2025 Privacy Concerns and Violations

TikTok soon to be 'under American control,' White House says

  • White House says US companies will oversee TikTok’s algorithm and Americans will hold six of seven board seats for US operations.
  • Oracle, chaired by Trump ally Larry Ellison, will lead data and privacy protections.
  • Trump and Xi discussed TikTok’s future, but Beijing has not confirmed approval of the deal.


White House signals breakthrough in talks

The White House announced over the weekend that US companies will take control of TikTok’s algorithm and that six of seven board seats in the app’s US operations will be held by Americans. Press secretary Karoline Leavitt said a deal could be signed “in the coming days,” though Chinese officials have yet to comment publicly.

Speaking on the Fox News program “Saturday in America,” Ms. Leavitt said that “we are 100 percent confident that a deal is done,” but added in the same breath that the deal had not yet been signed, the New York Times reported. She said that could happen in the coming days.

The move follows years of negotiations over whether TikTok could continue to operate in the United States amid concerns over its Chinese parent company, ByteDance. The app had previously faced the threat of a ban unless its US business was sold.

Oracle to oversee data and privacy

Leavitt said that US tech giant Oracle will lead TikTok’s US data and privacy safeguards. Oracle’s founder and chair, Larry Ellison—long a political ally of President Trump—will play a central role.

“The data and privacy will be led by one of America’s greatest tech companies, Oracle, and the algorithm will also be controlled by America as well,” Leavitt told Fox News. She added that “all of those details have already been agreed upon,” with only a final signature needed to seal the deal.

The Ellison family has gained growing influence in US media, with Larry Ellison’s son, David, recently acquiring Paramount, owner of CBS News.

Mixed signals from China

President Trump said he and Chinese President Xi Jinping discussed TikTok in a phone call and both approved the deal. He described the exchange as “productive” in a Truth Social post.

But Beijing’s response has been less clear. China’s Commerce Ministry said it welcomed negotiations “in accordance with market rules” and emphasized that any solution must comply with Chinese law. State news agency Xinhua quoted Xi as welcoming talks, without confirming a final agreement, according to a BBC report.

Dispute over the algorithm

A major sticking point in negotiations has been who controls TikTok’s powerful recommendation algorithm, which shapes content for its 170 million American users. While Trump sidestepped questions about whether a new algorithm would be needed, the White House has now insisted that control will rest firmly in US hands.

Legal and political backdrop

In January, the US Supreme Court upheld a 2024 law banning TikTok unless ByteDance divested from its US operations. The app briefly went offline before the deadline was pushed back. Trump, who initially called for TikTok to be banned during his first term, shifted course in 2024 and embraced the platform to reach younger voters in his presidential campaign.

The Justice Department has previously warned that TikTok posed a national security threat of “immense depth and scale,” citing concerns about user data access.

Covered California sent health data to LinkedIn, report says

Key takeaways:

  • Covered California, the website Californians use to shop for health care plans, sent sensitive health data to LinkedIn.
  • The data, collected via trackers, included whether people were pregnant, were blind or used prescription drugs.
  • Covered California has since removed the trackers and said it is reviewing its policies.

Californians unknowingly had their health data sent by a state-backed organization to LinkedIn, an investigation found.

Trackers on health insurance marketplace Covered California's website, coveredca.com, gathered sensitive health information that was sent to LinkedIn as part of an advertising campaign, according to an investigation by The Markup, a nonprofit journalism outlet covering technology.

Covered California, created in 2010 under the Affordable Care Act, has said that as many as one in six Californians have enrolled for health insurance through its service.

The data Covered California sent to LinkedIn included whether people were pregnant, blind or transgender, whether they used a high number of prescription drugs, and whether they were victims of domestic abuse.

The Markup determined the information was being collected and sent after a monthslong investigation that reviewed trackers on websites.

No longer used in advertising

A spokesperson for Covered California told The Markup that the data was sent to LinkedIn as part of an advertising campaign, but the health insurance marketplace has since ended the practice.

"All active advertising-related tags across our website have been turned off out of an abundance of caution," the spokesperson said. "Covered California has initiated a review of our websites and information security and privacy protocols to ensure that no analytics tools are impermissibly sharing sensitive consumer information."

A LinkedIn spokesperson told The Markup that the social media company's policies prohibit advertisers using sensitive data.

