Posts tagged with "FTC"

CarShield ordered to pay $10 million federal settlement over deceptive repair coverage ads

August 2, 2024

CarShield—a company that sells vehicle service contracts to automobile owners that it claims will cover the cost of certain repairs—has agreed to pay $10 million in a settlement with federal regulators over charges that its marketing tactics were deceptive and misleading, reports NBC News.

In a statement released on Wednesday, July 31, the Federal Trade Commission said CarShield, which employs celebrity endorsers including rapper and actor Ice-T and sports commentator Chris Berman, had falsely lured customers with the promise of “peace of mind” and “protection” from the cost and inconvenience of vehicle breakdowns through its contracts.

The FTC also charged American Auto Shield, the administrator of CarShield’s vehicle service contracts, in the scheme.

The agency said that at least one ad, which ran 18,000 times on television, stated, “With CarShield’s administrators, they make sure you don’t get stuck with expensive car repair bills like this.” It also touted CarShield contracts as “your best line of defense against expensive breakdowns.”

Yet many purchasers discovered that their repairs were not covered, despite making payments of up to $120 per month for CarShield’s product, the FTC said.

“Instead of delivering the ‘peace of mind’ promised by its advertisements, CarShield left many consumers with a financial headache,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement.

“Worse still, CarShield used trusted personalities to deliver its empty promises,” Levine said. “The FTC will hold advertisers accountable for using false or deceptive claims to exploit consumers’ financial anxieties.”

In a statement, CarShield said that while it disagreed with “many” of the FTC’s assertions, it shares the agency’s “commitment to helping customers fully understand exactly what we provide and the value we offer.”

It said that its marketing efforts now include additional details about the elements of typically covered car repair and that full plans are now “easily viewed prior to making a purchase decision.”

And CarShield said that it had expanded its Shield Repair Network “by adding more than 10,000 preferred car repair shops, and added a concierge system to help customers quickly locate a repair facility convenient for them.”

A representative for AAS did not respond to a request for comment.

Research contact: @NBCNews

GoodRx made money selling your health data. The FTC is making it pay.

February 2, 2023

GoodRx has not been very good at protecting your privacy. In fact, reports Vox, it’s more like BadRx.  And now the Federal Trade Commission has written an expensive prescription: a hefty fine and an agreement to implement various privacy protections.

If you’re one of the tens of millions of people who used GoodRx to find bargains on your medications, the drug discount and price-shopping website and app might have done a little more than you bargained for: It sent your sensitive health data to data brokers as well as tech companies like Meta and Google to use for advertising, according to the FTC.

The FTC announced on Wednesday, February 1, that GoodRx has agreed to pay a $1.5 million fine and take various steps to ensure that it no longer shares health data for advertising purposes, that it obtains user consent to share health data for other reasons, and that it makes an effort to get the third parties with whom it previously shared data to delete that data. The move shows how committed the FTC is to protecting people from digital privacy violations, even as

Indeed, Vox notes, America lacks federal privacy laws that would make that job a lot easier. It also shows just how leaky some of these services, which we entrust with our most private information, can be.

The FTC alleges that GoodRx shared the names of medications users were looking for on the app, which medications users redeemed GoodRx coupons for at pharmacies, and which conditions they were using GoodRx’s telehealth platform to get treatment for. GoodRx is also accused of sending lists, including identifying information, of users who purchased certain medications to Meta to then target those users with ads related to the conditions GoodRx knew they had.

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

GoodRx did not immediately respond to a request for comment.

Some of GoodRx’s practices were first exposed in February 2020 by reports from Consumer Reports and Gizmodo, which detailed how user data was being sent to third parties. At the time, GoodRx apologized, said the data wasn’t used to target ads, and implemented some privacy controls. That seemed to be the end of it, as GoodRx operates in a digital privacy gray area. Although it may collect the same data that pharmacies, doctors, and health insurance companies do, in most cases it’s not beholden to the same health privacy laws — namely, HIPAA, the Health Insurance Portability and Accountability Act.

Even when HIPAA didn’t apply to GoodRx, the FTC says that the company gave users the impression that it did by putting a little “HIPAA” icon on its website.

When websites and apps collect and mismanage health data that isn’t covered by HIPAA, that might be a job for the FTC’s consumer protection arm. When the period tracker app Flo Health sent users’ fertility information to data brokers despite promises that it wouldn’t, the FTC went after the company for deceiving users.

