Newsroom
-
By Adam Rubenfire, March 18, 2015

The cyberattack against Premera Blue Cross disclosed this week affects significantly fewer people than this year's Anthem hack, but the value of the information exposed could pose a bigger threat to the insurer.

Premera discovered in January that a May 2014 cyberattack breached a system holding 11 million people's records, the company announced on Tuesday. The records exposed may have included clinical and financial records, in addition to personal information like addresses and Social Security numbers. Anthem has said it believes the theft of data on nearly 80 million customers and employees was confined to the latter category.

Medical-record theft can be particularly costly for the victims. A February 2015 report from the Ponemon Institute surveying medical-identity theft victims found that about two-thirds said they had paid money to resolve the theft. Those patients paid an average of $13,500.

Patients may be able to seek damages for identity theft that occurs years after the free identity-theft protection the company is offering has ended, said Ken Dort, a partner in the law firm Drinker Biddle who specializes in information technology. The plaintiffs, however, would have to prove that the theft was linked to the Premera hack, which could be difficult.

Eric Earling, Premera's vice president of communications, said it's too early to say whether the breach will significantly affect Premera's bottom line. He declined to say whether Premera had a cybersecurity insurance policy. Anthem has said its cybersecurity policy would limit the damage to its financial results.

“We're in a position as a company even before any of this where we're successful as a business and we have strong reserves to provide for our customers,” Earling said.

Though Premera is offering customers two years of free credit-monitoring and identity-theft protection, that will do little to protect them against identity thieves who may wait a few years to use or sell the data. Plus, experts say, most credit-monitoring programs don't protect customers against the effects of medical-identity theft, which can be far more harmful.

When asked what Premera was doing to protect its members' clinical information from being used fraudulently, a Premera spokesman referred the inquiry to Experian, the company hired to provide credit-monitoring for affected customers. An Experian spokeswoman said the product would track whether an individual's medical-record number or insurance card is used to purchase medical services that go unpaid because that would appear on an individual's credit report. Experian does not track changes in the medical record, and it does not monitor the use of information to make claims for medical services until those services go unpaid.

Changes to medical records caused by medical-identity theft can be particularly harmful to patients, Modern Healthcare reported earlier this month. Fraudulent use can even be lethal if it means allergies or conditions aren't properly noted in the record.

Having an individual's personal, clinical and financial information gives identity thieves a more convincing profile, allowing them to engage in what's called “total identity theft,” said Pamela Dixon, executive director of the World Privacy Forum, a San Diego-based not-for-profit organization. The trifecta of data accessed in this case is the “worst-case scenario,” Dixon said. “The people who were exposed in this breach will have to be on guard for at least a decade.”

The company says that it has no evidence that hackers actually removed data from its systems, only that the systems were breached.
But Dixon said there are ways the attackers could have stolen data without a trace and that she wouldn't be surprised if they did given the length of time they had access.

Although companies are under pressure to be more proactive about data security, the number and size of recent breaches suggest it's increasingly likely consumers will have their information exposed at some point.

“You now have a situation where to be a reasonable consumer you almost need to sign up with one of the (credit protection) bureaus on a nonstop basis,” Dort said.
-
In December, CDD urged the FTC to reject the verifiable parental consent mechanism for COPPA (Children's Online Privacy Protection Act) proposed by AgeCheq. The comments are attached. Ensuring meaningful parental consent so their child's data can be gathered and used requires a robust and effective system. Parents need to understand precisely what data is collected and by what means; how it is to be used--now and in the future--as well as the business models and online marketing practices that can affect them. CDD and its attorneys at Georgetown Law Center found a range of problems with AgeCheq's submission. The commission should decline approving its parental system for COPPA.

Yesterday, the commission announced it agreed with CDD and rejected AgeCheq's proposal. Eric Null, Staff Attorney at the Institute for Public Representation, Georgetown Law Center, which represented CDD, said that "We are pleased that the FTC followed CDD's recommendation to reject AgeCheq's application for a verifiable parental consent mechanism. This is a true victory for parents and children and sends the message that future applicants must ensure their system meets the COPPA standards."
-
Blog
Network Neutrality, Protecting Privacy & placing limits on the power of the "old" & "new" media: Net Freedom
Jeff Chester on the links between the Network Neutrality and Privacy Bill of Rights issues. Originally posted on Alternet.
The Internet and our digital media are quietly becoming a pervasive and manipulative interactive surveillance system. Leading U.S. online companies, while claiming to be strong supporters of an open and democratic Internet, are working behind the scenes to ensure that they have unlimited and unchecked power to “shadow” each of us online. They have allied with global advertisers to transform the Internet into a medium whose true ambition is to track, influence and sell, in a never-ending cycle [6], their products and political ideas. While Google, Facebook and other digital giants claim to strongly support a “democratic” Internet, their real goal is to use all the “screens” [7] we use to empower a highly commercialized and corporatized digital media culture.

Last Thursday was widely viewed as a victory for “Internet Freedom” and a blow to a “corporatized” Internet as the Federal Communications Commission (FCC) endorsed a historic public utility framework for Network Neutrality (NN). It took the intervention of President Obama last year, who called [8] for “the strongest possible rules to protect net neutrality,” to dramatically transform the FCC’s plans. Its chairman, Thomas Wheeler, a former cable and telecom lobbyist, had previously been ambivalent about endorsing strong utility-like regulations. But feeling the pressure, especially from the president, he became a “born again” NN champion, leading the agency to endorse [9] “strong, sustainable rules to protect the Open Internet.”

But the next day, the Obama White House took another approach to Internet Freedom, handing the leading online companies, including Google, Facebook, and their Fortune-type advertising clients, a major political victory. The administration released its long-awaited “Consumer Privacy Bill of Rights [10]” legislation.
The bill enables the most powerful corporations and their trade associations to greatly determine what American privacy rights will be. By giving further control over how data are gathered and used online, the administration basically ceded more clout to a corporate elite that will be able to effectively decide how the Internet and digital applications operate, today and in the near future.

How do privacy rules impact the openness of the Internet, and the ability to promote and sustain progressive and alternative perspectives? While much of the public debate on pervasive data mining has focused on the role of the NSA and other intelligence agencies that were exposed by Edward Snowden, there has not been as much discussion on the impact of the commercial data system that is at the core of the Internet today. Google, Facebook, and others use our data as the basis of an ever-expanding global system of commercial surveillance. This information is gathered from our mobile devices, PCs, apps, social networks, and increasingly even TVs—and stored in digital profiles. These far-reaching dossiers—which can be accessed and updated in milliseconds—can include information on our race/ethnicity, financial status, health concerns, location, online behavior, what our children do, whom we communicate with on social media, and much more.

