Hasbro, JumpStart Games, Mattel and Viacom agreed to pay $835,000 collectively in penalties and to institute changes to prevent third parties from illegally tracking, collecting and using personal data from children under 13 who visit those companies' popular websites, said New York Attorney General Eric Schneiderman Tuesday after a two-year investigation. Schneiderman, who held a web-streamed news conference and whose office issued a news release, said the results of the investigation were "frankly shocking." He said the companies violated the Children's Online Privacy Protection Act, which bars companies from specifically collecting children's data, including names, email addresses, cookies and IP addresses, without their parents' permission. Many of those companies' sites were "littered" with technologies to track and collect data illegally without the knowledge of the companies that operate the sites, he said. As part of the settlement, the companies will regularly monitor sites to identify unexpected third-party tracking, vet vendors before allowing them on their sites and update privacy policies, among other actions, he said. Hasbro, which owns popular sites like My Little Pony, said in an emailed statement it fully cooperated with the investigation and it's "rolling out a new, stricter online privacy protection policy for our partners, and enacting new protocols and technology to scan our digital properties for any cookies, widgets or other applications that may violate our policy." Mattel, which operates popular Barbie and Hot Wheels sites, said in an email it regards online privacy and security "very seriously" and takes "prompt action" to investigate and remedy issues anytime it's notified. Viacom, which owns Nickelodeon, said in an email it has a "longstanding commitment" to protect children's privacy and the AG's investigation resolves "an earlier generation of Nickelodeon websites." JumpStart didn't comment.

Sen. Al Franken, who asked the Pokemon Go developer in July for details about data it's collecting from users due to his privacy concerns (see 1607120072), said Niantic provided a seven-page comprehensive response and he plans to meet with company officials "in the near future" to clarify some answers. "The launch of Pokémon GO earlier this summer represented a new era in gaming, but shortly after the app's release, there were strong concerns about how it treats its users' digital data," said Franken, D-Minn., in a Thursday news release. People have a fundamental right to privacy and to know how their personal data is treated, he said. "That's why I pressed app maker Niantic to detail how Pokémon GO collects, uses, and shares its users' information," he added. He said he's particularly concerned about children who are playing the game. In the letter to Franken, Niantic General Counsel Courtney Power wrote about the mistake of requesting full Google account information from iPhone users, but also how it gets verification for players under age 13 and use of third parties to improve the game by sharing some information. Some other lawmakers and children's and privacy advocates have also raised concerns about Niantic's collection and use of data (see 1607150014, 1607190066, 1607200063 and 1607250009).

The FTC detailed the agenda for a Sept. 15 event on how company disclosures to consumers about advertising claims, privacy practices and other information are tested and evaluated. In a Monday news release, the commission said it's "especially interested in learning about the costs and benefits of disclosure testing methods in the digital age." Chairwoman Edith Ramirez, Chief Technologist Lorrie Cranor and Consumer Protection Bureau Director Jessica Rich will speak at the daylong workshop, which will feature academics, other FTC staff and representatives from technology companies. Twenty-two presentations will focus on cognitive models on how consumers process disclosures, methods and procedures to assess the effectiveness of such disclosures, whether people pay attention to various types of disclosures, how well they understand the disclosures and how disclosures affect consumers' decision-making processes. The event will also look at future research and case studies. The 9 a.m.-5:30 p.m. workshop, which will be webcast live, will be at FTC's Constitution Center auditorium, 400 7th St. SW.

Microsoft's Windows 10 operating system "sends an unprecedented amount of usage data back" to the company, so it could face backlash from users whose privacy is being disregarded, said the Electronic Frontier Foundation in a blog post Wednesday. EFF Intake Coordinator Amul Kalia wrote that some of the information sent back includes location data; text, touch and voice input; visited webpages; and telemetry data such as programs run and for how long. He said Microsoft "claims" the data is used to "'personalize' the software by feeding it to the OS assistant called Cortana." Many users might find that service useful, he said, but many other users would want to opt out to preserve their privacy. "While users can opt-out of some of these settings, it is not a guarantee that your computer will stop talking to Microsoft’s servers," wrote Kalia, saying users can't opt out of providing telemetry data at all. While the company has said the data is aggregated and anonymized, Microsoft doesn't explain how or say how long data will be retained, he said. It needs to offer "real, meaningful opt-outs," among other changes in security updates, he added. If not, "Microsoft may find that it has inadvertently discovered just how far it can push its users before they abandon a once-trusted company for a better, more privacy-protective solution," said Kalia. Microsoft "is committed to customer privacy and ensuring that customers have the information and tools they need to make informed decisions," emailed a spokesman. "We listened to feedback from our customers and evolved our approach to the upgrade process. Windows 10 continues to have the highest satisfaction of any version of Windows."