“Our Ads Agreement and documentation expressly prohibit customers from installing the Insight Tag on web pages that collect or contain sensitive data, including pages offering health-related services,” the spokesperson said.

LinkedIn is currently facing multiple lawsuits alleging that it violated users' privacy by collecting information from medical appointment sites, including from a fertility clinic, trade publication Bank Info Security reported.

The Markup has a free online tool called Backlight where you can check the trackers on a website.


Honda pays $632,500 fine over privacy violations, California says

Honda is paying a $632,500 fine and changing its business practices to resolve violations of Californians' privacy.

The carmaker required Californians to verify themselves and provide "excessive personal information," didn't give people the options to make privacy choices, shared personal information with advertisers without customer contracts and made it difficult for people to authorize other individuals or organizations to exercise their privacy rights, the California Privacy Protection Agency (CPPA) said Wednesday.

As part of the agreement, the CPPA said Honda will create a simpler process and user design for Californians to assert their privacy rights, certify compliance, train employees and change its contracting process to ensure they protect personal information.

"We won’t hesitate to use our cease-and-desist authority to change business practices, and we’ll tally fines based on the number of violations," said Michael Macko, head of the CPPA's enforcement division, in a statement.

Texas launches investigation into Chinese AI firm DeepSeek

Texas Attorney General Ken Paxton has announced an investigation into DeepSeek, a Chinese artificial intelligence company with alleged ties to the Chinese Communist Party. The probe focuses on the privacy practices of DeepSeek's AI platform and its claims of technological superiority, purportedly rivaling advanced models such as OpenAI's Model o1.

Paxton has formally notified DeepSeek that its platform is in violation of the Texas Data Privacy and Security Act. Paxton has also issued third-party Civil Investigative Demands to tech giants Google and Apple.

These demands request a thorough analysis of the DeepSeek application and require the submission of all documentation that DeepSeek was obligated to provide before its app was made available to consumers.

"DeepSeek appears to be no more than a proxy for the CCP to undermine American AI dominance and steal the data of our citizens," Paxton said in a statement. 

Requesting cooperation from Apple and Google

"That’s why I’m announcing a thorough investigation and calling on Google and Apple to cooperate immediately by providing all relevant documents related to the DeepSeek app. The United States and Texas will continue to be at the forefront of global AI innovation, and any CCP-aligned company that tries to undermine that dominance by violating the rights of Texans and illegally undercutting American technology companies will face the full force of the law."

The investigation follows a directive issued by Paxton on January 28, which banned DeepSeek's platform from all Office of the Attorney General devices. This action was taken due to significant security concerns and the company's perceived allegiance to the CCP, including its readiness to censor information critical of the Chinese government.

As the investigation unfolds, the Attorney General's office remains committed to safeguarding the privacy rights of Texans and maintaining the integrity of American technological advancements. The outcome of this investigation could have far-reaching implications for the AI industry and international relations concerning data privacy and security.

The UK government reportedly is demanding access to your iPhone data

Tulsi Gabbard had barely been sworn in as the U.S. director of national intelligence before a new potential intelligence threat affecting U.S. consumers landed in her lap.

Two U.S. lawmakers, one a Democrat and the other a Republican, have sent Gabbard a letter warning that the United Kingdom has reportedly ordered Apple to provide a back door to iPhone users’ encrypted data.

The letter, obtained by various U.S. media outlets, pointed to reports in UK media that the country’s home secretary secretly directed the tech giant to water down the security of its iCloud backup service to give the British government access.

"Apple is reportedly gagged from acknowledging that it received such an order, and the company faces criminal penalties that prevent it from even confirming to the U.S. Congress the accuracy of these press reports," said the letter, signed by Sen. Ron Wyden (D-Ore.) and Rep. Andy Biggs (R-Ariz.).

The UK government has engaged in crackdowns on social media, similar to the U.S. crackdown during the pandemic, seeking to limit commentary opposing various government policies. Last year, London's metropolitan police chief warned that police could not only charge British residents for posts made in the wake of a mass stabbing at a Taylor Swift concert, but could also extradite and charge U.S. residents.

The two lawmakers, whose committee assignments include intelligence and crime, asked the new DNI to "act decisively to protect the security of Americans’ communications from dangerous, shortsighted efforts by the United Kingdom that will undermine Americans’ privacy rights and expose them to espionage by China, Russia and other adversaries."