The major online companies are continually expanding their commercial data gathering practices. They now merge and use our online and offline data (what we do online and information collected from store loyalty cards, etc.); track us across all the devices we use (PCs, mobile, etc.); and amass even more data about us supplied by a vast network of data broker [11] alliances and partnerships (such as Facebook [12] with its myriad of data partners, including Acxiom and Epsilon). A U.S.
digital data industry “arms race,” with companies vying to own the most complete set of records on every consumer, has also led to a wave [13] of mergers and acquisitions, where companies that have already compiled huge datasets on Americans (and global consumers) are being swallowed up by even larger ones.

Leading corporations are investing vast sums to harvest and, in their own words, make “actionable” the information we now generate nearly 24/7. So-called “Big Data” technologies enable companies to quickly analyze and take advantage of all this information, including understanding how each of us uses online media and mobile phones. A score of “Math Men and Women”-led advertising-technology companies have pioneered the use of super fast computers that track where we are online and, in milliseconds, crunch through lots of our data to decide whether to target us with advertising and marketing (regardless of whether we use a PC or mobile device and, increasingly, using our geolocation information). These machines are used to “auction” us off individually to the highest bidder, so we can be instantly delivered some form of marketing (or even political) message. Increasingly, the largest brands and ad agencies are using all this data and new tactics to sell us junk food, insurance, cars, and political candidates. For example, these anonymous machines can determine whether to offer us a high-interest payday loan or a lower interest credit card; or an ad from one political group versus another.

But it’s not just the ability to harvest data that’s the source of increased corporate clout on the Internet. Our profiles are tied to a system of micro-persuasion, the 21st century updating of traditional “Madison Avenue” advertising tactics that relied on “subliminal” and cultural influence. Today, online ads are constructed by connecting our information to a highly sophisticated digital marketing apparatus.
At places like Google’s BrandLab [14], AT&T’s Adworks [15] Lab, or through research efforts such as Facebook IQ [16], leading companies help their well-heeled clients take advantage of the latest insights from neuromarketing [17] (to deliberately influence our emotions and subconscious), social media monitoring [18], new forms of corporate product placement [19], and the most effective ways to use all [20] of our digital platforms.

The online marketing industry is helping determine the dimensions of our digital world. Much of the Internet and our mobile communications are being purposely developed as a highly commercialized marketplace, where the revenues that help fund content go to a select, and largely ad-supported, few. With Google, Facebook, major advertisers and agencies all working closely together throughout the world to further commercialize our relationship to digital media, and given their ownership over the leading search engines, social networks, online video channels, and how “monetization” of content operates, these forces pose a serious obstacle to a more democratic and diverse online environment.

One of the few barriers standing in the way of their digital dominance is the growing public concern [21] about our commercial privacy. U.S. companies have largely bitterly opposed proposed privacy legislation—in the U.S. and also in the European Union [22] (where data protection, as it is called, is considered a fundamental [23] right). Effective regulations for privacy in the U.S. would restore our control of the information that has been collected about us, versus the system now in place that, for the most part, enables companies to freely use it.
But under the proposed Obama plan, Google, Facebook and other data-gathering companies would be allowed to determine the rules. Through a scheme the White House calls a “multi-stakeholder” process, industry-dominated meetings—with consumer and privacy groups vastly outnumbered and out-resourced—would develop so-called self-regulatory “codes of conduct” to govern how the U.S. treats data collection and privacy. Codes would be developed to address, for example, how companies can track and use our location information; how they compile dossiers about us based on what we do at the local grocery store and read online; how health data can be collected and used from devices like Fitbit; and more. This process is designed to protect the bottom line of the data companies, which the Obama White House views as important to the economy and job growth. (Stealing other people’s data, in other words, is one of America’s most successful industries.)

Like similar self-regulatory efforts, stakeholder codes are really designed to sanction existing business practices and enable companies to continue to accumulate and use vast data assets unencumbered. The administration claims that such a stakeholder process can operate more effectively than legislation, operating quickly in “Internet time.” Dominated by industry [24] as they are, stakeholder bodies are incapable of doing anything that would adversely impact their own future—which currently depends on the ability to gather and use all our data.

The administration’s bill also strips away the power of the Federal Trade Commission (FTC), which now acts as the leading federal watchdog on privacy. Instead of empowering the FTC to develop national rules that enable individuals to make their own privacy decisions, the bill forces the agency to quickly review (in as little as 90 days) the proposed stakeholder codes—with little effective power to reject them.
Companies become largely immune to FTC oversight and enforcement when they agree to abide by the self-regulatory policies their lobbyists basically wrote.

In a rare rebuke to the administration, the FTC [25], leading Congressional Democrats [26], and the majority of consumer and privacy [27] organizations rejected the White House’s privacy plan. But the administration does not appear to be willing, for now, to change its support for the data companies; and as we know, Silicon Valley and their business allies have strong support in Congress that will prevent any privacy law from passing for now.

To see how the online lobby has different views on Internet Freedom, compare, for example, the statements of the “Internet Association”—the lobbying trade organization that represents [28] Google, Facebook, Amazon and dozens of other major online data-gathering companies—on last week’s two developments. It praised [29] the FCC NN decision for creating “strong, enforceable net neutrality rules … banning paid prioritization, blocking, and discrimination online.” But the group rejected [30] the Administration’s privacy proposal, as weak as it was, explaining that “today’s wide-ranging legislative proposal outlined by the Commerce Department casts a needlessly imprecise net.”

At stake, as the Internet Association knows, is the ability of its members to expand their businesses throughout the world unencumbered. For example, high on the agenda for the Internet Association members [31] are new U.S.-brokered global trade deals, such as the Transatlantic Trade and Investment Partnership, which will free our digital giants from having to worry about strong privacy laws abroad.

While the NN battle correctly viewed Comcast, Verizon, and other cable and phone giants as major opponents to a more democratic digital media environment, many of the online companies were seen as supporters and allies. But an “open” network free from control of our cable/telco monopolies is just one essential part for a more diverse and public interest-minded online system. Freedom must also prevent powerful interests from determining the very structure of communications in the digital age. Those companies that can collect and most effectively use our information are also gatekeepers and shapers of our Internet Future.

The NN victory is only one key step for a public-interest agenda for digital media. We also must place limits on today’s digital media conglomerates, especially their ability to use all our data. The U.S. is one of the only “developed” countries that still doesn’t [32] have a national law protecting our privacy. For those concerned about the environment, we must also address how U.S. companies are using the Internet to encourage the global [33] public to engage in a never-ending consumption spree that has consequences for sustainability and a more equitable future.

There is ultimately an alignment of interests between the so-called “old” media of cable and the telephone industry with the “new” online media. They share similar values when it comes to ensuring the media they control brings eyeballs and our bank accounts to serve them and their advertising clients. While progressive and public interest voices today find the Internet accessible for organizing and promoting alternative views, to keep it so will require much more work.

Jeffrey Chester is executive director of the Center for Digital Democracy (www.democraticmedia.org [34]).

