The Transatlantic Consumer Dialogue (TACD) and the Heinrich Böll Stiftung Foundation published a new report on the privacy practices of Amazon, Netflix, and Spotify in the EU and the US. The report, "Privacy in the EU and US: Consumer experiences across three global platforms," revealed that the companies provided less protection to US users, and that none of the companies complied fully with GDPR. The report recommends "baseline federal data protection and privacy law that does not pre-empt stronger state privacy protections and that creates an independent data protection agency." EPIC's recent report on federal privacy legislation, "Grading on a Curve: Privacy Legislation in the 116th Congress," evaluates federal privacy bills. EPIC has called for comprehensive baseline federal legislation and the creation of a data protection agency.
In response to EPIC's Public Record Request, the Idaho Department of Correction released several documents about its risk assessment instrument, the "Level of Service Inventory-Revised" (LSI-R). An annotated scoresheet that informs the LSI-R's calculation reveals that the Idaho Department of Correction uses several subjective categories to calculate an offender's risk and recidivism rate, including information about the alleged criminality of a defendant's social network, participation in leisure activities, and mental health. EPIC also obtained a detailed scoring guide, LSI-R training materials, validation studies, and contract details. Only two validation studies were produced, and they were thirteen years apart. EPIC has obtained documents about pre-trial risk assessments as well as a scoring system developed by the DHS to assign risk assessments to travelers, including US citizens. EPIC has urged government agencies to make algorithm-based decision-making transparent.
EPIC today submitted comments to the FTC on the agency's regulatory review of the Children's Online Privacy Protection Act (COPPA) Rules. EPIC said the FTC should: (1) maintain the strong safeguards for children's data; (2) reject the "school official exception"; (3) define the term "commercial purpose" and ensure that children's personal data collected in schools is not transferred to EdTech companies; and (4) require notification within forty-eight hours of a data breach of children's data by a company subject to COPPA. EPIC said "the FTC must now establish clear safeguards for children's data gathered in schools." EPIC testified before Congress in 1996 in support of the original children's privacy law. The FTC previously considered EPIC's recommendations in an early review of the COPPA Rule and incorporated several of EPIC's recommendations in the 2013 regulations.