Privacy protection isn't just about Facebook. On Friday, U.S. PIRG joined a complaint to the Federal Trade Commission that Facebook is in violation of a previous 2011 privacy order. Today, we also joined one alleging that Google's YouTube collects information about kids in violation of the Children's Online Privacy Protection Act (COPPA). And we haven't forgotten about the Equifax debacle.
Facebook's collection and sharing of information without user consent, of course, is the subject of several Congressional hearings this week featuring its founder Mark Zuckerberg. A key question is whether Facebook's sharing, which may have led to vast political implications, was in violation of a 2011 FTC privacy order, or consent decree. Law professor David Vladeck, who in 2011 was director of the FTC's Bureau of Consumer Protection and negotiated the decree, told The Atlantic this week that “I predict that if the FTC concludes that Facebook violated the consent decree, there will be a heavy civil penalty that could well be in the amount of $1 billion or more."
Our joint Facebook complaint alleges several violations of the order but focuses on one in particular. U.S. PIRG joined the Electronic Privacy Information Center (EPIC) and other groups (complaint) claiming that Facebook's use of facial recognition techniques without consent violates the order. This particular practice may also violate a ground-breaking PIRG-backed Illinois biometric information law.
The Facebook complaint argues the following:
"Facebook never obtained “affirmative express consent” for its deployment of facial recognition, as required by Part II of the 2011 Consent Order. The Commission’s analysis of the Order makes clear that Facebook must “give its users a clear and prominent notice and obtain their affirmative express consent before sharing their previously-collected information with third parties in any way that materially exceeds the restrictions imposed by their privacy settings. Since 2010, Facebook deployed extensive facial recognition practices on an opt-out basis without providing clear and conspicuous notice, without obtaining users’ express affirmative consent, and without effectively guiding users on how to opt-out of the default Tag Suggestions setting.
The complaint goes on to use a series of screen shots (read from left to right) to show how many layers a consumer must drill down even to exercise her facial recognition "choices." You must find "Privacy Shortcuts," then "Settings," then "Facial Recognition," then turn it off.
The complaint also notes that the rollout of facial recognition technologies raises both privacy and civil liberties concerns. Excerpt from the complaint:
"Facial recognition technology can be done covertly, even remotely, and on a mass scale. There is little that individuals can do to prevent collection of one’s image. Participation in society involves exposing one’s face. Ubiquitous and near effortless identification eliminates individuals’ ability to control their identities and poses a special risk to the First Amendment rights of free association and free expression, particularly to those who engage in lawful protests. [...] As large institutions begin using facial recognition on the public, it normalizes a privacy-invasive technology that lacks meaningful safeguards. The lack of regulation of facial recognition and other biometric surveillance methods means the data collected and used now for one purpose can easily be utilized for purposes not even imagined yet and without the consent from the targets of the technology."
But privacy isn't all about Facebook. Today, we also joined the Center for Digital Democracy's FTC filing (complaint) alleging that Google's YouTube collects information about kids in violation of the Children's Online Privacy Protection Act (COPPA). Leading children's protection, consumer and privacy groups including Consumers Union and the Campaign for a Commercial-Free Childhood are also on the complaint.
"[The groups allege that] Google, which owns YouTube, makes substantial profits collecting many types of personal information on kids on YouTube, including geolocation, unique device identifiers, mobile telephone numbers, and persistent identifiers used to recognize a user over time and across different websites or online services. Google collects this information without first providing direct notice to parents and obtaining their consent, and Google uses it to target advertisements to kids across the internet, including across devices. COPPA bars the operator of a website directed to children, or that has knowledge of children using it, from collecting and using such information without obtaining parental consent."
Of course, it remains to be seen what Congress and the FTC or Facebook and Google will do with these privacy complaints. Congress, for one, is now doing favors for Equifax (and all firms that commit privacy breaches) after an initial period of bluster, high dudgeon and drama last fall. We will be encouraging the FTC to take action on our privacy complaints, but the best hope for privacy protection in the U.S. comes from Europe. Mark Zuckerberg has indicated he will testify that Facebook will comply worldwide with the new European General Data Protection Regulation (GDPR), which is explained by Natasha Singer in the New York Times today. Our London-based colleague Anna Fielder of Privacy International told Singer that "she thought the new law would require the social network to change certain advertising and other settings to make privacy, and not sharing, the default."
Of course, the GDPR is only the new European law, not a worldwide rule. It should form the basis of a new U.S. privacy law for all data collectors, not simply another Facebook promise that might change. Equifax, Facebook and Google are not the only ones taking advantage of American consumers.