Source URL: http://www.alternet.org/media/under-radar-big-media-internet-giants-get-massive-access-everything-about-you

Links:
[1] http://www.alternet.org/authors/jeffrey-chester
[2] http://alternet.org
[3] http://www.alternet.org/fear-america/9-social-panics-gripped-nation-were...
[4] http://www.alternet.org/fear-in-america
[5] http://www.alternet.org/fear-america/fear-dominates-politics-media-and-h...
[6] https://www.thinkwithgoogle.com/tools/customer-journey-to-online-purchas...
[7] http://www.nielsen.com/us/en/insights/reports/2014/shifts-in-viewing-the...
[8] http://www.whitehouse.gov/net-neutrality
[9] http://www.fcc.gov/document/fcc-adopts-strong-sustainable-rules-protect-...
[10] http://www.whitehouse.gov/the-press-office/2012/02/23/we-can-t-wait-obam...
[11] http://www.worldprivacyforum.org/2013/12/testimony-what-information-do-d...
[12] https://facebookmarketingpartners.com/marketing-partners/
[13] http://www.democraticmedia.org/bigger-data-broker-mergers-oracle-swallow...
[14] https://www.thinkwithgoogle.com/articles/let-go-six-brandlab-secrets.html
[15] http://adworks.att.com/lab/
[16] http://insights.fb.com/
[17] http://www.neurosense.com/index.php/clients
[18] http://www.crimsonhexagon.com/social-media-intelligence/forsight-platfor...
[19] http://admob.blogspot.com/2015/03/announcement-gdc.html
[20] https://www.thinkwithgoogle.com/platforms/
[21] http://www.pewinternet.org/2014/11/12/public-privacy-perceptions/
[22] http://www.ft.com/cms/s/0/e29a717e-6df0-11e2-983d-00144feab49a.html#axzz...
[23] http://ec.europa.eu/justice/fundamental-rights/charter/index_en.htm
[24] http://www.pcworld.com/article/2047775/critic-ntias-mobile-privacy-push-...
[25] http://www.nationaljournal.com/tech/obama-s-privacy-bill-of-rights-gets-...
[26] http://www.markey.senate.gov/news/press-releases/markey-white-house-priv...
[27] http://www.democraticmedia.org/leading-us-consumer-privacy-groups-call-p...
[28] http://internetassociation.org/our-members/
[29] http://internetassociation.org/022615netneutrality/
[30] http://internetassociation.org/022715privacy/
[31] http://internetassociation.org/05102013transatlantictrade/
[32] https://cdt.org/insight/analysis-of-the-consumer-privacy-bill-of-rights-...
[33] http://www.google.com/about/careers/teams/markcomm/
[34] http://www.democraticmedia.org
[35] mailto:corrections@alternet.org?Subject=Typo on Under the Radar, Big Media Internet Giants Get Massive Access to Everything About You
[36] http://www.alternet.org/
[37] http://www.alternet.org/%2Bnew_src%2B
-
Blog
Leading U.S. Consumer & Privacy Groups call on Pres. Obama to Revise Privacy Bill; Stronger Safeguards Needed
The letter (attached) was sent today to Pres. Obama. Jeff Chester, CDD's executive director, explained that the Administration's proposal--released last Friday--fails to give consumers the control over their data the President promised. It was signed by:

Center for Democracy and Technology
Center for Digital Democracy
Alvaro Bedoya, Center on Privacy & Technology at Georgetown Law
Common Sense Media
Consumer Action
Consumer Federation of America
Consumers Union
Consumer Watchdog
Electronic Frontier Foundation
National Consumers League
New America’s Open Technology Institute
Public Knowledge
Privacy Rights Clearinghouse
U.S. PIRG
-
News
Obama Administration Consumer Privacy Bill Fails to Protect Consumers, Gives Greater Control of our Information to Data Companies
Three years ago, President Obama promised that his administration would deliver a “Privacy Bill of Rights” to protect American consumers. The bill released today is a serious setback for privacy. Instead of effective rights that Americans can rely on to protect themselves and their families from the onslaught of online and offline data gathering, the administration proposal perversely reduces the power of the Federal Trade Commission to protect the public. It fails to give the FTC, the country’s key privacy regulator, “rule-making” authority to craft reasonable safeguards, and actually empowers the companies that now harvest our mobile, social, location, financial, and health data, leaving them little to fear from regulators.

The legislation creates a huge loophole that practically eviscerates any real privacy protection and consumer control of their data. Its provisions are tied to a standard of both “risk” and “context” that enables a company to determine whether a person’s data require greater privacy control. Since the majority of today’s massive online data gathering is disingenuously considered by industry as “marketing” information—versus what it really is, highly detailed and continually updated profiles merging our online and offline data—very little of a consumer’s data will trigger stronger protections.

The multi-stakeholder process at the core of this poorly constructed privacy bill has been flawed from the outset, dominated as it is by industry lobbyists whose real goal is to ensure their companies can continue their practices without any real safeguards. The proceedings have failed so far to generate any meaningful and widely adopted safeguards, and the prospects for a new “code of conduct” that offers genuine consumer protection are unlikely.
Public interest and privacy groups are vastly outnumbered in the Department of Commerce-run multi-stakeholder process, which is notable for its lack of diverse representation, denying meaningful participation from civil rights, consumer, and other representatives. The bill limits the FTC’s “unfair trade practices” authority once companies that collect our data adopt a “multi-stakeholder code of conduct.” Once that code is developed, the FTC has at most 90 days (if adopted via a Department of Commerce process) to approve or deny it, giving the agency and the public insufficient time to analyze and address the code’s shortcomings. Hundreds of codes are predicted to be proposed, leaving the FTC at a disadvantage in performing its duty to protect American consumers. The bill also greatly reduces the ability of state attorneys general to protect our privacy precisely at a time when there is an explosion of hyperlocal data mining of our neighborhoods. The legislation also enables companies to create so-called “privacy review boards” that will most likely rubber-stamp their data practices, another example of how corporations have been further empowered to decide what the consumer privacy rules should be. While the bill touts that it provides rights to consumers, it gives real control to the companies that collect our information. Although the president’s Privacy Bill of Rights promised transparency and control, it creates a labyrinth-like process that consumers must navigate before they can actually access and correct their own data records held by companies. Data brokers and others can hide behind a convoluted system to determine whether individuals can access their files. Beyond its undermining FTC authority and empowering industry self-regulation, the process by which the bill was written also reflects poorly on the Administration. 
As a Commerce official said to advocates one week ago, the bill was deliberately drafted so as not to “disrupt [the commercial data] business—we are the Department of Commerce.” The majority of consumer and privacy advocates were given only a review of the near-final text a week ago today, with just less than 30 minutes to read the bill. Advocates told the White House early this week about some of the problems in the legislation, urging it to postpone slightly the release of the bill and to work with us to improve its consumer protections. But this proposal was rejected. Leading Congressional leaders on privacy issues were also denied access to the bill until yesterday, leaving them no time for meaningful engagement with the White House. Parts of the bill appear to have been drafted by the “Big Data” lobby itself, in order to protect industry’s current data practices, which raise serious questions about the influence the commercial sector has within the Department of Commerce.

