent report, Grading on a Curve: Privacy Legislation in the 116th Congress sets out the key elements of a modern privacy law, including the creation of a Data Protection Agency. [Bill text] [EPIC PRESS RELEASE]

"A Big Victory for Privacy Groups" - Facebook Settlement + (Jan. 30, 2020)

This week Facebook agreed to pay $550 million to settle a lawsuit about the use of facial recognition technology. The New York Times called the settlement "A Big Victory for Privacy Groups." In 2010, EPIC objected to Facebook's collection of biometric data and urged the FTC to modify a proposed settlement to limit Facebook's use of facial recognition. EPIC filed similar complaints about facial recognition with the FTC in 2016 and 2018. EPIC also filed several amicus briefs stating that the violation of a federal privacy law is sufficient to confer "standing," the right of consumers to bring lawsuits. In response to Facebook's challenge to the Illinois Biometric Privacy Act, EPIC wrote, "Judicial second-guessing of statutory protections for biometric data established by the state legislature, following a careful weighing of the public safety concerns, will come at an enormous cost to the privacy of Illinois residents." EPIC's views were adopted by a federal court in this case, which led to the recent settlement with Facebook. The text of the Illinois privacy law is available in the 2020 EPIC Privacy Law Sourcebook at the EPIC Bookstore. And EPIC's objections to the current FTC settlement with Facebook are now pending in federal court.

Supreme Court to Review Constitutionality of Federal Robocall Ban + (Jan. 11, 2020)

The Supreme Court has aqreed to hear a challenge to the constitutionality of the Telephone Consumer Protection Act, a federal law that prohibits unwanted robocalls. The law generally restricts the use of autodialers, but in 2015 Congress created an exception for robocalls to collect debts guaranteed by the federal government. Several groups have since challenged the law on First Amendment grounds, arguing that the TCPA discriminates against particular speakers. The Court will now consider the issue in Barr v. American Association of Political Consultants. EPIC filed an amicus brief in Gallion v. Charter Communications, a related case, arguing that “these challenges represent a systematic effort by companies to undermine the purpose of the TCPA and to inundates consumers with unwanted calls.” EPIC routinely files amicus briefs on consumer privacy issues, including several amicus briefs on the TCPA.

Department of Transportation Releases Voluntary Guidelines for Driverless Vehicles + (Jan. 10, 2020)

The Department of Transportation announced AV 4.0, voluntary guidelines for driverless vehicles. The guidelines "use a holistic, risk-based approach to protect the security of data and the public's privacy as AV technologies are designed and integrated." EPIC commented on an earlier version of the guidelines, saying the agency "should promulgate mandatory rather than voluntary cybersecurity guidelines." EPIC warned that "the very real possibility of remote car hacking poses substantial risks to driver safety and security." EPIC also testified before Congress in 2015, explaining that "current approaches, based on industry self-regulation, are inadequate and fail to protect driver privacy and safety."

FTC Announces Non-Penalty in Cambridge Analytica Case + (Dec. 7, 2019)

The FTC issued a press release today about Cambridge Analytica, the company blamed for the Brexit vote that harvested the personal data of 87 m Facebook users for voter profiling and tracking. The misuse of personal data occurred while Facebook was under a consent order and subject to the supervision of the FTC. EPIC urged the FTC to reopen the investigation of Facebook after news of the Cambridge Analytica breach in early 2018. More than 18 months after the scandal broke, the FTC found that Cambridge Analytica, a company now bankrupt, deceived consumers through its data-gathering practices. EPIC previously told Congress that the Cambridge Analytica scandal could have been avoided if the FTC had enforced its own Consent Order.

Bill to Establish Data Protection Agency Introduced in Congress + (Nov. 5, 2019)

Representatives Eshoo and Lofgren have introduced the Online Privacy Act, a comprehensive framework for data protection in the United States. The bill would establish a data protection agency, create meaningful privacy safeguards for consumers, and hold companies accountable for the collection and use of personal data. The bill is based on Fair Information Practices and includes a provision on algorithmic accountability. "The Online Privacy Act sets out strong rights for Internet users, promotes innovation, and establishes a data protection agency. This is the bill that Congress should enact,” EPIC Policy Director Caitriona Fitzgerald said in a statement. EPIC's legislative report graded the Online Privacy Act the #1 privacy bill in Congress.

EPIC to Oppose Google-Fitbit Deal + (Nov. 4, 2019)

In a statement released today, Marc Rotenberg said that EPIC would oppose Google's proposed acquisition of the fitness tracking company Fitbit. Mr. Rotenberg said the deal should not be approved. "There is no reason to trust Google's assurances about privacy protection," Mr. Rotenberg said, citing previous matters involving Doubleclick, YouTube, Google HomeMini, and Nest. Noting statements antitrust enforcement by the the FTC Chairman and the Assistant Attorney General, Mr. Rotenberg also said, "The Google-Fitbit deal is a test of their commitment to competition, innovation, and data protection." EPIC brought the 2012 case against the FTC for the agency's failure to enforce the 2011 consent order against Google after the company consolidated user data across multiple services.

Ralph Nader, Color of Change Endorse US Data Protection Agency + (Nov. 3, 2019)

In a New York Times article, consumer advocate Ralph Nader endorsed the creation of a data protection agency. Nader told the Times that the U.S. needs a "new agency when the abuse pattern is so expansive that the authority in the existing agencies is obsolete and inadequate.” Rashid Robinson, President of Color of Change, said "We need to have a new data protection agency, an agency that examines the social, ethical impact of high-risk data practices.” EPIC and consumer groups have urged Congress to establish a data protection agency. EPIC has long advocated for a U.S. Data Protection Agency, noting that the United States is one of the few democracies in the world that does not have a federal data protection agency.

EPIC to Congress: Consumers Must Be Protected in Merger Reviews + (Oct. 18, 2019)

In a statement to the House Judiciary Committee, EPIC told lawmakers that merger review should consider data protection. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. EPIC, Color of Change, the Open Markets Institute, and others have also urged the FTC to require Facebook to spin-off WhatsApp and Instagram.

EPIC Renews Call for Antitrust Agencies to Unwind Bad Mergers + (Sep. 23, 2019)

In a second statement to the Senate Judiciary Committee, EPIC urged lawmakers to unwind bad mergers such as Facebook's acquisition of WhatsApp and Google's acquisition of YouTube and Nest. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC also warned that Google's acquisition of YouTube would skew search results. EPIC, Color of Change, and the Open Markets Institute urged the FTC to require Facebook to spin-off WhatsApp and Instagram as part of the recent enforcement action. The FTC failed to do so.

EPIC Urges Antitrust Agencies to Unwind Bad Mergers + (Sep. 16, 2019)

In a statement to the Senate Judiciary Committee, EPIC urged lawmakers to press the FTC and the Department of Justice on Enforcement of the Antitrust Laws. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC also warned that Google's acquisition of YouTube would skew search results. EPIC, Color of Change, and the Open Markets Institute urged the FTC to require Facebook to spin-off WhatsApp and Instagram as part of the recent enforcement action. The FTC failed to do so.

FTC Opens Antitrust Investigation of Facebook + (Jul. 25, 2019)

Facebook has disclosed that the Federal Trade Commission opened an antitrust investigation into the company. In a recent statement for a Senate Judiciary committee hearing on antitrust, EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. This year, EPIC, Color of Change, the Open Markets Institute, and others urged the FTC to spin off WhatsApp as a remedy for violations of the 2011 consent order. In a settlement announced this week, the Commission failed to do so.

BREAKING - FTC Issues Facebook Fine, EPIC - "Too little, too late." + (Jul. 24, 2019)

The Federal Trade Commission announced today the first fine against Facebook since EPIC and a coalition of privacy organizations filed a complaint with the Commission about the company’s businesses practices back in 2009. In a 2011 consent order the FTC said it would bar Facebook "from making any further deceptive privacy claims.” But in the years that followed, the FTC failed to act even as complaints emerged about marketing to children, privacy settings, tracking users, gathering health data, and facial recognition. Earlier this year, EPIC determined that there were 26,000 complaints against Facebook pending at the Commission. EPIC President Marc Rotenberg said today, “The FTC’s action is too little, too late. American consumers cannot wait another decade for the Commission to act against a company that violates their privacy rights. Congress should move quickly to establish a data protection agency."

EPIC Urges Antitrust Agencies to Raise their Game + (Jul. 18, 2019)

In a statement to the Senate Judiciary committee, EPIC urged lawmakers to press the FTC and the Department of Justice on Enforcement of the Antitrust Laws. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. EPIC, Color of Change, the Open Markets Institute, and others have also urged the FTC to require Facebook to spin-off WhatsApp and Instagram.

Tim Wu Testifies Before House Antitrust Committee + (Jul. 15, 2019)

Former EPIC Advisory Board member Tim Wu will testify this week before a House committee regarding online platforms and market power. EPIC previously told the Subcommittee on Antitrust that "the internet advertising system today is not healthy. Two companies dominate the market. The privacy of Internet users is under assault. The revenue model that sustained journalism is broken. The current model is not sustainable. Privacy rules can help level the playing field." In 2000, EPIC opposed Doubleclick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web.

EPIC Advises Senate Commerce Committee on Federal Privacy Legislation + (Apr. 30, 2019)

Prior to a hearing on "Consumer Perspectives: Policy Principles for a Federal Data Privacy Framework," EPIC has sent a statement and related materials to the Senate Commerce Committee advising on federal privacy legislation. EPIC Executive Director Marc Rotenberg recently wrote in the New York Times, "There is still much that Congress can do to strengthen privacy protections for Americans. Enacting federal baseline legislation and establishing a data protection agency would be a good start." EPIC also sent the Committee EPIC commentaries from the Financial Times, Techonomy, the OECD Observer, and the Harvard International Review. EPIC recently joined 16 organizations in support of "A Framework for Privacy Protection in the United States."

Senator Blumenthal Calls on FTC to Unwind Big Tech Mergers + (Mar. 7, 2019)

In a Senate Judiciary Committee hearing earlier this week, Senator Richard Blumenthal said that antitrust enforcers must consider unwinding anticompetitive mergers. “Over the past decade tech companies have in effect been given a free pass by antitrust regulators,” Senator Blumenthal said. "Facebook perhaps should never been allowed to acquire Instagram, Google to acquire DoubleClick. I have come to the conclusion that maybe post merger, some of these transactions should be challengeable, rarely done, but still challengeable, especially when the merger is approved on conditions that are then violated.” Earlier this year, EPIC joined a coalition of groups urging the FTC to unwind the Facebook-WhatsApp merger, citing promises the companies made at time of the merger.

