CDD

CDD Filings Digital Citizen

  • Press Release

    Groups Tell FTC to Investigate TikTok’s Failure to Protect Children’s Privacy

    TikTok gathers data from children despite promise made to commission

    Contact: Jeff Chester, CDD (jeff@democraticmedia.org (link sends e-mail); 202-494-7100) David Monahan, CCFC (david@commercialfreechildhood.org (link sends e-mail);) Advocates Say TikTok In Contempt of Court Order More kids than ever use the site due to COVID19 quarantine, but TikTok flouts settlement agreement with the FTC WASHINGTON, DC and BOSTON, MA—May 14, 2020—Today, a coalition of leading U.S. child advocacy, consumer, and privacy groups filed a complaint (link is external) urging the Federal Trade Commission (FTC) to investigate and sanction TikTok for putting kids at risk by continuing to violate the Children’s Online Privacy Protection Act (COPPA). In February 2019, TikTok paid a $5.7 million fine for violating COPPA, including illegally collecting personal information from children. But more than a year later, with quarantined kids and families flocking to the site in record numbers, TikTok has failed to delete personal information previously collected from children and is still collecting kids’ personal information without notice to and consent of parents. Campaign for a Commercial-Free Childhood (CCFC), the Center for Digital Democracy (CDD), and a total of 20 organizations demonstrated in their FTC filing that TikTok continues to violate COPPA by: failing to delete personal information related to children under 13 it obtained prior to the 2019 settlement order; failing to give direct notice to parents and to obtain parents’ consent before collecting kids’ personal information; and failing to give parents the right to review or delete their children’s personal information collected by TikTok. TikTok makes it easy for children to avoid obtaining parental consent. When a child under 13 tries to register using their actual birthdate, they will be signed up for a “younger users account” with limited functions, and no ability to share their videos. If a child is frustrated by this limited functionality, they can immediately register again with a fake birthdate from the same device for an account with full privileges, thereby putting them at risk for both TikTok’s commercial data uses and inappropriate contact from adults. In either case, TikTok makes no attempt to notify parents or obtain their consent. And TikTok doesn’t even comply with the law for those children who stick with limited “younger users accounts.” For these accounts, TikTok collects detailed information about how the child uses the app and uses artificial intelligence to determine what to show next, to keep the child engaged online as long as possible. The advocates, represented by the Communications & Technology Law Clinic in the Institute for Public Representation at Georgetown Law, asked the FTC to identify and hold responsible those individuals who made or ratified decisions to violate the settlement agreement. They also asked the FTC to prevent TikTok from registering any new accounts for persons in the US until it adopts a reliable method of determining the ages of its users and comes into full compliance with the children’s privacy rules. In light of TikTok’s vast financial resources, the number and severity of the violations, and the large number of US children that use TikTok, they asked the FTC to seek the maximum monetary penalties allowed by law. Josh Golin, Executive Director of Campaign for a Commercial-Free Childhood, said “For years, TikTok has ignored COPPA, thereby ensnaring perhaps millions of underage children in its marketing apparatus, and putting children at risk of sexual predation. Now, even after being caught red-handed by the FTC, TikTok continues to flout the law. We urge the Commission to take swift action and sanction TikTok again – this time with a fine and injunctive relief commensurate with the seriousness of TikTok’s serial violations.” Jeff Chester, Executive Director of the Center for Digital Democracy, said “Congress empowered the FTC to ensure that kids have online protections, yet here is another case of a digital giant deliberately violating the law. The failure of the FTC to ensure that TikTok protects the privacy of millions of children, including through its use of predictive AI applications, is another reason why there are questions whether the agency can be trusted to effectively oversee the kids’ data law.” Michael Rosenbloom, Staff Attorney and Teaching Fellow at the Institute for Public Representation, Georgetown Law, said “The FTC ordered TikTok to delete all personal information of children under 13 years old from its servers, but TikTok has clearly failed to do so. We easily found that many accounts featuring children were still present on TikTok. Many of these accounts have tens of thousands to millions of followers, and have been around since before the order. We urge the FTC to hold TikTok to account for continuing to violate both COPPA and its consent decree.” Katie McInnis, Policy Counsel at Consumer Reports, said "During the pandemic, families and children are turning to digital tools like TikTok to share videos with loved ones. Now more