“Instead of supporting the FTC, the Administration has aided the data collection industry in its efforts to undermine that agency’s role,” explained Jeff Chester, CDD’s executive director. “This bill fails to fulfill what the president promised. CDD and other consumer and privacy advocates will work to ensure Americans get the privacy rights they deserve.”
-
News
Big Data Gets Bigger: Consumer and Privacy Groups Call on FTC to Play Greater Role in Data Mergers/ Investigation and Public Workshop Needed
Washington, DC: The Center for Digital Democracy (CDD), along with U.S. PIRG, Consumer Watchdog, and Public Citizen, called on the Federal Trade Commission to launch an investigation into the impact on the American public of growing consolidation in consumer offline and online data sources and digital marketing applications. The groups also asked for the FTC to hold a public workshop focused on ensuring Americans receive 21st century safeguards protecting their privacy in online transactions, and a truly competitive marketplace.

The letter comes after the approval by the Department of Justice of the “Big Data”-driven acquisition by the Oracle Corporation of data broker Datalogix. The merger—announced in late December and approved just three weeks later—would create, in Oracle’s words, “the world’s most valuable data cloud” for digital marketing, connecting and unifying “a consumer’s various identities across all devices, screens and channels.” The deal is the second recent major data broker acquisition by Oracle, which purchased leading online consumer information firm BlueKai last year. The Oracle/Datalogix transaction should have triggered involvement by the FTC, given its expertise on the digital data industry, the groups noted.

The letter to FTC Chairwoman Ramirez also underscored that the Oracle/Datalogix merger raised serious privacy and consumer concerns, which required scrutiny by the Bureau of Consumer Protection as well. The combined companies’ datasets include financial, racial, location, and other sensitive data, as well as issues involving the EU/U.S. Safe Harbor agreement and the Google and Facebook Consent Decree settlements.
The merger also implicates a number of consumer-protection matters, such as financial marketing and auto sales, where the FTC has a congressional mandate to protect the public.

The group’s letter to the FTC (attached below) provides an inside look at the role of consumer data in today’s digital marketplace, in which companies not only amass enormous amounts of information on consumers’ online and offline activities, but exchange that information with partners and affiliates for the purposes of analytical scrutiny and personalized targeting. “This transaction,” the letter explains, “highlights the crosscutting dimensions of the contemporary ‘Big Data’ digital marketplace, where competition and consumer-protection issues are intertwined.”

“The American public deserves to know how the consolidation and use of their information affects their daily lives,” the letter concludes, “from the prices they pay and the services they are offered to what this transaction means for their privacy. We urge the FTC to develop a more effective approach to identifying new problems and threats to competition and consumer protection in the Big Data era.”

“The Oracle/Datalogix deal reflects the digital data ‘arms race’ underway where companies are amassing powerful and detailed sets of information to track and target a consumer anywhere, anytime,” explained Jeff Chester, CDD’s executive director. “Control over an individual’s information, and the capabilities to use it effectively in today’s Big Data era, are falling into fewer hands. Unfortunately, these critical mergers suffer from ‘premature approval syndrome,’ sanctioned by regulators without adequate analysis and discussion.
As the country’s chief regulatory agency protecting privacy and the online consumer marketplace, the FTC needs to show greater leadership by fostering 21st Century safeguards.”

“Our letter also urges antitrust authorities to update their market analysis to reflect that digital markets aren’t the same as markets for groceries or steel,” said Ed Mierzwinski, consumer program director for U.S. PIRG. “21st century markets need a 21st century analysis that takes into account the unique ways that fewer, bigger firms leverage even greater market power over consumer data through partnerships and joint ventures.”

“The Oracle/Datalogix deal is an example of how powerful companies are amassing unprecedented amounts of data, distorting traditional markets, limiting competition and consumer control,” said John M. Simpson, Consumer Watchdog’s Privacy Project director. “The FTC needs to act quickly and decisively to ensure its regulatory procedures keep pace with the threats of 21st century data-driven markets.”

