Mobile apps by Sega and iTriage allowed third parties to collect and use consumers’ precise location for third-party ads without notifying users or obtaining their consent, said the Advertising Self-Regulatory Council in a Thursday news release. The Sega game, Sonic Runners, also raised issues under the Children’s Online Privacy Protection Act, which says no personal information may be collected from children under 13 without obtaining parental consent. While the game used an age gate to meet COPPA, the gate didn’t function properly, ASRC said. Sega and iTriage cooperated with ASRC’s Online Interest-Based Advertising Accountability Program, pledging to comply with Digital Advertising Alliance standards in current and future apps. After Sega was notified about the problems, the video game company removed Sonic Runners from app stores and removed all third-party ads before offering it to the public again, while also pushing a mandatory update to all current users, ASRC said. Later this month, Sega will shut down Sonic Runners forever, said the company’s website. The Aetna-owned iTriage committed to stop using location data for ads and agreed to add real-time notice of data collection and use with links to an opt-out mechanism on its app and the iTriage and Aetna websites. They also pledged to be transparent and give users a choice to participate if they decide to allow third-party use of personal directory data or healthcare data for interest-based ads, ASRC said. “Today’s decisions are a win for both consumers and advertisers,” said Genie Barton, director of the Accountability Program.
Troubled over potential privacy implications with the popular new smartphone game Pokémon Go, Sen. Al Franken, D-Minn., Tuesday asked game creator Niantic to provide details about the data it's collecting from users. Franken, ranking member on the Senate Judiciary's Privacy and Technology Subcommittee, called the game's popularity “impressive” -- with 7.5 million downloads in the U.S. since its July 6 launch -- but added in a news release that "Niantic may be unnecessarily collecting, using, and sharing a wide range of users’ personal information without their appropriate consent." Pokémon Go is an "augmented reality app" that uses a mobile device to introduce animated creatures and activities into views of the real world, including a user's exact location, email and IP addresses, last website visited and/or Google accounts, said the release. Franken sent a letter to the San Francisco-based company asking several questions about the data collected by the app, whether it would support an opt-in option, user information shared with third parties and how it ensures that parents provide meaningful consent for their child's use. A phone message left with Niantic was not immediately returned.
Thirty civil liberties, technology and government watchdog groups are urging Senate leaders to hold public hearings on a proposal that would give the FBI wider access to Americans' internet browsing history and other metadata without a court warrant. "The proposal, if enacted, would remove necessary judicial oversight of the FBI's access to these personal records and would threaten individuals' privacy," wrote the coalition in a Monday letter to Senate Judiciary Committee Chairman Chuck Grassley, R-Iowa, and Senate Intelligence Chairman Richard Burr, R-N.C. At issue is expansion of national security letters (NSLs), which are like administrative subpoenas, that the coalition says would permit "the FBI to unilaterally issue demands" for sensitive data like "logs of who individuals communicated with online via email, chat, video, and text; what services they subscribe to; what times they sign into and out of their accounts; IP addresses; and much more." Such data are called electronic communications transactional records (ECTR). The groups said the NSL statute "has been the subject of significant abuse" because there's no check against it. Last month, the Senate failed to end debate on the amendment to the Commerce, Justice and Science Appropriations bill (see 1606220075). Before then, Sen. John Cornyn, R-Texas, introduced an ECTR amendment to legislation updating the Electronic Communications Privacy Act that forced that bill's sponsors to withdraw it, likely jeopardizing its passage this session (see 1606090007). The coalition -- including Access Now, the American Civil Liberties Union, Computer & Communications Industry Association, New America's Open Technology Institute and TechFreedom -- said senators should have the opportunity in a public setting to probe the FBI's current needs and challenges raised by this proposal as well as understand its impact, before voting on the amendment again.
A CNN app user who subsequently sued CNN has no standing under Article III for an appeal of that unsuccessful lawsuit since the plaintiff didn't allege he or any hypothetical class suffered any qualifying injury from CNN's disclosures, CNN said in a motion to dismiss (in Pacer) filed Tuesday with the 11th U.S. Circuit Court of Appeals. CNN said Ryan Perry's complaint rests solely on the Video Privacy Protection Act (VPPA), and pointing to the Supreme Court's Spokeo v. Robins decision -- which requires concrete injury even in a statutory violation in order to have standing -- said, "This is not enough." Perry sued CNN in 2014, alleging violations when the network shared data of its mobile app user with its analytics provider, Bango, and a U.S. District judge in Atlanta subsequently granted CNN's motion to dismiss. In a civil appeal statement (in Pacer) filed in June with the 11th Circuit, Perry said under VPPA subscribers are authorized to sue for unlawful disclosure of some data, but the 11th and 1st circuits have been divided over the meaning of the word "subscriber" in the VPPA. Counsel for Perry didn't comment Wednesday.
The EU should rethink its e-privacy directive since it duplicates existing and new laws such as the general data protection regulation and "creates a fragmented privacy regime," said the Internet Association in a Tuesday news release. In a filing to the EU, the group, which represents almost 40 internet companies including Facebook, Google and Twitter, said the directive has been "superseded" by several new legal instruments (see 1512160001) and creates "ambiguous implications." Internet Association General Counsel Abigail Slater said in the release the EU should assess the directive’s "continued relevance." She said data protection policies also should include encryption and other mechanisms to safeguard people's electronic communications without back doors that weaken such protections.
