Newsroom

Washington, DC: The key framework that is supposed to protect EU citizens’ privacy when their data is collected by U.S. companies—known as the U.S.-EU Safe Harbor—is failing to provide them the safeguards that were promised, according to a complaint filed today by a leading U.S. consumer privacy group—the Center for Digital Democracy (CDD). The complaint, filed at the U.S. Federal Trade Commission (FTC), details how these companies are compiling, using, and sharing EU consumers’ personal information without their awareness and meaningful consent, in violation the Safe Harbor framework. Overseen by the U.S. Department of Commerce, the Safe Harbor is based on a voluntary “self-certification” process, in which companies that promise to provide clear “notice” (of their data-collection practices and data uses) and “choice” (giving consumers the opportunity to “opt out” of practices they did not previously agree to) are then allowed to collect information from European consumers without strictly following the EU’s higher data-protection standards. The EU has itself recognized that the current Safe Harbor regime is inadequate, and has called for its revision. CDD’s filing at the FTC, which is the agency that is supposed to ensure that the Safe Harbor system protects EU consumers’ privacy, calls for an investigation of 30 companies involved in data profiling and online targeting, including data brokers that have compiled vast amounts of sensitive information on individual consumers; data management platforms that allow their corporate clients to analyze their own consumer information and combine it with outside data sources to produce detailed marketing insights; and mobile marketers that track devices and tie them to user profiles in order to identify the most profitable consumers for personalized advertising. “The U.S. is failing to keep its privacy promise to Europe,” said Jeff Chester, CDD’s executive director. “Instead of ensuring that the U.S. lives up to its commitment to protect EU consumers, our investigation found that there is little oversight and enforcement by the FTC. The Big Data-driven companies in our complaint use Safe Harbor as a shield to further their information-gathering practices without serious scrutiny. Companies are relying on exceedingly brief, vague, or obtuse descriptions of their data collection practices, even though Safe Harbor requires meaningful transparency and candor. Our investigation found that many of the companies are involved with a web of powerful multiple data broker partners who, unknown to the EU public, pool their data on individuals so they can be profiled and targeted online.” Although the companies cited for FTC investigation differ in their various approaches to data collection for the purposes of profiling and targeting individual consumers, the filing identified five broad concerns that illustrate the inadequacy of the Safe Harbor regime: (1) the failure of Safe Harbor declarations and required privacy policies in particular to provide accurate and meaningful information to EU consumers; (2) an overall lack of candor from the companies about the nature of their data collection apparatus, including their networks of data broker partners and even their corporate affiliations; (3) the general failure to provide meaningful opt-out mechanisms that EU consumers can find and use to remove themselves fully from privacy-harming data collection and processing; (4) the myth of “anonymity” at a time when marketers—armed with vast amounts of details about consumers’ personal needs and interests, employment and social status, location and income—do not need-to-know one’s name in order to track and target that particular individual online; and (5) the false claim made by several companies named in the complaint that they act as “data processors” on behalf of others, when in fact they play a central role in bringing the power of their Big Data-driven services to bear on consumer profiling and targeting. As CDD Legal Director Hudson Kingston explained, “CDDs complaint describes the systemic failure of the Safe Harbor to function as it was intended. Companies are flouting standards that the Department of Commerce agreed to and the Federal Trade Commission pledged to enforce. Safe Harbor has to be overhauled to make sure it actually works; until that time, it should be suspended. We call on the FTC to investigate and sanction the companies named in our complaint. The fundamental privacy right of 500 million Europeans has been ignored and must be acknowledged and protected going forward.” “The U.S. and EU are currently negotiating a trade agreement that will enable U.S. companies to gather even more data on Europeans,” Chester added. “Reform of Safe Harbor is urgently required before it becomes a ‘Get Out of Protecting Privacy’ card used by American companies under the forthcoming Transatlantic Trade and Investment Partnership (T-TIP).” The 30 companies cited in CDD’s filing include Acxiom, Adara Media, Adobe, Adometry, Alterian, AOL, AppNexus, Bizo, BlueKai, Criteo, Datalogix, DataXu, EveryScreen Media, ExactTarget, Gigya, HasOffers, Jumptap, Lithium, Lotame, Marketo, MediaMath, Merkle, Neustar, PubMatic, Salesforce.com, SDL, SpredFast, Sprinklr, Turn, and Xaxis. The Center for Digital Democracy is a nonprofit group working to protect the public in the digital era from unfair practices that threaten their privacy, especially in the financial and health sectors. --30--

