A little under four years ago, the Federal Trade Commission issued an order requiring nine of the largest social media and video streaming platforms to share detailed information about their collection and use of personal consumer data.
On the receiving end were Amazon, Facebook and WhatsApp, YouTube, Twitter, Snap, ByteDance, Reddit and Discord.
The FTC’s goal was to understand exactly how these companies use – and potentially misuse – consumer data, including for targeted advertising and feeding their algorithms, with a particular focus on how their practices affect children and teens.
On Thursday, the commission published the fruits of its labor, a more than 100-page staff report with a deceptively anodyne title: “A Look Behind the Screens: Examining the Data Practices of Social Media and Video Streaming Services.”
That might sound like a term paper, but it’s got bite. Although a staff report isn’t a law enforcement investigation, it’s a strong signal of the commission’s ongoing priorities.
“I don’t think it takes a lot of detective work to connect the dots between the enforcement work we’ve been doing over the last few years and some of the problems we identified in this report,” a top FTC official told reporters on background during a press briefing on Wednesday.
It’s the business model
And the problems identified in the report are many: data hoarding, including information from data brokers; indefinite data retention policies; a lack of control or oversight for data handling; an inadequate approach to data minimization; a tendency not to fully comply with user data deletion requests; a reliance on “privacy-invasive tracking technologies, such as pixels”; using algorithms for analytics with no easy way for people to opt out – you get the drift.
But they all boil down to the same underlying issue, according to the report, which is that these companies are incentivized to engage in the mass collection of user data for monetization, because that’s how they make most of their revenue.
The problem of “vast surveillance,” as the report calls it, therefore has less to do with any specific product feature or aspect of a service, the FTC official said. It’s deeper than that.
“It’s the underlying business incentives – the behavioral advertising business model in particular,” they said. “That business model is driving a lot of our concerns with targeting people based on sensitive characteristics, whether it’s where they go to church or what medical needs they have.”
This point of view is reflected in numerous recent FTC enforcement actions that zero in on the misuse of sensitive consumer data, including location and health information.
The kid question
But every problem laid out in the report is intensified when it comes to the collection and use of data from children and teens.
The report found that social media and video streaming services aren’t sufficiently protecting the kids that use their products – when, that is, they admit that there are kids using their products at all.
Many companies will claim there aren’t any children using their platform, because the service isn’t directed to children and/or doesn’t officially allow kids to create accounts. This, according to the report, is an attempt to circumvent the Children’s Online Privacy Protection Act (COPPA) Rule, which applies to site owners and operators with “actual knowledge” that they’re collecting personal data from a child under 13.
And the reality is, based on the information shared with the FTC in response to its order, there’s evidence that social media and video streaming companies typically treat teens no differently than their adult users.
Not that getting the platforms to cough up information about their data practices wasn’t a little like pulling teeth.
“It wasn’t exactly easy extracting information from these companies – even with the benefit of having civil investigative demand authority,” the FTC official quipped.
The ‘fiction’ of notice and choice
And regular consumers don’t fare much better getting the information they need to make informed privacy choices.
Typically, they’re getting too much information, which anyone who’s been presented with a lengthy online privacy policy written in legalese (as in, everyone who’s ever surfed the internet) understands firsthand.
This, the official said, is the “fiction” of notice and choice.
“Consumers are expected to protect themselves online by reading privacy policies and clicking ‘I agree’ at the end,” they said. “We need real protections for people’s data. … No one has time to read those policies, and choice is illusory in many of these markets.”
The FTC (more than) recommends
So, what’s the solution?
The FTC’s report has a bunch of suggestions, including limiting data collection, enforcing a rational approach to data minimization and retention, deleting consumer data once it’s no longer needed, adopting consumer-friendly privacy policies that regular humans can understand and not collecting any sensitive information through ad tech providers.
The report also calls for companies to give users more control over how their data is fed into automated systems and, while they’re at it, to stop ignoring when there are children using their services.
“Pretending that there aren’t kids on the platform and burying one’s head in the sand is not going to get you out of COPPA liability,” the FTC official said.
But there’s also a full-throated call for Congress to pass comprehensive privacy legislation.
Because self-regulation just “hasn’t worked,” the official said.
“Two decades ago, many people even said that government should stay away from the internet … that tech companies should be trusted – that is not what has happened,” they said. “[We are] probably the only country in the industrialized world, or one of them, that does not have comprehensive privacy protections. … This is a Wild West.”