Phone companies aren’t doing enough to stop spam calls

Spam calls and texts continue to annoy Americans, and worse, they’re costing people money. Telephone companies should do more to combat the problem, U.S. PIRG insists.

According to Truecaller’s U.S. Spam and Scam Report, 92% of Americans received spam calls in 2023, and 86% got spam texts. Even more alarming, 56 million Americans lost money to scam calls.

Despite laws passed by Congress and state investigations to stop scammers, phone companies still aren’t doing enough to protect their customers. A new report by U.S. PIRG Education Fund, called “Who’s Calling?”, graded 24 of the largest phone companies on their efforts to fight spam calls and texts. The results weren’t great.

“It’s outrageous that these billion-dollar companies aren’t using every tool available to stop scammers,” said Teresa Murray, Consumer Watchdog Director at U.S. PIRG and the report’s author. “Even when we don’t fall for scams, we waste hours dealing with these unwanted calls, disrupting our work, family time, and relaxation.”

Phone companies could do more

Many companies aren’t providing free scam-blocking services that could help customers avoid fraud. For example, phone companies could warn customers about suspicious calls or block calls that don’t display Caller ID—but many don’t.

The FCC (Federal Communications Commission) allows companies to offer these services, yet half of them earned a D or F in the report.

The report outlines 10 key services phone companies should offer to protect customers, plus two additional services for text message security. The good news? Some companies scored well. The bad news? Many did not.

Of the 24 companies in the survey:

  • Five companies scored A’s on services offered; three scored A’s overall.
  • Two companies scored B’s on services offered; five scored B’s overall.
  • 12 earned D’s or F’s on services, and 13 earned D’s or F’s overall.
  • As for the big four cellular companies’ overall grades, AT&T and T-Mobile scored B’s, U.S. Cellular scored a C and Verizon scored a D.

“We’ve been abused by robocalls for 15 years, yet the problem has not appreciably diminished,” Murray said. “These companies are our first line of defense, and we should demand better.”

Email James Hood at jhood@consumeraffairs.com

Is Amazon tracking you through your phone?

Amazon.com is facing a lawsuit alleging that it secretly tracks consumers' movements through their cellphones and sells the collected data. The proposed class action lawsuit, filed in San Francisco federal court, claims that Amazon gains "backdoor access" to personal information by providing app developers with code known as Amazon Ads SDK.

This code, embedded in various apps, allegedly allows Amazon to collect vast amounts of geolocation data, including where consumers live, work, shop, and visit. The lawsuit contends that this data can reveal sensitive information about individuals, such as their religious affiliations, sexual orientations, and health concerns.

Felix Kolotinsky, the plaintiff in the case, claims that Amazon collected his personal information through the "Speedtest by Ookla" app on his phone. He alleges that Amazon's actions violate California laws against unauthorized computer access and seeks unspecified damages on behalf of millions of Californians.

“Amazon has effectively fingerprinted consumers and has correlated a vast amount of personal information about them entirely without consumers’ knowledge and consent,” the complaint said.

Amazon did not immediately respond to a request for comment. 

Similar to other cases

The lawsuit highlights growing concerns about companies profiting from personal data collected without consent. It follows a similar lawsuit filed by the state of Texas against Allstate, accusing the insurer of tracking drivers through their phones and using the data to adjust premiums or deny coverage.

In the Allstate case, Texas Attorney General Ken Paxton sued Allstate and its subsidiary, Arity, for unlawfully collecting, using, and selling data about the location and movement of Texans’ cell phones through secretly embedded software in mobile apps, such as Life360.

Allstate and other insurers then used the covertly obtained data to justify raising Texans’ insurance rates, the suit alleges.

“Our investigation revealed that Allstate and Arity paid mobile apps millions of dollars to install Allstate’s tracking software,” said Paxton. “The personal data of millions of Americans was sold to insurance companies without their knowledge or consent in violation of the law. Texans deserve better and we will hold all these companies accountable.”

Allstate said its actions were legal. “Arity helps consumers get the most accurate auto insurance price after they consent in a simple and transparent way that fully complies with all laws and regulations,” Allstate said in a statement.