Today was the deadline (link is external) for Comments to be filed in the President's Big Data and privacy proceeding. CDD filed the attached comments, and also joined with a NGO coalition on thie issue representing the civil rights, consumer and privacy communities. CDD's filing urged the following:The Obama Administration should offer legislation that ensures its Consumer Privacy Bill of Rights framework actually provides individuals with the control over how their personal information is collected and used. Individuals should have the ability to make meaningful decisions about their information, regardless of whether it is collected by a social network, mobile operator, app network, financial institution, etc.Legislation should provide regulatory rulemaking authority to the Federal Trade Commission (FTC) on consumer privacy issues to develop these new rights. Legislation should require the FTC to conduct the necessary proceedings leading to a rulemaking within one year from the enactment of legislation. The same legislation should also call on agencies that currently have rulemaking authority, including the Consumer Financial Protection Bureau (CFPB), the Federal Communications Commission (FCC) and the Food and Drug Administration (FDA), to immediately initiate proceedings on consumer financial, telecommunications, and digital health privacy, respectively. Other agencies with sectorial authority on privacy issues not covered by the FTC and others should also be mandated to develop regulations.The current “multistakeholder” process convened by the NTIA should be replaced by the relevant agency rulemakings. The legislation should acknowledge the threats that much of Big Data-related collection pose to Americans today, and strongly state that it is in the best interests of the nation that businesses refrain from their current practice of ubiquitous data collection and profiling. It should accept that self-regulation has failed.The FTC, CFPB, FCC, and FDA should be mandated to report to the Nation, within six months after legislation is enacted, on how commercial Big Data practices are currently being used in ways that may be harmful to the public and not in the national interest. These reports should identify how current practices can discriminate against Americans, based on their race/ethnicity, sexual orientation, income status, age, residence, and other key variables.Based on these reports, the agencies will propose special regulatory safeguards as required to address sensitive data concerns.

"Amazon’s policies of making it simple for children to accidentally spend hundreds of dollars in a “kids” app, and its apparent refusal to refund the money to complaining parents, are irresponsible and unfair. Today’s FTC action shows that consumers who have been charged for their kids unauthorized in-app purchases should not have to foot the bill. Amazon’s failure to deal fairly with people who purchased its devices and use its apps suggests it places making money as quickly as possible over serving the interests of their consumers. As Amazon gears up to release a new phone, and expands its impact on the mobile industry and consumers, the FTC’s complaint should serve as a wake-up call for better corporate ethics.” Hudson B. Kingston Legal Director Center for Digital Democracy

As part of the Children's Online Privacy Protection Act (COPPA), the federal law protecting the digital privacy of kids 12 and under (and which empowers parents or other key caregivers to control the data collected from children), a so-called "Safe Harbor" system was created. The theory being that companies joining a FTC approved Safe Harbor regime, which is commited to ensuring meaningful compliance with COPPA, is an effective way to have companies follow the law. Yesterday was the deadline for Safe Harbor reports to be submitted to the FTC, and the first once since the new stronger safeguards on COPPA (covering multiple devices and applications, for example), went into effect. CDD has many concerns about how COPPA Safe Harbor is working, which we have explained to the FTC. Our legal and research team is focusing on how these Safe Harbor systems actually operate--so expect to see this issue heat up in next year. We requested all the Safe Harbor reports, including from the: kidSAFE Seal Program, Aristotle International Inc., Children’s Advertising Review Unit (CARU), Entertainment Software Rating Board (ESRB), Privacy Vaults Online, Inc. (PRIVO), and TRUSTe. Here's a statement from Eric Null, staff attorney at the Institute for Public Representation at Georgetown University Law Center. Eric serves as counsel to CDD: "The safe harbor annual reports provide vital information about the conduct of the COPPA safe harbor programs. Without seeing these reports, parents and the public will remain uninformed about how effective the safe harbors are at protecting children against harmful online data practices. Jeff Chester, CDD's executive director, explained that this work is part of our ongoing "Unsafe Harbor" consumer and privacy protection initiative, which is also examining how the U.S. protects the privacy of European citizens through a Safe Harbor program operated by the Department of Commerce.