California AG Proposes Stronger Enforcement for State Privacy Law + (Feb. 28, 2019)

The attorney general of California has unveiled legislation that would strengthen the California Consumer Privacy Act. The new bill would enable consumers to enforce their rights in court. The proposal comes as California seeks to implement the Consumer Privacy Act. In testimony for the US Congress, EPIC has explained that the “most effective way to improve data security is to establish a private right of action.” At present, there are hundreds, perhaps thousands, of substantial privacy complaints pending before the Federal Trade Commission. The EPIC State Policy Project monitors privacy bills nationwide.

FTC Announces Task Force on Competition in Tech + (Feb. 26, 2019)

The FTC announced a new task force dedicated to monitoring U.S. technology markets and investigating anticompetitive conduct. FTC Chairman Joe Simons said "it makes sense for us to closely examine technology markets to ensure consumers benefit from free and fair competition." According to the FTC, the Technology Task Force will examine "prospective merger reviews" and will review "consummated technology mergers." EPIC objected to Facebook's acquisition of Whatsapp in 2014 and Google's acquisition of DoubleClick in 2007. EPIC has called on the FTC to require Google to divest Nest, after reports that the company hid listening devices in the home thermostat, and pressed the Commission to use its equitable authorities, including divestiture, to enforce consent orders.

EPIC, Open Markets, Civil Rights Groups Press FTC on Facebook Consent Order + (Jan. 23, 2019)

EPIC joined a coalition of groups urging the FTC to issue strong penalties in Facebook matter. "Given that Facebook’s violations are so numerous in scale, severe in nature, impactful for such a large portion of the American public and central to the company’s business model, and given the company’s massive size and influence over American consumers, penalties and remedies that go far beyond the Commission’s recent actions are called for,” the letter stated. The groups said the FTC should 1) impose substantial fines; 2) establish structural remedies; 3) require compliance with Fair Information Practices; 4) reform hiring and management practices; and 5) restore democratic governance.

Consumer Organizations Announce New Framework for US Privacy Protection, Propose Privacy Agency + (Jan. 17, 2019)

EPIC joined 16 organizations in support of a “A Framework for Privacy Protection in the United States." The consumer groups outlined a new approach to privacy protection: (1) enact baseline federal legislation; (2) enforce fair information practices; (3) establish a data protection agency; (4) ensure robust enforcement; (5) establish algorithmic governance; (6) prohibit “take it or leave it” terms; (7) promote privacy innovation; and (8) limit government access to personal data. The consumer framework states that the Federal Trade Commission has failed to enforce the orders it has established. "The US needs a federal agency focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges.” [Press Release]

D.C. Attorney General Sues Facebook + (Dec. 20, 2018)

The D.C. Attorney General filed a complaint against Facebook under the D.C. Consumer Protection Procedures Act, making D.C. the first U.S. jurisdiction to take action against the company for the mishandling of user data that led to Cambridge Analytica. The AG's complaint alleges that Facebook failed to monitor third-party use of personal data and failed to ensure users’ data was deleted. The D.C. lawsuit seeks financial penalties, and an injunction to ensure Facebook puts in place protocols and safeguards to protect users’ data and easier for users to control their privacy settings. AG Karl Racine said: “Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users’ permission. Today’s lawsuit is about making Facebook live up to its promise to protect its users’ privacy.” EPIC filed a D.C. Consumer Protection Procedures Act lawsuitchallenging the unlawful collection, use, and disclosure of personal location data by AccuWeather through its mobile iOS app.

EPIC Urges Antitrust Agencies to Raise their Game + (Dec. 12, 2018)

In a statement to the House Judiciary committee, EPIC urged lawmakers press the FTC and the Department of Justice at a hearing on "Oversight of the Antitrust Enforcement Agencies." EPIC emphasized the risks of mergers to American consumers, stating that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. Consumer organizations in the US and the European Union recently urged antitrust authorities on both sides of the Atlantic to subject mergers to greater scrutiny.

EPIC Comments on NTIA’s Consumer Privacy Framework + (Nov. 9, 2018)

EPIC submitted comments to the National Telecommunications and Information Administration—the agency that advises the White House on Internet policy—on the proposed framework for consumer privacy. EPIC backed the "Desired Outcomes:" (1) transparency, (2) control, (3) minimization, (4) security, (5) access and correction, (6) risk management, and (7) accountability. But EPIC urged the agency to support federal baseline legislation, the creation of a data protection agency, and the ratification of the International Privacy Convention. EPIC explained, "These are not policy preferences or partisan perspectives. These are the steps that modern societies must take to safeguard the personal data of their citizens.” NTIA Secretary David Redl met with the Privacy Coalition last month.

Consumer and Privacy Organizations Propose Framework for U.S. Data Protection + (Oct. 9, 2018)

EPIC joined a group of twelve consumer and privacy organizations that submitted a statement to the Senate Commerce Committee in advance of a consumer privacy hearing. The groups outlined a draft framework for data protection in the U.S., advocating that Congress (1) enact baseline federal data protection legislation; (2) limit government access to personal data; (3) establish algorithmic transparency and end discriminatory profiling; (4) prohibit “take it or leave it” and other unfair terms; (5) ensure robust enforcement; (6) promote privacy innovation; and (7) establish a data protection agency. EPIC also submitted a statement to the Committee that highlighted recent breaches at Google and Facebook and the FTC's failure to enforce its own consent orders.

EPIC, Consumer Groups Urge Senate Commerce to Invite Privacy Witnesses to Privacy Hearing + (Sep. 20, 2018)

EPIC joined a coalition of 28 consumer privacy groups in a letter to Senate Commerce Committee Chairman John Thune (R-S.D.) and ranking member Bill Nelson (D-Fla.) that asked the Senators to include consumer advocates in an upcoming hearing on consumer privacy. At this time, the Committee has invited, AT&T, Amazon, Google, Twitter, Apple and Charter Communications. The consumer privacy groups wrote, "the absence of consumer representatives all but ensures a narrow discussion, focused on policy alternatives favored by business groups." Proposals endorsed by consumers include, "federal baseline legislation, heightened penalties for data breaches, the end of arbitration clauses, the establishment of a privacy agency in the U.S., techniques for data minimization, [and] algorithmic transparency to prevent the secret profiling of American consumers." The groups also noted that a recent Harris survey found that "78 percent of U.S. respondents say a company's ability to keep their data private is 'extremely important,' but only 20 percent 'completely trust' organizations they interact with to maintain the privacy of their data."

EPIC Urges Safety Commission to Regulate Privacy and Security of IoT Device + (Jun. 15, 2018)

EPIC submitted comments to the Consumer Product Safety Commission, urging the agency to regulate the privacy and security of Internet of Things devices. EPIC advised the Commission to require IoT manufacturers to (1) minimize data collection, (2) conduct privacy impact assessments, and (3) implement Privacy Enhancing Techniques (“PETs”). EPIC recently told Congress that “CPSC should establish mandatory privacy and security standards, and require certification to these standards before IoT devices are allowed into the market stream.” EPIC has also called out the CPSC for its reluctance to address the privacy and security challenges of IoT. In the statement to Congress, EPIC described the increasing risks to American consumers.

Amazon Echo Secretly Recorded And Disclosed User's Private Conversation + (May. 24, 2018)

"Alexa" secretly recorded the private conversation of a Portland woman and sent it to one of her contacts, according to a news report. The Federal Wiretap Act makes it a crime to intentionally intercept a private communication. In 2015, EPIC urged the Federal Trade Commission and the Department of Justice to investigate whether "always on" smart home devices violated federal wiretap law. EPIC recently warned the Consumer Product Safety Commission that the Google Home Mini continuously record users' private conversations because of a product defect. And EPIC recently testified before the CPSC on the need to regulate privacy and security hazards posed by Internet of Things devices.

EPIC Urges Congress to Focus on Consumer Privacy and Data Security in Antitrust Hearing + (Dec. 12, 2017)

In a statement to the Senate Judiciary committee, EPIC urged lawmakers to consider consumer privacy at a hearing on "The Consumer Welfare Standard in Antitrust." EPIC emphasized the privacy risks of mergers, stating that "when companies merge, they combine not only their products, services, and finances, but also their vast troves of personal data." EPIC reminded Congress that the United States is experiencing an epidemic of data breaches, and large databases of personal data are more vulnerable to attack. EPIC testified before the Senate Judiciary Committee in 2007 about the growing risks to competition and privacy of mergers in the online advertising industry. EPIC also warned the FTC about the consumer privacy risks of high profile mergers. In 2000, EPIC opposed Doubleclick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. And in 2014 EPIC urged the FTC to mandate privacy safeguards for Facebook's acquisition of WhatsApp.

Senators Question Privacy and Safety of Facebook’s "Messenger Kids" App + (Dec. 7, 2017)

Senators Edward Markey (D-Mass) and Richard Blumenthal (D-Conn) wrote to Facebook CEO Mark Zuckerberg with questions about Facebook’s Messenger Kids app, aimed at children 6-12. The Senators said, “we remain concerned about where sensitive information collected through this app could end up and for what purpose it could be used.” The Children’s Online Privacy Protection Act specifically limits the collection and use of data on children under the age of 13. Concerns about the misuse of children data remains high. EPIC and several consumer privacy organizations filed a complaint with the FTC in 2016 alleging that the Internet-connected doll Cayla spied on children. EPIC also backed a L6 recent campaign to recall Mattel’s Aristotle, a device that collected data from young children. The campaign led Mattel to cancel the sale of Aristotle.

EPIC Amicus - Ninth Circuit Holds Violation of Video Privacy Law Establishes 'Standing' + (Nov. 29, 2017)

The Ninth Circuit issued an opinion today that addressed standing — the right to bring a lawsuit — under the Video Privacy Protection Act. The court found that the law protects a "substantive right to privacy that suffers any time a video service provider discloses otherwise private information." The court stated that a "plaintiff need not allege any further harm to have standing." EPIC filed an amicus letter brief in response to the court's request for parties to discuss standing following the Supreme Court decision in Spokeo v. Robbins. EPIC urged the court to recognize that "Congress intended to protect consumers' concrete interests in the confidentiality of their video viewing records." Contrasting with the Spokeo decision concerning the Fair Credit Reporting Act, the federal appeals court agreed that the video privacy law protects a "substantive interest." However, the court found that "personally identifiable information" was not disclosed by ESPN. EPIC has filed amicus briefs defending consumers in several cases after the Spokeo decision, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation.