than ever, effective protection of children's personal information requires robust enforcement in order to incentivize companies, including TikTok, to comply with COPPA and any relevant consent decrees. We urge the FTC to investigate the matters raised in this complaint" Groups signing on to the complaint to the FTC are: Campaign for a Commercial-Free Childhood, the Center for Digital Democracy, Badass Teachers Association, Berkeley Media Studies Group, Children and Screens: Institute of Digital Media and Child Development, Consumer Action, Consumer Federation of America, Consumer Reports, Defending the Early Years, Electronic Privacy Information Center, Media Education Foundation, Obligation, Inc., Parent Coalition for Student Privacy, Parents Across America, ParentsTogether Foundation, Privacy Rights Clearinghouse, Public Citizen, The Story of Stuff, United Church of Christ, and USPIRG. ###
  • Press Release

    FTC must impose maximum fine and ensure Google’s YouTube business practices obey children’s privacy law, say groups

    Google’s unprecedented violation requires an unprecedented FTC response and a 20-year consent decree to ensure Alphabet Inc. acts responsibly when it comes to serving children and parents; Google executives should also be held accountable.

    June 25, 2019 The Honorable Joseph Simons The Honorable Noah Phillips Chairman Commissioner Federal Trade Commission Federal Trade Commission 600 Pennsylvania Avenue, NW 600 Pennsylvania Avenue, NW Washington, DC 20580 Washington, DC 20580 The Honorable Rohit Chopra The Honorable Rebecca Slaughter Commissioner Commissioner Federal Trade Commission Federal Trade Commission 600 Pennsylvania Avenue, NW 600 Pennsylvania Avenue, NW Washington, DC 20580 Washington, DC 20580 The Honorable Christine Wilson Commissioner Federal Trade Commission 600 Pennsylvania Avenue, NW Washington, DC 20580 Dear Chairman Simons, Commissioner Phillips, Commissioner Chopra, Commissioner Slaughter, and Commissioner Wilson: The Campaign for a Commercial-Free Childhood (CCFC) and Center for Digital Democracy (CDD) have been encouraged by recent media reports that the Federal Trade Commission is preparing to take action against Google and YouTube for violating the Children’s Online Privacy Protection Act (COPPA). CCFC and CDD, represented by the Institute for Public Representation at Georgetown Law (IPR), are the organizations responsible for drafting the Request to Investigate Google and YouTube filed with the FTC on April 9, 2018. Previously, IPR filed on behalf of CCFC and CDD Requests to Investigate YouTube’s promotion of unfair and deceptive influencer marketing to children (October 21, 2016) and unfair and deceptive marketing practices on YouTube Kids (April 7, and November 24, 2015). As you are aware, YouTube has profited enormously by hosting channels and videos of nursery rhymes, unboxing videos, popular cartoons, and other content specifically designed for children on the main YouTube platform. But instead of getting the verifiable parental consent required before collecting children’s personal information, Google claims that YouTube is not for children under thirteen, and therefore, no consent is required. This defense is outlandish given that YouTube is the number one online destination for kids. In short, Google has profited by violating the law and the privacy of tens of millions of children. For this reason, the FTC must sanction Google at a scale commensurate with the company’s unprecedented and unparalleled violations of COPPA. As we pointed out in our Request to Investigate, the maximum civil penalties should be imposed because: Google had actual knowledge of both the large number of child-directed channels on YouTube and the large numbers of children using YouTube. Yet, Google collected personal information from nearly 25 million children in the U.S over a period of years, and used this data to engage in very sophisticated digital marketing techniques. Google’s wrongdoing allowed it to profit in two different ways: Google has not only made a vast amount of money by using children’s personal information as part of its ad networks to target advertising, but has also profited from advertising revenues from ads on its YouTube channels that are watched by children. [April 9, 2018 Request to Investigate at 26-27 (footnotes omitted)]. Moreover, any consent order must mandate meaningful changes to YouTube’s business practices. For example, all child-directed content should be placed on a separate platform where targeted advertising, commercial data collection, links to other sites or content, and autoplay are prohibited. Google must also live up to its Terms of Service – which stipulate YouTube is only for persons thirteen and older – by removing all kids’ content from the main YouTube platform. By ensuring such changes, the Commission will do a tremendous service to America’s families seeking to provide a healthy media environment for their children, while sending a clear message to all online and mobile operators that no one is above the law. Google’s disregard of children’s welfare is demonstrated not only by the evidence in our complaints, but by numerous reports of violent, sexual and other inappropriate content available