“As evidenced now by Oracle’s acquisition of Datalogix, a handful of Data Titans hope to aggregate personal and private data about everyone, so they know where we go, what we do, whom we see, what we want, what we think and what we say,” said Rob Weissman, president of Public Citizen. “The marketers’ intrusion on our privacy is vastly outpacing public protections, or even public awareness. Consumer protection authorities need to take a very hard look at the Oracle deal and industry concentration more generally. There’s no reason for us to be racing toward a dystopian future of total surveillance.”
-
Blog
Promising Start by White House on Privacy; But will it empower people over Big Data in the digital era? Role of TTIP/trade
We are waiting to review the text of proposed privacy bills announced today by President Obama. Next month will mark the third anniversary of the promise by the White House to release "Consumer Privacy Bill of Rights" legislation. The "Bill of Rights" for privacy is supposed to empower an individual to have serious control over how their data is gathered and used. While the "Bill of Rights" incorporates high-minded principles, we fear that at the end of the day legislation will sanction our ever-growing data collection status quo. Today, Americans face a greater loss of their privacy due to the unchecked and growing use of commercial surveillance technologies, which now afflicts us regardless of whatever device we use (and with most applications). Rather than lead on privacy, U.S. companies are aggressively expanding their sophisticated and pervasive data mining activities on individuals, groups, and communities. Whether we are online or off, our finances, geolocation, ethnicity/race, health concerns and much more are secretly gathered and used without meaningful consent--let alone our awareness. A set of invisible practices operate that assess, score and take advantage of all of this online and offline data. So far, the only tangible result of the President's privacy promise has been online data lobbyist-dominated "stakeholder" meetings at the Commerce Department. This process has failed to develop even a modest form of more effective self-regulation, let alone truly provide privacy protection. If the President's bill relies on these flawed stakeholder proceedings to develop privacy safeguards, it will not bring any change and merely allow ubiquitous data collection to further flourish.
We also believe that an unannounced but intended audience for today's Administration plan is to remove a serious obstacle for a U.S.-EU trade deal, known as TTIP. U.S. data giants see the TTIP as a powerful way to expand their market in Europe without having to run afoul of the EU's stronger data protection rules (under the guise of "free flow of data," the TTIP would enable U.S. companies to engage in all sorts of practices without worrying about EU privacy regulators). The TTIP deal also includes a regulatory "poison pill" called "regulatory convergence." Before the FTC or other consumer protection agency could create any new regulation, it would have to be reviewed by a new EU/US council. This would enable corporate lobbyists to have additional opportunities to weaken proposed rules even before they were made public. New regulations would face a new hurdle, having to demonstrate they wouldn't negatively impact corporate trade profits. The EU should not accept only a promise that the U.S. will protect the privacy of Americans. Even if the Obama bill is a good one, its congressional path ahead is a hard political road, with an uncertain outcome. The EU should be prudent and wait. On data breach, we are wary of preempting more effective state laws--which is high on the data industry's political agenda in 2015. The most promising development may be a commitment by the White House to seek a national bill protecting the privacy of K-12 students. CDD intends to play an active role on this and all the other proposals.
-
In December, CDD urged the FTC to reject the verifiable parental consent mechanism for COPPA (Children's Online Privacy Protection Act) proposed by AgeCheq. The comments are attached. Ensuring meaningful parental consent so their child's data can be gathered and used requires a robust and effective system. Parents need to understand precisely what data is collected and by what means; how it is to be used--now and in the future--as well as the business models and online marketing practices that can affect them. CDD and its attorneys at Georgetown Law Center found a range of problems with AgeCheq's submission. The commission should decline to approve its parental system for COPPA. Yesterday, the commission announced it agreed with CDD and rejected AgeCheq's proposal. Eric Null, Staff Attorney at the Institute for Public Representation, Georgetown Law Center, which represented CDD, said that "We are pleased that the FTC followed CDD's recommendation to reject AgeCheq's application for a verifiable parental consent mechanism. This is a true victory for parents and children and sends the message that future applicants must ensure their system meets the COPPA standards."
-
News
Bigger Data Broker Mergers as Oracle Swallows Datalogix, after Acquiring Bluekai/FTC must review deal to address privacy, competition.
Statement of Jeff Chester, executive director, CDD
With personal information on every U.S. individual, their families, community and workplace the "currency" in today's digital economy, the frenzy of dealmaking in the databroker business continues as Oracle acquires Datalogix. Through the data it gathers on what we buy, and with its relationship with Facebook and other powerful marketers, Datalogix consists of an online treasure trove of data on Americans. The Oracle deal announced today follows its recent acquisition as well of Bluekai, which holds reams of information on consumers. CDD calls on the Federal Trade Commission to closely scrutinize the proposed deal. It must examine the impact on competition and protect the privacy of Americans. Given the FTC's 20-year consent decree with Facebook, and the role that Datalogix plays with the social network, it also must review whether the deal requires additional safeguards under that decree. Both Oracle and Datalogix are members of the EU/US Data Protection Safe Harbor program and the commission must examine how this pending databroker/consumer targeting acquisition impacts that program. The growing consolidation of information on every American and whatever we do--regardless of location, time of day, whether we are online or off--should trigger action, as well as soul searching by both policymakers and the public. Do we want a society where a very powerful few data barons are able to gather and profit from our information without an individual having any ability to protect their privacy?
******
PS: This summary via Adexchanger is useful to see the impact and intention of this deal:
Datalogix aggregates and provides insights on over $2 trillion in consumer spending from 1,500 data partners across 110 million households to provide purchase-based targeting and drive more sales. Over 650 customers, including 82 of the top 100 US advertisers such as Ford and Kraft, as well as 7 of the top 8 digital media publishers such as Facebook and Twitter use Datalogix to enhance their media. Oracle and Datalogix's Data as a Service cloud solutions will provide marketers and publishers with the richest understanding of consumers across both digital and traditional channels based on what they do, what they say, and what they buy. This will enable leading brands to personalize and measure every customer interaction and maximize the value of their digital marketing. The combination fundamentally transforms marketing automation from executing campaigns to being able to correctly identify consumers, target them accurately with digital campaigns, allow marketers to measure which campaigns and channels are effective, and optimize how they reach consumers and spend their campaign resources. The addition of Datalogix represents a further extension of Oracle's Public Cloud strategy to combine IaaS, PaaS, SaaS and Data as a Service on a common cloud and to transform SaaS business applications and processes by integrating data within these applications. More information can be found at http://www.oracle.com/datalogix.
Supporting Quotes
"The addition of Datalogix to the Oracle Data Cloud will provide data-driven marketers the most valuable targeting and measurement solution available," said Omar Tawakol, group vice president and General Manager of Oracle Data Cloud. "Oracle will now deliver comprehensive consumer profiles based on connected identities that will power personalization across digital, mobile, offline and TV."
"Datalogix's mission is to help the leading consumer marketers connect digital media to the offline world, where over 93 percent of consumer spending occurs," said Eric Roza, CEO, Datalogix. "We are thrilled to join Oracle and extend the value Oracle Data Cloud brings to marketers and publishers."
-
News
Consumer, Privacy, Child Health Groups Challenge Federal Trade Commission’s Proposed Settlement with TRUSTe
Consumer, Children’s, and Privacy Groups Challenge Federal Trade Commission’s Proposed Settlement with TRUSTe (True Ultimate Standards Everywhere, Inc.) As Too Lenient
Stronger Sanctions Needed for TRUSTe’s Violation of the Public Trust
Consumers—Especially Parents—Materially Harmed by Years of Deception