Consumer Bureau Proposes Policy Guidance for Data Aggregation Services + (Nov. 16, 2017)

The Consumer Financial Protection Bureau recently set out guidance for financial services that aggregate consumer data. The Bureau outlined Consumer Protection Principles that "express the Bureau's vision for realizing a robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value." The Consumer Protection Principles for aggregated consumer data services are: (1) consumer access to information, (2) usability and limited scope of access by third parties, (3) consumer control and informed consent, (4) authorizing payments, (5) security (6) access transparency, (7) accuracy, (8) ability to dispute and resolve unauthorized access, and (9) efficient and effective accountability mechanisms. EPIC has urged Congress to establish privacy and data security standards for consumer services and has championed algorithmic transparency. In testimony before Congress, EPIC Board member Professor Frank Pasquale explained that the use of secret algorithms often have adverse consequences for consumers.

Senator Leahy Introduces Legislation To Protect Consumer Privacy + (Nov. 15, 2017)

Senator Patrick Leahy (D-VT), joined by six other Senators, introduced comprehensive legislation to protect consumers from data breach and identity theft. The Consumer Privacy Protection Act of 2017 requires companies to provide notice to consumers after a data breach and meet certain baseline privacy and data security standards. The Consumer Privacy Act also prohibits companies from using a data breach to force consumers into individual arbitration, and would punish companies for concealing security breaches. Senator Leahy stated, "Companies that profit from our personal information should be obligated to take steps to keep it safe." Senator Leahy added, "In today's world, data security is no longer just about protecting our identities and our bank accounts; it is about protecting our privacy and even our national security." EPIC recently testified before the Senate Banking Committee in the wake of Equifax breach calling for consumer control over their personal data. EPIC President Marc Rotenberg also outlined several steps for Congress to reform the credit reporting industry in the Harvard Business Review.

Communications Privacy Directive Moves Forward in European Parliament + (Oct. 23, 2017)

European Parliament Committee on Civil Liberties, Justice and Home Affairs - or LIBE Committee - has approved an update to EU communications privacy law in a key step toward finalizing the regulation. The proposed e-Privacy Regulation would extend consumer safeguards to users of all online communications services, cover content and metadata, and limit tracking of internet users. The Members recommended "privacy by default" settings be standardized, strong encryption by providers, and that users' consent obtained before the use of any personal data. In the U.S., EPIC has urged the Federal Communication Commission to bring U.S. law up to date with a similar, comprehensive approach to communications privacy. Next, the full European Parliament will vote on the legislation this week.

EU Parliament Releases Draft Report on ePrivacy Directive + (Jun. 19, 2017)

The European Parliament's Committee on Civil Liberties, Justice, and Home Affairs has released a draft report on regulations for privacy and electronic communications. The draft contains several proposals to strengthen online privacy, including end-to-end encryption in all electronic communications and a ban on encryption backdoors. Protecting the privacy of communications is "an essential condition for the respect of other related fundamental rights and freedoms," according to the report. EPIC has urged the FCC to follow developments with the ePrivacy Directive and has recommended the use of end-to-end encryption in applications including commercial e-mail and connected cars.

EPIC to Congress: Data Protection Needed for Financial Technologies + (Jun. 9, 2017)

EPIC submitted a statement to a House Committee hearing on financial technologies on the risks with new financial services. Companies now use social media data and secret algorithms to make determinations about consumers. They are also reaching out, through the "Internet of Things," to control consumers. EPIC's recently filed a complaint with the CFPB about "starter interrupt devices," deployed by auto lenders to remotely disable cars when individuals are late on their payments.

Spending Measure Increases FTC Funding by $6 Million + (May. 4, 2017)

The spending measure recently approved by Congress allocates $313 million to the FTC for fiscal 2017. According to the Senate summary, the allocation is for the FTC "to detect and eliminate illegal collusion, prevent anticompetitive mergers, combat consumer fraud, fight identity theft and promote consumer privacy." The amount is an increase of $6 million, or about 2 percent, over 2016 levels. EPIC has consistently urged the FTC to exercise its full authority in protecting consumers and has filed numerous consumer privacy complaints with the FTC, including a recent complaint about "toys that spy." Earlier this year, an EPIC-led coalition detailed 10 steps for the FTC to protect consumers in 2017.

Senators Blumenthal and Udall Introduce Online Privacy Bill + (Apr. 27, 2017)

Senators Richard Blumental (D-CT) and Tom Udall (D-NM) have introduced the Managing Your Data Against Telecom Abuses (MY DATA) Act. The MY DATA Act would grant the FTC jurisdiction over broadband providers, as well the authority to establish rules for privacy and data security online. "In the 21st century, internet access is a basic necessity. And signing up for a basic necessity should never mean you have to sign away your rights to privacy," said Senator Blumenthal. EPIC has previously told Congress that the FTC has not done enough to safeguard consumer privacy, citing the Commission's failure to enforce settlement agreements or to modify proposed settlements based on public comments. EPIC has also proposed comprehensive consumer privacy laws to combat the growing threats of data breaches, identity theft, and financial fraud.

EPIC Recommends Privacy Safeguards for Vehicle Networks + (Apr. 14, 2017)

In comments to the National Highway Traffic Safety Administration, EPIC recommended stronger privacy protections for vehicle-to-vehicle communications. EPIC urged the agency to allow consumers to turn off pre-installed V2V communications and to required automobile manufacturers to be transparent about the collection of personal data. EPIC also urged that agency to establish basic cybersecurity safeguards and require encryption for all vehicle networks and ensure data minimization techniques. EPIC has previously submitted comments to NHTSA on connected cars and has submitted several statements to Congress.

Privacy Poll - Users More Concerned about Google and Facebook than ISPs + (Apr. 11, 2017)

According to a POLITICO / Morning Consult poll, Americans trust Google and Facebook less than ISPs to protect personal data. Only 43% of respondents trusted broadband companies with personal information "a great deal" or "a fair amount." But trust in internet companies was much lower: 31% said they trust Facebook, 21% trust Twitter, 39% trust Google, and 35% trust other websites they visit regularly. The poll also shows public opposition to web tracking, with 70% respondents saying they were "somewhat uncomfortable" or "very uncomfortable" with companies tracking the web sites people visit and 77% being uncomfortable with companies selling people's data for advertising purposes. EPIC had urged the FCC to adopt a comprehensive approach to privacy protection and maintains an extensive page on Privacy and Public Opinion.

Trump Repeals Broadband Privacy Safeguards + (Apr. 4, 2017)

Donald Trump signed a congressional resolution rescinding the FCC's broadband privacy rules. The rules required internet service providers to obtain consumers' consent before accessing sensitive information and to notify consumers of data breaches. The resolution nullifies the FCC's rules and blocks the FCC from enacting similar rules in the future. EPIC had urged the FCC to establish comprehensive safeguards for consumer privacy, and also explained to Congress that the FTC does not effectively safeguard consumer privacy. EPIC also has a petition pending before the FCC to end the mandatory retention of private customer telephone records.

EPIC Seeks Documents on Trump - Pai White House Meeting + (Mar. 9, 2017)

EPIC has filed an urgent FOIA request with the FCC for information on the recent meeting between FCC Chairman Ajit Pai and President Donald Trump. EPIC is seeking memos, briefing papers, emails, and talking points relating to the White House meeting that took place on March 6, 2017. EPIC said in the FOIA request that public disclosure of this is critical as President Trump has described the media, which is subject to FCC regulation, as the "enemy of the people." FCC Chair Pai also recently suspended parts of a broadband privacy order that protects Internet users from invasive tracking and profiling. EPIC has urged the FCC to establish comprehensive safeguards for consumer privacy. EPIC also has a long-standing petition before the FCC to end the mandatory retention of customer telephone records.

EPIC, Children's Advocates Oppose Requests to End FCC Broadband Privacy Rules + (Mar. 6, 2017)

EPIC and a coalition of children's advocates have filed a comment opposing petitions that ask the FCC to revoke its broadband privacy rules. The coalition urged the FCC to retain rules that treat children's data, web browsing histories, and app usage data as sensitive and to retain opt-in requirements for all categories of sensitive information. EPIC previously urged the FCC to establish comprehensive safeguards for consumer privacy, to ban pay-for-privacy schemes, and to prohibit mandatory arbitration. EPIC has frequently defended FCC privacy rules and currently has a petition pending before the FCC to end the mandatory retention of customer telephone records.

Congressman Pallone Asks Government Accounting Office to Study Costs of Eliminating Privacy Rules + (Feb. 27, 2017)

Congressman Frank Pallone has asked the U.S. Government Accounting Office to study the harms of eliminating rules that protect consumer privacy. "With the near universal use of the internet, and the rapid expansion of connected devices, corporations now have more information about American consumers than ever before," Pallone wrote in his letter. "It is, therefore, more important than ever that Americans' privacy and security be protected online." Pallone asked the GAO to report on whether the "notice and choice" approach to privacy regulation works, what challenges consumers face in protecting their information, and how the FCC, FTC, and other agencies approach privacy regulation. EPIC has urged the FCC to establish comprehensive safeguards for consumer privacy. EPIC also explained in comments to the FTC and FCC and in testimony before Congress that "notice and choice" is insufficient to protect consumer privacy.

EPIC, Coalition Recommend 10 Steps for the FTC to Protect Consumers in 2017 + (Feb. 16, 2017)

EPIC and a coalition of consumer groups sent a letter to the Federal Trade Commission recommending 10 steps the agency should take to protect consumers and promote competition in 2017. "American consumers today are at great risk of identity theft, financial fraud, and data breaches," the coalition wrote, arguing that "proactive efforts to strengthen data protection will spur innovation and support business models that are sustainable over time." The letter asks the FTC to increase its enforcement efforts, promote transparency, and pursue actions based on unfairness instead of relying on "notice and choice." EPIC has consistently urged the FTC to exercise its full authority in protecting consumers. EPIC has also filed numerous consumer privacy complaints with the FTC, including a recent complaint about "toys that spy."

States Recognize Data Privacy Day + (Feb. 10, 2017)

Several states across the U.S., including Michigan, Montana, North Carolina, and Ohio, recognized international Data Privacy Day, held annually on January 28 to commemorate the first international treaty for privacy and data protection. State efforts to raise awareness about privacy and other consumer protection issues are published monthly in The State Center Consumer Protection Report. The Report also noted that Mississippi is pursuing legal action against Google over student data collected from public schools. The lawsuit accuses Google of collecting students' personal information and search history for its own business interests in violation of the Mississippi Consumer Protection Act.

