MediaPost: Privacy Watchdog Unimpressed With New State Laws 

While more than a dozen states have recently passed sweeping laws regarding consumer data, most don’t go far enough to actually protect privacy. That’s according to the advocacy group Electronic Privacy Information Center, which Thursday released a report examining the state laws. 

“Weak, industry-friendly laws allow companies to continue collecting data about consumers without meaningful limits,” the group writes in the new report, “The State of Privacy,” which explores laws in 14 states — California, Colorado, New Jersey, Oregon, Delware, Connecticut, New Hampshire, Montana, Texas, Virginia, Indiana, Tennessee, Utah and Iowa. 

The report, written in conjunction with the U.S. Public Interest Research Group, concludes that current state laws “largely fail to adequately protect consumers.”

Read more here

The Record: State privacy laws have been crippled by big tech, new report says 

The tech industry has shaped a series of weak privacy laws nationwide, according to a new report, with half of the 14 states to have passed such laws receiving failing grades and none receiving an “A” on the report’s scorecard. 

The Electronic Privacy Information Center and U.S. PIRG Education Fund assessed the 14 bills across several metrics, including whether they have provisions for strong enforcement; how much transparency they offer into data risk assessments; whether they include strong individual data rights such as opt-out signals; if they bar manipulative design; and whether they strongly define what constitutes personal data and covered entities. 

The report argues that the lack of a federal privacy law to govern a multibillion-dollar industry’s data practices has opened the door to states enacting lax privacy laws nearly across the board. 

“Weak, industry-friendly laws allow companies to continue collecting data about consumers without meaningful limits,” the report states. “Consumers are granted rights that are difficult to exercise, and they cannot hold companies that violate their rights accountable in court.” 

Read more here.

Bloomberg Law: Connecticut Privacy Report Details Company Leeway in Enforcement 

The findings come as advocacy groups such as the Electronic Privacy Information Center argue that state comprehensive privacy laws do little to limit how companies use personal data. A report released Thursday by EPIC and the US PIRG Education Fund argues that state laws need stronger enforcement to be effective. It gave Connecticut a D grade for its law, which it called overly favorable to the tech industry and “a favored piece of template legislation for lobbyists, particularly in bluer states.”

Read more here.

FCC Adopts EPIC Recommendations to Safeguard 911 Location-Based Routing Data

On January 25, the Federal Communications Commission adopted its Report and Order on Location-Based Routing (LBR) for 911 calls. Rather than directing a 911 call to an emergency assistance call center based on the area code of the phone (e.g., directing a 202 area code number to DC), or based on what cell tower is nearby (which could result in inaccurate dispatch 10% or more of the time), LBR directs the call based on the precise location of the caller.

In its order, the FCC agreed with EPIC that its existing rules for safeguarding the privacy and security of dispatchable location information (i.e., where emergency responders are sent) should apply equally to the precise location information used in LBR. This requires providers to certify that neither they nor their vendors use the information or associated data for any non-911 purpose except with prior express consent or as otherwise required by law, and to certify that providers and their vendors have implemented sufficient privacy and security measures to safeguard this information. At EPIC’s suggestion, the FCC also clarified that LBR data is subject to the same requirements and exemptions as dispatchable location data under Section 222, which means that the caller’s location data must be treated as confidential information except when providing it to an emergency response authority in connection with a 911 call.

EPIC regularly regularly files comments with the FCC and advocates for improved safeguards for location data, the privacy and security of emergency assistance requests, and greater consumer protection from the unsavory practices of data brokers.

EPIC Urges FCC to Offer Wi-Fi Without Surveillance to Students

On January 29, EPIC filed reply comments with the Federal Communications Commission supporting the FCC’s proposal to expand its E-Rate program to include Wi-Fi hotspots but urging the Commission not to require surveillance of users’ online activities through those hotspots. The E-Rate program uses discounted pricing to facilitate schools and libraries providing free internet access to their students and patrons. EPIC argued that concerns about use of the hotspots for non-educational purposes should not frustrate the FCC’s goal of making the internet available to students without reliable internet access at home, nor should the FCC introduce new privacy and cybersecurity vulnerabilities that may expose data about students and their families. EPIC further illustrated the harms of prioritizing program integrity over program utilization by citing to several examples of public benefits programs that wrongfully denied eligible people, largely due to automated decision systems.

EPIC regularly files comments with the FCC and has long advocated for consumer privacy protections in broadband services and student privacy in particular.

Google’s Location Data Policy Update: Why Users Need More Than Pinkie Promises to Protect Their Most Sensitive Information

In December 2023, Google announced an update to its location data policy to provide users with more control over their sensitive location information. While this seems like a promising step in the right direction, we should be mindful of Google’s long history of failing to uphold its privacy obligations and vigilant in monitoring Google’s follow-through on its commitments.