Washington, DC: The Center for Digital Democracy (CDD), through its counsel the Institute for Public Representation and on behalf of the American Academy of Child and Adolescent Psychiatry, Campaign for Commercial Free Childhood, Consumer Action, Consumer Federation of America, Consumer Watchdog, and The Rudd Center for Food Policy and Obesity, filed comments today at the Federal Trade Commission (FTC) in response to that agency’s proposed Agreement and Consent Order with True Ultimate Standards Everywhere, Inc. (“TRUSTe”). In November, after conducting an investigation, the FTC filed a complaint against TRUSTe, a company that has been issuing various “privacy seals” since 1997. The display of such seals indicates that a website has been reviewed annually by TRUSTe to ensure it is in compliance with TRUSTe’s program requirements designed to protect consumer privacy. In fact, according to the FTC, TRUSTe deceived consumers in two important respects. First, TRUSTe failed in over one thousand instances between 2006 and 2013 to conduct the annual re-certifications that it told consumers and the FTC it was conducting. Second, the company failed to require the companies using its privacy seals to change references to TRUSTe’s nonprofit status after it became a for-profit operation in 2008.
As CDD’s filing makes clear, these violations are especially significant coming from a company that is entrusted with verifying the self-regulatory privacy-protection efforts of thousands of companies—including some of the biggest in the world—and covering such important areas of concern as the Children’s Online Privacy Protection Act (COPPA) and the EU-US Safe Harbor framework for transatlantic data transfers. Thus while the filing applauds the FTC’s enforcement action against TRUSTe, it finds the proposed sanctions—a $200,000 fine and additional recordkeeping and reporting requirements concerning the COPPA safe harbor program—to be far too lenient. “Safe harbors such as TRUSTe,” the filing points out, “play a pivotal role protecting children’s privacy by prohibiting the collection, use or disclosure of personal information without meaningful notice to parents and advance, verifiable parental consent, limiting the amount of data collected from children and protecting the security of data that is collected.” Unfortunately, because the FTC neither revealed the websites and services that were not properly re-certified, nor estimated the number of consumers who were affected by these violations, consumers—including parents concerned for their children’s privacy—are left wondering just how much meaningful privacy protection they have online. In addition to calling for a significant increase in the size of TRUSTe’s payment (citing individual companies that have paid as much as $1 million for their COPPA violations in the past), CDD’s filing called for all COPPA safe harbor reports (including those filed by TRUSTe) to be made available to the public on the FTC’s website in a timely manner. Angela Campbell, co-director of the Institute for Public Representation, emphasized that “Parents rely on seal programs such as TRUSTe when deciding whether a particular website is appropriate for their children.
Misrepresentations such as these have the potential to put millions of children at risk across potentially hundreds or thousands of child-directed websites. The FTC must do more to restore public trust in the COPPA safe harbor programs.”
“The commission needs to stand up for children and their parents,” explained Jeff Chester, executive director of CDD. “If the FTC had adequately engaged in oversight of these programs, such problems would have been identified earlier,” he noted. “Those companies such as TRUSTe that have pledged to truly protect the privacy of American children should be required to make public how they actually determine whether online companies targeting kids engage in fair and responsible practices.”
A copy of CDD’s FTC filing is available at www.democraticmedia.org.
--30--
-
News
Topps Company, Trading Card and Candy Company Charged with Violations of the Children’s Online Privacy Protection Act (COPPA); Coalition of Groups Urge FTC to Investigate and Bring Action
Topps Company, Trading Card and Candy Company owned by Michael Eisner, Charged with Violations of the Children’s Online Privacy Protection Act
Consumer, Child Health, and Privacy Groups Urge Federal Trade Commission to Investigate and Bring Action Against Topps for Violating Children’s Privacy Rights through its Child-directed Website Candymania.com and its #RockThatRock Contest
Washington, DC: The Center for Digital Democracy (CDD), through its counsel the Institute for Public Representation, along with the American Academy of Child and Adolescent Psychiatry, Campaign for a Commercial Free Childhood, Center for Science in the Public Interest, Consumer Action, Consumer Federation of America, Consumers Union, Consumer Watchdog, Rudd Center for Food Policy and Obesity, and United Church of Christ, today asked the Federal Trade Commission (FTC) to investigate and take enforcement action against The Topps Company, Inc., for violating the Children’s Online Privacy Protection Act (COPPA) Rule in connection with its child-directed website Candymania and its online contest #RockThatRock.
Topps, a candy and trading-card company owned by former Disney CEO Michael Eisner, uses its child-directed website Candymania.com and social media to promote Ring Pop, a candy that appeals to children. The #RockThatRock contest, which ran in Spring 2014, encouraged children to post photos of themselves wearing Ring Pops on Facebook, Twitter, and Instagram for a chance to have their photo used in a music video with tween band R5. Of the photographs collected, Topps used several that depicted children clearly under 13 in the video. The video is available on both Candymania and YouTube and has been viewed almost 900,000 times. Long after the contest ended, Topps continued to display children’s photos and contact information submitted using the #RockThatRock hashtag on the Ring Pop Facebook page. Topps made no effort to provide notice to parents about the information collected or to obtain advance, verifiable parental consent as required by the COPPA Rule.
Additionally, Topps violated the COPPA Rule by failing to post its children’s privacy policy in a prominent manner, failing to provide a complete and understandable privacy policy, conditioning a child’s participation in the contest on disclosing more information than was reasonably necessary, and retaining children’s personal information for longer than reasonably necessary.
“Topps and its partners cynically sought to bypass COPPA’s key safeguard that parents must first be told about a company’s data collection practices before their child’s information is gathered,” explained Jeff Chester, CDD’s executive director. “This is a textbook study of how online marketers are so eager to use Facebook and other social media to promote their products to friends and even strangers, they ignore this key law designed to protect consumer privacy online. Companies such as Topps need to carefully review all their digital marketing practices to make sure they are adhering to COPPA, and also are marketing their products in a responsible manner. The FTC must do more, however, to ensure that COPPA is effectively enforced. It must devote more resources to protect the privacy of children, and begin examining contemporary digital data-driven practices more thoroughly.”
Angela J. Campbell, Co-Director of the Institute for Public Representation, which drafted the request, emphasized that “Topps is in violation of provisions of the COPPA Rule that the FTC adopted nearly two years ago to update and strengthen children’s privacy protections,” in two significant ways. First, Topps is collecting photographs of young children, even though the FTC decided to include photographs within the definition of “personal information” requiring parental notice and collection due to the privacy and safety concerns. Second, Topps is using social media to collect and post children’s personal information from which Topps reaps commercial benefits.
The Commission amended the COPPA rule to clarify that a child-directed website was responsible for information collected by third parties on its behalf or from which it benefits. Campbell urged the FTC to take action to show that it is serious about enforcing the updated COPPA Rule.
In addition to the privacy concerns of Topps’ marketing and data-collection practices, this case comes at a time of heightened concern over the health effects of candy and other unhealthy foods on children. Earlier this month, 41 members of the Food Marketing Workgroup (including CDD, Center for Science in the Public Interest, and the American Heart Association) wrote five candy companies—including Topps—to ask them to adopt strong policies on food marketing to children. As the groups’ letter points out, “obesity has tripled in children and adolescents over the past decades. Currently, more than one in three children and teens are overweight or obese.”
-
Project
Privacy Groups Call for Major Changes on APEC Cross-Border Data Rules; Raises Questions about work of TRUSTe
On 3 December 2014 a coalition of privacy and consumer groups sent a Joint Submission to APEC asking for significant changes to the APEC Cross Border Privacy Rules system (CBPRs). The submission is available here. This joint submission follows a long period of opposition by civil society representatives to the first implementation of the CBPRs, which has now been operating in the US for 18 months. The submission raises concerns at the growing number of false claims of APEC certification and the absence of an official accurate list of members. One key aspect of the submission is that the signatories oppose the appointment of TRUSTe as an Accreditation Agent for the CBPRs in the US, citing weaknesses in their program criteria, conflicts of interest, and the unacceptable use of fine print exclusions in TRUSTe certified privacy policies. The group calls on APEC to reform its CBPRs or close it down. The coalition includes: the Australian Privacy Foundation; the Canadian Internet Policy & Public Interest Clinic; the US Center for Digital Democracy; and the Electronic Privacy Information Center.