Acting FTC Chair Outlines Consumer Protection Priorities + (Feb. 6, 2017)

In a recent speech, Acting Federal Trade Commission Chairwoman Maureen Ohlhausen outlined her priorities for consumer protection. Ohlhausen recognized that "a notice-and-choice approach to privacy may not adequately protect consumers" but advocated a market-focused "harms-based approach" to privacy. She pointed to recent settlements with Ashley Madison and Eli Lilly as cases involving significant non-financial harm to consumers. Ohlhausen also proposed making the results of all FTC data security investigations public, not only those that result in enforcement actions. EPIC supports increased transparency in FTC actions but has explained in comments to the FTC and FCC and in testimony before Congress that "notice and choice" and "harms based" approaches are insufficient to protect consumer privacy.

Trump Order Threatens Consumer Protection, Public Safety + (Jan. 31, 2017)

The President has issued an executive order requiring every new regulation to be offset by the repeal of at least two existing regulations. The Order could directly impact rules that safeguard consumers against data breach, financial fraud, and identity theft. EPIC has also recommended new public safety regulations concerning aerial drones, connected vehicles, and the Internet of Things. In EPIC v. FAA, EPIC is challenging the failure of the agency to protect the public from aerial surveillance.

FTC Issues Report on Cross-Device Tracking + (Jan. 26, 2017)

The Federal Trade Commission has issued Cross-Device Tracking: An FTC Staff Report, which describes online tracking technology used to link a consumer's activity across smartphones, laptops, tablets, and other internet-connected devices. The report follows from an FTC workshop on this emerging practice. EPIC filed comments with the Commission urging limits on cross-device tracking, which presents significant privacy challenges due to the "lack of transparency and control in this undetectable online tracking scheme." EPIC explained how "notice and choice" fails to protect consumers from this surreptitious activity. The FTC's report recommends continued industry-self regulation and application of the unworkable "notice and choice" approach to this new practice.

EPIC Urges Senate Committee to Safeguard Consumer Privacy in Internet of Things and Telemarketing Bills + (Jan. 24, 2017)

EPIC sent a letter to the Senate Commerce Committee on Monday about privacy and security concerns in two pending bills. The DIGIT Act would "encourage the growth" of the Internet of Things and "help identify barriers to its advancement." The Spoofing Prevention Act would extend the laws prohibiting Caller ID spoofing to text messages, international calls, and Voice-over-IP calls. EPIC pointed out the "significant privacy and security risks" to American consumers of the Internet of Things. EPIC also argued for "a requirement that any automated calls reveal (1) the actual identity of the caller and (2) the purpose of the call." EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices. EPIC also supports robust telephone privacy protections and recently advised Congress on modernizing telemarketing rules.

EPIC Calls on FCC to Prohibit Forced Arbitration + (Jan. 12, 2017)

EPIC and a coalition of privacy advocates have submitted comments asking the FCC to prohibit forced arbitration clauses in communications contracts. Arbitration clauses require consumers to settle complaints in private proceedings out of court, often in inconvenient locations and before arbitrators of the company's choosing. The comments note that forced arbitration clauses allow corporations to "escape accountability for systemic harms" such as overbilling. The FCC's broadband privacy rules, adopted in October 2016, did not address forced arbitration clauses, but Chairman Wheeler announced at the FCC's October meeting that the agency had begun an internal process for rulemaking on that issue. EPIC has urged the FCC to establish comprehensive safeguards for consumer privacy, to ban pay-for-privacy schemes, and to prohibit mandatory arbitration. EPIC has frequently defended FCC privacy rules and currently has a petition pending before the FCC to end the mandatory retention of customer telephone records.

FTC Responds to EPIC, Consumer Groups About Toys That Spy + (Jan. 11, 2017)

The Federal Trade Commission has responded to EPIC's complaint about toys that spy, promising to "carefully review" the filing. EPIC's complaint, filed last month and joined by the Campaign for Commercial Free Childhood, the Center for Digital Democracy, and Consumers Union, alleges that the internet-connected children's toys My Friend Cayla and i-Que Intelligent Robot violate federal privacy laws. The complaint is part of coordinated, international efforts to ban these toys from the marketplace. Walmart, Toys "R" Us, and stores across Europe have already pulled the toys from their shelves. EPIC's complaint has also spurred a congressional investigation by Sen. Edward Markey (D-MA) into the data practices of toymaker Genesis Toys and speech technology developer Nuance Communications.

Europe to Update Consumer Privacy Rules + (Jan. 10, 2017)

The European Commission has released its proposal to update EU law on privacy and security safeguards for electronic communications. The revamped e-Privacy Regulation would extend important new safeguards to users of all online communications services, including email, instant messaging, and social media. The proposal would also protect both communications content and metadata, and would limit tracking of internet users. In the US, the FCC recently adopted modest privacy rules that apply only to broadband services offered by telecom companies, despite EPIC's repeated advice to the FCC to address "the full range of communications privacy issues facing US consumers." The Commission's update of the e-Privacy Directive follows the recently adopted General Data Protection Regulation, and must next be adopted by the European Parliament and European Council.

Center for Investigative Reporting: Uber Continues to Abuse Locational Data + (Dec. 21, 2016)

A recent report from the Center for Investigative Reporting finds that Uber continues to allow employees broad access to rider location data, raising questions of whether the transportation service is violating the terms of a settlement with New York’s Attorney General. According to the report, "Uber gave thousands of employees access to where and when each customer travels." Uber recently changed the terms of service and expanded the collection of users location data. Uber also faces legal action in Europe over whether it should be considered a transportation service or digital platform. Last year, EPIC filed a complaint with the FTC, charging that Uber’s plan to track users and gather contact details is an unlawful and deceptive trade practice. That complaint, like many other consumer privacy complaints, is still pending before the Federal Trade Commission.

EPIC Urges Amazon, Walmart, Target, and Toys "R" US to Stop Selling Toys That Spy + (Dec. 20, 2016)

EPIC has joined the Campaign for a Commercial-Free Childhood and the Center for Digital Democracy in letters to major U.S. retailers urging the companies to immediately discontinue sales of My Friend Cayla, an internet-connected doll that spies on young children. Earlier this month, EPIC filed a complaint with the Federal Trade Commission against toymaker Genesis Toys and speech recognition firm Nuance Communications over “toys that spy” on children in violations of federal privacy laws. The letters from the consumer groups, sent to Amazon, Walmart, Toys "R" Us, and Target, urge the companies "to put the welfare of children first, and to cease sales of My Friend Cayla pending investigation and action by the FTC." Toy stores across Europe have already removed Cayla from their shelves and are offering refunds to parents who purchased the toys.

EPIC, International Consumer Coalition Urges Recall on "Toys That Spy" + (Dec. 6, 2016)

EPIC has filed a landmark complaint with the Federal Trade Commission about “toys that spy.” The complaint alleges that My Friend Cayla and i-Que Robot violate federal privacy law. “The toys subject young children to ongoing surveillance,” EPIC said in a statement. The EPIC complaint targets manufacturer Genesis Toys and Nuance Communications and describes how Internet-connected toys pose ongoing serious safety threats to children. EPIC’s complaint, joined by the Campaign for Commercial Free Childhood, the Center for Digital Democracy, and Consumers Union, is part of coordinated effort to ban these toys from the marketplace. The complaint follows earlier efforts by the Norwegian Consumer Council. EPIC warned Congress about the risks of the Internet of Things, and filed complaints with the FTC about “always on” devices and “smart TVs.”

Congress Passes Consumer Review Fairness Act, Bans Gag Clauses + (Nov. 29, 2016)

Congress has passed the Consumer Review Fairness Act, a law protecting consumers' right to post negative reviews without fear of retaliation. The bipartisan measure would make it illegal for companies to include non-disparagement clauses in consumer contracts, or to impose penalties or fees for critical reviews. The Federal Trade Commission will enforce the new law, which now awaits President Obama's signature. "By ending gag clauses, this legislation supports consumer rights and the integrity of critical feedback about products and services sold online." said Senate Commerce Committee Chairman John Thune. EPIC has long supported free speech and access to information online.

EPIC Urges FTC to Strengthen "Safeguard Rule" + (Nov. 8, 2016)

In comments to the FTC, EPIC has asked the agency to strengthen the  Safeguards Rule, which sets out basic security standards for the processing of consumer information. EPIC urged the agency to expand the scope of the Rule, which now only applies to financial institutions. EPIC also recommended that the FTC mandate compliance with the Rule and require data minimization. EPIC has previously urged the Commission to enforce the Safeguards Rule against both financial and non-financial institutions and has also recommended data minimization to safeguard consumer privacy.

House Members Urge FTC to Examine Internet-of-Things + (Nov. 4, 2016)

In the wake of October's massive distributed denial of service attack, two members of Congress have sent a letter to Federal Trade Commission Chairwoman Edith Ramirez urging the FTC to protect consumers from insecure Internet of Things devices. Rep. Frank Pallone, Jr. and Rep. Jan Schakowsky, senior members of the House Energy and Commerce Committee, wrote that the FTC should "immediately use all the tools at its disposal to ensure that manufacturers of IoT devices implement strong security measures." EPIC is at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," 'consumer products, and "always on" devices. EPIC recently urged the federal government to establish legal requirements to promote Privacy Enhancing Technologies, limit user tracking, minimize data collection, and "ensure security in both design and operation of Internet-connected devices."

FCC Releases Revised Broadband Privacy Plan + (Oct. 6, 2016)

The Federal Communications Commission has released a fact sheet outlining a revised proposal for broadband privacy rules. The revised rules will require ISPs to obtain consumers consent only for use of "sensitive" information. The original proposal offered privacy protections for all consumer data. ISPs will also be permitted to charge higher prices for basic privacy protections, subject to FCC review. EPIC has said that the FCC should go further to safeguard consumer privacy. The Commission plans to vote on the proposal on October 27th.

Supreme Court Won't Review Privacy Violations by Facebook, Google + (Oct. 4, 2016)

The U.S. Supreme Court has declined to review two important consumer privacy cases: K.D. v. Facebook, a suit challenging Facebook’s use of young childrens’ names and images in advertising without consent, and Gourley v. Google, a suit opposing Google’s covert use of web cookies to track browsing habits. In K.D., consumers urged the Supreme Court to review a Ninth Circuit opinion, which upheld a controversial settlement. EPIC filed an amicus brief in a companion case, Fraley v. Facebook, explaining that a settlement is unfair that allows a company to continue to engage in privacy violations. In Gourley, consumers asked the Court to overrule a Third Circuit decision holding that Google's exploitation of browser privacy loopholes did not violate the Wiretap Act or Stored Communications Act.

