The Federal Trade Commission (FTC) recently announced plans to add a series of sanctions to a 2020 privacy order with Meta that would inhibit Meta’s ability to offer services to children or launch new products. In attempting to unilaterally revise the 2020 order, the FTC is unjustifiably and excessively obstructing legitimate business practices, bypassing the proper legislative process to create new privacy rules, and diminishing its ability to use consent decrees in the future.
The FTC reached a settlement with the company in 2019 to pay a record-breaking $5 billion fine and make substantial changes to its privacy and security practices. The settlement required the company to allow an independent, third-party assessor to evaluate its privacy practices and identify any gaps. The FTC alleges that the independent assessor found deficiencies in Meta’s privacy program and has called for several major changes to its settlement. Specifically, the FTC plans to prohibit Meta from monetizing data from users under the age of 18, prohibit Meta from launching new products without independent confirmation of full compliance with a privacy program, and limit its use of facial recognition technology.
These proposed changes are a gross overreaction to Meta’s alleged harms, many of which have already been resolved. Indeed, the assessor’s report, which covered Meta’s actions from October 2020 to April 2021, notes that the “key foundational elements necessary for an effective program are now in place.” Nor do any of the alleged violations justify such a drastic response. For example, Meta’s only alleged misrepresentation of its protections for children’s privacy occurred due to what the FTC itself describes as a “coding error” in the company’s Messenger Kids app, which allowed users in limited circumstances to communicate with unapproved contacts. Using a routine software bug to justify banning Meta from offering any services to users under the age of 18 is completely unjustified. Indeed, even FTC Commissioner Alvaro Bedoya issued a statement noting his concerns about the “nexus between the original order, the intervening violations, and the modified order.”
Further, the authority to enact broad rules governing the use of youth data, facial recognition technology, and other data-related issues belongs to Congress, not a regulatory agency such as the FTC. The proposed ban on Meta providing services to users under 18 oversteps this boundary and is a clear example of regulatory overreach. Moreover, this change would negatively impact children’s ability to access social media, communications apps, and the metaverse. While many of the advocacy groups that have tried, and failed, to pass stricter children’s privacy laws are cheering on this power grab, the FTC should leave lawmaking to the elected officials in Congress.
Finally, the FTC’s attempt to unilaterally amend the order represents a breach of trust that will give other companies pause before entering into future consent decrees with the agency. The FTC frequently uses consent decrees to avoid costly litigation and obtain settlements with companies that provide unique remedies and oversight. However, companies will rightly question whether they should enter into voluntary settlements with the FTC in the future if the FTC cannot be trusted to abide by the agreements.
The FTC’s proposed unilateral changes are both unwarranted and overreaching, and Meta has rightly challenged its legal authority. While the FTC should ensure that companies comply with the law and uphold commitments in consent decrees, restricting legitimate business practices is an unreasonable reaction that will hurt the company’s users too.