This case against Amazon raises important questions about privacy and data collection practices in the digital age. As consumers increasingly rely on smartphones and apps, the potential for unauthorized tracking and data exploitation becomes a significant concern.

The outcome of this lawsuit could have far-reaching implications for how companies collect and use personal data. It may lead to stricter regulations and greater transparency regarding data collection practices, potentially impacting the way businesses operate in the digital marketplace.

Consumers in three states can stop the sale of their personal data

In a week set aside to stress good cybersecurity practices, officials in three states with strong consumer privacy laws are urging consumers to take advantage of these protections. 

California, Colorado and Connecticut have strong consumer protection laws that align with Global Privacy Control, an easy-to-use browser setting or extension that automatically signals to businesses that they should not sell the consumer's personal information to third parties, including for targeted advertising.

“Websites are constantly tracking and collecting our personal information for every purpose you can imagine,” Connecticut Attorney General William Tong said in a statement. “In Connecticut, you can now opt out of tracking across all sites by selecting a single simple option. It’s an easy step to take back control over your data and protect your privacy.” 

California Attorney General Rob Bonta called Global Privacy Control “the easiest way to limit the number of third parties that have access to our personal information and online behavioral data.” He called on mobile device manufacturers to develop an easy, GPC-like feature that consumers can use to signal the right to opt out.

Other states may also have laws that allow consumers to use tools to prevent the sale of their browsing data.

There are two ways to opt out:

Option 1: Enabling Global Privacy Control

GPC is a signal that allows users to automatically indicate to the websites they visit that they would like to opt out of the “sale” of their personal information. The GPC signal is an easy way to opt out because a consumer does not have to make individualized requests to opt out on each website they visit. GPC can be added via a browser extension, and some browsers offer a GPC setting.

Option 2: Opt Out One Business at a Time

Businesses that sell personal information must provide a clear and conspicuous link on their website that allows consumers to submit an opt-out request. Businesses cannot require you to create an account to submit your request or ask for additional information to process your opt-out.

If you can’t find a business’s link, review its privacy policy to see if it sells or shares personal information for purposes of targeted advertising. If the business does, it must also include that link in its privacy policy. 

UPDATE: LinkedIn suit withdrawn

UPDATE: LinkedIn issued this statement today:

"Sharing the good news that a baseless lawsuit against LinkedIn was withdrawn earlier today. It falsely alleged that LinkedIn shared private member messages with third parties for AI training purposes. We never did that. It is important to always set the record straight."

-- Sarah Wright, VP Legal

A class action complaint charges that LinkedIn shared its Premium customers' private data with third parties and used it to train artificial intelligence models. 

Those messages “include incredibly sensitive and potentially life-altering information about employment, intellectual property, compensation, and other personal matters,” Los Angeles resident Alessandro De La Torre alleges in a class-action complaint filed Tuesday in the Northern District of California.

The complaint alleges that LinkedIn violated its privacy policy to facilitate the file sharing. And it said the action raises the possibility that “private discussions could surface in other Microsoft products.” 

LinkedIn said the allegations are untrue. “These are false claims with no merit,” a LinkedIn spokesperson told ConsumerAffairs in an email.

“Customers’ data is now permanently embedded in AI systems without their consent, exposing them to future unauthorized use of their personal information,” the complaint alleges.

The suit seeks to represent Premium customers who sent or received InMail messages and whose data was disclosed to third parties before Sept. 18.

It seeks $1,000 for each of the millions of Premium customers as well as unspecified damages for breach of contract. 

LinkedIn is a professional networking platform designed to help individuals connect with colleagues, business partners, and potential employers. It is widely used for professional networking, job searching, and showcasing career achievements.

LinkedIn allows users to create a profile with their work experience, education, skills, and other professional information. Users can also join groups, share updates, and endorse others' skills. Additionally, LinkedIn serves as a tool for companies to recruit talent, post job openings, and promote their brands.

Founded in 2002 and acquired by Microsoft in 2016, LinkedIn is considered the largest professional networking site in the world, with hundreds of millions of users globally. It is primarily used for career development, business networking, and industry discussions.

Genshin Impact game maker fined $20 million for privacy violations

The maker of the video game Genshin Impact has agreed to pay $20 million and make changes to address allegations by the Federal Trade Commission (FTC) that the company violated children’s privacy laws and misled users about the costs of in-game purchases and the odds of winning rare prizes.

