A new Federal Trade Commission (FTC) staff report accuses social media and video streaming sites of engaging in vast surveillance of consumers in order to monetize personal information, while failing to adequately protect children and teens.
The government’s battle with social media is nothing new. The US Senate held a hearing at the beginning of this year, in which Senators took turns grilling social media CEOs, such as Mark Zuckerberg, about their roles in the safety of children on their respective platforms. Senators also passed the so-called TikTok bill in late April, which could effectively ban the Chinese-owned social media site in the US unless it sells to a US owner. Now, the FTC is raking social media and video streaming services over the coals over privacy concerns and the safety of teens and children on the popular sites.
“The report lays out how social media and video streaming companies harvest an enormous amount of Americans’ personal data and monetize it to the tune of billions of dollars a year,” remarked FTC Chair Lina M. Khan. “While lucrative for the companies, these surveillance practices can endanger people’s privacy, threaten their freedoms, and expose them to a host of harms, from identity theft to stalking.”
Khan added firms’ failure to adequately protect kids and teens on the platforms was “especially troubling.” The report cited research that found social media and digital technology contributed to negative mental health impacts on young users. Many companies asserted there were no children on their platforms because their services were not directed to children or did not allow children to create accounts. The staff report noted this was an apparent attempt to avoid liability under the Children’s Online Privacy Protection Act Rule.
The report is in response to 6(b) orders issued in December 2020 to nine social media and video streaming sites. Those include: Amazon.com, Inc., which owns the gaming platform Twitch; Facebook, Inc. (now Meta Platforms, Inc.); YouTube LLC; Twitter, Inc. (now X Corp.); Snap Inc.; ByteDance Ltd., which owns TikTok; Discord Inc.; Reddit, Inc.; and WhatsApp Inc.
According to the report, companies collected and could indefinitely retain “troves of data, including information from data brokers, and about both users and non-users of their platforms.” It also noted many companies engaged in broad data sharing that raised serious concerns regarding the adequacy of the companies’ data handling controls and oversight. It also added some companies did not delete all user data in response to user deletion requests.
Regarding the companies collecting information on its users, Khan added, “After collecting vast amounts of people’s personal information, the platforms implemented few guardrails on the disclosure of people’s data, and most disseminated this data to an assortment of third parties. Troublingly, no platform could provide a comprehensive list of the third parties to which it had disclosed user data, and several reported disclosing the data to third parties outside of the U.S., including foreign adversaries.”
The FTC did make some recommendations to policymakers and companies according to staff’s observations, findings, and analysis. Those recommendations include:
- Congress should pass comprehensive federal privacy legislation to limit surveillance, address baseline protections, and grant consumers data rights.
- Companies should limit data collection, implement concrete and enforceable data minimization and retention policies, limit data sharing with third parties and affiliates, delete consumer data when it is no longer needed, and adopt consumer-friendly privacy policies that are clear, simple, and easily understood.
- Companies should not collect sensitive information through privacy-invasive ad tracking technologies.
- Companies should carefully examine their policies and practices regarding ad targeting based on sensitive categories.
- Companies should address the lack of user control over how their data is used by systems as well as the lack of transparency regarding how such systems are used, and also should implement more stringent testing and monitoring standards for such systems.
- Companies should not ignore the reality that there are child users on their platforms and should treat COPPA as representing the minimum requirements and provide additional safety measures for children.
- The Companies should recognize teens are not adults and provide them greater privacy protections.
- Congress should pass federal privacy legislation to fill the gap in privacy protections provided by COPPA for teens over the age of 13.
The FTC voted 5-0 to issue the staff report. The full report can be read on the FTC website.