-
News
CDD Asks FTC for Information on COPPA, Kids Privacy, Safe Harbors. Raises concerns on their effectiveness & operations
For months, CDD has been in contact with the Federal Trade Commission over the actual efficacy of the so-called "Safe Harbors" programs established to address children's privacy thru the Children's Online Privacy Protection Act (COPPA). We have major concerns about how these programs are structured, and whether they meaningfully ensure privacy of young people. We have asked, via FOIA, for detailed documentation on how the COPPA Safe Harbors operate. The FTC has not--to date--provided the information parents and the public require. CDD will ensure, however, that there is meaningful accountability by both the FTC and its COPPA Safe Harbor companies. The commission cannot look the other way on this issue, even if some of the Safe Harbor companies prefer to operate in a non-transparent manner. Among the companies we have asked for information are: kidsSafe Seal Program; Aristotle International; Children's Advertising Review Unit; Entertainment Software Rating Board; PRIVO; and TRUSTe.
-
Blog
CDD files Appeal to make public NIST grant to Privo
Disclosure required on kids privacy issue involving Privo's partnership with a toy company and Verizon
The Children's Online Privacy Protection Act (COPPA), a federal law my NGO led the campaign for back in the mid-1990's, was designed to ensure that parents (or the responsible adult) be able to make meaningful decisions about commercial data collected from a child (thru age 12). It's based on a concept requiring serious (read honest) and full disclosure of data collection and use practices, with prior affirmative consent (informed opt-in) before any collection occurs. Given the powerful array of digital marketing techniques focused on collecting our information, and the need to ensure that parents have federal safeguards for the children's privacy, COPPA means that online marketing companies and their partners need to act in a highly responsible, transparent and truly privacy appropriate manner.
We are concerned that some in the online marketing industry want to create an easy "one-stop shopping" process that encourages parents to approve data collection for their child. Kids are a very lucrative market, spending and influencing many billions a year. Some companies view COPPA as an obstacle to their plans to generate profits by online marketing to kids. Despite claims of respecting privacy (and which can also be viewed by examining the commercial market targeting adolescents), the default most marketers have adopted is full non-stop personalized data collection and real-time targeting. But COPPA makes such practices, commonplace in the digital ad industry, much harder to do. In part, it's because under the law they have to actually explain first what they intend to do and get permission.
That approach is anathema to most in the online marketing business.
When we learned that the National Institute for Standards and Technology (NIST, a division of the Department of Commerce) gave a federal $1.6 million grant to Privo designed to create a "parent consent at Internet scale" system for COPPA, we were concerned. Privo's partners in its grant include "one of the world's largest toy companies" as well as Verizon. CDD, through our attorneys at the Institute for Public Representation, Georgetown Law Center, filed a FOIA request. The public needs to know how Privo's system will operate; whether it's really designed to help parents make meaningful decisions; and what role the major toy company and Verizon (which has expanded its own data targeting apparatus) play.
NIST redacted nearly all of the Privo related documents, failing to provide the public the information and accountability necessary (especially when it's about the privacy of children). Today, we filed an Appeal and intend to pursue our legal options. (See attachment below.) More details coming.
-
News
Public Citizen, Consumer Action, CDD Support FTC via Amicus in "Wyndham" case/Role of FTC vital to protect consumers in online era
Through the terrific work of Public Citizen, CDD submitted this Amicus brief today in what's called the Wyndham case. Wyndham and its allies are challenging the much needed role of the FTC to protect Americans from data breaches and related online harms. That they are afraid of having a consumer protection agency do its job says a great deal about them. The brief is attached.
-
News
FTC asked to review "Big Data" merger between Alliance Data/Conversant; Also address privacy, consumer data consolidation & expansion of tracking on public across devices
[excerpt from attached letter]
Dear Chairwoman Ramirez:
We urge the FTC to review its decision of September 24, 2014, providing “early termination” of the “Big Data” acquisition by Alliance Data Systems of Conversant (formerly ValueClick). We are deeply concerned that the commission failed to examine sufficiently the consequences to competition—and to privacy—of the consolidation of two powerful sets of consumer data. This merger reflects the continuing consolidation of the consumer data marketplace, an issue that the FTC must address. The Alliance/Conversant deal also raises serious privacy concerns, including with its intended goal of further unleashing powerful tracking technologies that follow individuals across all of their devices and applications. Both companies play leading roles providing data for financial services targeting, and Conversant is at the forefront of online lead-generation practices. The commission’s approval of this transaction without appropriate safeguards directly undermines its role as the country’s chief privacy regulator. The FTC cannot, on the one hand, express concern about the discriminatory and privacy implications of “Big Data” and the invisible role of databrokers, but at the same time silently consent to expanded commercial surveillance of the American people... The failure of the commission to address key consumer protection issues with this acquisition underscores the need for a greater commitment by the FTC to tackle the competition and privacy issues of today’s data-driven digital marketing era. We specifically urge the commission to launch a formal review of “Big Data” consolidation. The level of commercial data gathering on Americans is unprecedented, growing daily without respite, and is ending up in the hands of fewer companies...
In addition, this transaction illustrates the dramatic and unfettered growth of so-called “cookie-less” cross-screen/device-tracking... The commission should not wait until American privacy is further undermined through the dramatic growth of these new “cookie-less” commercial tracking practices. Action is required now
-
News
U.S. PIRG Education Fund & CDD File Add'l Comments on Big Data at FTC: Urge Action to Rein in "Wild West" of Unfair & Discriminatory Practices
U.S. PIRG Education Fund and the Center for Digital Democracy (CDD) respectfully submit these additional comments to the Federal Trade Commission (FTC). A set of regulatory and other safeguards is urgently required to ensure that contemporary “Big Data”-driven financial services are used in an equitable, transparent, and responsible manner. All Americans, especially those who confront daily challenges to their economic security, should be assured that their lives will be enhanced—not undermined—by the new digital-data financial services marketplace. A closer critical examination of the commercial information infrastructure in the U.S. reveals a set of well-developed and interconnected data collection and use practices that few consumers are aware of—let alone have consented to. While the commission’s September 2014 workshop explored some of the key issues, it did not sufficiently examine the implications of current “Big Data” business practices. U.S. PIRG Education Fund and CDD urge the commission to issue a final report that addresses the issues we identify [see attached file].
-
Youth of color are a key focus for digital marketers, especially for fast-foods and beverages linked to the youth obesity epidemic. The digital targeting of African American and Hispanic youth is growing, and uses a full array of sophisticated mobile, geo-location, social media and other cutting-edge marketing strategies. Food and beverage marketers should adopt practices that stop unfair and irresponsible digital marketing practices. The FTC and State AG's should call for safeguards.
Here's the latest CDD Infographic that addresses African American youth.
-
News
U.S. PIRG and CDD urge Consumer Financial Protection Bureau to issue regulations and safeguards for mobile and digital financial services and privacy
Apple iPhone/mobile payments era poses threats and opportunities for consumers, especially those financially at risk
Washington: Two leading consumer organizations told the Consumer Financial Protection Bureau (CFPB) today to issue rules so consumers can use mobile financial services without placing their privacy at risk or exposing themselves to new forms of predatory lending and other unfair practices. The groups—U.S. PIRG and the Center for Digital Democracy (CDD)—submitted comments to the agency as part of its inquiry on mobile financial services. They called for a series of safeguards on mobile and other digital financial applications, including on data collection, online financial marketing, mobile payments and other key applications.