Mobile advertising company InMobi will pay $950,000 in civil penalties and institute a comprehensive privacy program, settling FTC allegations the Singapore-based company tracked locations of hundreds of millions of consumers without their knowledge or consent -- including children without parental consent -- in an effort to provide geo-targeted ads, said the commission Wednesday in a news release. Commissioners voted 3-0 to approve the stipulated order and refer the complaint to DOJ, which filed both documents with the District Court for the Northern District of California. InMobi has an ad network that reaches more than 1 billion devices globally through thousands of popular apps and can serve those ads based on consumers' locations, the release said. The FTC alleged the company "misrepresented that its advertising software would only track consumers' locations when they opted in and in a manner consistent with their device's privacy settings." But InMobi tracked consumers even when they denied permission to access their locations, FTC said. The commission also alleged the company violated the Children's Online Privacy Protection Act (COPPA) by collecting data from apps directed at children "in spite of promising that it did not do so," the release said. The agency said the settlement subjected InMobi to a $4 million civil penalty, but it was reduced to $950,000 because of the company's financial condition. InMobi also must delete all data collected from children and is prohibited from further violating COPPA. The company also needs to get express consent from consumers to collect their location data and must delete any information from consumers who didn't consent, the commission said. InMobi will implement a comprehensive privacy program that will be audited every two years for the next two decades, the FTC said. 
The company emailed that it has "implemented a process to exclude any publisher’s site or app identified as a COPPA app from interest-based, behavioral advertising." During the FTC's investigation, the company said it "discovered" a "technical error" on its end that resulted in some COPPA sites being served with interest-based campaigns on its network. "InMobi promptly notified the FTC of this issue as soon as it was discovered and has made it clear from the outset that this was by no way means deliberate," it said, saying it has been compliant. The company said it would only use Wi-Fi information to serve location-based targeted ad campaigns when a user "has authorized the app to collect and transmit the same."
Citing the damage data breaches could inflict on businesses and consumers, FTC Commissioner Maureen Ohlhausen told participants Wednesday at the commission's Start with Security forum in Chicago that it's important to integrate security practices into a company. "So whether you’re building an app or managing your network or choosing your vendors, sound security practices are not an accident," she said. "They begin with a commitment to prioritize security within a business’s culture." Data breaches, she said, can harm a company's financial interests and reputation and result in a loss of consumer confidence. Consumers whose data is stolen can become victims of fraud and identity theft, she said. For instance, 16.6 million people -- U.S. residents 16 years and older -- were victims of identity theft in 2012, mainly credit card fraud, said Ohlhausen, citing the Bureau of Justice Statistics. She also cited the FTC's enforcement approach in making sure that companies have reasonable security practices and protections, and recent actions against AsusTeK Computer, Henry Schein Practice Solutions and Oracle (see 1602230032, 1605230030 and 1603290046). The Chicago workshop, with several panels of security experts providing insights and practical tips for the broader business community, is the fourth over the past year, including stops in Austin, San Francisco and Seattle.
Electronic health record company Practice Fusion settled FTC charges that it misled consumers into providing doctor reviews without telling them such feedback would be publicly posted on the internet, disclosing sensitive personal and medical information, the commission said in a news release Wednesday. The commission voted 3-0 to issue an administrative complaint and accept the consent agreement, which will be published soon in the Federal Register and be open for public comment through July 8. "Companies that collect personal health information must be clear about how they will use it -- especially before posting such information publicly on the Internet," said FTC Consumer Protection Bureau Director Jessica Rich in a statement. The settlement will require the cloud-based EHR company to get a patient's "affirmative consent" and "clearly and conspicuously disclose" that such information would be publicly available, the release said. The agreement also bars the company from making deceptive privacy or confidentiality statements about collected patient data. FTC said Practice Fusion sought to launch a public healthcare provider directory in 2013 and, during the prior year, solicited feedback through a "satisfaction survey" from patients of providers using the company's EHR service. Patients believed such feedback would be shared only with their providers and many included personal data, such as their full name, phone number and medical inquiries, the release said. For example, one patient asked about a Xanax prescription and dosage, while another inquiry related to the mental state of the consumer's daughter and provided a phone number, the complaint said. Practice Fusion said in a blog post Wednesday the consent agreement "does not represent an admission of wrongdoing," doesn't impose monetary damages or allege its current actions are "problematic."
Fifteen state attorneys general encouraged the FCC to follow the FTC's recommendation to address privacy concerns about third-party set-top boxes, said an ex parte filing posted online Monday in docket 16-42. Multichannel video program distributors "should provide access only to third-party set-top boxes that have provided consumer facing privacy statements," the filing said. "Requiring consumer-facing statements would enhance the States’ abilities to pursue consumer protection actions against third-party set-top box manufacturers." That logic is consistent with a letter sent to the FCC by the FTC earlier this year (see 1604220063). The 15 AGs represented in the letter included those from California, Vermont, Oregon, Massachusetts, Iowa and Washington, D.C.
The EU-U.S. "umbrella agreement" will set a high bar for protecting trans-Atlantic personal data transferred by law enforcement agencies, will strengthen legal certainty and will boost the rights of people, DOJ said in a news release. The new agreement (see 1606020018), which awaits approval by the European Parliament, is aimed at improving EU-U.S. cooperation to fight crime, including terrorism. DOJ called it a "major step forward" in relations. Thursday's signing was in Amsterdam during an EU-U.S. Ministerial Meeting on Justice and Home Affairs and was attended by Attorney General Loretta Lynch, Homeland Security Deputy Secretary Alejandro Mayorkas and European Justice Commissioner Věra Jourová, DOJ said.