India Joins International Opposition to WhatsApp Privacy Changes + (Sep. 30, 2016)

India’s Deli High Court has ordered WhatsApp not to transfer to Facebook any user data that was collected prior to September 25, 2016, and to delete data of users who opted out of WhatsApp’s new data transfer policy prior to that date. Last month, WhatsApp announced it would begin transferring user data, including verified phone numbers, to Facebook in violation of previous privacy promises. Germany has also ordered Facebook to immediately stop collecting and storing user data from WhatsApp, and to delete all WhatsApp user data already transferred. EPIC filed a complaint with the FTC over the policy change, and more than a dozen consumer groups have backed these efforts. The FTC’s latest response to the consumer coalition emphasized “FTC staff’s position that companies must obtain affirmative express (opt-in) consent before making material, retroactive changes to privacy promises.” The FTC has previously stated, “When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises.”

Germany Prohibits WhatsApp Data Transfer to Facebook + (Sep. 27, 2016)

Germany’s privacy regulator has ordered Facebook to immediately stop collecting and storing user data from WhatsApp, and to delete all WhatsApp user data that has already been transferred. In a statement, German officials said that WhatsApp’s new data transfer policy constitutes “an infringement of national data protection law.” EU Competition Commissioner Margrethe Vestager has also opened an investigation into WhatsApp’s privacy changes, which contradict previous commitments to users and regulators. EPIC filed a complaint with the FTC over the policy change, and more than a dozen consumer groups have backed these efforts. The FTC responded it would “carefully review” EPIC’s complaint. The FTC has previously stated, “When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises.”

EPIC Tells Congress FTC Must Do More for Consumer Privacy + (Sep. 26, 2016)

EPIC has sent a letter to the Senate Commerce Committee in advance of an oversight hearing on the Federal Trade Commission. EPIC explained that the FTC has not done enough to safeguard consumer privacy, citing the Commission's failure to enforce settlement agreements or to modify proposed settlements based on public comments. "The FTC’s failure to act in the face of mounting threats to consumer privacy and security could be catastrophic," EPIC warned. EPIC  also proposed comprehensive consumer privacy laws to combat the growing threats of data breaches, identity theft, and financial fraud. Public opinion polls show broad public support for new US privacy laws.

Consumer Groups Back Call for FTC to Investigate WhatsApp + (Sep. 22, 2016)

More than a dozen US consumer organizations have asked the Federal Trade Commission to pursue the complaint EPIC and the Center for Digital Democracy filed about WhatsApp’s plan to transfer user data to Facebook. The EPIC-CDD complaint said that the changes to WhatsApp contradict promises  to users that personal information would not be used for marketing purposes.  The FTC has said "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises." The FTC responded that it would “carefully review” EPIC’s complaint. The consumer coalition letter urges the Commission to “fulfill its duty to protect consumer privacy, and to investigate and enjoin WhatsApp and Facebook’s proposed change in business practices.” 

U.S. Proposes Voluntary Guidelines for "Automated Vehicles," Privacy and Safety Issues Remain a Challenge + (Sep. 20, 2016)

The Department of Transportation has released federal guidelines for the automated vehicle industry. The Federal Automated Vehicles Policy backs the deployment of self-driving cars in the United States. The agency acknowledges privacy concerns and endorses the Consumer Privacy Bill of Rights, which EPIC supports, however the framework lacks compliance obligations and  enforcement mechanisms.  The agency also proposes to preempt existing state regulations that may provide stronger protections. Last year in testimony before Congress, EPIC warned of public safety risks associated with automated vehicles. And yesterday Secretary of Commerce Penny Pritzker warned the Commission on Enhancing National Cybersecurity that "as cars go driverless . . . the cyberthreats we face will only grow more widespread." The Transportation Department seeks public comments on the Guidelines for Automated Vehicles. The deadline is November 22, 2016.

EPIC Amicus - Appeals Court Finds Inaccurate Background Reports Violate Federal Privacy Law + (Sep. 14, 2016)

A federal appeals court has ruled that LexisNexis violated the Fair Credit Reporting Act by selling background reports that wrongly included criminal convictions for innocent individuals. EPIC filed an amicus brief in the case, highlighting the failure of crediting reporting agencies to adopt reasonable procedures to ensure accuracy. EPIC said that it is not enough to follow “industry standards” if  inaccurate reports still result. The court found that Lexis was negligent because it failed to “follow reasonable procedures to assure maximum possible accuracy” of the information.

FTC Seeks Comments on the "Disposal Rule" for Consumer Data + (Sep. 13, 2016)

The Federal Trade Commission is seeking public comments on the "Disposal Rule." The Disposal Rule requires that companies delete consumer data and to protect against unauthorized use of the data. The Commission seeks comment on a variety of issues including cost-benefits analysis and industry compliance. EPIC supported the implementation of the Disposal Rule in 2004 and continues to advocate for data protection measures. EPIC has also promoted Privacy Enhancing Techniques that minimize or eliminate the collection of personal information. Identity theft continues to be the top consumer complaint reported to the Commission.

European Commission Begins Investigation of WhatsApp Privacy About-Face + (Sep. 13, 2016)

Following the announcement that WhatsApp intends to transfer user data to Facebook in violation of earlier commitments, EU Competition Commissioner Margrethe Vestager has opened an investigation. Vestager stated, “That they didn’t merge data wasn’t the decisive factor when the merger was approved, but it was still a part of the decision” to approve the $19b Facebook acquisition in 2014. Last month, EPIC and the Center for Digital Democracy filed a complaint with the FTC, urging the Commission to Act. The FTC responded that it would “carefully review” EPIC’s complaint.

Pokemon GO Developer Niantic Responds to Sen. Franken Inquiry into Privacy Concerns + (Sep. 8, 2016)

Pokemon GO developer Niantic has responded to Sen. Al Franken’s request for information concerning the company’s data practices. Sen. Franken’s letter, sent in early July, asked Niantic to clarify the scope, purpose, and necessity of its data collection practices. Niantic’s response letter indicates that it “collects and stores” user location data to place and position users on the game’s map, but fails to explain why and for how long location data is stored. Franken also directed the company to provide a current list of the "third party service providers" with whom user data is shared. Niantic’s letter confirms that it hires third parties to provide a variety of services, but does not specifically identify any of these companies. Privacy officials in Canada, Europe, and Asia, have begun investigations of Niantic, which is tied to the Google company Alphabet. The Niantic CEO led the Google project that captured private communications in more than 30 countries around the world. The initial Pokemon Go release provided Niantic full access to the user's Google account. EPIC sent a letter to the FTC urging the Commission to investigate the privacy risks posed by Pokemon GO,  Niantic’s data collection practices, and its ties to Google.

EPIC, Coalition Reject Calls to Further Weaken FCC's Modest Privacy Proposal + (Sep. 7, 2016)

EPIC and a coalition of consumer privacy advocates have sent a letter to the Federal Communications Commission in response to industry demands to further weaken the FCC's proposed broadband privacy rules. The groups rejects efforts  by Internet Service Providers to exempt anonymized consumer data from the privacy rules and to require opt-in consent only for sensitive information. The consumer groups also oppose mandatory arbitration and “pay-for-privacy” plans that would require consumers to pay fees for basic privacy safeguards. EPIC has called the FCC's proposed privacy rules a "modest first step" and repeatedly argued that the Commission can and should go further  to "address the full range of communications privacy issues facing US consumers."

EPIC, Consumer Coalition Tells FCC to Protect Privacy, Security in Connected Cars + (Aug. 30, 2016)

EPIC has joined a coalition of consumer groups in a letter to the FCC supporting safety rules for connected cars. The consumer groups endorsed a petition for rulemaking, filed earlier this year, that would establish safeguards for car communications networks. EPIC has testified before Congress on the risks of connected cars and recently filed an amicus brief in federal appeals court on vehicle-to-vehicle communications.

EPIC, CDD Charge WhatsApp Policy Change Unlawful, Urge FTC to Act + (Aug. 29, 2016)

EPIC and the Center for Digital Democracy have filed a complaint with the FTC concerning WhatsApp’s plan to transfer user data, including personal phone numbers, to Facebook. This reversal contradicts WhatsApp’s previous promises to users that their personal information would not be disclosed and would not be used for marketing purposes. EPIC said that WhatsApp change in business practices is unlawful and that the FTC is obligated to act. EPIC previously filed a complaint with the FTC over Facebook’s acquisition of WhatsApp in 2014. In response, the FTC warned the two companies they must honor their privacy promises to users. The FTC has said "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises."

Facebook to Collect WhatsApp User Data, Violating FTC Order and Privacy Promises + (Aug. 25, 2016)

WhatsApp has announced plans to disclose user information to Facebook, including phone numbers and other user data, that will be connected with Facebook profiles. Facebook purchased WhatsApp in 2014, and the companies promised users of the privacy-protective messaging service that “nothing” will change for WhatsApp users' privacy. EPIC filed a complaint with the FTC over the deal, and the FTC responded by warning the two companies that they must honor their privacy promises to WhatsApp users. The letter explained that failure to obtain users' opt-in consent before changing data practices would be an unfair and deceptive trade practice and violate Facebook’s FTC Consent Order. WhatsApp’s recent announcement indicates users will have 30 days to opt-out of data transfers to Facebook, in violation of the law and the FTC’s Order.  In 2012, EPIC and a coalition of consumer privacy organizations also led a successful effort at the FTC after Facebook changed the privacy settings of its users. As a result, Facebook is subject to an FTC consent order.

Data Protection 2016: Nationwide Hotel Data Breach + (Aug. 15, 2016)

Sheraton, Hyatt, Westin, and Marriott hotels in 10 states and Washington, D.C. have announced that hotel payment records were breached beginning as early as March 2015. Malware discovered in at least 20 hotels across the country collected customers’ names and payment card numbers, card expiration dates, and verification codes. Surprisingly, the hotels said that they will not notify individual customers of the breach. Almost every state in the country has  a mandatory breach notification law. Hyatt announced another payment card breach earlier this year at 250 hotels in approximately 50 countries. EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election.

EPIC’s Rotenberg Debates FBI Director at ABA Conference + (Aug. 7, 2016)

EPIC President Marc Rotenberg and FBI Director James Comey debated "Emerging Issues in National Security and Law Enforcement" at a plenary session of the ABA annual conference in San Francisco. Comey stated that Americans have "never had absolute privacy." Rotenberg replied that the Fifth Amendment grants absolute privacy as a Constitutional right. In response to the Director's comments that the FBI has 650 phones it can not decrypt, Rotenberg pointed out that in 2013, more than 3.1 million cell phones were stolen. "Crime would be much higher in United States if cell phone users did not have strong encryption," said Rotenberg. The EPIC amicus brief in Apple v. FBI highlighted the risk of weak encryption, and noted that stolen cell phones are tied to identity theft and financial fraud.

