The FTC should investigate Google’s potentially “deceptive” collection of Android users’ sensitive location data, Sens. Ed Markey, D-Mass., and Richard Blumenthal, D-Conn., said Monday. The lawmakers cited an investigation by Quartz, alleging Google gathers Android user location data when location services are disabled. Google’s privacy settings allow “an intimate understanding of personal lives as they watch their users seek the support of reproductive health services, engage in civic activities, or attend places of religious worship,” the lawmakers wrote to CEO Sundar Pichai. Google and the FTC didn’t comment.
While 76 percent of people “are very concerned about the safety of their personal information online,” only 24 percent reported altering their Facebook accounts after the Cambridge Analytica privacy breach, Mozilla said, releasing a survey Tuesday. Of the 47,000 participants, 65 percent said individuals, not government or platforms, are most responsible for protecting their digital data, and 12 percent expressed a willingness to pay for a Facebook not reliant on data collection and sales.
The FCC is deferring to the FTC to investigate reports that comScore, Dish Network and TiVo may have sold data on subscribers’ viewing habits to already-embattled political data analytics firm Cambridge Analytica, FCC Chairman Ajit Pai said in a letter to Rep. Debbie Dingell, D-Mich., released Friday. Dingell asked Pai in early April to open an investigation into the claims, citing existing federal scrutiny of Cambridge Analytica over its alleged misuse of Facebook users’ private information. The FTC is conducting a nonpublic investigation into whether Facebook violated its 2011 privacy consent decree because of Cambridge Analytica’s actions (see 1803260039). “Given the specific protections laid out under the Communications Act and the troubling scope of the recent revelations regarding Cambridge Analytica, I believe the [FCC] should bring its investigatory resources to bear to protect consumers' privacy,” Dingell told Pai. The FCC has “limited authority” to investigate Dingell’s claims given “neither TiVo nor [c]omScore is a satellite or cable operator and it is unclear” whether Dish shared individual personally identifiable information, Pai responded: “As our nation’s premier privacy cop on the beat, the FTC has already announced” its investigation of Facebook’s actions, so Dingell’s claims about other companies’ dealings with Cambridge Analytica could fit into its proceeding. “I am sure this inquiry will be in good hands, given our sister agency’s well-established record of protecting consumers’ privacy and mandate to examine potentially unfair and deceptive practices,” Pai said. “We need regulators who will follow their obligations under the law and conduct thorough investigations instead of passing the buck,” Dingell said in a statement.
Facebook unveiled a “sleep mode” for its Messenger Kids application Friday, letting parents control their children’s access to the application throughout the day. Parents will be able to schedule “off times” for the application from their Parent Control center in their Facebook account.
Kudos & Co. agreed to modify privacy practices for its social media app to comply with the Children’s Advertising Review Unit’s Self-Regulatory Program for Children’s Advertising, CARU said Thursday. CARU determined the app’s “method of obtaining parental consent was insufficient for its information collection practices and did not meet” federal Children’s Online Privacy Protection Act requirements. To comply, “Kudos joined and completed certification through an FTC-approved Safe Harbor program,” the company said in a statement.
Seventeen of 22 internet, mobile and telecom companies tracked by a New America report improved scores on at least one issue like privacy, security and corporate governance, yet "companies still fall short," it said Wednesday. Top-rated, in order from highest to lowest, were Google, Verizon's Oath, Microsoft, Facebook, Twitter and Vodafone, with percentage scores in the 50s or low 60s. AT&T had a "digital rights" score of 49 percent, Apple 44 percent and Samsung 28. The lowest rated was Ooredoo, a Qatar mobile and broadband firm. Apple and Twitter improved the most and third-most from the 2017 ranking (see 1703210015). Much of Apple's "improvement was due to improved transparency reporting, plus new direct disclosure to users on its own website of information that it had previously only disclosed to experts and other third parties," an executive summary said. Overall, another summary of the 143-page report said, "Companies fail to disclose enough about what user information is collected and shared, with whom, and under what circumstances. ... Companies provide insufficient evidence of measures to protect users’ information." The Internet Association didn't comment, nor did Apple, AT&T, Ooredoo or Samsung.
Sonos doesn’t “and will not sell your data to third parties,” it said in a lengthy update of its privacy policy Tuesday. The company “will be clear about the data we collect and why,” it said, saying the primary purpose of collecting data is to improve users’ listening experience. Information Sonos users “voluntarily provide” -- name, phone number and email address -- is used when users want to learn more about Sonos products and services or when they contact customer support, it said. Data collected automatically -- functional and usage data collected by using cookies and similar technologies -- includes operating system and version, IP address, general geographic location, browser type, webpages viewed on Sonos websites and “whether and how you interact with content available on our websites,” it said. The company may receive information about users from other sources, “including third parties, such as music service partners and partners with whom we offer co-branded services or engage in joint marketing activities,” it said, along with “information about you from social media platforms, for instance, when you interact with us on those platforms.” Sonos doesn’t target children under 16 years old, it said. Visitors of all ages can navigate Sonos’ app or website, but the company said it doesn’t “knowingly collect or request personal information from those under the age of sixteen without parental consent.” If it discovers after notification by a parent or guardian that a child under 16 has been improperly registered by using false information, “we will cancel the child's account and delete the child's personal information from our records,” it said.
Sens. Amy Klobuchar, D-Minn., and John Kennedy, R-La., introduced privacy legislation Tuesday that would allow users to opt out of online platform data collection and tracking. The bill would require platforms to provide “clearer” privacy disclosures and alert consumers of privacy violations within 72 hours. “Every day companies profit off of the data they’re collecting from Americans, yet leave consumers completely in the dark about how their personal information, online behavior, and private messages are being used,” Klobuchar said. Kennedy said he doesn’t want to regulate Facebook “half to death” but his job is to protect the rights and privacy of U.S. citizens. He called the bill’s requirements “simple steps that online platforms should have implemented in the first place.”
The Department of Homeland Security should release unclassified documents shedding new light on the threat of cellsite simulators, or StingRays, in Washington and around the U.S., said Sens. Ron Wyden, D-Ore.; Cory Gardner, R-Colo.; Rand Paul, R-Ky.; and Ed Markey, D-Mass., in a letter to DHS Wednesday (see 1804100015). “The American people have a legitimate interest in understanding the extent to which U.S. telephone networks are vulnerable to surveillance and are being actively exploited by hostile actors.” The group asked DHS to release a PowerPoint presentation containing “additional details about the use of rogue [international mobile subscriber identity] catchers in the U.S." The presentation for federal employees had been marked "for official use only." DHS didn’t comment.
A Vermont privacy bill about data brokers is unconstitutional, said the Software & Information Industry Association on a blog and letter this week to state senators. The House-passed HB-764, pending in the Senate, would mandate security standards for data brokers and require them to register annually with the Vermont secretary of state to “provide information about their data collection activities, opt out policies, purchaser credentialing practices, and security breaches.” The bill “violates both the First Amendment and the Commerce Clause of the U.S. Constitution,” SIIA General Counsel Chris Mohr said in a Tuesday statement. “It requires anyone who sells so-called ‘personal information’ to register with the state and comply with a slew of security requirements. The bill does nothing to protect privacy and will only burden Vermont’s existing technology companies and deter others from setting up shop there.” The Vermont Public Interest Research Group in February supported the bill as “an important step to give Vermonters better protections and more control when it comes to their sensitive information.”