The FTC is also in the midst of an unfair or deceptive acts lawsuit against Kochava, a data broker that the agency has accused of making people’s personally identifiable and sensitive location data that could cause substantial harm easily available; while those people have no way of knowing that their data is being collected or used this way, let alone how to stop it.

With GoodRx, things are a little different, as the FTC is using a rule it has never invoked before. The Health Breach Notification Rule requires vendors of personal health records that aren’t covered by HIPAA to notify consumers if their data has been accessed by a third party without consumers’ authorization. It’s been on the books since 2009, but the FTC never enforced it until now. The agency signaled a move like this would be coming in 2021, when it issued a warning to health apps and connected devices that they must get their users’ permission before disclosing their health data to third parties.

This was both a clarification of the rule and a warning that the FTC was ready and willing to enforce it. Now it’s made good on that threat for the first time. It likely won’t be the last, given FTC Chair Lina Khan’s stated commitment to data privacy and the notoriously leaky nature of apps and websites. But it should prompt some of these companies to make an effort to either better secure their users’ health data—or to make it more clear to them how and why it’s being shared with someone else, lest the hammer come down on them, too.

The FTC’s new order has to be approved by a federal court before it goes into effect. Assuming it is, the $1.5 million fine won’t kill GoodRx, which reported revenue of $745.42 million in 2021, the most recent year for which that data is available.

But it’s not nothing, either; despite pulling in almost three-quarters of a billion dollars, GoodRx ended the year with a net loss of $25.25 million. There are also the added costs of setting up all the compliance measures the FTC requires per the order; as well as however much revenue GoodRx loses as a result of users deciding to take their business elsewhere because they don’t trust GoodRx to keep their data private.

Consumers pay, too. For some of them, GoodRx disclosed their most sensitive information when they were at their most vulnerable: searching for a way to get medication they otherwise couldn’t afford. They might not be so quick to use drug discount apps in the future now that they know at least one of them sent that data to Facebook.

Research contact: @voxdotcom

Epic Games, maker of ‘Fortnite,’ to pay $520 million to resolve FTC allegations

December 20, 2022

Epic Games has agreed to pay $520 million to resolve Federal Trade Commission allegations that the Fortnite videogame developer violated online privacy protections for children and tricked players into making unintended purchases, reports The Wall Street Journal.

The FTC said the agreement consisted of two record-breaking settlements that resolve a pair of civil complaints it was filing against Epic. One, filed in federal court, alleged the company violated the federal Children’s Online Privacy Protection Act (COPPA) by collecting personal information from Fortnite players under the age of 13 without notifying their parents or obtaining verifiable parental consent.

That lawsuit also accused the company of illegally enabling real-time voice and text chat communications for children and teens in the game by default. Further, the FTC said Epic put those users at risk by connecting them with strangers, and as a result, some were “bullied, threatened, harassed and exposed to dangerous and psychologically traumatizing issues such as suicide.”

Epic will pay a $275 million civil penalty for the alleged COPPA violations, the FTC said—the largest assessed in the commission’s enforcement of the privacy law.

The company separately agreed to pay $245 million in consumer refunds to resolve the FTC’s second complaint, which was filed in administrative court. It is the FTC’s largest settlement that bars the use of so-called dark patternstactics that trap customers into paying for goods and services and create obstacles to canceling.

Epic didn’t admit or deny the FTC’s allegations as part of the settlements.

“No developer creates a game with the intention of ending up here,” Epic said in a statement. “We accepted this agreement because we want Epic to be at the forefront of consumer protection and provide the best experience for our players.”

FTC Chair Lina Khan said protecting the public, especially children, from online privacy invasions and deceptive practices was a top priority. “These enforcement actions make clear to businesses that the FTC is cracking down on these unlawful practices,” she said.

The FTC’s second complaint alleged that Epic deployed a variety of tactics to drive unintended purchases of virtual currency for acquiring perks such as outfits and dance moves in Fortnite—including the use of counterintuitive, inconsistent and confusing button configurations. “These tactics led to hundreds of millions of dollars in unauthorized charges for consumers,” it said.

The FTC further alleged that Epic intentionally obscured cancel and refund features to make them more difficult to find and that the company locked the accounts of customers who disputed unauthorized charges with their credit card companies.

Even when Epic agreed to unlock an account, consumers were warned that they could be banned for life if they disputed any future charges, the FTC said.

Fortnite made its debut in 2017 and quickly became one of the world’s most popular shooter videogames and a cultural phenomenon. Closely held Epic was last valued at nearly $32 billion in April. The Cary, North Carolina-based company counts Sony Group and China’s Tencent Holdings  among its investors.

