FTC: Social media and video streaming companies violate user privacy on 'vast' scale
A Federal Trade Commission (FTC) report released Thursday asserts that large social media and video streaming companies are essentially maintaining an all-seeing surveillance apparatus that spies on consumers with few internal controls to regulate how users and non-users’ data is collected, stored and sold.
The report is based on FTC orders for information sent to nine platforms including Meta, Amazon, X, Snap, YouTube and ByteDance, the parent company of TikTok.
The orders were sent in 2020 and reflect the companies’ practices between 2019 and 2020 — but the agency said many of the behaviors it covered remain in use today.
The information the FTC collected from the companies is being released now in part because Congress is currently considering legislation — known as the Kids Online Safety Act (KOSA) and the Children and Teens’ Privacy and Protection Act (COPPA 2.0) — to better regulate the companies, the report said.
The FTC report focuses in particular on how the firms’ data practices impacted children and teens’ privacy and suggests the companies are potentially violating the law by flouting the agency’s rule protecting the digital privacy of minors. The practices also could violate Section 5 of the FTC Act by misrepresenting or omitting information that is likely to “mislead consumers acting reasonably under the circumstances,” the report said.
The 2020 orders asked companies to provide information documenting how they collect data; track and use it; decide how to target ads to both users and non-users of their sites; and use algorithms and artificial intelligence to harness the data collected. The agency also asked recipients to reveal how their data practices affect minors.
“The report lays out how social media and video streaming companies harvest an enormous amount of Americans’ personal data and monetize it to the tune of billions of dollars a year,” FTC Chair Lina Khan said in a statement.
“The report’s findings are timely, particularly as state and federal policymakers consider legislation to protect people from abusive data practices,” the statement added.
The companies profited from the surveillance even as users’ privacy and freedoms were compromised and the practices led to stalking and identity theft for some users, according to Khan.
Many of the companies studied “indefinitely” stored the data they gathered and merged it with information received from data brokers who provided personal information belonging to both the companies’ users and non-users, the report said.
The firms also shared data broadly, including with other social media and video streaming companies, allowing them to track consumers’ behavior off their platforms, the report said. The companies also culled data from other apps and websites tracking user behavior, it added.
The FTC noted that the companies relied on inadequate data handling regimes and oversight mechanisms and failed to minimize the data they collected. Some did not erase user data even when consumers requested that their data be deleted, the report said.
“The companies collected so much data that in response to the Commission’s questions, they often could not even identify all the data points they collected or all of the third parties they shared that data with,” the report said.
The firms also deployed tracking technologies, such as pixels, in order to help advertisers better target their ads, tracking users’ online activity “down to each click,” according to the report.
“The report found that users and non-users had little or no way to opt out of how their data was used by these automated systems, and that there were differing, inconsistent and inadequate approaches to monitoring and testing the use of automated systems,” an agency press release said.
The poor protections for children and teens were especially alarming, the report said. Many of the companies examined told the FTC that no children and teens used their services, a position the report said was meant to dodge liability under the agency’s rule protecting minors’ privacy, known as the Children’s Online Privacy Protection Act Rule.
Most of the companies did not limit how teens used their platforms and treated them the same as adult users, the report said.
The report made several recommendations to fix the problem, including that Congress pass comprehensive federal privacy legislation.
It also recommended several reforms for the companies:
- Minimize what data they collect and not share data with third parties and affiliates while deleting data no longer needed
- Stop collecting data through ad trackers and examine how they control ad targeting drawn from sensitive data such as location tracking
- Begin allowing consumers to dictate how the firms’ algorithms and artificial intelligence systems use their data
- Address the lack of transparency regarding how such systems are used and improve how they monitor standards for the systems
- Stop denying that children use their platforms and better safeguard minors’ data
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.