The FCC won't review Verizon’s proposed buy of Yahoo (see 1607250016), FCC Chairman Tom Wheeler said in the news conference after commissioners' meeting Thursday. “There aren’t any licenses that transfer.” The deal demonstrates the importance of the agency’s ISP privacy proceeding “and the questions that were raised in there as to what’s the appropriate use of network-generated information,” he said. Wheeler didn’t say when the FCC would consider a final privacy order. Some characterize the proposed rules as having a “chilling” effect on industry, Wheeler said: “Well, it certainly didn’t have an impact on this deal, it would appear.”

Nearly half of Americans polled said they were victimized by an online scam or had their credit card information or identity stolen, leading a majority to say the internet has become less safe, said a Digital Citizens Alliance survey report released Thursday. In the July 27-29 online survey of 1,215 Americans, 46 percent said they were defrauded or had their financial and personal data stolen, with one in three reporting a monetary loss. As a result, 52 percent said they felt the internet was less safe than five years ago, with only 12 percent saying it was more safe, the survey found. It said 71 percent want tougher federal and state laws against online criminals. "It's a bad sign when Americans think the internet is becoming less safe, so it's vital that governmental entities such as the Federal Trade Commission and others ensure that crime does not pay," said Tom Galvin, the group's executive director, in a news release. The survey also said 69 percent reported finding malware on their computers, and 42 percent said their credit card information was stolen and used. Plus, one in five reported either their computer or company's systems had been hacked at some time, the survey said. Vrge Analytics conducted the survey, with a margin of error of 4 percent.

The FTC approved a final order against AsusTeK Computer over allegations the company put personal information of thousands of consumers at risk on the internet because it didn't update software on its routers (see 1602230032), the commission said in a Thursday announcement. Commissioners voted 3-0 to approve the consent order, which requires the company to establish and maintain a comprehensive security program over the next 20 years that will be subject to independent audits. Asus must also notify customers about software updates or provide a way for customers to receive security notices, said the order. The commission said the order also forbids Asus from misleading customers about the security of its products. Asus, which settled with the FTC in February, didn't comment.

The Consumer Federation of America Wednesday published an online resource guide to help advocates, media, policymakers and others better understand privacy issues. In a news release, the group said the guide offers a sampling of surveys, studies and articles on advertising, attitudes toward privacy, big data, data brokers, data security, facial recognition, healthcare, IoT, and personalized pricing and discrimination. "Consumers should not have to make a choice between energy efficiency and privacy, or worry about their children enjoying Pokémon GO because their personal information is being collected and shared for purposes that have nothing to do with playing the game,” said Susan Grant, the group's consumer protection and privacy director.

CTA, CTIA, Mobile Future, NCTA, USTelecom and the Wireless ISP Association jointly urged the FCC to back away from privacy rules for ISPs. The record doesn't support heightened privacy rules for just ISPs, the groups said Monday in a joint blog post. “Opposition to the FCC’s proposed broadband privacy rules continues to grow,” they said. “The recently filed ‘reply round’ comments, new reports, and expert submissions to the Commission, and testimony before Congress all demonstrate a growing consensus that the Commission’s proposed approach is flawed and a new course must be taken -- one that protects consumer data, encourages innovation and growth online, and provides consistent and evenhanded standards for all internet companies.” The post cites numerous filings in opposition to the rules. “Many commenters echoed a fundamental point made by Ghostery in its two visits to the Commission -- that the proposed rules’ opt-in default and other problematic measures will undermine consumer choice and stifle innovation, depriving consumers of new choices, options, and alternatives online.”

U.S. federal, state and local law enforcement agencies sent nearly 136,000 subpoenas, orders, warrants and emergency requests for data about Verizon's customers during the first half of 2016, the telco reported Wednesday in a transparency report. That was about 9 percent fewer than Verizon received in the first half of 2015 from U.S. authorities. The carrier received more than 67,000 subpoenas, about 33,000 general and wiretap orders and pen registers, nearly 12,000 warrants and more than 23,000 emergency requests. Outside the U.S., the company said it received more than 1,200 demands in the first six months of this year -- slightly down from the same period last year -- from Belgium, France, Germany and other countries for customer names, addresses, phone numbers, IP addresses or transactional information like a log of numbers called. Verizon General Counsel Craig Silliman in a blog post said "importantly" none of the U.S. demands sought customer data stored in overseas data centers. He cited the significance of Microsoft's court win last week against the U.S. government, which sought information about a customer in the company's Ireland data center (see 1607140071). Verizon filed an amicus brief in that case "to ensure that our customers outside the United States have confidence that the U.S. government cannot compel Verizon to turn over their data stored in our overseas data centers," wrote Silliman. He touted congressional legislation called the International Communications Protection Act (see 1605250050) that would help limit the government's reach. ICPA would allow the government to get data on a U.S. citizen or resident with a warrant regardless of where it's stored, requiring the U.S. to use the mutual legal assistance treaty (MLAT) process to get information about non-U.S. persons stored overseas, said Silliman. The process is considered laborious and ICPA would streamline it, he said. DOJ last week unveiled a legislative proposal for a model bilateral agreement that would essentially bypass the MLAT process in certain circumstances (see 1607180026).