Google’s Unfulfilled Promises to Protect Users’ Location Data

In July 2022, shortly after the U.S. Supreme Court invalidated the constitutional right to an abortion in Dobbs v. Jackson’s Women’s Health Organization, Google publicly promised to take new steps to protect users’ location data. In particular, Google said that it would delete location records that revealed whether a user had visited certain types of medical facilities soon after each visit. These facilities include counseling centers, addiction treatment facilities, domestic violence shelters, fertility centers, weight loss clinics, surgery clinics, and abortion clinics. Google promised that the change would go into effect in “the coming weeks” after the announcement.

But in November 2022, research by Accountable Tech showed that Google had failed to follow through on its policy change. In May 2023, follow-up reporting confirmed that failure. And nearly a year and a half after its initial promise to protect users’ location data, further research and reporting confirmed that Google had retained location data revealing visits to abortion clinics in about 50% of experiments conducted by Accountable Tech. The disconnect between Google’s public promises and its actual handling of users’ location data prompted EPIC and Accountable Tech to file a complaint with the Federal Trade Commission in January 2024. The groups urged the Commission to investigate Google, impose civil penalties, order the company to disgorge wrongfully retained location data, and enjoin Google’s unlawful location data practices.

Despite the failure to fulfill its 2022 location data promises, Google announced another update to its location data practices in December 2023. Once the changes take effect, the announcement promises that a user’s Location History timeline will be stored on the user’s device and that the default auto-delete control period for location data will shrink to three months from the previous period of 18 months. Google also promises to give users the option to delete activity related to specific places from Maps. As with the July 2022 announcement, Google provided no date certain for when the updates will take effect.

Location Data Reveals Highly Sensitive Details About Us

Location data can reveal a lot about us. Records of a person’s physical movements through the world can divulge sensitive information: a health condition inferred from a person’s visits to a dialysis clinic, someone’s religious affiliation inferred from their attendance at a mosque, or an individual’s sexuality inferred from his attendance at a gay speed dating event. Some location information may seem innocuous in isolation, but when these data points are collected over time, they can form a detailed profile of a person. Apps, phone providers, mobile ad companies, and…

RELEASE: Report: State Laws are Failing to Protect Privacy

Thursday, February 1, 2024 6:30 AM ET

Report: State Laws are Failing to Protect Privacy

Big Tech’s Influence on State Privacy Laws is Harming Consumers

WASHINGTON, DC  –  Today, the Electronic Privacy Information Center (EPIC) and U.S. PIRG Education Fund released The State of Privacy: How State “Privacy” Laws Fail to Protect Privacy and What They Can Do BetterThe report found that nearly half of the 14 states that have passed so-called comprehensive privacy laws received a failing grade, and none received an A. 

Because Congress has failed to pass a comprehensive privacy law to regulate the technologies that dominate our lives today, state legislatures have tried to fill the void in order to protect their constituents’ privacy. Unfortunately for consumers, in states across the country, legislators introducing consumer privacy bills have faced a torrent of industry lobbying vying to weaken protections. Nearly everywhere, they have succeeded. Of the 14 laws states have passed so far, all but California’s closely follow a model that was initially drafted by industry giants.

“Many of these ‘privacy laws’ protect privacy in name only,” said Caitriona Fitzgerald, deputy director of EPIC. “In effect, they allow companies to continue hoarding our personal data and using it for whatever purposes they want. Big Tech should not be allowed to write the rules.” 

The report details the measures states should be incorporating into legislation to better protect consumers, including:

  • Data minimization obligations on companies that collect and use personal information – taking the burden off individuals to manage their privacy online and instead requiring entities to limit their data collection to better match consumer expectations. 
  • Strict regulation all uses of sensitive data, including health data, biometrics, and location data. 
  • Strong civil rights safeguards online.
  • Limits on the harmful profiling of consumers. 
  • Strong enforcement and regulatory powers to ensure the rules are followed.

“The best way to keep data secure is to not collect it in the first place,” said R.J. Cross, U.S. PIRG Education Fund’s Don’t Sell My Data campaign director. “A law that really protects consumers would prevent companies from collecting and using people’s data however they want. Unfortunately, there’s not a privacy law in the country that does this as well as it should. The laws that are passing in most places are a bad deal for consumers.” 

Some states such as Illinois, Massachusetts, Maine, and Maryland are considering stronger comprehensive consumer privacy legislation that would limit the data companies are allowed to gather about consumers to what’s necessary to deliver the service consumers are expecting to get. 

“Grading these laws really makes it clear that they’re almost all copy-and-paste versions of a bill industry originally wrote,” said Kara Williams, Law Fellow at EPIC and report co-author. “It’s encouraging to see some states considering a different approach.”

