Digging Deeper into the FTC Report on Social Media Practices

On September 19th, 2024, the Federal Trade Commission (FTC) issued a report highlighting data processing practices of nine major social media and video streaming services (SMVSSs). The report concludes that many SMVSSs engaged in concerning data collection practices that harmed user privacy. It also proposes numerous reforms, including passing a comprehensive federal privacy bill, measures to address youth privacy, and recommendations for modifying data practices. The report suggests some reforms that would benefit consumers and businesses alike, but a closer look reveals numerous flaws that policymakers should be cognizant of when using the report in policy considerations.

Importantly, the data relied upon in the FTC report is old. In 2020, when the study was initiated, companies’ data practices were naturally tailored to the laws in place at that time. Today, digital services regularly implement industry-wide privacy protections and comply with numerous additional state and local laws, calling into question some of the complaints made in the FTC’s report. 

Tellingly, the only existing comprehensive state privacy law in 2020 was the California Consumer Privacy Act, which implemented rules for companies who provide digital services to California residents. As of 2024, however, over 20 states have passed comprehensive privacy laws which increase users’ control over their data and provide transparency regarding processing decisions. Businesses’ privacy practices have also advanced since 2020. Current sector-wide standards include capabilities such as hands-on privacy controls with opt-out options, transparency settings, and increased detail about how data is collected and processed by third parties. Therefore, when the FTC report surmises that SMVSSs’ data processing practices pose “risks” based on “inadequate” business practices, it may be relying on outdated information.

Next, the report’s conclusion that SMVSSs’ advertising practices raise privacy concerns appears to be merely theoretical and not supported by empirical evidence. The FTC report characterizes the personalization of ads as inherently harmful despite known economic benefits to consumers and small businesses. Additionally, like businesses’ privacy practices, advertising practices have evolved since the report’s inception. Some digital services allow users to block third-party trackers on web browsers, phasing out third-party cookie models and trackers. Others utilize advancements in artificial intelligence to provide a more secure advertising process that is useful to consumers. It is unclear how the mere existence of advertising alone poses risks to users.

Finally, the report attempts to shoehorn a group of SMVSSs which operate in entirely different areas of business — social media, streaming, e-commerce, or forum-based message boards, for example — into one category. Data processing practices for one company that mainly deals in consumer products should be understood differently than those of a company that primarily provides a streaming service for video games. 

Nevertheless, the FTC report indicates that SMVSSs across the board should be admonished for processes such as utilizing data anonymization rather than automatic mass deletion, even where the latter method could harm a digital service’s efficacy. Notably, not even the most stringent privacy laws, like Europe’s General Data Protection Regulation, impose such a drastic mandate. A better approach would be to determine the appropriate data processing needs of companies based on their industry, instead of lumping all of them together under one flag.

One thing the FTC does get absolutely right is the need for comprehensive data privacy legislation at the federal level. Consumers and companies alike benefit from knowing their rights and obligations regarding data processing decisions. And as the FTC notes, federal privacy law that standardizes protections for teens would protect the public. Accurate, up-to-date information based on current industry practices will help to inform this process rather than an outdated snapshot — a point lawmakers should carefully consider when processing how this four-year-old study should inform discussions surrounding future federal regulation of privacy and security.