Appeals Court Affirms Consumers May Sue for Violations of Federal Law + (Aug. 5, 2016)

A federal appeals court has held that consumers can sue when companies fail to comply with legal obligations established by Congress. The case concerned a hospital that sent debt collection letters to consumers without disclosures required by the Fair Debt Collections Practices Act. The court concluded that “Congress has created a new right—the right to receive the required disclosures.” As a result, the consumer can bring a lawsuit when a company fails to comply with the law. EPIC has filed several amicus briefs defending the right of consumers to sue for violations of federal privacy laws.

EPIC Defends Drivers’ Right to Sue for Safety, Privacy Risks As Congress Warns of Risks to Public + (Aug. 5, 2016)

EPIC has filed an amicus brief in a case concerning the privacy and public safety risks of “connected” cars. EPIC warned that connected cars "expose American drivers to the risks of data breach, auto theft, and physical injury.” EPIC said a lower court was wrong to dismiss the case. EPIC urged a federal appeals court to allow consumers to "the opportunity to present legal claims stemming from the defendants’ sale of vehicles that place them at risk." This week researchers at Black Hat revealed new vulnerabilities in networked vehicles as Senators Blumenthal and Markey urged the FCC to establish “robust safety, cybersecurity, and privacy protections  before automakers deploy vehicle-2-vehicle . . . communication technologies.” EPIC has filed several amicus briefs defending consumers' rights to enforce their privacy rights.

EPIC, Consumer Coalition Oppose Robocalls by Government Contractors + (Jul. 26, 2016)

EPIC and a coalition of consumer groups have petitioned the FCC to reverse its recent decision to exempt federal contractors from restrictions on telemarketing and robocalls. The FCC incorrectly determined that the Telephone Consumer Protection Act (TCPA) “does not apply to calls made by or on behalf of the federal government in the conduct of official government business.” The petition, led by the National Consumer Law Center, warns of significant increases in unwanted robocalls from government contractors that consumers would be powerless to stop. EPIC supports robust telephone privacy protections and filed an amicus brief in support of the FCC’s 2015 order that strengthened consumer protections under the TCPA.

EPIC Explains to Federal Appeals Court that Mobile App Users Protected by Video Privacy Law + (Jul. 26, 2016)

EPIC has filed an amicus brief defending the privacy rights of users of  video apps. In the case, a CNN mobile app users challenged the disclosure of his video viewing history and personal information as a violation of federal privacy. In the brief for the federal appeals court, EPIC explained that that the privacy protections in the Video Privacy Protection Act apply to mobile apps that provide video service. EPIC said that the video privacy law covers the personal information collected by mobile apps, including the unique identifiers of the user’s device, and also that the privacy obligations apply to all companies that collect the viewing records of Internet users.  EPIC previously filed a brief in a similar case concerning the collection of video viewing records.

EPIC Tells FCC to Reject "Notice and Choice" Approach to Privacy + (Jul. 7, 2016)

EPIC has filed reply comments with the Federal Communications Commission on the proposed broadband privacy rules. EPIC said that the proposed rules are a modest first step and that the FCC has legal authority to do more to safeguard American consumers. EPIC also responded to erroneous statements from industry groups that the FTC's "notice and choice" framework safeguards consumer privacy. EPIC described numerous shortcomings, including lack of enforcement, frequent changes in privacy policies, and data breaches. "Notice and choice" is “directly at odds with baseline privacy standards,” EPIC said. EPIC previously urged the Commission to "address the full range of communications privacy issues facing US consumers" and to apply the Consumer Privacy Bill of Rights to communications data.

EPIC Calls for Strong Communications Privacy Rules + (May. 27, 2016)

EPIC has urged the Federal Communications Commission “to fully apply" the Consumer Privacy Bill of Rights to all communications services. The FCC's proposed privacy rules would regulate only broadband services and are based on the weak "notice and choice" framework.EPIC said the agency should endorse data minimization requirements, promote Privacy-Enhancing Technologies, and require opt-in consent. EPIC also urged the Commission to regulate all companies that gather consumer data for communications services.

EPIC to OPM: "If You Can't Protect It, Don't Collect It" + (May. 25, 2016)

In comments to the Office of Personnel Management, EPIC urged the federal agency to limit the personal data it collects from job applicants. OPM currently gathers detailed personal information, including biometric data, Social Security numbers, educational history, medical records, foreign travel, drug use, and financial records. In 2015, OPM lost the personal data of 21.5 million people in a massive data breach. The OPM Director and CIO were forced to resign. OPM now proposes to collect even more personal data on more people, including distant relatives of job applicants. EPIC has previously urged the Supreme Court to recognize a right of "information privacy" that would limit the ability of the federal government to collect personal information.

Senate Examines "Do Not Call" Law + (May. 19, 2016)

The Senate Commerce Committee held a hearing yesterday on the Telephone Consumer Protection Act. The "TCPA" bars telemarketers and robocallers from contacting consumers by phone or fax without prior express consent. In January, EPIC filed an amicus brief to provide greater TCPA protections for consumers.  EPIC said that widespread use of cellphones “has amplified the nuisance and privacy invasion caused by unwanted calls and text messages.” EPIC has testified before Congress about the TCPA and submitted many comments concerning the implementation of the consumer privacy law.

Lack of Privacy Impacts Internet Use, Economy, Says NTIA Survey + (May. 16, 2016)

A recent study by the National Telecommunications and Information Administration found that nearly half of Internet users in the US refrained from online activities due to privacy and security concerns. Identity theft was the top concern, cited by 63 percent of respondents, followed by financial fraud, noted by 45 percent. Nearly a quarter of Americans cited concerns about online tracking. “In addition to being a problem of great concern to many Americans, privacy and security issues may reduce economic activity and hamper the free exchange of ideas online,” NTIA concluded. EPIC has supported enactment of the Consumer Privacy Bill of Rights and recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.

Supreme Court Remands Consumer Privacy Case for Further Consideration + (May. 16, 2016)

The Supreme Court has ruled in Spokeo v. Robins, a case brought under the Fair Credit Reporting Act concerning the sale of inaccurate personal data. The Court said it was necessary to determine whether plaintiffs injuries were sufficiently "concrete." Justice Ginsburg, in a dissenting opinion, wrote that remand was unnecessary, "Spokeo's misinformation 'cause[s] actual harm to [his] employment prospects.'" EPIC filed an amicus brief, joined by thirty-one technical experts and legal scholars, citing the national epidemic of data breaches. EPIC wrote  this is "not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress."

EPIC Urges Senate to Back Comprehensive Communications Privacy Protection + (May. 10, 2016)

EPIC has sent a letter to the Senate Judiciary Committee in advance of a hearing on "Examining the Proposed FCC Privacy Rules." EPIC pointed to growing public concerns about the loss of privacy and the need to update federal privacy laws. EPIC explained that the neither Federal Communications Commission or the  Federal Trade Commission has done enough to safeguard consumer privacy. EPIC warned that the "failure to modernize our privacy law is imposing an enormous cost on American consumers and businesses."

NY Attorney General Reports 40% Increase in Data Breaches + (May. 5, 2016)

New York Attorney General Eric Schneiderman announced that his office has received 459 notices of data breaches impacting New Yorkers so far in 2016, representing a 40 percent increase over the same period last year. The office expects to receive a record-setting thousand notices or more this year. "Data breaches are an escalating threat to our personal and national security, and companies need to do more to ensure reasonable security practices and best standards are in place to protect our most sensitive information," said Schneiderman. EPIC recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.

FTC Increases Scrutiny of Google's Practices, Implicating Antitrust and Privacy Interests + (Apr. 27, 2016)

The FTC has reportedly expanded its investigation into Google's use of the Android operating system to exclude or demote competing services. The Commission’s increased scrutiny comes shortly after the European Commission filed formal antitrust charges against Google. Last fall, the FTC began looking at whether Google unfairly prioritizes its own products after earlier ending a similar investigation in 2012 though staff recommended litigation. EPIC previously urged the Senate and the FTC to investigate Google's dominance of essential Internet services, warning that monopoly practices implicate privacy interests. EPIC had opposed Google's acquisition of online advertiser Doubleclick, which the FTC approved over the objection of Commissioner Pamela Harbor, who cited the connection between monopoly practices and privacy violations.

Google Wants User Data, Opposes FCC Privacy Rules + (Apr. 27, 2016)

Google has opposed new privacy rules for consumer data even as it backed the FCC's proposal to open up the set-top box. Google described new privacy safeguards as “unnecessary." The FCC’s proposal would allow Google to gain access to the TV market and consumer viewing data. EPIC has urged the FCC to enforce strong privacy rules for all companies seeking access to user data.

EPIC Urges FCC to Fully Enforce Cable Privacy, Extend Rules to All Set-Top Boxes + (Apr. 25, 2016)

In comments filed with the FCC on a proposal to unlock the set-top box market to retail manufacturers, EPIC urged the Commission to apply the Cable Act's privacy rules directly to all companies with access to cable subscriber data. EPIC explained that the Cable Subscriber Privacy Rules are "an effective model for privacy rules in the commercial sector, particularly concerning the collection of data about cable programming." However,  the FCC must clarify and enhance enforcement of these rules to address current business practices. EPIC has defended consumer privacy at the FCC for almost 20 years.

EPIC Defends Right of Data Breach Victims to Bring Suit + (Apr. 19, 2016)

EPIC has filed an amicus brief urging a federal appeals court to overturn a decision that limits the ability of data breach victims to sue. The plaintiffs sued a payroll company after their Social Security Numbers and other identifying information were exposed. A lower court dismissed the case because fraudulent transactions had not yet occurred. EPIC argued that data breach victims can sue without having to wait for specific damages. EPIC cataloged the epidemic of data breaches in the US, and explained why companies should be liable when they fail to protect the consumer data they collect. EPIC regularly files briefs defending consumer privacy.

Senate Examines FTC's Antitrust Enforcement + (Apr. 13, 2016)

The Senate Judiciary Committee recently examined the scope and application of the FTC's Section 5 antitrust enforcement authority at the hearing "Section 5 and 'Unfair Methods of Competition': Protecting Competition or Increasing Uncertainty?" EPIC Advisory Board member Tim Wu testified in support of the agency's approach, which he called "an important protection for competition." EPIC has urged the FTC to use Section 5 authority to protect consumers, arguing against Google's acquisition of DoubleClick and Facebook's acquisition of WhatsApp. EPIC has also recommended a transparent process for evaluation of substantial changes in business practices by companies subject to FTC consent orders.