Earlier this month, Epic unveiled a new type of account it said was designed to provide a safe and inclusive experience for players under 13. Users who sign up for it can’t access features such as chat and purchasing unless they obtain consent from a parent or guardian.

As part of the dual settlements, the FTC said Epic is required to make a number of changes to Fortnite to protect users, as well as to establish a privacy program that addresses the problems identified in its complaints. The company must also obtain regular, independent audits, the agency said.

Consumers who believe they were unfairly charged for in-game purchases can go to a website set up by the FTC to request refunds, the commission said. It is likely to take several months or longer to process those claims, the FTC said.

Research contact: @WSJ

Twitter’s former security chief accuses it of ‘egregious deficiencies’

August 24, 2022

Twitter’s former head of security has accused the company of “extreme, egregious deficiencies” in its spam- and hacker-fighting practices, according to a whistle-blower complaint, reports The New York Times.

The complaints by Peiter Zatko, the former executive, said that the shortcomings in enforcing security, privacy, and content moderation policies dated to 2011.

Zatko, a well-known hacker who is known in the security community as Mudge, joined Twitter in late 2020 and was terminated by the company in January of this year.

His complaints were sent to the Securities and Exchange Commission, Justice Department, and Federal Trade Commission on July 6. The Washington Post and CNN first reported on the complaints.

Zatko accuses Twitter, its CEO Parag Agrawal, and other executives and directors of “extensive legal violations,” including making misleading statements to users, misrepresentations to investors and acting with “negligence and even complicity” toward efforts by foreign governments to infiltrate the platform, according to the complaint filed with the SEC, which was obtained by The New York Times.

The allegations come at a perilous time for Twitter, which is locked in a legal battle with Elon Musk over his efforts to walk away from a $44 billion agreement to acquire the social media company. Twitter has sued Musk to force him to close the deal, and the two sides are set to go to trial at the Delaware Chancery Court in October.

The complaints put forward by Zatko and Musk are in some ways similar—focusing on the number of fake users on Twitter’s website. Musk claims that Twitter’s public disclosures about those figures are materially misleading.

Perhaps most damaging, if true, is Zatko’s allegation that Twitter is in violation of its 2011 settlement with the FTC over its safeguarding of user information. The agency had accused Twitter of “serious lapses” in data security that “allowed hackers to obtain unauthorized administrative control of Twitter” including the ability to send out phony tweets.

A spokesperson for Twitter said Zatko was fired for ineffective leadership and poor performance. “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” she said.

“Zatko’s allegations and opportunistic timing,” she said, “appear designed to capture attention and inflict harm on Twitter, its customers, and its shareholders. Security and privacy have long been companywide priorities at Twitter and will continue to be.”

Research contact: @nytimes

Facebook parent Meta COO Sheryl Sandberg is stepping down

June 3, 2022

Sheryl Sandberg is stepping down from her role as Chief Operating Officer at Meta, the company formerly known as Facebook, reports CNBC.

Sandberg joined Facebook in early 2008 as the No. 2 to Facebook CEO and co-founder Mark Zuckerberg, and helped turn Facebook into an advertising juggernaut—and one of the most powerful companies in the tech industry, with a market cap that topped $1 trillion at one point.

Javier Olivan, the company’s chief growth officer, will take over as COO this fall. Sandberg, who informed Zuckerberg of her decision this past weekend, will continue to serve on Meta’s board of directors.

“Over the next few months, Mark and I will transition my direct reports,” Sandberg said in a lengthy Facebook post discussing stepping down. Meta is also planning an internal reorganization to go along with the change, Zuckerberg said.

“Looking forward, I don’t plan to replace Sheryl’s role in our existing structure. I’m not sure that would be possible since she’s a superstar who defined the COO role in her own unique way,” Zuckerberg said in a Facebook post.

“But even if it were possible, I think Meta has reached the point where it makes sense for our product and business groups to be more closely integrated, rather than having all the business and operations functions organized separately from our products,” he said.

Meta has come under fire in recent years for its massive influence, its lack of success in stopping the spread of misinformation and harmful material, and its acquisitions of one-time rivals like Instagram and WhatsApp. Zuckerberg and other execs have been forced to testify before Congress multiple times in the last three years, although Sandberg has largely escaped that spotlight. The company currently faces an antitrust lawsuit from the Federal Trade Commission and could see scrutiny from other agencies like the Securities and Exchange Commission after a whistleblower filed a complaint about its efforts to combat hate on its platform.

