Sen. Catherine Cortez Masto, D-Nev., introduced a privacy bill Thursday that would make companies get opt-in consent for collecting and disseminating precise location data. The Data Privacy Act also would require “reasonable” data collection, processing, storage and disclosure. It would prohibit data practices that discriminate against people for political and religious beliefs, barring “deceptive” data practices. There are no co-sponsors.
Owners of musical.ly, a video social networking app now called TikTok, reached a record $5.7 million settlement with the FTC over claims the company illegally collected children’s personal data, the agency announced Wednesday. It’s the largest civil penalty the FTC, whose members unanimously approved, has collected under the Children’s Online Privacy Protection Act. Musical.ly failed to seek parental consent for collecting names, email addresses and other data from users younger than 13, the FTC alleged in a complaint filed by DOJ. “We take enforcement of COPPA very seriously, and we will not tolerate companies that flagrantly ignore the law,” Chairman Joe Simons said in a statement. “These practices reflected the company’s willingness to pursue growth even at the expense of endangering children,” said Commissioners Rohit Chopra and Rebecca Kelly Slaughter. They said executives should face more accountability in future cases. The company has implemented changes that now direct TikTok users into “age-appropriate” app sections, it said: “The new environment for younger users does not permit the sharing of personal information, and it puts extensive limitations on content and user interaction.” Sen. Ed Markey, D-Mass., urged future “higher monetary penalties that will actually [incentivize] COPPA compliance.” More than 200 million worldwide users, 65 million registered in the U.S., downloaded the app. Accounts were publicly available by default, the FTC said, and public reports show adults contacted children through the app. The app includes a feature that lets users discover other users within a 50-mile radius. App operators received thousands of complaints from parents that their underage children had accounts, the FTC said. “This case should put tech companies on notice that continued disregard for COPPA will result in penalties and consumer mistrust that can seriously impact their business,” said Common Sense Media CEO Jim Steyer.
Three Senate Republicans want to know why Google didn't disclose to consumers that the Nest Secure home security system has a hidden mic, they wrote CEO Sundar Pichai Monday. Consumers are increasingly concerned about the ability of large tech companies to collect and use personal data without consent, said the letter from Senate Commerce Chairman Roger Wicker, Miss.; Communications Subcommittee Chairman John Thune, S.D.; and Manufacturing Subcommittee Chairman Jerry Moran, Kan. “It is critically important that companies like Google be completely transparent with consumers, and provide full disclosure of all technical specifications of their products at the point of sale." Google’s “failure to disclose a microphone within its Nest Secure product raises serious questions about its commitment to consumer transparency and disclosure.” They asked Google to address by March 12 questions on whether a mic has always been a component of Nest Secure, when and how Google became aware that a mic wasn’t listed on the system’s technical specifications; what Google has done to inform buyers the device contains a previously undisclosed mic; Google's process for developing tech specs, when the error occurred and actions to prevent such an error in other products; whether Google is aware of any third-party using the mic for unauthorized purposes; and if the company is aware of similar omissions in its other products. The committee requested an in-person briefing by March 29. Google didn't comment Tuesday.
Comments on privacy to NTIA show “urgency, and a desire for American leadership” there, and that a “patchwork regulatory landscape” won’t work, Administrator David Redl said Tuesday at Mobile World Congress in Barcelona. “We want to build consensus around a fundamentally American approach to privacy, built on the same bedrock principles that so many nations share,” Redl said. “We’ve been talking with dozens of stakeholders to better understand what the problems are, what we can agree upon, and how we can move forward.” The model must ensure people trust technology that's part of their lives, he said. Privacy and prosperity are both possible, he said. “Focusing on risks and outcomes is preferred to notice-and-consent approaches,” Redl said. “Few consumers bother to read long legal notices -- and it’s our view that giant compliance departments aren’t going to lead to better privacy outcomes for consumers. We don’t want companies creating checkboxes and regulators critiquing web design.” Redl touched indirectly on who will be allowed to provide telecom network equipment in the U.S. (see 1902260019). The administration is considering rules against equipment by Chinese providers (see 1902220066). Booths at MWC show many options for 5G equipment, he said. “When network operators around the world are deciding which equipment they’re going to use, their first thought should be: Do I value my customers’ privacy and data security?” Redl said: “Our four largest wireless carriers have clearly answered affirmatively.”