“The CFPB has a short window to ensure that the public receives the necessary consumer safeguards, especially for financial applications and their privacy, as they increasingly rely on mobile devices for banking, payments, credit applications, shopping, e-commerce, and other services,” explained Ed Mierzwinski, Consumer Program Director for U.S. PIRG. “Otherwise, unfair business practices will become entrenched in the marketplace and hard to stop.”
The introduction yesterday of Apple’s mobile payment system is just the latest development transforming how Americans save and spend their money in the digital era. The Internet is quickly becoming the foundation for banking and other financial services, from mobile deposits and online loans to digital payments. Financial services companies will spend $6.20 billion in 2014 promoting lending, credit cards and related services, a figure that is predicted to grow to $9.57 billion by 2018. $2.2 billion was spent this year for mobile financial marketing targeting consumers. Mobile payments and other digital financial services are integrated into a broad set of online industry marketing practices, which require CFPB action, explained the groups.
Industry practices described in the filing as requiring CFPB action include the following:
Data collection and profiling
The use of real-time location
How “apps” and other digital financial applications are designed to trigger consumer behavior
The special targeting of multicultural groups, including African Americans and Hispanics
How “Big Data” technologies raise privacy and other consumer protection concerns
The growing use of “lead generation” on mobile devices, where a consumer’s data can be stealthily collected and sold to credit card, banking and other financial companies so they can be targeted with offers
The use of data profiles and location to micro-target consumers in real-time with payday loans and other costly financial products
“Contemporary mobile practices that take advantage of the powerful capabilities of online financial marketing raise questions about whether consumers will be well-served in the long-run,” said Jeff Chester, CDD executive director. “For example, economically vulnerable consumers—or any other American on a budget—could be bombarded with highly sophisticated offers urging them to spend that take advantage of their data, buying habits, family composition, ethnicity and more. Without fair rules, such practices could undermine their ability to protect their financial security. That’s why we call on the CFPB to take action now,” he explained.
“Without question, the convenience and power of mobile devices and applications provide financially at risk, unbanked, and other vulnerable consumers greater opportunities to save money on banking transactions and payments, have additional ways to build financial resources, and make more effective decisions on purchasing,” Mierzwinski concluded. “But few consumers understand or can effectively control how mobile and other digital financial products actually operate; as a result we believe they also pose serious risks unless safeguards are enacted.”
****
U.S. PIRG is the non-profit, non-partisan federation of state Public Interest Research Groups. The PIRGs are public interest advocacy organizations that take on powerful interests on behalf of their members. On the web at www.uspirg.org
The Center for Digital Democracy (CDD) addresses contemporary digital marketing and privacy issues, including their impact on public health, children and youth, and financial services. On the web at www.democraticmedia.org
In March, U.S. PIRG and CDD released the report “Big Data Means Big Opportunities and Big Challenges: Promoting Financial Inclusion and Consumer Protection in the “Big Data” Financial Era.” It is available at http://www.uspirg.org/reports/usf/big-data-means-big-opportunities-and-big-challenges.
-
News
CDD Files Complaint on U.S./EU Safe Harbor for Data Privacy at FTC / Filing Reveals Failure of U.S. Agreement to Protect European Privacy
Washington, DC: The key framework that is supposed to protect EU citizens’ privacy when their data is collected by U.S. companies—known as the U.S.-EU Safe Harbor—is failing to provide them the safeguards that were promised, according to a complaint filed today by a leading U.S. consumer privacy group—the Center for Digital Democracy (CDD). The complaint, filed at the U.S. Federal Trade Commission (FTC), details how these companies are compiling, using, and sharing EU consumers’ personal information without their awareness and meaningful consent, in violation of the Safe Harbor framework. Overseen by the U.S. Department of Commerce, the Safe Harbor is based on a voluntary “self-certification” process, in which companies that promise to provide clear “notice” (of their data-collection practices and data uses) and “choice” (giving consumers the opportunity to “opt out” of practices they did not previously agree to) are then allowed to collect information from European consumers without strictly following the EU’s higher data-protection standards. The EU has itself recognized that the current Safe Harbor regime is inadequate, and has called for its revision. CDD’s filing at the FTC, which is the agency that is supposed to ensure that the Safe Harbor system protects EU consumers’ privacy, calls for an investigation of 30 companies involved in data profiling and online targeting, including data brokers that have compiled vast amounts of sensitive information on individual consumers; data management platforms that allow their corporate clients to analyze their own consumer information and combine it with outside data sources to produce detailed marketing insights; and mobile marketers that track devices and tie them to user profiles in order to identify the most profitable consumers for personalized advertising. “The U.S. is failing to keep its privacy promise to Europe,” said Jeff Chester, CDD’s executive director. “Instead of ensuring that the U.S. 
lives up to its commitment to protect EU consumers, our investigation found that there is little oversight and enforcement by the FTC. The Big Data-driven companies in our complaint use Safe Harbor as a shield to further their information-gathering practices without serious scrutiny. Companies are relying on exceedingly brief, vague, or obtuse descriptions of their data collection practices, even though Safe Harbor requires meaningful transparency and candor. Our investigation found that many of the companies are involved with a web of powerful multiple data broker partners who, unknown to the EU public, pool their data on individuals so they can be profiled and targeted online.” Although the companies cited for FTC investigation differ in their various approaches to data collection for the purposes of profiling and targeting individual consumers, the filing identified five broad concerns that illustrate the inadequacy of the Safe Harbor regime: (1) the failure of Safe Harbor declarations and required privacy policies in particular to provide accurate and meaningful information to EU consumers; (2) an overall lack of candor from the companies about the nature of their data collection apparatus, including their networks of data broker partners and even their corporate affiliations; (3) the general failure to provide meaningful opt-out mechanisms that EU consumers can find and use to remove themselves fully from privacy-harming data collection and processing; (4) the myth of “anonymity” at a time when marketers—armed with vast amounts of details about consumers’ personal needs and interests, employment and social status, location and income—do not need to know one’s name in order to track and target that particular individual online; and (5) the false claim made by several companies named in the complaint that they act as “data processors” on behalf of others, when in fact they play a central role in bringing the power of their Big Data-driven services to bear on 
consumer profiling and targeting. As CDD Legal Director Hudson Kingston explained, “CDD’s complaint describes the systemic failure of the Safe Harbor to function as it was intended. Companies are flouting standards that the Department of Commerce agreed to and the Federal Trade Commission pledged to enforce. Safe Harbor has to be overhauled to make sure it actually works; until that time, it should be suspended. We call on the FTC to investigate and sanction the companies named in our complaint. The fundamental privacy right of 500 million Europeans has been ignored and must be acknowledged and protected going forward.” “The U.S. and EU are currently negotiating a trade agreement that will enable U.S. companies to gather even more data on Europeans,” Chester added. “Reform of Safe Harbor is urgently required before it becomes a ‘Get Out of Protecting Privacy’ card used by American companies under the forthcoming Transatlantic Trade and Investment Partnership (T-TIP).” The 30 companies cited in CDD’s filing include Acxiom, Adara Media, Adobe, Adometry, Alterian, AOL, AppNexus, Bizo, BlueKai, Criteo, Datalogix, DataXu, EveryScreen Media, ExactTarget, Gigya, HasOffers, Jumptap, Lithium, Lotame, Marketo, MediaMath, Merkle, Neustar, PubMatic, Salesforce.com, SDL, SpredFast, Sprinklr, Turn, and Xaxis. The Center for Digital Democracy is a nonprofit group working to protect the public in the digital era from unfair practices that threaten their privacy, especially in the financial and health sectors. --30--