The Federal Trade Commission has issued a powerful and disturbing privacy wake-up call. The report reveals the largely invisible Big Data-driven complex that regularly spies on every American, comprehensively following our activities both online and off. It delivers a critical “black eye” to the data-broker industry, which has cynically expanded its surveillance on Americans without regard to their privacy. Unlike the White House’s Big Data reports issued earlier this month, the FTC study provides a much more realistic—and chilling—analysis of an out-of-control digital data collection industry. However, the commission’s calls for greater transparency and consumer control are insufficient. The real problem is that data brokers—including Google and Facebook—have embraced a business model designed to collect and use everything about us and our friends—24/7. Legislation is required to help stem the tide of business practices purposefully designed to make a mockery of the idea of privacy for Americans.******Here are the key findings from the FTC report that illustrate how the data industry requires major reform:VIII. FINDINGS AND RECOMMENDATIONS This report reflects the information provided in response to the Orders issued to nine data brokers, information gathered through follow-up communications and interviews, and information gathered through publicly available sources. Based primarily on these materials about a cross-section of data brokers, the Commission makes the following findings and recommendations: A. Findings 1. Characteristics of the Industry ⊲⊲ Data Brokers Collect Consumer Data from Numerous Sources, Largely Without Consumers’ Knowledge: Data brokers collect data from commercial, government, and other publicly available sources. Data collected could include bankruptcy information, voting registration, consumer purchase data, web browsing activities, warranty registrations, and other details of consumers’ everyday interactions. Data brokers do not obtain this data directly from consumers, and consumers are thus largely unaware that data brokers are collecting and using this information. While each data broker source may provide only a few data elements about a consumer’s activities, data brokers can put all of these data elements together to form a more detailed composite of the consumer’s life. ⊲⊲ The Data Broker Industry is Complex, with Multiple Layers of Data Brokers Providing Data to Each Other: Data brokers provide data not only to end-users, but also to other data brokers. The nine data brokers studied obtain most of their data from other data brokers rather than directly from an original source. Some of those data brokers may in turn have obtained the information from other data brokers. Seven of the nine data brokers in the Commission’s study provide data to each other. Accordingly, it would be virtually impossible for a consumer to determine how a data broker obtained his or her data; the consumer would have to retrace the path of data through a series of data brokers. ⊲⊲ Data Brokers Collect and Store Billions of Data Elements Covering Nearly Every U.S. Consumer: Data brokers collect and store a vast amount of data on almost every U.S. household and commercial transaction. Of the nine data brokers, one data broker’s database has information on 1.4 billion consumer transactions and over 700 billion aggregated data elements; another data broker’s database covers one trillion dollars in consumer transactions; and yet another data broker adds three billion new records each month to its databases. Most importantly, data brokers hold a vast array of information on individual consumers. For example, one of the nine data brokers has 3000 data segments for nearly every U.S. consumer. ⊲⊲ Data Brokers Combine and Analyze Data About Consumers to Make Inferences About Them, Including Potentially Sensitive Inferences: Data brokers infer consumer interests from the data that they collect. They use those interests, along with other information, to place consumers in categories. Some categories may seem innocuous such as “Dog Owner,” “Winter Activity Enthusiast,” or “Mail Order Responder.” Potentially sensitive categories include those that primarily focus on ethnicity and income levels, such as “Urban Scramble” and “Mobile Mixers,” both of which include a high concentration of Latinos and African Americans with low incomes. Other potentially sensitive categories highlight a consumer’s age such as “Rural Everlasting,” which includes single men and women over the age of 66 with “low educational attainment and low net worths,” while “Married Sophisticates” includes thirty-something couples in the “upper-middle class . . . with no children.” Yet other potentially sensitive categories highlight certain health-related topics or conditions, such as “Expectant Parent,” “Diabetes Interest,” and “Cholesterol Focus.” ⊲⊲ Data Brokers Combine Online and Offline Data to Market to Consumers Online: Data brokers rely on websites with registration features and cookies to find consumers online and target Internet advertisements to them based on their offline activities. Once a data broker locates a consumer online and places a cookie on the consumer’s browser, the data broker’s client can advertise to that consumer across the Internet for as long as the cookie stays on the consumer’s browser. Consumers may not be aware that data brokers are providing companies with products to allow them to advertise to consumers online based on their offline activities. Some data brokers are using similar technology to serve targeted advertisements to consumers on mobile devices.

