The FTC alleges Meta failed to comply with a 2020 privacy order — and as such, the agency wants to impose new restrictions on the social giant, including prohibiting Facebook, Instagram and its other services from monetizing data from users under 18. The FTC also is proposing to prohibit Meta from releasing new or modified products, services or features without “written confirmation” from the third-party assessor overseeing its privacy programs.
Under the 20-year settlement with the FTC (reached in 2019 and approved the following year) Meta agreed to pay a record-breaking $5 billion fine and to submit to new oversight by the commission. That was to settle claims that the company violated a 2012 FTC order “by deceiving users about their ability to control the privacy of their personal information.”
According to an announcement Wednesday by the FTC, Meta “has failed to fully comply with the [2020] order, misled parents about their ability to control with whom their children communicated through its Messenger Kids app, and misrepresented the access it provided some app developers to private user data.” The FTC also alleges that Meta violated the Children’s Online Privacy Protection Act (COPPA).
Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement, “Facebook has repeatedly violated its privacy promises. The company’s recklessness has put young users at risk, and Facebook needs to answer for its failures.”
In a statement responding to the FTC’s announcement, Meta said, “This is a political stunt. Despite three years of continual engagement with the FTC around our agreement, they provided no opportunity to discuss this new, totally unprecedented theory. Let’s be clear about what the FTC is trying to do: usurp the authority of Congress to set industry-wide standards and instead single out one American company while allowing Chinese companies, like TikTok, to operate without constraint on American soil.”
The tech giant’s statement continued, “FTC Chair Lina Khan’s insistence on using any measure — however baseless — to antagonize American business has reached a new low. We have spent vast resources building and implementing an industry-leading privacy program under the terms of our FTC agreement. We will vigorously fight this action and expect to prevail.”
In seeking modifications to the 2020 order, the FTC formally asked Meta to respond in 30 days to the proposed findings from the agency’s investigation.
According to the agency, the independent assessor overseeing Meta’s privacy practices, “identified several gaps and weaknesses in Facebook’s privacy program.” The FTC also alleged that Facebook violated both the 2012 and 2020 orders by “continuing to give app developers access to users’ private information after promising in 2018 to cut off such access if users had not used those apps in the previous 90 days.” In certain circumstances, Facebook continued to allow third-party app developers to access that user data until mid-2020, according to the agency.
In addition, the FTC has asked Meta to respond to allegations that from late 2017 until mid-2019, Facebook “misrepresented that parents could control whom their children communicated with through its Messenger Kids product. Despite the company’s promises that children using Messenger Kids would only be able to communicate with contacts approved by their parents, children in certain circumstances were able to communicate with unapproved contacts in group text chats and group video calls.” The FTC says these misrepresentations violated the 2012 order, the FTC Act and COPPA.
The FTC’s proposed modifications to the 2020 order — which would apply to Facebook, Instagram, WhatsApp and Quest VR businesses — includes:
- Prohibiting monetizing data of children and teens under 18;
- Barring the launch of new or modified products, services or features without written confirmation from the assessor that its privacy program is in full compliance with the order’s requirements and “presents no material gaps or weaknesses”;
- Extending compliance of the order to cover any companies Meta acquires or merges with, and to honor those companies’ prior privacy commitments;
- Limiting future uses of facial recognition technology, to require Meta to disclose and obtain users’ affirmative consent for any future uses of facial recognition technology; and
- Strengthening existing requirements in the order such as those related to privacy review, third-party monitoring, data inventory and access controls, and employee training. Meta’s reporting obligations also would be expanded to include its own violations of its commitments.