Speaking with CNBC’s Julia Boorstin, Sandberg said the decision to step down will allow her to focus more on her philanthropic work. The move is not because of the company’s regulatory overhang or its current advertising slowdown, she said.

Prior to Facebook, Sandberg served in the Treasury Department of the Clinton Administration; then joined Google in 2001 and helped grow its advertising business.

Research contact: @CNBC

‘Cold case’: FTC said to be investigating McDonald’s broken McFlurry machines

September 6, 2021

The feds have had it with McDonald’s broken McFlurry machines, reports the New York Post.

The Federal Trade Commission is said to be investigating why the burger chain’s ice cream machines break down so often—a matter that’s become the butt of late-night TV jokes and viral social media posts.

The FTC contacted McDonald’s franchise owners this summer seeking information on what the problem is with the chain’s ice cream machines, The Wall Street Journal reported on Wednesday, September 1—citing a letter from the FTC and sources familiar with the matter.

When reached for comment by The Post, representatives for the FTC declined to comment.

The broken machines have drawn the ire of franchisees, who say it leaves them unable to serve milkshakes, soft cones; and the preeminent McFlurry, a cup of ice cream blended with candy and cookies.

The machines require a nightly automated heat-cleaning cycle that can take up to four hours, the Journal reported; and the cleaning cycle can fail, which makes the machines unusable until a repair technician can fix them.

The dysfunctional machines make treats that account for about 60% of the chain’s dessert sales in the United States, the Journal reported, citing a consumer survey by research firm Technomic.

And the repeated breakdowns rub customers the wrong way, spurring some to even pen petitions calling for action.

We are tired of being the butt of late night jokes. So are our customers and crews,” The National Owners Association, a group of franchisees, said in a May message to owners, according to the Journal.

Some franchise owners aren’t waiting for the corporate bosses to do something. Instead, they’re reportedly paying on their own to train staff on how to fix the machines.

Others have reached out to the machine’s manufacturer, Taylor Commercial Foodservice, which says the machines, themselves, are fine.

“A lot of what’s been broadcasted can be attributed to the lack of knowledge about the equipment and how they operate in the restaurants,” a Taylor representative told the Journal.

When working with dairy products, “you have to make sure the machine is cleaned properly. The machines are built up with a lot of interconnecting parts that have to operate in a complex environment and manner,” the representative added.

“There is no reason for us to purposely design our equipment to be confusing or hard to repair or hurt our operators.”

One startup, called Kytch, has tried to help franchisees address the problem by building a device that mounts on the ice cream machines and alerts owners about a breakdown through real-time text and email alerts.

The company told the Journal that its devices can prevent damage to the machines and help franchisees keep them running.

At one point, McDonald’s franchisees in 30 states used Kytch’s devices, the company told the Journal, but then McDonald’s told franchisees that the devices aren’t sanctioned and that they could pose a safety hazard, which Kytch denies.

“Nothing is more important to us than delivering on our high standards for food quality and safety,” the corporate parent reportedly said to franchisees, “which is why we work with fully vetted partners that can reliably provide safe solutions at scale.”

Kytch responded in May with a lawsuit that accused Taylor, a separate repair company authorized to work on the ice cream machines and a McDonald’s franchisee of conspiring to steal Kytch’s technology and replicate its device.

This is a case about corporate espionage and the extreme steps one manufacturer has taken to conceal and protect a multimillion-dollar repair racket,” attorneys for Kytch wrote in the complaint in California Superior Court in Alameda County. The case is pending.

But Taylor denied it had a copy of Kytch’s device or that it wanted to steal the startup’s technology.

“This is a case of a hacker—Kytch—incredibly accusing the hacked—Taylor—of theft,” lawyers for Taylor said in a court filing.

The Tennessee-based franchisee who was named in the suit also denied the allegations.

In an interview with the Journal, Kytch co-founder Jeremy O’Sullivan then accused Taylor of infringing on McDonald’s franchisees’ rights to alter and repair their ice cream machines.

Taylor responded by saying that owners are allowed to repair equipment as they see fit, but that the warranty on the machines isn’t valid if they fix them on their own, according to the Journal.

According to the Post, the FTC’s interest in the matter may stem from the Biden administration’s previously announced efforts to crack down on various manufacturers of products ranging from phones to farming equipment. Critics have alleged that major manufacturers of such products restrict customers from fixing the products themselves.

