FTC Pursues Blanket Prohibition on Meta’s Monetization of Children’s Data
“Facebook has repeatedly violated its privacy promises,” said FTC lawyer Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The company’s recklessness has put young users at risk, and Facebook needs to answer for its failures.”
As part of the proposed changes, Meta, which changed its name from Facebook in October 2021, would be prohibited from profiting from data it collects, including through its virtual reality products, from users under the age of 18.
The company would also be subject to other expanded limitations, including in its use of facial recognition technology, and required to provide additional protections for users.
This marks the third time the agency has taken action against Facebook for allegedly failing to protect users’ privacy.
The Commission first filed a complaint against Facebook in 2011, and secured an order in 2012 barring the company from misrepresenting its privacy practices. However, according to a subsequent complaint filed by the Commission, Facebook purportedly violated the first FTC order within months of it being finalized – engaging in misrepresentations that helped fuel the Cambridge Analytica scandal.
In 2019, Facebook agreed to a second order—which took effect in 2020—resolving claims that it violated the FTC’s first order.
This action alleges that Facebook has violated the 2020 order, as well as the Children’s Online Privacy Protection Act Rule.
The 2020 privacy order required Facebook to pay a $5 billion civil penalty.
The 2020 order also expanded the required privacy program, as well as the independent third-party assessor’s role in evaluating the effectiveness of Facebook’s program.
For example, the 2020 order required Facebook to conduct a privacy review of every new or modified product, service, or practice before implementation and document its risk mitigation determinations. The order also required Facebook to implement greater security for personal information, and imposed restrictions on the use of facial recognition and telephone numbers obtained for account security.
The independent assessor, tasked with reviewing whether the company’s privacy program satisfied the 2020 order’s requirements, allegedly identified several gaps and weaknesses in Facebook’s privacy program, according to the heavily redacted May 3,2023 Order to Show Cause, in which the Commission notes that the breadth and significance of these deficiencies pose substantial risks to the public.
The Order to Show Cause also alleges that Facebook violated both the 2012 and 2020 orders by continuing to give app developers access to users’ private information after promising in 2018 to cut off such access if users had not used those apps in the previous 90 days. In certain circumstances, Facebook purportedly continued to allow third-party app developers to access that user data until mid-2020.
In addition, the FTC has asked the company to respond to allegations that, from late 2017 until mid-2019, Facebook misrepresented that parents could control whom their children communicated with through its Messenger Kids product.
Despite the company’s promises that children using Messenger Kids would only be able to communicate with contacts approved by their parents, children in certain circumstances were able to communicate with unapproved contacts in group text chats and group video calls, according to the FTC.
The FTC says these misrepresentations violated the 2012 order, the FTC Act and the COPPA Rule. Under the COPPA Rule, operators of websites or online services that are directed to children under 13 must notify parents and obtain their verifiable parental consent before collecting personal information from children.
The proposed changes to the 2020 order, which would apply to Facebook and Meta’s other services such as Instagram, WhatsApp, and Oculus, include:
- Blanket prohibition against monetizing data of children and teens under 18: Meta and all its related entities would be restricted in how they use the data they collect from children and teens. The company could only collect and use such data to provide the services or for security purposes, and would be prohibited from monetizing this data or otherwise using it for commercial gain even after those users turn 18.
- Pause on the launch of new products, services: The company would be prohibited from releasing new or modified products, services, or features without written confirmation from the assessor that its privacy program is in full compliance with the order’s requirements and presents no material gaps or weaknesses.
- Extension of compliance to merged companies: Meta would be required to ensure compliance with the FTC order for any companies it acquires or merges with, and to honor those companies’ prior privacy commitments.
- Limits on future uses of facial recognition technology: Meta would be required to disclose and obtain users’ affirmative consent for any future uses of facial recognition technology. The change would expand the limits on the use of facial recognition technology included in the 2020 order.
- Strengthening existing requirements: Some privacy program provisions in the 2020 order would be strengthened, such as those related to privacy review, third-party monitoring, data inventory and access controls, and employee training. Meta’s reporting obligations also would be expanded to include its own violations of its commitments.
The recent action is the first step in the process, according to the FTC. In seeking modifications to the 2020 order, the FTC has formally asked Meta to respond in 30 days to the proposed findings from the agency’s investigation.
The proposed order modifications are based on the agency’s authority under Section 5(b) of the FTC Act and Commission Rule 3.72, which allow the Commission to reopen an administrative case and modify a final order when the Commission finds “changed conditions of fact or law or [when the] public interest” may require such action.
The Commission voted 3-0 to issue the Order to Show Cause. Commissioner Alvaro Bedoya released a statement.
Informational purposes only. Not legal advice. May be considered attorney advertising.
About This Blog and Hinch Newman’s Advertising + Marketing Practice
Hinch Newman LLP’s advertising and marketing practice includes successfully resolving some of the highest-profile Federal Trade Commission (FTC) and state attorneys general digital advertising and telemarketing investigations and enforcement actions. The firm possesses superior knowledge and deep legal experience in the areas of advertising, marketing, lead generation, promotions, e-commerce, privacy and intellectual property law. Through these advertising and marketing law updates, Hinch Newman provides commentary, news and analysis on issues and trends concerning developments of interest to digital marketers, including FTC and state attorneys general advertising compliance, civil investigative demands (CIDs), and administrative/judicial process. This blog is sponsored by Hinch Newman LLP.