to children on both YouTube Kids and on the main YouTube platform. Moreover, the company refused to turn off recommendations on videos featuring young children in leotards and bathing suits even after researchers demonstrated YouTube’s algorithm was recommending these videos to pedophiles. These ongoing and serious issues require that the FTC take strong action. We believe that Google should repay America’s families by creating a truly safe space for kids and fostering the production of quality non-commercial children’s programming. Attached you will find a list of recommended penalties and conditions to be included in a final consent order. We would be happy to meet with you to discuss our proposed remedies in greater detail. Thank you. Sincerely, Jeffrey Chester Executive Director Center for Digital Democracy Josh Golin Executive Director Campaign for a Commercial-Free Childhood Angela J. Campbell Director Institute for Public Representation Georgetown Law Encl.: Proposed Consent Order Penalties and Conditions Proposed Consent Order Penalties and Conditions The FTC should seek a 20-year consent decree which includes the following forms of relief: Injunctive relief Destroy all data collected from children under 13, in all forms in Google’s possession, including inferences drawn from this data, custody, or control of YouTube and all of Alphabet’s subsidiaries engaged in online data collection or commercial uses (e.g. advertising), including, but not limited to, Google Ads, Google Marketing Platform and their predecessors. Immediately stop collecting data from any user known to be under age 13, and any user that a reasonable person would likely believe to be under age 13, including, but not limited to, persons that are viewing any channel or video primarily directed to children, persons who have been identified for targeted ads based on being under 13 or any proxy for under 13 (e.g., grade in school, interest in toys, etc.), or any other factors. Identify, as of the date of this consent order, as well as on an ongoing basis, any users under age 13, and prohibit them from accessing content on YouTube. Prohibit users under age 13 from accessing content on YouTube Kids unless and until YouTube has provided detailed notice to parents, obtained parental consent, and complied with all of the other requirements of COPPA and this consent order. Remove all channels in the Parenting and Family lineup, as well as any other YouTube channels and videos directed at children, from YouTube. YouTube may make such channels and videos available on a platform specifically intended for children (e.g. YouTube Kids) only after qualified human reviewers have reviewed the content and determined that the programming comply with all of the policies for YouTube’s child-directed platform, which must include, but are not limited to: No data collection for commercial purposes. Any data collected for “internal purposes” must be clearly identified as to what is being collected, for what purpose, and who has access to the data. It may not be sold to any third parties. No links out to other sites or online services. No recommendations or autoplay. No targeted marketing. No product or brand integration, including influencer marketing. Consumer education Require Google to fund independent organizations to undertake educational campaigns to help children and parents understand the true nature of Google’s data-driven digital marketing systems and its potential impacts on children’s wellbeing and privacy. Require Google to publicly admit (in advertising and in other ways) that it has violated the law and warn parents that no one under 13 should use YouTube. Record keeping and monitoring provisions Google must submit to an annual audit by a qualified, independent auditor to ensure that Google is complying with all aspects of the consent decree. The auditor must submit their report to the FTC. The FTC shall provide reports to Congress about the findings. All of the annual audits must be publicly available without redaction on the Commission’s website within 30 days of receipt. Google may not launch any new child-directed service until the new service has been reviewed and approved by an independent panel of experts – including child development and privacy experts – to be appointed by the FTC. Google must retain, and make available to the FTC on request, documentation of its compliance with the consent decree. Civil penalties and other monetary relief Google will pay the maximum possible civil penalties – $42,530 per violation. Whether violations are counted per child or per day, the total amount of the penalty must be sufficiently high to deter Google and YouTube from any further violations of COPPA. Google to establish a $100 million fund to be used to support the production of noncommercial, high-quality, and diverse content for children. Decisions about who receives this money must be insulated from influence by Google. In addition, we ask the FTC to consider using its authority under Section 13(b) of the FTC Act to require Google and YouTube to disgorge ill-gotten gains, and to impose separate civil penalties on the management personnel at Google and YouTube who knowingly allowed these COPPA violations to occur.