EPIC to FTC: Google's April Fool's Disaster Likely Violates Consent Order + (Apr. 1, 2016)

Google's April Fool's joke — a change in the operation of Gmail without user consent — has backfired, spectacularly. Many Gmail users inadvertently enabled the "Mic Drop" button on important emails, allowing Google to insert a GIF into their reply and then irreversibly mute the conversation. Users were outraged and Google reversed the change. EPIC informed the FTC that Google's prank also likely violates the FTC's 2011 consent order with the company following the rollout of Google Buzz. EPIC has repeatedly urged the FTC to enforce this consent order against Google, which requires the company to obtain "express affirmative consent" before changing its business practices.

FCC Moves Forward With Narrow Privacy Rules + (Mar. 31, 2016)

The Federal Communications Commission has voted to adopt a Notice of Proposed Rulemaking on consumer privacy regulations. The proposal follows Chairman Wheeler's earlier draft proposal, which EPIC explained was too limited to safeguard online privacy. During the vote, Commissioner Ajit Pai echoed EPIC's view that the rulemaking should not focus solely on ISPs. EPIC has argued that the FCC proposal ignores invasive practices by Internet firms, including search companies and social media firms that track and profile Internet users. EPIC previously urged the Commission to "address the full range of communications privacy issues facing US consumers" and to apply the Consumer Privacy Bill of Rights to communications data.

FTC Issues Warning on Cross-Device Tracking and Surveillance Apps + (Mar. 22, 2016)

The Federal Trade Commission has issued warnings to 12 Android app developers that use audio beacons to track consumers across their devices and monitor TV viewing habits. The smartphone apps contain Silverpush software that constantly listens for inaudible signals emitted by TV commercials and secretly collects and transmits viewing data. The announcement appears to be a response to two earlier complaints filed by EPIC with the Commission. EPIC previously urged the FTC to limit "cross-device tracking" technology that links consumers' smartphone activity with what they see on their laptop or television. EPIC also urged the FTC and the Department of Justice to investigate "always-on" consumer devices for possible violations of the Wiretap Act, state privacy laws, or the FTC Act.

EPIC Urges FCC to Broaden Scope, Substance of Draft Privacy Rules + (Mar. 20, 2016)

EPIC has released a memo on the FCC's draft broadband privacy rules, urging the Commission to broaden its scope and strengthen its substantive data protections. The draft rules, previewed in a fact sheet on March 10, 2016, would apply to Internet service providers (ISPs) but not to email, search, or social media services. EPIC explained that the proposal's "framing of the communications privacy challenges facing US consumers is incomplete and fails to address the full range of activities that threaten online privacy." EPIC further explained that the proposal's focus on "choice, transparency and security" will fail to safeguard consumer privacy. EPIC has urged the Commission to apply the Consumer Privacy Bill of Rights to communications data.

FCC to Consider Privacy Rules for ISPs + (Mar. 10, 2016)

The FCC will consider a proposal for consumer privacy regulations on March 31st. According to a fact sheet, the rulemaking will "apply the privacy requirements of the Communications Act" to broadband internet access services (ISPs) but not Internet websites, search services, and social media platforms. While ISPs are engaged in invasive consumer tracking and profiling practices, focusing only on these providers misses a vast amount of data collection activities by other service providers. In a previous letter to the FCC, EPIC urged the Commission to establish a broad framework for communications privacy, based on Fair Information Practices. Separately, EPIC filed a petition with the FCC, joined by 29 organizations, to end the mandatory retention of consumer data.

EPIC, Consumer Privacy Groups Urge FCC to Protect Consumer Privacy + (Mar. 7, 2016)

EPIC, joined by nearly a dozen consumer privacy groups, submitted a letter to the FCC reviewing the invasive consumer tracking and consumer profiling practices of Internet service providers (ISPs), which "underscore the imperative for the FCC to exercise the full extent of its rulemaking authority to protect consumer privacy." The letter explained why encryption and virtual private networks ("VPNs") are insufficient to protect consumers from ISP surveillance. The letter described how the Federal Trade Commission's reactive, "notice and choice" approach to privacy fails to provide meaningful protections for consumers. EPIC previously urged the FCC to undertake a broad rulemaking on "the full range of communications privacy issues facing US consumers." EPIC has worked with the FCC to promote consumer privacy in the communications field for more than 20 years.

EPIC Files Brief in Support of Apple and Consumers in FBI iPhone Case + (Mar. 3, 2016)

Today EPIC filed a "friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's challenge in the FBI iPhone case. In Apple v. FBI, EPIC argued that the "security features in dispute in this case were adopted to protect consumers from crime." EPIC explained that an order to compel Apple to take extraordinary measures to undo these features places at risk millions of cell phone users across the United States. EPIC routinely files amicus briefs in cases that raise novel privacy and civil liberties issues. EPIC has filed two briefs in the United States Supreme Court in the past year in cases concerning consumer privacy and also the Fourth Amendment.

EPIC Files Brief in Suit Over Faulty Background Checks + (Mar. 1, 2016)

EPIC has filed an amicus brief in Smith v. LexisNexis Screening Solutions. The case was brought by a job applicant who was denied employment after a background report incorrectly stated that he had a criminal record. A court found that LexisNexis had violated Fair Credit Reporting Act by failing to take reasonable steps to ensure "maximum possible accuracy" in the report. LexisNexis appealed. In the amicus brief, EPIC highlighted the industry practice of selling background reports with inaccurate information. EPIC argued that companies should be strictly liable when they fail to maintain accuracy in these reports. In 2005, EPIC filed a famous FTC complaint about the data broker ChoicePoint, which ultimately led to a $10 million dollar settlement.

California AG Releases 2016 Data Breach Report, Retail and Financial Sectors Most Vulnerable + (Feb. 18, 2016)

A new report from California Attorney General Kamala Harris examines data breaches in California from 2012 to 2015. There were 657 data breaches during the last four years, which compromised over 49 million records. The retail sector experienced the largest share of breaches at 25%, followed by the financial sector at 18%. Among several recommendations, the report recommends that organizations adopt strong encryption. "Government and the private sector have a shared responsibility to safeguard consumers from threats to their privacy, finances, and personal security," Attorney General Harris stated. The Attorney General received a 2015 EPIC Champion of Freedom Award. EPIC recently launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election.

EPIC and Consumer Privacy Groups File Brief Supporting FCC in Telephone Privacy Case + (Jan. 25, 2016)

EPIC and six consumer privacy organizations have filed a "friend-of-the-court" brief in support of the Federal Communications Commission in ACA International v. FCC. The case was brought against the FCC by industry groups charged with violating the Telephone Consumer Protection Act. The FCC had made clear that companies cannot make automated or prerecorded calls to consumers without their consent. EPIC argued in its brief that widespread adoption of cell phones "has amplified the nuisance and privacy invasion caused by unwanted calls and text messages." EPIC and the consumer organizations urged the federal court to uphold the FCC order safeguarding consumers.

Supreme Court Rules Settlement Offers Can't Moot Consumer Class Actions + (Jan. 20, 2016)

The Supreme Court has ruled that a company cannot terminate class action litigation by strategically making a settlement offer of full relief to individual plaintiffs. The case, Campbell-Ewald Co. v. Gomez, involved a consumer who refused to drop his Telephone Consumer Protection Act lawsuit in exchange for such an offer. The defendant company argued that the offer, which exceeded the statutory damages under the TCPA, mooted his case. The Justices disagreed, ruling 6-3 that "an unaccepted settlement offer has no force. Like other unaccepted contract offers, it creates no lasting right or obligation." EPIC routinely works to protect consumer privacy interests in class action settlements.

EPIC Urges FCC to Establish Communications Privacy Protections for Consumers + (Jan. 20, 2016)

EPIC has submitted a letter to the Federal Communications Commission urging the agency to undertake a rulemaking to protect the communications privacy of consumers. EPIC asked the FCC to explore "the full range of communications privacy issues facing US consumers." EPIC proposed that the FCC implement Fair Information Practices and the Consumer Privacy Bill of Rights; adopt data minimization requirements; promote Privacy-Enhancing Technologies; and require opt-in consent for the use or disclosure of consumer data. EPIC suggested that the FCC model its communications privacy rules on the Code of Fair Information Practices for the National Information Infrastructure. EPIC has worked with the FCC to promote consumer privacy in the communications field for more than 20 years.

Uber, New York AG Reach Settlement Over Rider Data Privacy Practices + (Jan. 7, 2016)

The New York Attorney General’s office has announced a settlement in its investigation of Uber’s collection and misuse of rider locational data, as well as its failure to provide timely notice of a data breach affecting 50,000 Uber drivers. The investigation was prompted by public outcry over Uber’s “God View” tool that allowed Uber employees to obtain a specific rider’s real-time and historic location data without permission. The settlement requires the Uber to encrypt rider locational data and enhance its data security. EPIC previously filed a complaint with the FTC, charging that Uber’s plan to track users and gather contact details is an unlawful and deceptive trade practice. In the Huffington Post, EPIC also recommended privacy law to regulate Uber and other companies in the ride-sharing industry.

FTC Issues Enforcement Policy Statement on Deceptive "Native" Advertising + (Dec. 22, 2015)

The FTC has issued an enforcement policy statement on the use of "native" advertisements and other deceptive advertising that appear to be non-advertising content. The FTC's statement affirmed that ads must clearly be identifiable to consumers as advertising and not editorial content. EPIC previously filed an amicus brief in Fraley v. Facebook objecting to Facebook's "Sponsored Stories" that implied the user endorsed the brand to their friends. EPIC's prior complaint to the FTC regarding Facebook's privacy practices helped establish privacy rules for the social media network.

EPIC Urges FTC to Protect Consumers Amid Surge in Cross-Device Tracking + (Dec. 17, 2015)

EPIC filed comments with the FTC on a new advertising practice with significant privacy implications. EPIC urged the FTC to limit "cross-device tracking," linking what a person types on their phone with what they see on their laptop or television. EPIC said the FTC should use its enforcement authority to investigate device tracking practices. EPIC also said the FTC should prohibit the cross-device tracking of minors. EPIC has played a leading role in developing the FTC's privacy authority. Several EPIC complaints are currently pending before the FTC, concerning "always on" devices, Uber's privacy policy, and Facebook's Psychological Study.

Senators Blumenthal, Markey Propose Do Not Track Legislation + (Dec. 17, 2015)

Sen. Richard Blumenthal and Sen. Edward Markey have introduced the Do Not Track Online Act of 2015, to limit online tracking. The bill directs the FTC to develop a simple Do Not Track mechanism that would allow consumers to stop companies from collecting their personal information. The bill authorizes the FTC and state attorneys general to bring enforcement actions against companies that refuse to honor consumers' requests. EPIC has previously said that an effective mechanism must ensure that a consumer's decision is "enforceable, persistent, transparent, and simple."

