The Federal Trade Commission said Meta has "repeatedly violated" privacy rules and proposes tightening the agency's 2020 order against the company, completely barring it from monetizing data from anyone under 18 in any way among other new restrictions.
The order the company is accused of violating was enacted in 2019, but it went into effect this year. The firm formed in 2020 as part of then-Facebook's $5 billion settlement for violating a prior order. Now the FTC claims Facebook/Meta has violated the new order, as well as the Children's Online Privacy Protection Act Rule.
"The company's recklessness has put young users at risk, and Facebook needs to answer for its failures," said Samuel Levine, director of the FTC's Bureau of Consumer Protection, in a news release. (Due to the order and said failures spanning both names of the company, both are also used throughout.).
The 2020 order provided for an independent third-party assessor that would determine the extent to which Meta was complying with the privacy rules, that is, things like allowing new products to undergo review for privacy and the restrictions how facial recognition data and a phone number may be used.
This assessor recently sent the FTC his report and apparently it is not pretty; it contains evidence of numerous shortcomings or violations: "the breadth and significance of these deficiencies pose substantial risks to the public," the agency wrote.
Specifically, Facebook said it would end app developers' access to users' data if that user hadn't used the app in 90 days. But it didn't, the FTC claims, and allowed some of that data to be used into well into 2020.
Who regulates social media?
The company also "misrepresented that parents could control whom their children communicated with through its Messenger Kids product." The contact controls Facebook had in place were insufficient, as children were able to communicate with unapproved contacts through group video calls and chats.
These may not be the worst failures, but regulations around tech for kids are tight for good reason, and COPPA violations are serious. When one considers that Facebook had been placed on notice for over a decade for lackadaisical privacy practices, but that it knew the FTC was scrutinizing everything it did, especially around sensitive information like under-13 users, one is less forgiving.
Such seemingly flippant noncompliance with the FTC order has prompted the agency to turn the screws, with a series of proposed changes to the order — something it may do when "changed conditions of fact or law or public interest" warrant it. Companies may consider themselves warned that FTC orders are very much living documents.
In this scenario, the order of 2020 would be amended in the inclusion of all the businesses of Meta: the businesses of Facebook, Instagram, WhatsApp, and Oculus should be included with:
Tota prohibition against monetarizing data of anybody younger than 18 years of age. It shall be strictly used only to service/ security purposes only. In fact, the very point does not automatically retroactive and become a valid means once the user attained 18 years of age either.).
No roll out of new or modified products or services without the independent auditor first approving that new features are privacy-limited.
If Meta buys some hip new company, this privacy policy now binds them too.
More significant limits on facial recognition, disclosure, and affirmative consent required.
Stringent requirements all around including but not limited to review of privacy, data inventory, access controls, etc.
Meta strongly condemned the approach taken by the FTC, labeling it "a political stunt" in a statement. "Despite three years of constant engagement with the FTC on our settlement, they gave no opportunity to discuss this new, totally unprecedented theory," said Meta policy spokesperson Christopher Sgro, accusing FTC chair Lina Khan of "a new low" in letting TikTok run free while antagonizing Meta. "We have expended significant resources on designing and implementing an industry-leading privacy program that complies with our FTC consent order. We will vigorously defend this litigation and intend to prevail."
Today, the FTC releases an Order to Show Cause summarizing briefly the issues identified above and previously not available for public view at the time of writing. Meta has 30 days to respond, and after that, the agency will "carefully consider the facts and arguments made by the parties" and determine whether the expanded order is warranted-not a done deal; at least one Commissioner expresses skepticism at the tactics. I asked how long it might take before this new order comes into effect and will report if I hear back.