  • CDD today joined the Electronic Privacy Information Center (EPIC) and six other consumer groups in calling on the Federal Trade Commission to investigate the misleading and manipulative tactics of Google and Facebook in steering users to “consent” to privacy-invasive default settings. In a letter to the FTC, the eight groups complained that the technology companies deceptively nudge users to choose less privacy-friendly options. The complaint was based on the findings in a report, “Deceived by Design,” published today by the Norwegian Consumer Council. It found that Google and Facebook steer consumers into sharing vast amounts of information about themselves, through cunning design, privacy invasive defaults, and “take it or leave it”-choices, according to an analysis of the companies’ privacy updates. A report by Consumer Report investigating Facebook settings for US users found “that the design and language used in Facebook's privacy controls nudge people toward sharing the maximum amount of data with the company.” Read the Norwegian report, “Deceived by Design” here: https://www.forbrukerradet.no/undersokelse/no-undersokelsekategori/deceived-by-design (link is external) Read the letter the eight groups sent to the FTC today here: http://thepublicvoice.org/wp-content/uploads/2018/06/FTC-letter-Deceived-by-Design.pdf (link is external) Read the report by Consumer Report here: https://www.consumerreports.org/privacy/cr-researchers-find-facebook-privacy-settings-maximize-data-collection (link is external)
  • The Center for Digital Democracy (CDD) respectfully urges the Federal Election Commission (FEC) to adopt regulations to ensure that voters will have meaningful transparency and control over the digital data and marketing practices used in elections today. The FEC must boldly act and use its legal authority and leadership position to enact—as well as recommend—much-needed safeguards. We call on the FEC to tell campaigns that they must refrain from using digital tactics that promote “voter suppression.” It should also urge federal candidates not to use viral and other forms of stealth communications to influence voters through misinformation—including “fake news.” The FEC should go on record saying that political campaigns should not deploy digital marketing tactics that have not been publicly assessed for their impact on the integrity of the voting process—such as the use of predictive artificial intelligence products (including bots) and applications designed to bypass conscious decision-making (through the use of neuromarketing and emotionally based psychometrics). Read more.
