FTC Update: Agency Continues to Crack Down on Privacy Violations
A major goal of the Federal Trade Commission (“FTC”) is to protect consumer privacy. The rise in technology has made personal information of consumers more vulnerable than ever before. Because of this, the FTC has started to bring more data security and privacy cases against big tech companies. Since the U.S. does not have a comprehensive federal privacy law or independent agency solely committed to privacy violations, enforcement falls under the FTC’s purview. For years, many privacy advocates have claimed that the FTC does not issue strong enough penalties against big tech companies that fail to adequately safeguard consumer data. Now that more people are talking about data privacy issues and recent data breaches, we see a trend emerging of the FTC issuing larger fines and calling for stricter privacy standards. Two noteworthy FTC investigations recently made headlines due to the fines involved.
In February 2019, the Department of Justice filed a complaint for the FTC against a popular social media music platform called Musical.ly (now known as TikTok). This organization operates an app that many children under the age of 13 have used for years. Features of the app included the ability to share videos and communicate directly with users. The Children’s Online Privacy Protection Act (“COPPA”) requires that organizations get parental consent before obtaining, using, or disclosing any personal information from children under 13. The FTC investigation discovered that the app required users to provide identifying factors (such as an email address, phone number, name, and picture) in order to register. Privacy settings were automatically set to public. If the user changed to private mode, their photo and biography were still published to the public and other users could send direct messages to private users even if they did not follow their account.
The complaint alleged that Musical.ly violated COPPA in a number of ways, such as failing to obtain the age of their users, allowing users under 13 to create accounts and use the app without parental consent, and failure to notify parents about collecting their children’s data. The company knew that children were using the app because many parents contacted Musical.ly to complain. There were also reports of adults using the app to attempt contact with children.
As a settlement, the FTC issued a record-setting fine against Musical.ly in the amount of $5.7 million only weeks after filing the complaint, which is the largest fine to date in a COPPA case. The FTC also ordered the company to comply with COPPA, periodically submit compliance reports, and delete old content published by users under 13. While they did change their policies in July 2017 to require collection of age data and deny access to those under 13, they failed to delete old data violating COPPA prior to the policy change. Since the order, TikTok has expressed willingness to comply with the law and fix past mistakes. On February 27, two FTC commissioners issued a statement on this matter, commenting:
“The FTC’s action to crack down on the privacy practices of Musical.ly, now known as TikTok, is a major milestone for our COPPA enforcement program. Agency staff uncovered disturbing practices, including collecting and exposing the location and other sensitive data of young children. In our view, these practices reflected the company’s willingness to pursue growth even at the expense of endangering children…FTC investigations typically focus on individual accountability only in certain circumstances—and the effect has been that individuals at large companies have often avoided scrutiny. We should move away from this approach. Executives of big companies who call the shots as companies break the law should be held accountable…as we continue to pursue violations of law, we should prioritize uncovering the role of corporate officers and directors and hold accountable everyone who broke the law.”
As such, this case should definitely be an eye opener to organizations that offer membership to children. If they fail to comply with the law, even larger penalties than this could follow.
Facebook is not a new player in the realm of data privacy issues. In March 2018, the FTC began to investigate Facebook’s privacy measures and potential violation of a previous order the agency issued in 2011. This order outlined ways to improve Facebook’s privacy practices, such as transparency regarding sharing user data with third-parties. While Facebook has had several questionable privacy practices over the past few years, the major trigger for the 2018 investigation was Facebook’s involvement with Cambridge Analytica. This political consultancy improperly obtained access to millions of Facebook users’ data. Facebook has not admitted fault for this incident to date.
The FTC and Facebook have been in settlement discussions regarding this issue for over a year now. While neither has divulged any specific details of the negotiations, there is talk that the FTC wants to impose a multi-billion dollar fine. The largest fine to date for a privacy issue is $22.5 million against Google in 2012. A settlement would also likely include stricter privacy initiatives and compliance monitoring. The fact that these negotiations have taken over a year now has troubled many people since Facebook users continue to be at risk every day that passes without enforcing stricter privacy policies.
Facebook’s current struggles go beyond the FTC, as they are also under investigation for violating the EU’s General Data Protection Regulation (“GDPR”). In turn, privacy advocates and lawmakers are calling for much more intervention into Facebook’s privacy practices than a simple fine. Some ideas include cracking down on privacy requirements, appointing an independent director to solely represent user privacy interests, prohibiting integration of other business operations, imposing individual liability for corporate officers, and even dismantling the company. Regardless, reaching a settlement with the FTC would help boost Facebook’s reputation and show it is committed to maintaining user privacy.
If the FTC does impose a multi-billion dollar fine and some other strict requirements, this will likely spark a change in the way big tech companies handle privacy matters. Doing so might also help support the recent push for a federal privacy law. Facebook’s CEO Mark Zuckerberg even recently issued a public statement agreeing that the government needs to regulate harmful content, election integrity, privacy, and data portability. Zuckerberg suggested modeling a privacy initiative after the GDPR. For now, the public just needs to wait and see what comes of the settlement negotiations and any changes in the realm of social media privacy as a result.