In July, Biden signed an executive order directing agencies to take the matter on, saying at the time in a fact sheet that Americans should be able to repair good they purchased on their own.

At the root of the FTC’s inquiry is how McDonald’s reviews suppliers and equipment, including the ice cream machines, and how often restaurant owners are allowed to work on their machines. The FTC inquiry is preliminary, and “the existence of a preliminary investigation does not indicate the FTC or its staff have found any wrongdoing,” the agency’s letter reportedly said.

In a statement, McDonald’s said it “has no reason to believe we are the focus of an FTC investigation.”

Research contact: @nypost

Seriously, stop sharing your vaccine cards on social media

March 19, 2021

When one of her editors at CNN Business recently shared a celebratory picture of his vaccine card on Instagram, Samantha Murphy Kelly sent him a direct message: “Didn’t you read our story about not posting your record? Scammers are watching!”

He argued they’d be hard pressed to dupe him based on anything listed on the card: “What scam are you gonna run on me just by knowing my name and my birthday? Unless it’s that you sign up for free ice cream scoops on my birthday and don’t give them to me in which case, yes, that is very serious.”

But it’s not just his birthday that was listed. The card showed medically sensitive information, including his vaccine lot number, clinic location and the brand of vaccination received. And for some people, the card contains even more.

As the COVID vaccine rolls out to more people around the country, Kelly writes that she has lost track of how many vaccine information cards I’ve seen across social networks and chat apps.

While selfies are encouraged as a way to express joy at being vaccinated and broadcast that people are doing their part to help stop the spread of Covid-19, multiple government agencies have warned about the risks of posting vaccine card images online.

“Think of it this way—identity theft works like a puzzle, made up of pieces of personal information. You don’t want to give identity thieves the pieces they need to finish the picture,” the Federal Trade Commission said in a blog post last month. “Once identity thieves have the pieces they need, they can use the information to open new accounts in your name, claim your tax refund for themselves, and engage in other identity theft.”

Cybersecurity experts said they’re not aware of any widespread hacks or scams specific to vaccine cards—although the roots of identity theft are hard to uncover. But some also said these security threats would be easy to execute.

For now, it’s mostly “speculation but plausible,” Mark Ostrowski, head of engineering at cybersecurity company Check Point Software said in an interview with CNN. “We will have hundreds of millions of people getting vaccinated. If cyberattack history repeats itself, these threat actors or scammers will try to find a way to take advantage of this situation.”

At the same time, there have been a number of COVID-19 scams—ranging from people pretending to be COVID-19 contact tracers to fake websites promising vaccine appointments.

Many of us (perhaps Kelly’s boss included) may be desensitized to the risks given how much information we assume is already available online about us—either because we posted it ourselves, it’s been harvested from public data, or because it was dumped as part of a previous security breach.

But Rachel Tobac, an ethical hacker who specializes in social engineering, told CNN that one of the biggest concerns around the vaccine card trend is that the information is visible all in one place and easy to access.

“Posting an unedited vaccination card, unfortunately, makes it much easier for a criminal to target a specific person,” she said. In some cases, a person’s medical record number is listed on the card. “To gain access to sensitive medical records over the phone, having the medical record number, last name, and date of birth—all of which are listed on the vaccination card—are all I need to authenticate as that individual and gain access to sensitive details.”

A cybercriminal could attempt to impersonate you and call your healthcare company to learn about your medical history or diagnoses, cancel upcoming procedures, change prescription doses and more.

With or without the medical record number, she said, vaccine cards could also allow a hacker to conduct a phishing scheme to steal data and passwords. With the lot number of the vaccine you received or the location of the place where you got the shot, they’d be able to spoof the email address of that facility with a message about, for example, a recall urging you to click a link, supposedly to reschedule an updated dose but really intended to take information from you.

This doesn’t mean you should ignore any email you get about your vaccine, but it is a good reminder to be thoughtful about links you click with any email about any subject and to make sure the sender is who they say they are.

People who are in the public eye more, whether they’re influencers, celebrities or journalists like my editor, have a higher threat of this because criminals are more likely to target them. Stealing their free ice cream scoops on their birthday would be just the start of it.

“There are all kinds of issues related to potential identity theft,” said Michela Menting, a research director who specializes in cybersecurity at tech market advisory firm ABI Research. “Individuals should be as wary of posting vaccine records information as they would be about posting their credit card numbers online.”