  • WASHINGTON, DC – October 18, 2017—A number of brands of “smartwatches” intended to help parents monitor and protect young children have major security and privacy flaws which could endanger the children wearing them. A coalition of leading U.S. child advocacy, consumer, and privacy groups sent a letter to the Federal Trade Commission (FTC) today, asking the agency to investigate the threat these watches pose to children. Smartwatches for children essentially work as a wearable smartphone. Parents can communicate with their child through the mobile phone function and track the child’s location via an app. Some product listings recommend them for children as young as three years old. Groups sending the letter to the FTC are the Electronic Privacy Information Center (EPIC), the Center for Digital Democracy (CDD), the Campaign for a Commercial-Free Childhood (CCFC), the Consumer Federation of America, Consumers Union, Public Citizen, and U.S. PIRG. The advocacy groups are working with the Norwegian Consumer Council (NCC), which conducted research (link is external) showing that watches sold in the U.S. under the brands Caref and SeTracker have significant security flaws, unreliable safety features, and policies which lack consumer privacy protections. In the EU, groups are filing complaints in Belgium, Denmark, the Netherlands, Sweden, Germany, the UK, and with other European regulators. “By preying upon parents’ desire to keep children safe and, these smart watches are actually putting kids in danger,” said CCFC’s Executive Director Josh Golin. “Once again, we see Internet of Things products for kids being rushed to market with no regard for how they will protect children’s sensitive information. Parents should avoid these watches and all internetconnected devices designed for kids.” The NCC’s research showed that with two of the watches, a stranger can take control of the watch with a few simple steps, allowing them to eavesdrop on conversations the child is having with others, track and communicate with the child, and access stored data about the child’s location. The data is transmitted and stored without encryption. The watches are also unreliable: a geo-fencing feature meant to notify parents when a child leaves a specified area, as well as an “SOS” function alerting parents when a child is in distress, simply do not work. The manufacturers’ data practices also put children at risk. Some devices have no privacy policies at all, and the policies that do exist lack basic consumer protections, including seeking consent for data collection, notifying users of changes in terms, and allowing users to delete stored data. "The Trump Administration and the Congress must bring America’s consumer product safety rules into the 21st century,” said Jeff Chester of the Center for Digital Democracy. “In the rush to make money off of kids’ connected digital devices, manufacturers and retailers are failing to ensure these products are truly safe. In today’s connected world that means protecting the privacy and security of the consumer—especially of children. Both the FTC and the Consumer Product Safety Commission must be given the power to regulate the rapidly growing Internet of Things marketplace.” The Caref (branded Gator in Europe) and SeTracker smartwatches are available online through Amazon. The groups have asked the FTC to act quickly to investigate these products, and they advise parents to refrain from buying the products because of the danger they could pose to children. The NCC, which conducted the testing of the watches, advises consumers who have already purchased the watches to stop using them and uninstall the app. “The Federal Trade Commission must be proactive in protecting consumers—especially vulnerable young children—from harmful products that abuse technology for the sake of profit,” said Kristen Strader, Campaign Coordinator for Public Citizen. “Smartwatches and similar devices must be absolutely safe and secure before they are released to the public for sale.” Ed Mierzwinski, Consumer Program Director at U.S. PIRG, said, "Companies making any internet-connected devices, but especially for children, need to ensure that privacy and security are more than breakable — or worse, hackable — promises." Katie McInnis, technology policy counsel for Consumers Union, said, “When a company sells a smartwatch aimed at children, it must ensure the product is safe and secure. The FTC should launch an investigation into the privacy and security concerns surrounding these products to make sure families are safe.” The same trans-Atlantic coalition persuaded government authorities and retailers last December (link is external) that the internet-connected dolls Cayla and i-Que Robot were spying on children and threatening their welfare, and retailers removed the toys from store shelves. The FBI subsequently issued a warning to consumers (link is external) that internet-connected toys could put the privacy and safety of children at risk. --- For more information, please see the following: Letter to FTC by coalition of leading U.S. child advocacy, consumer, and privacy groups (link below) Press Release by US coalition of leading U.S. child advocacy, consumer and privacy groups (link below) #WatchOut Report by Norwegian Consumer Council (link below) Press Release by Norwegian Consumer Council (link below) #WatchOut English - YouTube (http://bit.ly/2ghNoD1 (link is external)) #WatchOut - longer video explainer on security flaws 4:30 mins - YouTube (http://bit.ly/2xLYSVv (link is external))
    Jeff Chester