Statement from Hudson Kingston, CDD Legal Director: CDD filed comments with the FTC on a proposed new COPPA safe harbor that would be run by iKeepSafe. The COPPA Rule allows entities that want to become a safe harbor to apply to formally certify that “operators” covered by the law are complying with all of its requirements. As such, it is imperative that each safe harbor ensure compliance by participating companies. CDD’s comments outline two major deficiencies in the application: the application, far from proving that the safe harbor will be properly staffed and show the requisite expertise and technical skill needed to do the job, suggests that this safe harbor is incapable of doing the job, since it does not demonstrate necessary expertise and institutional capacity to apply COPPA; secondly, the application is not as stringent as the COPPA Rule because it weakens operators’ legal duties and potentially muddles key regulatory standards. Such changes in operators’ COPPA duties making them less stringent or ambiguous suggests a safe harbor could be planning to provide lesser protection than the law—the COPPA Rule forbids such backsliding. “FTC should not approve safe harbor applications unless it is absolutely clear that the proposed safe harbor will provide equal or better protection of children’s information than the COPPA Rule, and this proposed system would fall far short of the standard,” said CDD’s legal director, Hudson Kingston. “Unless the existing and new safe harbors are held to an exacting standard the law will be undercut by inadequate enforcement—as the agency responsible for COPPA, FTC must not allow self regulation to work against its intended purpose.” and from Jeff Chester: Beyond the technical matters we raise in the attached comments, I also want to point out a few other issues. First, iKeepSafe claims on its website they "partner" (link is external)with the Federal Trade Commission. Here's what they say: NATIONAL GOVERNMENT PARTNERS FEDERAL TRADE COMMISSION (FTC) iKeepSafe is a contributor to the FTC’s NetCetera and a member of the Ad Council’s Internet Safety Coalition. As if somehow the Ad Council is the same as the FTC! Such a statement is misleading to parents. It's also noteworthy to point to their "corporate partners," (link is external) many of whom are major digital data collection companies with a stake in the youth targeting industry. They include AOL, (link is external) ATT, (link is external) Comcast, (link is external) Facebook (link is external), Fox (link is external), Google (link is external), McDonald's (link is external), Verizon (link is external)and Yahoo (link is external).