“Genshin Impact deceived children, teens, and other players into spending hundreds of dollars on prizes they stood little chance of winning,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies that deploy these dark-pattern tactics will be held accountable if they deceive players, particularly kids and teens, about the true costs of in-game transactions.”

Key Allegations

  • Privacy Violations: The company collected personal data from children under 13 without parental consent, violating the Children’s Online Privacy Protection Rule (COPPA).
  • Misleading Purchases: Players, including children and teens, were misled about the cost and odds of obtaining rare “five-star” loot box prizes. The confusing virtual currency system made it hard to track spending.
  • Unfair Marketing: Limited-time promotions and social media influencer campaigns created false impressions about the chances of winning rare items.

Proposed Settlement

  • Parental Consent: Children under 16 will need parental approval for in-game purchases.
  • Direct Purchases: Loot boxes must have a direct purchase option with real money.
  • Transparency: The company must disclose loot box odds and virtual currency exchange rates.
  • Privacy Compliance: Personal data collected from children under 13 must be deleted unless parental consent is obtained, and COPPA requirements must be followed.

The settlement awaits approval from a federal judge. The FTC emphasized that companies using deceptive tactics, especially those targeting children, will be held accountable.

Genshin Impact is produced by miHoYo Co., Ltd, a Shanghai-based Chinese video game and development company.

GoDaddy's web hosting service lax about security, feds charge

Popular web hosting and domain name provider GoDaddy will have to improve its security measures under the terms of a settlement announced today with the Federal Trade Commission (FTC).

The FTC claims GoDaddy failed to secure its web hosting services from cyberattacks, leaving customers vulnerable. It said that since 2018, GoDaddy did not properly protect or monitor its hosting environments, and it misled customers about the security of its services.

As part of the settlement, GoDaddy must create a comprehensive security program similar to other companies’ programs that have settled with the FTC. This includes protecting customer data, monitoring security risks, and ensuring the company is honest about its security practices.

GoDaddy, one of the world's largest web hosting companies, has had several security breaches in recent years. These breaches allowed attackers to access customer websites, exposing visitors to possible risks. The FTC also alleges that GoDaddy falsely claimed it followed security standards like the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.

The settlement will require GoDaddy to stop misleading customers, implement a strong security program, and hire an independent third party to review its security measures regularly. The FTC’s decision is part of its broader efforts to protect consumers from poor data security practices.

Texas sues Allstate for alleged violations of consumer privacy law

The state of Texas has filed a lawsuit against Allstate and its subsidiary, Arity, accusing the defendants of unlawfully “collecting, using, and selling” data about the location and movement of Texans’ cell phones through secretly embedded software in mobile apps, such as Life360. 

Texas Attorney General Ken Paxton charged the information is being used by Allstate and other insurance companies to charge some customers higher premiums.

According to the lawsuit, Allstate, through its subsidiary data analytics company Arity, would pay app developers to incorporate its software to track consumers’ driving data. The complaint claims Allstate collected trillions of miles worth of location data from over 45 million consumers nationwide and used the data to create the “world’s largest driving behavior database.” 

When a consumer requested a quote or renewed their coverage, the suit claims Allstate and other insurers would use that consumer’s data to justify increasing their car insurance premium if it showed drivers covered more ground.

Paxton claims these actions violated the Texas Data Privacy and Security Act (“TDPSA”), which created heightened protections for Texans’ sensitive data, including but not limited to precise geolocation information. 

Clear notice and informed consent

The law specifically addresses privacy, requiring clear notice and informed consent regarding how a company will use consumers’ sensitive data. Paxton says Allstate never provided notice or obtained Texans’ consent to collect or sell their sensitive data. This is the first enforcement action ever filed by a State Attorney General to enforce a comprehensive data privacy law.

“Our investigation revealed that Allstate and Arity paid mobile apps millions of dollars to install Allstate’s tracking software,” Paxton said. 

“The personal data of millions of Americans was sold to insurance companies without their knowledge or consent in violation of the law. Texans deserve better and we will hold all these companies accountable.”

This lawsuit follows Paxton’s lawsuit against General Motors and his ongoing investigations into several car manufacturers for secretly collecting and selling drivers’ highly detailed driving data.