  • Washington, DC (March 6, 2017): The Center for Digital Democracy (CDD), Campaign for a Commercial-Free Childhood, Common Sense Kids Action, Consumer Action and the Electronic Privacy Information Center (EPIC) called on the Federal Communications Commission (FCC) to reject industry requests to rescind the FCC’s broadband privacy rules, as this would leave parents effectively without any tools to protect their children’s privacy on broadband Internet Service Provider networks (ISPs). The groups warned that any attempts to modify the privacy rule would significantly weaken the privacy protections for children. The filing to the FCC was drafted by the Institute for Public Representation at Georgetown University Law Center (IPR). In October 2016, the Federal Communications Commission adopted ground-breaking privacy rules protecting the personal information of broadband internet service customers, including children. The FCC rules set limits on what internet service providers may do with the highly sensitive data that they collect in the course of providing internet service. These rules were intended to give consumers and parents the tools they need to make informed decisions about how their information, or the information of their children, is used by their ISP. Most significantly, the rules require ISPs to obtain opt-in approval for use and sharing of sensitive customer personal information for purposes other than providing broadband service. “Sensitive” information includes precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications. In their filing, the advocates oppose petitions filed by ISPs, including Comcast, Verizon and Time Warner, that ask the FCC to reconsider its broadband privacy Order. The advocates explain in their filing with the FCC: Treating children’s information as sensitive and requiring notice and opt-in consent is necessary to protect children and is consistent with the FTC’s practices. This aspect of the rules is necessary, although not sufficient to protect children’s privacy. All web browsing and application usage histories must be treated as sensitive information because children's information is mixed with that of adults. In order to protect children from targeted advertising, all users' browsing and application histories must receive protection as such histories reveal traits, characteristics, likes, and dislikes. Marketers, who are intensely interested in targeting children and adolescents, would have a much greater ability to take unfair advantage of children, without these rules in place. The FCC should retain opt-in requirements for use of all categories of sensitive information, such as for web browsing and application usage histories. Since this data is inextricably intertwined with adult activities, any required additional sorting of this data into sensitive and non-sensitive data would inevitably lead to further erosion of privacy of all ISP users. Most Americans are oblivious to modern day big data practices and to the resulting potential risks to themselves or society at large. When it comes to vulnerable children it must be the obligation of ISPs to make a convincing case to parents that opting into the ISP’s data practices is in the best interest of their children. The following can be attributed to Katharina Kopp, Deputy Director, Center for Digital Democracy: The FCC Privacy Rules protect the fundamental rights of children to enjoy privacy and freedom from age-inappropriate commercial exploitation. Any attempts to weaken these rules is an attempt to leave parents and their children defenseless against powerful corporate interests. Digital food marketing of unhealthy foods to children and teens, for example, has contributed to an obesity epidemic that harms us all. This is unfair, unjust and not in the public interest. We call on the FCC to implement the Privacy Order in its entirety without any delay. The following can be attributed to Josh Golin, Executive Director, Campaign for a Commercial-Free Childhood This is a crucial test for the FCC. Will the Commission insist that parents have a right to protect their children’s privacy online? Or will the FCC aid and abet the ISP’s efforts to build digital marketing profiles of vulnerable children? We call on the Commission to do the right thing and implement the Privacy Order. The following statement can be attributed to Linda Sherry, Director of National Priorities, Consumer Action: Consumer Action opposes efforts to rescind the FCC’s broadband privacy rules, which would jeopardize the privacy of all internet service customers and strip them of the right to assert control over their sensitive information including geo-location, financial, health, etc. We join the Center for Digital Democracy in highlighting the potential harm to children, a highly vulnerable and defenseless population that has gained important new rights under the rule, which specifically recognizes the sensitivity of children’s information. The Center for Digital Democracy is a leading nonprofit organization focused on empowering and protecting the rights of the public in the digital era. The Campaign for a Commercial-Free Childhood support parents’ efforts to raise healthy families by limiting commercial access to children. Consumer Action empowers low- and moderate-income and limited-English-speaking consumers nationwide to prosper through education and advocacy. EPIC is a public interest research center in Washington, DC, established in 1994 to focus public attention on emerging privacy and civil liberties issues and to protect privacy, freedom of expression, and democratic values in the information age.