General Mills has changed its privacy policy (link is external) to say, according (link is external) to the New York Times, so consumers now "give up their right to sue the company if they download coupons, “join” it in online communities like Facebook, enter a company-sponsored sweepstakes or contest or interact with it in a variety of other ways.Instead, anyone who has received anything that could be construed as a benefit and who then has a dispute with the company over its products will have to use informal negotiation via email or go through arbitration to seek relief, according to the new terms posted on its site." General Mills uses a wide range of digital media, including Facebook (link is external), mobile marketing (link is external), apps, (link is external) digital discount (link is external)coupons, contests (link is external) to help schools (Boxtops for Education), YouTube (link is external), Twitter, (link is external) specialized "target" marketing to Hispanics (link is external) and more as part of its marketing campaigns. Is it now saying that if a consumer wants to take advantage of any of the online offers that General Mills deliberately promotes, they must give up their consumer rights? And have you looked at its privacy (link is external)policy, where even teens can be targeted online, and which acknowledges that its partners may track you using behavioral eavesdropping tactics? However, this incident helps to uncover how food marketing companies are engaged in largely stealth digital tactics that unfairly collect our information, including from young people. Here are key and revealing excerpts from the General Mills privacy policy: Information we collect We may collect information about you (and the computer or device you use to access our Site) in a variety of ways: You may directly provide information to us You may choose to allow a social networking service to share information with us We may gather other information when you visit our Site or other services, or when you view our online ads We may obtain additional information about you from other sources where permitted by law... Information from social networking services If you choose to access or make use of third-party social networking services (such as Facebook or Twitter), we may receive personal information about you that you have made available to those services, including information about your contacts on those services. For example, some social networking services allow you to push content from our Site to your contacts or to pull information about your contacts so you can connect with them on our Site. Some social networking services also will facilitate your registration or log-in for our Site or enhance or personalize your experience on our Site. Your decision to use a social networking service will always be voluntary. However, you should make sure you are comfortable with the information social networking services may make available to our Site by visiting those services’ privacy policies. Information we gather when you visit our Sites, or when you view our online ads When you visit or use our Sites, or when you view our online ads, we may use cookies, web beacons, or other technologies to collect information about your computer or device and your online activity. The following are examples of the types of information we may collect in this way: Device type (such as desktop, tablet, or mobile device) Browser type (such as Internet Explorer) Operating system (such as Windows) IP address, MAC address, device ID, installed fonts, or similar information Websites or online services you visit before or after our Site Your interaction with our Site (such as the links you click and the pages and items you view) Whether you open or forward our emails or click on elements within these emails Information we may obtain from other sources We may obtain information about you from other sources, such as public databases, other brands and groups within General Mills, data aggregators, and other commercially available sources. This information may include: Name Email address Social networking user IDs Postal address Phone number Age Gender Demographic information Marital status and number and age of children Income level Purchasing behavior Interests, hobbies, and product preferences Interactions with media or advertising Publicly observable activities (such as blogs and online postings) Other information that has been collected by other brands or businesses within the General Mills family of companies... Cookies used for online behavioral advertising – and your choice to opt out Third parties that are involved in serving other companies’ advertising on our sites, or that are involved in determining which advertisements to show you on third-party websites, may use cookies to collect information about your online activities, such as the advertisements you have seen or the websites or pages you have visited, in order to draw inferences about what advertising might be relevant to you. These third parties may use the information gathered through these cookies to show you advertising they believe to be most relevant to you when you visit other websites not belonging to us. This practice is called “online behavioral advertising.” You have the ability to opt out of allowing these third parties to use cookies for online behavioral advertising by clicking here (link is external).

The Federal Trade Commission's Bureau of Consumer Protection sent a letter (link is external) to Facebook and Whatsapp [attached] requiring the companies to honor the latter's privacy promises (no advertising, highly limited data collection etc). Facebook is in the process of acquiring Whatsapp. The Electronic Privacy Information Center (EPIC) and CDD sent (link is external) two letters to the FTC urging the commission to address the privacy implications of the pending merger. The FTC's letter states that [excerpt]: WhatsApp has made a number of promises about the limited nature of the data it collects, maintains, and shares with third parties -promises that exceed the protections currently promised to Facebook users. We want to make clear that, regardless of the acquisition, WhatsApp must continue to honor these promises to consumers. Further, if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC's order against Facebook. Jeff Chester CDD's executive Director said: "We believe that despite claims that they would preserve Whatsapp's more privacy-friendly approach, the ultimate plan was to expand its mobile data collection practices and fully integrate it into Facebook. Facebook's future depends on its ability to successfully grow its mobile advertising, commerce, and payment applications. It did not spend $19 billion without planning to reap huge financial rewards by turning Whatsapp into an effective monetization machine for Facebook. The FTC is to be commended for sending a very strong signal that they will hold Facebook and Whatsapp accountable for their promises. The commission's action has likely spoiled, for now, the plans Facebook has developed to turn its $19b shopping spree into even more digital gold for themselves." News reports say that the FTC has approved Facebook's deal with Whatsapp. But the commission's letter clearly connects the privacy concerns that EPIC and CDD raised that should be addressed in its merger review.

