Thank you for following EPIC’s work this year! We need your support to carry it forward in 2025 and have an exciting opportunity for you to have a huge impact on EPIC’s work – generous donors have stepped up to TRIPLE your end-of-year gift! That means that if you give $100, you are generating $300 of much-needed support for EPIC! $500 becomes $1,500, and a $2,000 donation becomes $6,000!

Somebody Spilled the Genes: 23andMe’s Downturn Highlights Insufficient Privacy and Data Security Safeguards for Consumer Genetic Data
Suzanne Bernstein (EPIC Counsel), Abigail Kunkler (EPIC Law Fellow), and Matthew Contursi (EPIC Fall Semester Clerk)

23AndMe is facing an uncertain future. The direct-to-consumer genetic testing company has lost 98% of its value and recently laid off nearly 40% of its workforce. In addition to the massive 2023 data breach that compromised at least 6 million users’ genetic data and resulted in a $30 million settlement, the entire board of directors resigned in protest of a plan to take the company private. The company continues to report year-over-year losses and the stock of the company has dropped below $1. As 23andMe likely heads towards bankruptcy or sale, many consumers are understandably concerned: what will happen to their genetic data?

More EPIC Analysis:
 
Mass Hysteria Over Drones Flying in the Night Sky? It Didn’t Have to Be This Way

The California Privacy Protection Agency (CPPA) has released a new website with privacy resources for Californians. The website includes information for consumers about state and federal level privacy rights and information for businesses about how to comply with the privacy rules and regulations. It shares instructions for Californians to opt out of the sale or sharing of their personal information and how to submit a complaint to the CPPA if their privacy rights have been violated. 

the Federal Communications Commission announced that 2,411 voice service providers are at risk of being removed from the Robocall Mitigation Database (RMD) and consequently blocked from the U.S. phone network. EPIC and other consumer advocates, as well as members of Congress, have called attention to egregiously deficient RMD entries, which suggest that those companies are not meeting the bare minimum requirements to mitigate robocall traffic and in some instances may even be soliciting traffic from bad actor callers.

The Federal Trade Commission announced two proposed settlements with data brokers that unlawfully sold sensitive location data: one with Gravy Analytics and its subsidiary Venntel, the other with Mobilewalla. Gravy Analytics and its subsidiary Venntel collect precise consumer location data from other data suppliers to package and sell to private and public sector clients. Mobilewalla similarly collects precise consumer location data from suppliers and real-time bidding (RTB) exchanges. The FTC alleged that Mobilewalla collected and retained information from failed RTB bids, a practice that is prohibited by the terms of RTB exchanges.

EPIC, the National Consumer Law Center, the National Consumers League, Consumer Action, and Public Knowledge submitted reply comments to the Federal Communications Commission about NumberBarn’s application for access to numbering resources.

A Federal Judge rejected a constitutional challenge against Daniel’s Law, a New Jersey law that allows judges, law enforcement officers, and other public officials to request to have their personal information, including their home address and phone number, removed from websites.

EPIC welcomed the announcement that the Consumer Financial Protection Bureau will advance new rules to rein in data brokers, protect our privacy, and strengthen public safety. The proposed rules clarify that the Fair Credit Reporting Act—a federal statute promoting accuracy, fairness, and privacy in the collection and retention of personal information—applies to data brokers that have operated outside of the law for years.

EPIC, along with 54 other civil society organizations, industry, and professional associations, wrote a letter to the European Union’s Justice and Home Affairs Council, warning them of the dangers of undermining encryption for further law enforcement access to data.

EPIC Executive Director Alan Butler testified before the House Financial Services Committee in a hearing entitled: “Innovation Revolution: How Technology is Shaping the Future of Finance.”

When courts reach the merits, spyware loses. After five years of procedural back and forth, the Northern District of California granted WhatsApp’s motion for partial summary judgement finding NSO Group liable under a variety of hacking and breach of contract claims. The Court found NSO Group liable because its malicious Pegasus software infiltrated WhatsApp’s servers in order to spy on WhatsApp users. This is a huge win for the journalists, activists, politicians, and everyday users that NSO Group targets to help authoritarian governments.