  • The Center of Digital Democracy joins 28 other media and social justice, consumer protection, civil liberties and privacy groups, asking the FCC to implement its broadband privacy rules and to reject industry calls to repeal the Order.
  • Cross-Device Privacy Must be Protected by FCC Proposed Rule on Broadband ISPs

    Geolocation & Cross Platform and Application Data is Sensitive information. AT&T expands cross-device targeting

    ... ISPs are engaged in cross-device tracking of its subscribers and customers which allow them to target advertising at the individual and household level. Exemplary for all ISPs, we are highlighting AT&T’s efforts in this area. AT&T is expanding its cross-device tracking in order to target individuals on their mobile device after collecting and analyzing their data using the company's internal data and analytics capabilities. In a recent interview, AT&T AdWorks President Rick Welday explained that by the end of this year AT&T will allow marketers to “advertise in 14 million addressable households, 30 million mobile devices and millions of streams within the DirecTV app.” While AT&T may claim that its cross-device tracking is done “anonymously,” that is merely a euphemism to obscure the invasion of privacy that underlies such practices. Mr. Welday explains that AT&T’s data-driven monitoring of its customers enables it to develop dossiers that reveal whether their users are a new homeowner, a new parent, or in the market for an automobile. In its trials with cross-device targeting, AT&T worked with leading Fortune 100 brands as well as promoting its own “AT&T Mobility Wireless” service. The Fortune 100 companies that AT&T worked with likely provided their own so-called first-party data to be used for such cross-device targeting. This illustrates the operational realities today for consumer profiling data, where data are no longer shared with advertisers, but rather advertisers provide such data to ad-delivery platforms (such as AT&T's) for increasingly granular targeting.[3] Linking devices (and the application history on and geolocation on of those devices) to a particular consumer via a unique identifier should be prohibited, unless the ISP has obtained affirmative, express consent (opt-in). The rule’s definition of ‘sensitive information’ must therefore reflect industry practices and include any data elements that allow for this kind of cross-device tracking. The final rule must give ISP customers control over their data, and before companies can proceed with targeted advertising, they must obtain an opt-in consent from their customers. We are particularly concerned that without such safeguards the rules would allow for a by-passing of requirements of the Children’s Online Privacy Protection Act, by using insights gained via cross device tracking to target children without parental consent. Finally, we urge the Commission to affirm in its final rule the need for safeguards against any unauthorized attempts to re-link devices (and its app usage history and geolocation information) to associate them with one user. CDD respectfully urges the FCC to enact its proposed safeguards as soon as possible to help address the further eroding of Americans’ privacy by ISPs.
  • Electronic Privacy Information Center & CDD Defend Privacy Rights of WhatsApp Users

    WhatsApp plan to transfer user data to Facebook is unlawful, groups tell Federal Trade Commission (FTC)

    Washington, DC (August 29, 2016) – The Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD) today filed a complaint with the Federal Trade Commission, stating that the WhatsApp plan to transfer user data to Facebook is unlawful and that the FTC is obligated to block the proposed change in business practices. The EPIC-CDD complaint responds to a recent announcement from WhatsApp that the company plans to disclose the verified telephone numbers of WhatsApp users to Facebook for user profiling and targeted advertising. “When Facebook acquired WhatsApp, WhatsApp made a commitment to its users, to the Federal Trade Commission, and to privacy authorities around the world not to disclose user data to Facebook. Now they have broken that commitment,” said Marc Rotenberg, President of EPIC. “Clearly, the Federal Trade Commission must act. The edifice of Internet privacy is built on the FTC’s authority to go after companies that break their privacy promises.” Facebook and WhatsApp are the two largest social network services in the world. According to Wikipedia, WhatsApp has over one billion users. Facebook purchased the company in February 2014 for 19.3 billion dollars. EPIC Consumer Protection Counsel