The White House Office of Science and Technology Policy said Thursday the Trump administration is focused on maintaining confidence in the Privacy Shield and preventing international barriers to cross-border data flows and digital trade. OSTP’s Science & Technology Highlights report cites privacy efforts from NTIA and the National Institute of Standards and Technology (see 1811090050 and 1812170032). The proper balance is allowing users to “benefit from dynamic uses of their information, while still expecting organizations to appropriately minimize risks to users’ privacy,” the report said. It cites President Donald Trump’s executive order directing federal agencies to “prioritize investments” in artificial intelligence R&D (see 1902110054). It referred to Trump's remarks about technologies that “could improve virtually every aspect of our lives, create vast new wealth for American workers and families, and open up bold, new frontiers in science, medicine, and communication.” The report cites Trump signing the first national cybersecurity strategy in 15 years (see 1809200055) and calling for cyber collaboration across all government agencies. It cites efforts to develop the “world’s most powerful and smartest supercomputers” partly through the Department of Energy, advanced computing systems and National Science Foundation cloud computing partnerships.
The U.S. Chamber of Commerce is the latest to suggest legislation seeking a federal privacy law (see 1902130058), saying "that would protect consumers and eliminate a confusing patchwork of state laws." After working "with nearly 200 organizations" on this, it recommends the FTC enforce such a law. The agency could "impose civil penalties on businesses that violate transparency, opt-out, or data deletion provisions" under FTC Act Section 5, the Chamber said Wednesday. The group doesn't "discuss its members, but we worked with organizations of all sizes -- small, medium, and large businesses -- and from various sectors, such as retail, telecommunications, transportation, healthcare, financial services, and the insurance industry." So emailed a spokesperson when asked to identify those it worked with on the plan and say whether they back the proposal. Among others with proposals are BSA| The Software Alliance, the Center for Democracy & Technology, Cisco and Information Technology and Innovation Foundation. Software & Information Industry Association Senior Vice President-Public Policy Mark MacCarthy said the Chamber's plan "is a productive step forward as Congress considers new national privacy legislation." The proposal "has more holes than Swiss cheese. In fact, it's almost all hole and no cheese," tweeted Omer Tene, International Association of Privacy Professionals chief knowledge officer. "If this reflects industry/civil society negotiations, businesses should quickly pivot to prep for #CCPA. 10 months to go." The 2018 California Consumer Privacy Act will be enforced from Jan. 1 (see 1902010015).
Apple should provide details about discovery and timing of a Group FaceTime glitch that allegedly allowed eavesdropping on unsuspecting users (see 1901290037), House Commerce Committee Chairman Frank Pallone, D-N.J., and Commerce Subcommittee Chairman Jan Schakowsky wrote Tuesday. They asked if the company knew about the glitch before being notified by a 14-year-old’s mother. Companies like Apple “must proactively ensure devices and applications protect consumer privacy, immediately act when a vulnerability is identified, and address any harm caused when you fail to meet your obligations to consumers,” they wrote CEO Tim Cook. Apple didn’t comment.
Offices of attorneys general in Connecticut, North Carolina and Illinois confirmed involvement Friday in a multistate investigation of Facebook’s Cambridge Analytica privacy breach. Connecticut AG William Tong (D), North Carolina AG Josh Stein and Illinois AG Kwame Raoul (D) are helping lead the probe, their offices said. Bloomberg reported Pennsylvania also is involved. The office for AG Josh Shapiro (D) didn’t comment. AGs in New York, New Jersey, Massachusetts and Washington, D.C., previously announced investigations. Facebook has had “productive conversations” with AGs from various states, a spokesperson emailed: “Many officials have approached us in a constructive manner, focused on solutions that ensure all companies are protecting people’s information, and we look forward to continuing to work with them.”
Don't adopt a federal privacy law like the one in the “one-party” state of California, American Enterprise Institute Visiting Scholar Roslyn Layton recommended in Forbes Monday. Focus on empowering the FTC, the proper agency, she said.
U.S. efforts on Privacy Shield are welcome, but the EU still has concerns, the European Data Protection Board said Thursday after EDPB's Tuesday-Wednesday meeting. Among positive steps are changes to the initial certification process, own-initiative oversight and enforcement actions, publication of key documents such as decisions by the Foreign Intelligence Surveillance Act Court, appointment of new members to the Privacy and Civil Liberties Oversight Board and the appointment of a permanent ombudsman. President Donald Trump Jan. 18 nominated Keith Krach undersecretary of state for growth, energy and the environment (see 1901230051). EDPB said remaining issues include a "lack of concrete assurances" about indiscriminate collection and access of personal data for national security purposes, and questions whether the ombudsman has sufficient powers to remedy noncompliance with the trans-Atlantic data transfer regime. EDPB said checks for compliance with PS principles aren't strong enough. A December European Commission review found many improvements but warned the agreement could be shut down if no permanent ombudsman is in place by Feb. 28 (see 1812190002). The Computer & Communications Industry Association on Thursday urged the Senate to "expedite confirming the ombudsman."