EPIC joined 50 civil society organizations urging major European Union institutions to take action to stop the Serbian Authorities’ illegal use of spyware to target journalists, activists, and members of civil society.

EPIC, the Brennan Center for Justice, Demand Progress, and the Surveillance Technology Oversight Project were joined by several other organizations in comments submitted to the Office of Management and Budget urging it to push back against federal agency’s use of commercially available information to get around key constitutional and statutory privacy protections.

EPIC, alongside 13 civil society organizations, has sent a joint letter to the Polish Presidency of the Council of the European Union, urging them to prioritize decisive action against spyware misuse.

A new report from the Government Accountability Office reviewed the Department of Homeland Security (DHS) law enforcement agencies’ use of detection and monitoring technologies in public without warrants. DHS was found to use over 20 types of detection, observation, and monitoring technologies, such as drones and closed-circuit televisions, in fiscal year 2023. 

EPIC filed comments with the Dutch data protection authority, Autoriteit Persoonsgegevens, regarding use of and prohibitions on emotion recognition surveillance. The EU AI Act prohibits the development, deployment, and placement on the EU market of emotion recognition systems intended for use in the workplace and in educational institutions, with limited exceptions where the algorithm is intended for certain medical or safety reasons. Autoriteit Persoonsgegevens opened a consultation requesting feedback on the implementation of this prohibition.

EPIC and 12 other national and Colorado-based organizations published an open letter calling on Colorado lawmakers to strengthen the Colorado AI Act before it goes into effect in 2026. The letter outlines several provisions in the law that are key to ensuring Colorado workers and consumers are protected from algorithmic discrimination, including a broad definition of what AI systems are covered and a right for individuals to appeal decisions made using AI to a human decisionmaker.  

EPIC submitted an amicus brief in NetChoice v. Bonta, an important case about the constitutionality of kids’ online privacy and safety protections. In NetChoice v. Bonta, NetChoice—a tech industry lobbying group—is trying to prevent the enforcement of California’s Age Appropriate Design Code (AADC). Together with briefs from Common Sense Media and legal and tech experts led by the Tech Justice Law Project, amici urged the district court to reject NetChoice’s haphazard attempt to revive its lawsuit after a series of rebukes from appellate courts about its overbroad litigation strategy.

EPIC submitted an amicus brief in NetChoice v. Bonta, an important case about whether the First Amendment prevents the government from regulating harmful, content-neutral features on online platforms. EPIC’s brief urged the court to deny the tech industry trade association NetChoice’s request for a preliminary injunction that seeks prevent California’s Protecting Our Kids from Social Media Addiction Act (SB 976) from going into effect by declaring the law unconstitutional.

The Michigan Senate voted during the final days of its session to pass SB 659, the Michigan Personal Data Privacy Act. The bill now goes to the House of Representatives for consideration. The bill includes many strong protections for Michiganders, including a ban on the sale of sensitive data, a prohibition on targeted advertising to minors, and strong civil rights protections. Importantly, the bill also includes a data minimization provision limiting what personal data companies can collect about consumers to only what is reasonably necessary for the product or service the consumer requests.

EPIC Deputy Director Caitriona Fitzgerald testified before the Michigan Senate Committee on Finance, Insurance, and Consumer Protection in support of the S1 version of SB 659, the Michigan Personal Data Privacy Act.

A U.S. security agency confirmed reports that foreign actors, sponsored by the People’s Republic of China, infiltrated at least eight U.S. communications companies, compromising sensitive systems and exposing vulnerabilities in critical telecommunications infrastructure. It is widely believed that this attack was made possible by exploiting the requirements imposed upon carriers to make data available to law enforcement by the Communications Assistance for Law Enforcement Act–a vulnerability long-criticized by cybersecurity experts and privacy advocates, including members of Congress.