Twenty-eight consumer, child advocacy and public health groups submitted this letter today to President Obama's review on "Big Data" team. Among the groups signing the letter included the African American Colloboraative Obesity Research Network, American Academy of Child & Adolescent Psychiatry, Consumers Union, Children Now, Common Sense Media, CFA, Interfaith Center on Corporate Responsibility, Momsrising, National Consumers League, Praxis Project and Salud America! "A broad coalition of child, public health and consumer advocacy groups have come together to send a strong message that children and adolescents need serious protections in this age of Big Data, " explained CDD's associate director Joy Spencer. "The White House should adopt recommendations that ensure that this vulnerable group is protected from Big Data practices that undermine their health, well being and privacy."

Today is the deadline for Comments to be filed for the White House's forthcoming report on "Big Data." NGOs pressed the Administration to include public comments during its 90-day inquiry that is led by Senior WH Counselor John Podesta. Our comments are attached. Here's an excerpt: The inability to implement basic privacy rules in the United States to address Internet data collection practices has resulted in the ubiquitous commercial surveillance landscape that today threatens the privacy of Americans—as well as those in the European Union and other countries where U.S. companies collect and transport their information...CDD believes the Big Data report must address the realties of today’s commercial data gathering and analysis landscape. While we acknowledge the many positive uses of Big Data, and its potential, the Administration should not gloss over the threats as well. We fear that missing for the most part in the White House’s review will be a fact-based assessment of actual commercial data practices conducted by Google, Facebook, Yahoo, data brokers, and many others. Such a review would reveal an out-of-control commercial data collection apparatus, with no restraints, and which is leading to a commercial surveillance complex that should be antithetical in a democratic society. The report should show the consequences of such information gathering on Americans, where the data can be immediately made “actionable.” It should address the consequences when predictive analysis and other “insight” identification applications trigger real-time and future decisions about the products and services we are offered, the content we may receive, and even the online “experiences” with which we interact. The report should make clear how its Consumer Privacy Bill of Rights Principles should be interpreted when data collected from Americans are used to unfairly target them—and their families—for products and services that can be harmful to their well-being (such as the delivery of high-interest payday loans, promotion of questionable medical treatments, and the targeting of junk food ads to children, which contributes to the nation’s obesity epidemic). The filing covers 6 key issues: The Growth of Ubiquitous Cross-Platform and Across-Application Tracking of Individuals Online: The Emergence of Big-Data-derived Comprehensive Data Profiles on Individuals (Data Management Platforms): The Digital Data Collection Apparatus, Including the Use of Multiple Data Sources and the Real-time Buying and Selling of American Internet Users: The Growth of Commercial Digital Surveillance at the Community, Hyper-local Level: The Delivery of Financial, Health, and Other Products Linked to Sensitive Data and Uses that Raise Consumer Protection Concerns: The Failure of Industry Self-regulation and the Limits of the Multi-stakeholder Process:

Groups File Report with the White House “Big Data” Review Proceeding Washington, DC: U.S. PIRG Education Fund and the Center for Digital Democracy (CDD) released a comprehensive new report today focused on the realities of the new financial marketplace and the threats and opportunities its use poses to financial inclusion. The report examines the impact of digital technology, especially the unprecedented analytical and real-time actionable powers of “Big Data,” on consumer welfare. The groups immediately filed the report with the White House Big Data review headed by John Podesta, who serves as senior counselor to the President. The White House is to issue a report in April addressing the impact of “Big Data” practices on the public, including the possible need for additional consumer safeguards. In addition to the undeniable convenience of online and mobile banking, explains the report, the new financial environment poses a number of challenges, especially for lower-income consumers. Increasingly, the public confronts an invisible “e-scoring” system that may limit their access to credit and other financial services. “We are being placed under a powerful ‘Big Data’ lens, through which, without meaningful transparency or control, decisions about our financial futures are being decided,” the report explains. “Will big data tools be used to help banks and other financial firms offer lower-cost products that help the unbanked and underbanked join the insured financial system and build assets, or will big data simply make it easier for payday lenders and others seeking to extract money from consumers to win?” asked U.S. PIRG Education Fund Consumer Program Director Ed Mierzwinski. “We intend the report to stimulate a healthy debate among policymakers, industry and consumer and civil rights leaders.” Among the issues examined in the report, “Big Data Means Big Opportunities and Big Challenges: Promoting Financial Inclusion and Consumer Protection in the ‘Big Data’ Financial Era,” are the following:the plight of “underbanked and unbanked consumers,” who face special challenges in the new financial marketplace;the impact of data collection and targeted advertising on all Americans, most of whom have no idea that their personal data shape the offers they receive and the prices they pay online;the use of murky “lead generation” practices, especially by payday lenders and for-profit trade schools, to target veterans and others for high-priced financial and educational products; andthe need for new regulatory oversight to protect consumers from potentially discriminatory and deceptive practices online.The report, co-authored by Ed Mierzwinski, Consumer Program Director of the U.S. PIRG Education Fund, and CDD Executive Director Jeff Chester, reflects on the role that online financial marketing played in the recent economic crisis, and provides a blueprint for how such problems can be avoided in the future. “Technological advances that collect, analyze, and make actionable consumer data,” the report concludes, “are now at the core of contemporary marketing. The public is largely unaware of these changes and there are few safeguards in this new marketplace. Economically vulnerable consumers, and especially youth, will be continually urged to spend their limited resources. Conversely, there are opportunities to use the same tools to urge consumers to budget, save and build assets.” “Consumers increasingly face a far-reaching system that uses data about them to predict and determine the products and services they are offered in the marketplace. Federal safeguards that protect privacy and ensure members of the public are not subject to unfair and discriminatory financial practices are long overdue,” explained CDD’s Jeff Chester. “The White House ‘Big Data’ report should call for strong measures to ensure that the changing financial services marketplace operates in a fair and equitable manner.” A copy of the new report is available at www.democraticmedia.org and www.uspirgedfund.org (link is external) The Center for Digital Democracy is a nonprofit group working to educate the public about the impact of digital marketing on financial services, public health, consumer protection, and privacy. It has played a leading role at the FTC and in Congress to help promote the development of legal safeguards against behavioral targeting and other potentially invasive online data collection practices. U.S. PIRG Education Fund works to protect consumers and promote good government. We investigate problems, craft solutions, educate the public and offer Americans meaningful opportunities for civic participation.

Beginning a more informed discussion on the privacy and consumer protection implications of Facial Recognition Technology: NTIA Privacy Multi-stakeholder Process: The NTIA's present inquiry must be based on a solid foundation that objectively analyzes actual commercial FR developments, places its use in the context of the multi-dimensional and cross-platform contemporary data-driven practices, identifies its implications beyond consumer concerns to reflect upon its broader societal impact (such as civil liberties), and engages with legal frameworks or proposals that have or could address how FR should be properly regulated. Given that the focus of the Commerce Department-led proceeding is to help implement the Obama Administration’s Consumer Privacy Bill of Rights (CPBR), stakeholders should also address how FR should be dealt with in related legislation and identify the specific CPBR principles inherent in such a discussion (such as “Individual Control,” “Respect for Context,” “Accountability,” etc.). To help promote a more informed discussion of actual FR and related biometric data practices, CDD provides this overview on ten of the hundreds that could be cited. The report is attached.

EPIC and CDD filed this at the FTC today. Despite the protestations (link is external)of Whatsapp's founders, they cannot guarantee that Facebook won't eventually incorporate the rich vein of mobile, location and other data that flows from its services. If the Whatsapp founders are truly to commited to its user privacy, we ask them to enter into a voluntary 20 year consent decree with the FTC, placing on the record that they will maintain privacy practices without Facebook interference.