Wyndham Settles FTC Charges Over Failure to Safeguard Customer Data + (Dec. 9, 2015)

Wyndham Hotels has settled charges with the FTC that the company's data security practices unfairly exposed the financial data of hundreds of thousands of customers to hackers. Earlier this year, in FTC v. Wyndham, a federal appeals court upheld the FTC's authority to enforce data security standards. EPIC's amicus brief filed in Wyndham played an important role in defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." EPIC explained that data breaches, which have caused more than $500 million in damages last year alone, are one of the top concerns of American consumers.

Administrative Decision Tosses LabMD Data Security Case + (Nov. 21, 2015)

An administrative law judge has dismissed an FTC complaint alleging that LabMD failed to provide reasonable data security for personal information. The admin judge found that the FTC's regulation of unfair trade practices requires a showing that consumer harm was "probable," not just "possible." The decision--which is not binding on federal or state courts--leaves in place the decision in FTC v. Wyndham, which held that the FTC can enforce data security standards. EPIC filed an amicus brief in Wyndham, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards."

Not So Picture Perfect: Snapchat Will Store User Content Forever + (Nov. 2, 2015)

Snapchat, a popular mobile app that promised "to vanish" user messages, photos, and videos, will now store user content forever, following changes to its terms and conditions. Snapchat now claims the right to "host, store, use, display, reproduce, modify, . . .and publicly display" users' content forever. This change may violate the 2014 consent order with the Federal Trade Commission, which prohibits Snapchat from making false claims about how the company protects user information. The FTC's 2014 consent order resulted from EPIC's complaint which stated that the company violated Section 5 because "Snapchat photos and videos remain available to others even after users are informed that the photos and videos have been deleted."

EPIC Pursues Investigation of FTC's 2012 Investigation of Google + (Mar. 26, 2015)

EPIC has filed a FOIA request with the Federal Trade Commission, reopening a 2013 FOIA request from EPIC regarding the Commission's Google antitrust investigation. After the agency closed the investigation in 2013, EPIC asked for agency communications with the White House. The FTC denied having any such records. Now, the Wall Street Journal has reported that the Chairman of the FTC attended White House meetings on the same day as Google lobbyists. EPIC also filed a request this week for the FTC staff reports recommending that the agency file an antitrust lawsuit against Google.

Senators Propose Law to Regulate Data Broker Industry + (Mar. 5, 2015)

Senators Markey, Blumenthal, Whitehouse and Franken have introduced the Data Broker Accountability and Transparency Act. The bill would give consumers the right to access their personal information held by data brokers and stop data brokers from disclosing or selling that information to others. Senator Markey said, "The era of data keepers has given way to the era of data reapers." In 2005, EPIC testified before Congress on "Identity Theft and Data Broker Services" and urged the regulation of data brokers following the disclosure that Choicepoint sold personal information to identity thieves. EPIC's FTC complaint lead to a $10 million settlement with Choicepoint.

White House (Commerce Dept.) Privacy Bill Not Helpful, Unworkable + (Mar. 2, 2015)

The White House has released a consumer privacy proposal, prepared by the Commerce Department. The bill falls far short of the recommendations for a “Consumer Privacy Bill of Rights” set out by President Obama in 2012 and broadly supported by consumer organizations. The draft proposal lacks meaningful protections for consumers, would preempt stronger state laws, and create unnecessary regulatory burdens for businesses. EPIC has long recommended enactment of consumer privacy legislation based on “Fair Information Practices,” the basic framework for modern privacy law.

Obama Announces New Consumer Privacy Initiatives + (Jan. 12, 2015)

Today the President announced several initiatives to help protect consumer privacy following many, many data breaches. The President will move forward the Consumer Privacy Bill of Rights, a model framework for federal consumer privacy legislation, that EPIC supported in comments to executive agencies, legislators, and the White House. The President also proposed that financial firms disclose credit scores and that Congress enact the Student Digital Privacy Act based on "Fair Information Practices."

EPIC's Snapchat Privacy Complaint Results in 20-Year FTC Consent Order + (May. 8, 2014)

Following a 2013 EPIC complaint, the FTC has signed a consent order with Snapchat, the publisher of a mobile app that encourages user to share intimate photos and videos. Snapchat claimed that pictures and videos would "disappear forever." However, the images could be retrieved by others. As EPIC wrote in the complaint "Snapchat photos and videos remain available to others even after users are informed that the photos and videos have been deleted." In announcing the settlement, FTC Chairwoman Edith Ramirez said, "If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises. Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action." Under the settlement, Snapchat will be subject to 20 years of privacy audits, and will be prohibited from making false claims about its privacy policies. EPIC pursued similar claims involve false promises about data deletion with AskEraser. The FTC will be accepting Public Comments on the proposed Snapchat consent order. For more information, see EPIC: In re Google, EPIC: In re Facebook and EPIC: FTC.

EPIC Urges FTC Investigation of WhatsApp Sale to Facebook + (Mar. 6, 2014)

EPIC has filed a complaint to the Federal Trade Commission concerning Facebook's proposed purchase of WhatsApp. WhatsApp is a messaging service that gained popularity based on its strong pro-privacy approach to user data. WhatsApp currently has 450 million active users, many of whom have objected to the proposed acquisition. Facebook regularly incorporates data from companies it has acquired.The Federal Trade Commission has previously responded favorably to EPIC complaints concerning Google Buzz, Microsoft Passport, Changes in Facebook Privacy Settings, and Choicepoint security practices. However, the FTC approved Google's acquisition of Doubleclick over EPIC's objection. Facebook is currently under a 20 year consent decree from the FTC that requires Facebook to protect user privacy and to comply with the US-EU Safe Harbor guidelines. For more information, see EPIC: In re Google Buzz, EPIC: Microsoft Passport, EPIC: In re Facebook, and Privacy? Proposed Google/DoubleClick Merger.

EPIC Files Amicus Brief in Facebook Consumer Privacy Case, Urges Rejection of Settlement + (Feb. 21, 2014)

EPIC has filed a amicus brief urging a federal appeals court to overturn a controversial consumer privacy settlement. If the Fraley v. Facebook settlement is approved, Facebook will display the images of Facebook users, including young children, for commercial endorsement without consent. Facebook users opposed "Sponsored Stories" and several have formally objected to the settlement, including a children's advocacy organization which said that the "settlement is actually worse than no settlement." The MacArthur Foundation also withdrew stating it should not have been designated to receive funds. EPIC's amicus brief in support of the objectors explains that the settlement is unfair to Facebook users and should be rejected. EPIC also notes that Chief Justice Roberts expressed concerns about a similar privacy settlement involving Facebook. EPIC and a coalition of consumer privacy organizations filed an extensive complaint with the Federal Trade Commission that eventually required Facebook to improve its privacy practices. For more information, see EPIC: In re Facebook and EPIC: Fraley v. Facebook.

Justice Department Restores Antitrust Enforcement + (May. 11, 2009)

Speaking at the Center for American Progress, Assistant Attorney General Christine Varney announced that the Antitrust Division will be "aggressively pursuing cases where monopolists try to use their dominance in the marketplace to stifle competition and harm consumers." Ms. Varney withdrew a 2008 Department report on monopolization offenses that generally allows monopoly practices to go unchallenged. In 2007, EPIC objected to the merger of Internet advertisers Google and Doubleclick, arguing that it was vital to impose privacy safeguards and to preserve a advertising options for web publishers. More information, see EPIC, "Privacy? Proposed Google/Doubleclick Deal."

Background

In 1995, the FTC held a series of hearings on "Global and Innovation-Based Competition" under then-Chairman Robert Pitofsky. EPIC participated in those hearings and helped the FTC develop its authority to address emerging privacy issues.

Nearly 25 years later, the FTC will again address how advancements in technology and changes to the economy require the FTC to change its approach to consumer protection and competition. The FTC will solicit input from "outside experts representing a broad and diverse range of viewpoints" as part of the series of hearings.

FTC Chairman Joseph Simons stated, "The FTC has always been committed to self-examination and critical thinking, to ensure that our enforcement and policy efforts keep pace with changes in the economy. When the FTC periodically engages in serious reflection and evaluation, we are better able to promote competition and innovation, protect consumers, and shape the law, so that free markets continue to thrive."

In advance of the hearings, the FTC solicited public comment on the following topics:

The state of antitrust and consumer protection law and enforcement, and their development, since the Pitofsky hearings;

Competition and consumer protection issues in communication, information, and media technology networks;

The identification and measurement of market power and entry barriers, and the evaluation of collusive, exclusionary, or predatory conduct or conduct that violates the consumer protection statutes enforced by the FTC, in markets featuring "platform" businesses;

The intersection between privacy, big data, and competition;

The Commission's remedial authority to deter unfair and deceptive conduct in privacy and data security matters;

Evaluating the competitive effects of corporate acquisitions and mergers;

Evidence and analysis of monopsony power, including but not limited to, in labor markets;

The role of intellectual property and competition policy in promoting innovation;

The consumer welfare implications associated with the use of algorithmic decision tools, artificial intelligence, and predictive analytics;

The interpretation and harmonization of state and federal statutes and regulations that prohibit unfair and deceptive acts and practices; and

The agency's investigation, enforcement, and remedial processes.

The hearings are scheduled to begin in September 2018 and are expected to continue through January 2019, consisting of 15 to 20 public sessions. The FTC is inviting public comment on the hearings in three stages:

Through August 20, 2018, the FTC will accept public comment on the topics identified in the announcement

Additionally, the FTC will invite comments on the topic of each hearing session.

Finally, the FTC will invite comments upon completion of the entire series of hearings.

Resources

• Federal Trade Commission, "FTC Announces Hearings On Competition and Consumer Protection in the 21st Century," Press Release (Jun. 20, 2018)
• Comments of EPIC, "FTC Releases Draft Strategic Plan for Fiscal Years 2018 to 2022," (Dec. 5, 2017)
• Comments of EPIC, Cross-Device Tracking Workshop, (Dec. 16, 2015)
• Comments of EPIC, "Assessment of the FTC's Prior Actions on Merger Review and Consumer Privacy" (Mar. 17, 2015)
• Comments of EPIC, "On the Privacy and Security Implications of the Internet of Things," (Jun. 1, 2013)
• P Jones Harbour, Dissenting Statement In the Matter of Google/DoubleClick, FTC File No 071-0170 (2007)
• European Data Protection Supervisor (EDPS), Privacy and Competitiveness in the Age of Big Data: The Interplay Between Data Protection, Competition law and Consumer Protection in the Digital Economy (Preliminary Opinion), EDPS/2014/06 (2014) 30.
• Tim Wu, The Master Switch: The Rise and Fall of Information Empires, Vintage 2011
• Shoshana Zuboff, The Age of Surveillance Capitalism, Public Affairs 2018