EPIC Educates the Public on Data Collection and Advocates to Protect Consumer Privacy in the Digital Age

TL; DR: The Electronic Privacy Information Center (EPIC) has fought to protect consumer privacy and civil liberties online since the early days of the internet. Today, the Washington DC-based nonprofit research center educates the public on the significant number of risks in the digital age. EPIC also advocates stronger consumer protection and privacy regulations before lawmakers and federal agencies. The organization says it is time for the United States to re-emerge as a global leader in privacy while also fighting to protect vulnerable children from the spying, data collection, and hacking made possible by IOT-connected toys. EPIC sees reasons for optimism ahead in 2018 as the implementation of a stronger European privacy law may affect devices sold in the US and new leadership takes over at the FTC.

When American drivers get behind the wheel, they don’t live in constant fear of other cars speeding through intersections because the traffic lights installed there help control the flow of traffic.

Sam Lester, a Legal Fellow with the Electronic Privacy Information Center (EPIC), a Washington DC-based nonprofit, says the US needs to take that same level-headed approach to improve consumer privacy protections in the age of cyber hacks, data breaches, and online tracking.

“It’s the wrong way to frame the issue to say consumers need to be wary and scared of all the spying that’s going on online and with connected devices,” Sam said. “That’s not how we approach other public policy issues. We don’t say, ‘Be scared of cars speeding through intersections when you get on the road.’ No, we have traffic lights.”

EPIC was established in 1994, and the public interest research center has focused on protecting privacy and civil liberties online since the early days of the internet.

That mission is particularly important in today’s digital age when bank accounts, credit cards, and personal information are all vulnerable to breaches. Internet providers can track our activities online and sell that information to marketers, and household appliances that are connected to the Internet of Things (IoT) collect data on users.

EPIC educates and informs the public on these issues through a mix of op-ed pieces, media appearances, resources, and research published on its website.

The organization also realizes that many consumers are not technically savvy enough to understand the privacy risks posed by shopping online, electronic financial records, or connected home devices.

“We take the position it should not be all on the consumer to understand these privacy risks because they aren’t very apparent to the consumer when they buy a product,” Sam said. “Like the inherent safety risks of a car or a toaster, the internal workings of a product are not known by an end user. Only public policy and regulation can address these concerns.”

EPIC regularly appears before lawmakers and agencies such as the Federal Trade Commission (FTC), Federal Communications Commission (FCC), and Consumer Product Safety Commission (CPSC) to advocate for stronger consumer protections.

EPIC representatives testified before congressional committees in the wake of the massive data breach at credit reporting agency Equifax to advocate for the establishment of a dedicated data security agency.

In addition to expanded government authority over credit reporting agencies and stronger enforcement actions in response to data breaches, EPIC’s current focus areas include IoT-connected children’s toys that collect personal information and are vulnerable to hackers.

In the year ahead, Sam said EPIC would push for stronger consumer privacy laws in the US — similar to those in Europe — and continue its advocacy on IoT connected toys, data security, and a series of other privacy risks before a brand-new FTC board.

The US was once a global leader on privacy issues. Over the decades, bipartisan support for privacy protection policies produced the Privacy Act, the Fair Credit Reporting Act, and laws limiting the legal use of wiretaps.

Today, EPIC says Europe has surpassed the US in terms of privacy protections — and the gap continues to grow. The European Union’s General Data Protection Regulation (GDPR), is set to take effect in May 2018. The GDPR was the product of four years of policymaking to establish a single set of standards that stretch across national boundaries to protect personal data. GDPR regulations require prompt notification of data breaches and include the “right to be forgotten,” which gives individuals the ability to have personal information or pictures removed from the internet and personal data deleted from companies‘ records.

“There was already a lack of parity between the United States and Europe on privacy protection, and that lack of parity is about to increase significantly. The US is going to be lagging behind Europe and other countries when it comes to protecting consumer privacy.” — Sam Lester, Legal Fellow with the Electronic Privacy Information Center

Browser services and companies that make smart devices will only be able to collect the data needed to fulfill specific user commands. That regulation has prompted the redesign of those devices and may affect some sold in the US, as well, Sam said.

Fines for violations will increase and a single authority will be established to oversee data security.

EPIC is advocating for several similar changes, including a national data security agency and standards and limits on the amount of data browsers and devices are allowed to collect, to protect consumers in the US.

“There was already a lack of parity between the United States and Europe on privacy protection, and that lack of parity is about to increase significantly,” Sam said “ The US is going to be lagging behind Europe and other countries when it comes to protecting consumer privacy. The US needs to be a global leader on privacy. We are the global economic powerhouse. We have always been a global leader on policy, and we were once a global leader on privacy.”

Privacy advocates are particularly concerned about the capability of IoT-connected toys to collect data and personal information on young children for marketing purposes — as well as the devices’ vulnerability to hackers.

“We think toys shouldn’t be collecting data from children at all,” Sam said. “There is a specific privacy law that protects children because Congress recognized children are not aware of their privacy and cannot protect it as adults can.”

In 2016, EPIC was one of four advocacy groups that filed a complaint with the FTC against the makers of My Friend Cayla and i-Que Intelligent Robot, two toys young children can interact with. The complaint alleged that the toys were recording and storing conversations and information about young children and using that data for marketing purposes.

“The toys would record interactions, talk back to children, and ask them personal questions to profile them. They would sell information to third-party advertisers or the toy would have an advertisement on it based on what the child liked,” Sam said. “Children don’t understand the privacy risk, especially in the under-10 age range they were marketing to. It’s just unconscionable to think these toys were preying on the vulnerability of children to collect data for marketing purposes. Worse yet, these toys are hackable. All of a sudden, a hacker, not just a toy manufacturer, might be interacting with your kids.”

Sam said the issue attracted media attention during the Christmas shopping season and EPIC plans to continue its advocacy on the issue before the new members of the FTC.

Massive data breaches, cyberattacks, and online tracking are persistent risks today. EPIC says the proper response to those threats is to establish and enforce stronger consumer privacy protection regulations and standards — not to live in fear of going online.

“The issue is not about being afraid of the brave new world that now exists or being afraid of using smartphones, computers, and the internet,” Sam said. “Privacy is an issue of personal liberty, personal autonomy. It’s fundamental to our Constitution. These issues of data collection that consumers face need to be addressed by adequate legislation.”

This year, Sam said there are reasons to be optimistic. First, EPIC feels that the tougher rules the EU is implementing with the GDPR will also lead to redesign and privacy improvements for smart devices sold in the US. Second, is the new FTC membership.

In confirmation hearings, every FTC nominee said that responding to data breaches was a priority challenge for the new leadership.

“We’re cautiously optimistic about the new leadership at the FTC,” Sam said. “We have never seen a federal agency have a wholesale makeover like the FTC is about to have with five new commissioners. We are going to be going to them aggressively, as well as the FCC, the CFPB (Consumer Financial Protection Bureau) and the Consumer Product Safety Commission.”