Claire Gartland explained, “In 2014, the FTC said that WhatsApp had to obtain affirmative consent to transfer user data to Facebook. There was an opt-out provision but that only applied to new information. Since WhatsApp intends to transfer user telephone numbers, which is not new data, it must obtain opt-in consent.” Gartland continued, “The phone number may also be the single most valuable piece of personal data obtained by WhatsApp. WhatsApp users are required to provide a verified phone number to use the service. And the phone number provides a link to a vast amount of personal information.” “The proposed change – an opt-out for data previously obtained – is exactly what the FTC said WhatsApp could not do,” said Gartland. “The transfer is only allowed if the consent is opt-in.” “The FTC has an obligation to protect WhatsApp users. Their personal information should not be incorporated into Facebook’s sophisticated data driven marketing business,” said Katharina Kopp, Ph.D., and CDD’s Director of Policy. “Data that was collected under clear rules should not be used in violation of the privacy promises that WhatsApp made. That is a significant change that requires an opt-in, according to the terms the FTC set out. It’s not complicated. If WhatsApp wants to transfer user data to Facebook, it has to obtain the user’s affirmative consent.” In 2011, EPIC, CDD and more than a dozen consumer privacy organizations pursued a successful complaint at the FTC that led to a twenty-year consent order after Facebook changed user privacy settings in a way that made users' personal information, such as Friend lists and application usage data, more widely available to the public and to Facebook’s business partners. Former FTC Chair John Liebowitz said at the time, “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users. Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not." When Facebook proposed to acquire WhatsApp in 2014, EPIC and CDD said the FTC must protect the privacy of WhatsApp users. The FTC said that WhatsApp must continue to honor its privacy promises to consumers. The FTC warned, “If the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC's order against Facebook.” The Federal Trade Commission has previously undertaken investigations against many firms that have engaged in unfair or deceptive trade practices. The Electronic Privacy Information Center (EPIC) (link is external) is a public interest research center in Washington, DC. EPIC was established in 1994 to focus public attention on emerging privacy and civil liberties issues and to protect privacy, freedom of expression, and democratic values in the information age. EPIC maintains one of the most popular privacy web sites in the world - epic.org (link is external) - and pursues a wide range of program activities including policy research, public education, litigation, publications, and advocacy. The Center for Digital Democracy (CDD) is recognized as one of the leading consumer protection and privacy organizations in the United States. Since its founding in 2001 (and prior to that through its predecessor organization, the Center for Media Education), CDD has been at the forefront of research, public education, and advocacy protecting consumers in the digital age. REFERENCES EPIC/CDD, In the Matter of WhatsApp: Complaint, Request for Investigation, Injunction, and Other Relief (Aug. 29, 2016), https://epic.org/privacy/ftc/whatsapp/EPIC-CDD-FTC-WhatsApp-Complaint-20... (link is external) FTC, “Enforcing Privacy Promises” (2016), https://www.ftc.gov/news-events/media-resources/protecting-consumer-priv... (link is external) FTC Press Release, “FTC Notifies Facebook, WhatsApp of Privacy Obligations in Light of Proposed Acquisition” (Apr. 10, 2014), https://www.ftc.gov/news-events/press-releases/2014/04/ftc-notifies-face... (link is external) FTC Letter to FB and WhatsApp, "Letter From Jessica L. Rich, Director of the Federal Trade Commission Bureau of Consumer Protection, to Erin Egan, Chief Privacy Officer, Facebook, and to Anne Hoge, General Counsel, WhatsApp Inc.” (Apr. 10, 2014), https://www.ftc.gov/news-events/press-releases/2014/04/ftc-notifies-face... (link is external) FTC, "Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy Promises” (2011), https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-... (link is external) FTC Consent Order with FB (2011), https://www.ftc.gov/news-events/press-releases/2012/08/ftc-approves-fina... (link is external) EPIC, In re WhatsApp, https://epic.org/privacy/internet/ftc/whatsapp/ (link is external) EPIC, In re Facebook, https://epic.org/privacy/inrefacebook/ (link is external) ###