We were pleased to learn that the FTC filed an Amicus brief in the 9th Circuit yesterday to help create the misleading record Facebook created in the so-called "Sponsored Stories" case. CDD, along with Public Citizens and the Children's Advovacy Institute (U of San Diego) have been closely working together on the case, to support an outcome that provides the privacy safeguards teens require. Here's what CDD's attorney Hudson Kingston said about the FTC's filing: "The Federal Trade Commission's brief in this case is a major development for the protection of teenagers' privacy. Facebook's attorneys tried to get this settlement through by using a law meant to protect children to block state law protection of teens – now the agency made clear that this is a wrong reading of the law, this settlement clearly harms teenagers by ignoring their rights under state laws. States play a vital role protecting teens from privacy violations. Settlements that are based on illegality cannot stand. While the agency did not officially support either party, its reading of the law undermines one of Facebook’s key arguments that it can get out of this case without first addressing its weak privacy protections for teens. We hope that the Ninth Circuit accepts this authoritative view and throws out the settlement." The FTC's Amicus is attached. So is the State of California's amicus.

Here's a summary from our attorney Eric Null at Institute for Public Representation, Georgetown University Law Center: CDD filed its initial complaint against Disney and Marvelkids.com in December 2013. Shortly thereafter, Disney updated Marvelkids' nearly two-year-old privacy policy with Disney's company-wide policy. Apparently, Disney thought this would solve its COPPA-related issues, but our investigation shows that it did not. Our review showed multiple deficiencies, including insufficient notice of data collection and use, as well as continued ability to collect and use data for unlawful purposes. Further, its violations include allowing well-known third party behavioral advertisers, such as Omniture and TapJoy, to collect information from Marvelkids.com users--these practices may violate the COPPA Rule. CDD calls on the FTC to take a close look at the new policy and practices, and to investigate Marvelkids.com and all Disney-operated child-directed websites to ensure COPPA compliance. PS: Disney has challenged our complaint, suggesting we are interested in headlines. What CDD is interested in is meaningful compliance with the key law protecting privacy and empowering parents. CDD suggests Disney engage in a more serious review of its digital data collection system--something we expect FTC action to help spur.

Summary: These scores have long been an area of research interest for the non-partisan non-profit organizations U.S. PIRG and the Center for Digital Democracy. The growing use of so-called “e-scores” —a form of invisible (to the consumer) online ratings — can help determine our credit worthiness, “lifetime value,” or even the prices we pay. These e-scores can be used to blacklist or engage in discriminatory practices against individuals or even groups of consumers. We are aware that there are numerous online scores being generated for a variety of generally non-controversial uses, including predicting identity theft or fraud. However, we remain concerned that the largest and most important uses of online scoring are to substitute for the highly-regulated pre-screening regime that for years has governed the use of consumer credit reports for marketing purposes. Its proponents claim that the files developed are not on individual consumers, but on clusters of consumers. Its proponents claim online scores are simply a method for establishing audiences for serving ads. Not subject to the Fair Credit Reporting Act FCRA) regulation, they assert, are scores and other products that identify consumers on an aggregate basis (which for them means information narrowed to a small cluster of households at the ZIP+4 level) or consumers not named by name. We disagree with these representations and commend FTC for its inquiry. For CDD and other comments on this issue, see FTC docket. (link is external)

We urge you to review the attached FTC complaint that was filed today by EPIC (link is external) and CDD. The millions of WhatsApp users who signed up for the service were promised--repeatedly as you will read in the complaint--that the company didn't want to gather and commercialize their data. They posed as the "unFacebook," deriding the commercial surveillance apparatus that lies at the core of contemporary online practices. Yet at the same time they made their public privacy promises, they were being wooed (link is external) by Mark Zuckerberg to join The Circle (link is external)--oops, I mean Facebook. Despite Facebook's denial that WhatsApp and its digital gold mine of mobile numbers, address books, and access to selling all kinds of financial services in real-time won't become part of its Big Data-driven (link is external) advertising machine, one only has to look at what happened with Instagram (link is external) (let alone the track record of the industry). The Dutch and Canadian data protection authorities raised serious questions (link is external) about WhatsApp's own data and privacy policies in January. The Dutch report (attached) provides insights into how WhatsApp operates. The FTC (which will likely review the merger) needs to stand up for privacy and act on the complaint. Otherwise, WhatsApp's users will be merely Facebook customers who have lost their privacy and consumer protection rights.