Research contact: @CNNBusiness

Facial recognition goes to camp

July 31, 2019

 “Hello Mudddah, Hello Faddah, Here I am at Camp Granada. Camp is very entertaining.  And they say we’ll have some fun if it stops raining.”

Those lyrics were written by comedian Allan Sherman—and produced as one of the most popular songs of 1963. Meant to satirize the sleepover camp experience through the eyes (and vocal cords) of a homesick child, the song is punctuated by the chorus, “Take me home, Oh Muddah, Fadduh, Take me home. I hate Granada.”

But the reality is that, when kids leave for summer camp for the first time (or any time), their parents miss them, too—and wonder what they are doing, if they are making friends, and if they are settling in. They wait anxiously for cards and emails—and check the camp’s daily photos for what they hope will be a happy and smiling face.

And that part is getting easier all the time: Summer camps across the country are allowing parents to  opt into facial-recognition services to receive photos of their camper without having to sift through hundreds of group shots for proof that little Susie is having a good time climbing ropes, The Wall Street Journal reported on July 30.

Camp photographers can upload photos to a service, where they are scanned and identified. Parents then receive photos of their kids via text or through a website.

Waldo Photos of Austin, Texas, Inc. is one of the services, now offered at more than 150 summer camps across the country. The service is starting to be adopted by schools and sports leagues, too.

Camps either pay for Waldo, themselves, and offer it to parents or they ask parents to pay directly at a price of $1 to $2 per child a day, the Journal reports. If parents want to sign up to receive photos through Waldo, they have to submit a reference photo of their child so that the artificial intelligence (AI )can detect a match. The images are stored until a parent asks for them to be deleted.

Is that a good thing?

Rodney Rice, Waldo’s founder, said the facial data the company uses to identify kids would be no good to anyone else. “The misperception is that facial recognition is a fingerprint. I could hand a 40-digit alphanumeric hash to Google or Facebook and they couldn’t do anything with it,” he said. “I’m a father of three and I’d have never started this business if I was going to be putting kids at risk.”

Privacy and cybersecurity experts say parents may well trust a company’s intentions, but what happens if the company changes hands? Waldo’s privacy policy contains the boilerplate legalese explaining that if the company were sold, its customers’ personal information could be transferred.

While commercial applications of facial-recognition software abound—and bear their own fair share of controversy—the fact that this latest wave is geared toward children has privacy experts and politicians urging parents, camps, and school districts to think twice.

Concerns over this precious data—children’s faces—range from accuracy to abuse, the Journal says. Could it one day be used for purposes other than that for which it’s currently intended?

In the movie, Minority Report, biometric systems created for marketing are commandeered to hunt down citizens suspected of wrongdoing. There’s no evidence of this happening yet, but as science fiction goes, it’s not too far-fetched.

“We’re in the very early stages of commercial, nongovernmental use of facial recognition and we shouldn’t be waiting until harms occur to do something, we should be acting now to mitigate the harms,” Nathan Sheard, a grass-roots advocacy organizer with the Electronic Frontier Foundation, told the news outlet.

Facial data also is coming under scrutiny by the Federal Trade Commission—which earlier this month launched a review of the Children’s Online Privacy Protection Act, a 1998 law that requires children’s websites to obtain parental consent before collecting, using or disclosing a child’s personal information. The FTC now is seeking comment on whether the definition of “personal information” should be expanded to include biometric data.

The makers of facial-recognition software argue that concerns about the technology are overblown because people don’t really understand it. For these companies, facial data isn’t captured and stored as a usable image, but rather as lengthy chains of numbers and letters that can only be deciphered by proprietary software. Developers argue the data would be meaningless to anyone who doesn’t have their model.

“At some point we have to stop and ask ourselves whether the costs to our privacy are no longer outweighed by the benefits,” Sean McGrath, managing editor at ProPrivacy.com, a digital privacy advocacy group, told the Journal, adding,. “With facial recognition, more than any other technology, we’re at one of those watershed moments where we really need to step back and assess the bigger picture.”

Julie Jargon, a tech writer for The Wall Street Journal advises parents to ask the following questions before consenting to facial recognition for their children:

  1. Where will my child’s facial data be stored and for how long?
  2. Will the data be shared with third parties and, if so, what are their policies for storing and sharing the data?
  3. Are there purposes for the data other than what’s being advertised? For example, will my child’s facial data be used to train AI for law enforcement or corporate partners?
  4. What happens to my child’s data if the service provider is sold?
  5. What happens to the data if I decide I no longer want to use this service? Will it be deleted immediately?

Research contact: @WSJ