Artificial Intelligence & Machine Learning
,
Governance & Risk Management
,
Next-Generation Technologies & Secure Development
FTC Also Wants Confirmation That New & Modified Products Meet Privacy Requirements
The U.S. Federal Trade Commission is seeking tougher sanctions for Facebook parent company Meta after determining that several gaps and weaknesses exist in the company’s compliance with a 2020 consent decree mandating privacy improvements.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
Among the new measures the FTC seeks is a blanket pause on the launch of new or modified products without written confirmation from a third-party assessor that the product satisfies the privacy program. A redacted copy of a show cause letter transmitted to Facebook says an agency investigation “showed the most serious deficiencies and sheer number of total gaps and weaknesses overall present substantial risks to the public.”
The agency is also calling for a “blanket prohibition” against Facebook monetizing the data of children and teens younger than 18. It calls for stricter limits on facial recognition technology, stating that Facebook should obtain users’ affirmative consent for any future uses of the artificial intelligence technology. The prohibition would include virtual reality products. Meta, which is in the throes of multiple rounds of layoffs, bet heavily on virtual reality in a 2021 strategy pivot to the so-called metaverse. The company’s most recent quarterly filing shows its Reality Labs division lost nearly $4 billion during the first three months of 2023.
“Facebook has repeatedly violated its privacy promises,” said Sam Levine, director of the FTC’s Bureau of Consumer Protection. “The company’s recklessness has put young users at risk, and Facebook needs to answer for its failures.”
The company will have 30 days to respond to the agency’s proposals. It could challenge in a federal court of appeals any final decision made by the agency to harden privacy requirements.
in an online statement, Facebook accused the FTC of pulling a “political stunt.”* Facebook in 2019 agreed to a $5 billion settlement ending an FTC investigation into the company sparked by its Cambridge Analytica privacy scandal. The agreement required Facebook to fortify its privacy program and allow third-party assessors to periodically evaluate compliance for two decades (see: It’s Official: FTC Fines Facebook $5 Billion).
“The FTC does not have the authority to unilaterally impose ‘do-overs’ on court-approved, negotiated settlements,” Facebook said. It pointed to a statement from FTC Commissioner Alvaro Bedoya, a Democrat, questioning whether the agency is going past its authority to modify consent orders.
“When the Commission determines how to modify an order, it must identify a nexus between the original order, the intervening violations, and the modified order. Based on the record before me today, I have concerns about whether such a nexus exists,” Bedoya wrote.
Among the deficiencies the FTC said assessors identified are that Facebook continued to give app developers access to users’ private information despite its 2018 pledge to cut off the data flow if users stopped using a particular app for three months. In some circumstances, Facebook allowed third-party app developers to tap into that information until mid-2020, the FTC said.
The FTC also said Facebook misrepresented whom users of its Messenger Kids chat service could access. Representations that users could only communicate with contacts approved by parents were incorrect since “children in certain circumstances were able to communicate with unapproved contacts in group text chats and group video calls.”
*Update May 4, 2023 1:36 UTC: Updates story with statements from Facebook and FTC Commissioner Alvaro Bedoya.