The Federal Trade Commission (FTC) recently released a 129-page report that claims that large social media and streaming companies engage in a “vast surveillance” of users and profit off of personal data, signaling the FTC’s interest in protecting the privacy of consumers. The report states that the tech industry failed to implement appropriate safeguards against privacy risks, used personal data to shape content to keep users on their platforms, and introduced significant risks to children and teens. The report focuses on the practices of the following well-known companies: Discord, Meta, Facebook, Twitch, TikTok, Instagram, WhatsApp, Reddit, Snapchat, Twitter, and YouTube. In this article, we will discuss the FTC’s report and its findings about the privacy risks inherent in how these companies collect, use, share, and process data.
Collection, Use, and Sharing of Data
The first part of the report focuses on the fact that the above companies collect vast amounts of data, which can be retained indefinitely. The report found that the companies collect the following types of data, much of which can be sensitive:
Demographic information (e.g. age, gender, language, education, marital status);
User metrics (e.g. number of messages sent or received);
Privacy preferences (e.g. access and deletion requests);
Shopping behavior (e.g. products or services purchased);
User interests (e.g. an individual is interested in beer and spirits or fast food).
The report also found that in addition to the collection of personal data (e.g. names and email addresses) and the information mentioned above, the companies also received data regarding consumers’ activities outside of their platforms, as well as activities on other platforms. The FTC found that this data was not just collected from the users themselves, but that it was also collected from advertisers and/or data brokers, advertising tracking technologies, connections with other platforms or online services, affiliates, and engagement with social media and video streaming services.
The report found that most companies were not transparent about who they share this data with, which can include affiliates, advertising providers, researchers and academics, and other third-party entities.
Retention of Data
The FTC’s report found that the enumerated companies did not provide adequate safeguards to protect consumers against privacy risks. While many companies reported that they engaged in data minimization efforts, those efforts to minimize the data collected or held were often vague or undocumented. Multiple companies also stated that they did not have written data retention and deletion policies, meaning that data could be retained indefinitely. Only a few companies reported automatically deleting inactive or abandoned user accounts.
Privacy Rights
The FTC’s report found that even though the companies needed to comply with the General Data Protection Regulation (GDPR), many of them afforded GDPR rights to EU customers, and not to US customers. It is important to note that there is no requirement to provide GDPR rights to US customers, as GDPR only protects residents of the European Union. While other privacy laws may provide rights to US residents, it is surprising that the FTC would expect companies to provide GDPR rights to US residents. While providing privacy rights when it is not legally required is certainly an honorable goal, the FTC and US legislators should work on legislation that would make this an actual legal requirement.
Advertising Practices
The second part of the report focuses on the fact that the enumerated companies gain most of their revenue through targeted advertising, which is powered by the collection, use and sharing of data. The FTC discussed that targeted advertising can pose privacy risks to individuals as such advertising is frequently invisible to individuals, can lead to sales of data and can be used to identify sensitive personal information about an individual. In its report, the FTC discussed the fact that targeted advertising based on sensitive data can lead to discrimination, invasion of privacy, stigma, and reputational harm.
Use of Algorithms, Data Analytics, or AI
The FTC’s report found that social media and streaming companies used AI-fueled systems to process the data of users and non-users of their platforms. The AI systems used personal data that was inferred, purchased from third parties, or derived from activities in a way that did not provide adequate transparency, choice, or control. It is important to note that the report states that AI systems were used to process the data of non-users as well, meaning that individuals could have their data processed by AI without their knowledge.
Protection of Children
The report found that many companies asserted that they do not have children users, though that was not the case in practice. Almost all companies allowed children and teens to use their platforms and placed no restrictions on their accounts. In fact, many companies treated children as they would adult accounts, meaning that children were not afforded any additional protections for their privacy.
Recommendations
The FTC’s report concluded with recommendations, such as the recommendation for companies to take privacy seriously and for Congress to pass a comprehensive federal privacy law that would limit this type of data collection and tracking, as well as provide individuals with privacy rights. The FTC also recommended that companies implement more targeted advertising safeguards, provide consumers with more information about their privacy, and implement policies that would ensure greater protection of children and teens.
Donata Stroink-Skillrud is an attorney licensed in Illinois and a Certified Information Privacy Professional. She is also the legal engineer behind Termageddon, a SaaS that has generated thousands of Privacy Policies and successfully kept them up to date with changing legislation. Donata is also the Chair of the American Bar Association's ePrivacy Committee and Vice-Chair of the Chicago Bar Association's Cybersecurity and Privacy Committee. Donata is also the past Chair of the Chicago Chapter of the International Association of Privacy Professionals along with being Privacy Liaison for MainWP.