###

ABOUT EPIC

The Electronic Privacy Information Center (EPIC) was established in 1994 to protect privacy, freedom of expression, and democratic values in the information age. Our mission is to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation. 

US Foreign Policy Is a Far Cry from the Founders Intent

In July 2021, the Watson Institute of Public Affairs at Brown University reported that since September 11, 2001, 7,057 US military personnel have been killed in military operations in Iraq and Afghanistan alone. Civilian contractor deaths reached 8,000, although the institute admits this is an estimate considering many contractors were not US citizens, so some deaths went unreported. Finally, 30,177 US service members would commit suicide after their deployments to these war zones, and the number of wounded veterans is even higher, as the Watson Institute would claim:

Over 1.8 million veterans have some degree of officially recognized disability as a result of the wars—veterans of the current wars account for more than half of the severely disabled veteran population. Many additional veterans live with physical and emotional scars despite lack of disability status or outstanding claims.

Since September 11, the US government has participated in three major conflicts: the second war in Iraq, the war in Afghanistan, and military operations in Iraq and Syria against the Islamic State of Iraq and Syria (ISIS). But they have also led operations in Libya to overthrow Muammar Gaddafi and in Yemen in support of the Saudi government, despite the fact that Saudi bombings and blockades pushed the country to the brink of starvation.

Twenty-three years after September 11, neoconservatives in Congress, the State Department, and the Pentagon are still pushing the same war hawk policy in Ukraine, Israel, and Syria. American foreign policy is out of step with the Constitution and the original intent of the founding fathers. It is time for the men and women who push this policy to be held accountable.

The Founders’ Intent

At the Reagan National Defense Forum in Simi Valley, California, Defense Secretary Lloyd Austin made remarks about American leadership. He highlighted the importance of an American military presence throughout the world in order to protect “democracies’’ like Ukraine and Israel. Secretary Austin also had remarks about noninterventionists:

You know, in every generation, some Americans prefer isolation to engagement—and they try to pull up the drawbridge. They try to kick loose the cornerstone of American leadership. And they try to undermine the security architecture that has produced decades of prosperity without great-power war. And you’ll hear some people try to brand an American retreat from responsibility as bold new leadership. So, when you hear that, make no mistake: It is not bold. It is not new. And it is not leadership.

Secretary Austin needs a history lesson in the founding ideals of the United States. If what he said is true, then American figures such as George Washington and Thomas Jefferson were bad leaders. President George Washington issued a neutrality proclamation in response to the revolution in France and the subsequent declaration of war on Austria, England, and Prussia, which embroiled the whole European continent in war. In President Washington’s farewell address on September 19, 1796, he made his vision for American foreign policy clear: “It is our true policy to…

The Daily Upside: Google Patent Could Track Users Based on Wi-Fi Connection 

While Google’s patent indicates that this tech could automatically activate devices based on user presence, physical sensors have long filled that gap, so it’s unclear how this kind of tech offers anything different from a motion-activated porch light, said Sara Geoghegan, counsel for the Electronic Privacy Information Center.  

With a lot of innovations in consumer tech, the common case is that companies will ask for more and more personal data, and in return users get more convenient and useful features. This leaves the consumer to decide how much trust they’re willing to put into these tech firms for the sake of convenience.  

But with this tech, Geoghegan said, “It seems that the potential benefits that this software service could provide already exist with significantly less privacy-invasive services. Like a lot of things in our space, I think that there is often this idea that there is some sort of convenience or benefit. But if you really look at it, it’s quite minimal.”  

Google, meanwhile, gains access to continue growing its “troves of personal information,” said Geoghegan. And while Google does make the caveat that these systems may come with privacy-preserving identifiers for the users it tracks, the fact that this system may be operated through a cloud-based system presents its own risks. 

Read more here.

Boston Globe: Amazon abandons plan to purchase Bedford-based iRobot; Roomba maker cuts 350 jobs

The proposed iRobot acquisition has also alarmed privacy advocates. Calli Schroeder, senior counsel for the Electronic Privacy Information Center, pointed out that Amazon has a roster of electronic products that collect household data, including Echo smart speakers and Ring security cameras. “They already have a bunch of technology that is privy to very, very personal information, because it’s focused on our home,” she said. 

Schroeder believes Amazon wanted iRobot because its advanced Roomba machines use cameras to create maps of the rooms it cleans. This would give Amazon even deeper insights into the habits of its customers. But it could also violate users’ privacy, if the collected data was stolen or abused. For instance, MIT Technology Review reported in 2022 that images captured by prototype Roomba machines wound up on Facebook after iRobot shared them with a business partner that helped train the Roomba’s artificial intelligence software. 

Schroeder celebrated the collapse of the deal on Monday. “It looks like the privacy side won,” she said. “We’ve got to take those victories anywhere we can get them.” 

Read more here.