On May 3, 2023, the Federal Trade Commission (FTC) announced that it issued an order to show cause (the “show cause order”) to Meta Platforms, Inc. (formerly Facebook, Inc., “Meta”). The show cause order proposes major changes to the April 2020 order (the “2020 order”) pursuant to which Meta agreed to make substantial changes to its privacy program and pay a record $5 billion fine. The show cause order alleges that Meta has repeatedly violated the 2020 order as well as a previous 2012 order, Section 5 of the FTC Act, and the Children’s Online Privacy Protection Act Rule (COPPA Rule). For the first time ever, the FTC has proposed prohibiting a company from profiting from any data collected from users under age 18. Meta has 30 days to respond and provide evidence for why the FTC should not modify the order. In addition to other changes, the FTC has proposed a heightened review process for any product or feature launches or changes, and an expansion of the requirement to seek affirmative consent for the use of facial recognition technology.

This alert provides a summary and analysis of the show cause order issued by the FTC to Meta, along with key observations.

Background

As one of the largest technology and social media companies in the world, with a number of products and services, Meta has repeatedly been in the FTC’s crosshairs. The show cause order is the FTC’s third action against Meta for alleged privacy violations. The FTC first filed a complaint against Meta’s predecessor Facebook in 2011. The complaint alleged, among other things, that Facebook had misrepresented the extent of sharing of personal information with third-party app developers. In July 2012, the FTC issued an order (the “2012 order”) that prohibited Facebook from misrepresenting its privacy practices, required affirmative express consent for sharing of personal information with third parties in a manner that materially exceeded privacy settings, imposed limits on retention and access to data of deleted accounts, and required Facebook to create a comprehensive privacy compliance program and have third-party assessments conducted.

Subsequently, in 2019, the DOJ (acting on the notification and authorization of the FTC) issued a complaint alleging that Meta’s predecessor entity Facebook had engaged in practices violating the 2012 order and Section 5 of the FTC Act in connection with the Cambridge Analytica incident. Facebook entered into an order to resolve this complaint in 2019 that took effect in 2020. Among other things, the 2020 order required Facebook to engage in a privacy review for every new or changed feature, product, or service prior to implementation and to retain documentation regarding the review. The 2020 order also required Facebook to implement heightened security procedures for personal information, as well as third-party apps and developers, and restricted Facebook’s use of facial recognition and telephone numbers collected for account security.

Show Cause Order Allegations

As stated in the show cause order, the FTC alleges that the independent assessor identified several areas where Meta’s privacy program did not comply with the terms of the 2020 and 2012 orders and where the FTC alleges that Meta violated Section 5 of the FTC Act and COPPA. Alleged violations of the previous orders and privacy laws include the following:

• Misrepresentations Regarding Third-Party Developer Access to Private Information. Meta, beginning in 2018, had publicly represented on its apps and websites that third-party app developers would not have access to users’ private information if users had not used those apps within the previous 90 days. The show cause order alleges that Meta continued to share user data with third-party developers in violation of these representations from April 2018 until June 2020. The FTC alleges that Meta’s misrepresentations regarding the extent to which expired applications could continue to receive users’ nonpublic information violated Section 5 of the FTC Act and the 2012 and 2020 orders.
• Misrepresentations Regarding Children’s Data in Messenger Kids. The show cause order also alleges that, from December 2017 through July 2019, Meta misrepresented the extent of parental controls in its Messenger Kids product. Messenger Kids is a messaging and video calling application designed for users under the age of 13. The FTC alleges that despite representations that children could only communicate with parent-approved contacts, children communicated with unapproved contacts in group texts and video calls due to Meta’s coding errors. According to the show cause order, by allowing children to communicate with contacts who were not approved by their parents, in contravention of Meta’s representations and notice to parents, Meta violated the 2012 order, Section 5 of the FTC Act, COPPA, and the COPPA Rule. As stated in the FTC’s announcement, under the COPPA Rule, operators of websites or online services that are directed to children under 13 must notify parents and obtain their verifiable parental consent before collecting personal information from children.
• Failure to Establish an Effective Privacy Program. The FTC alleges that Meta violated the 2020 order by failing to establish and implement an effective privacy program. Per the show cause order, the FTC’s “staff’s investigation showed the most serious deficiencies and sheer number of total gaps and weaknesses overall present substantial risks to the public.” However, the public version of the show cause order is heavily redacted, and it is not clear what gaps and weaknesses the third-party assessor identified.

Proposed Changes

The show cause order includes a number of proposed changes to the 2020 order that would apply to all of Meta’s products and services, including Facebook, Messenger, Instagram, WhatsApp, and Portal.

• No Monetization of Teenagers’ and Children’s Information. Meta would be prohibited from monetizing data of individuals under 18 or otherwise using such information for commercial gain, even after such users become adults. Meta would only be permitted to collect and use data to provide the services or for security reasons.
• No New or Modified Features or Products Without Assessor Approval. Meta would be prohibited from launching new or modified products, features, or services until it receives written confirmation from the third-party assessor that Meta’s privacy program is fully compliant with the order.
• Acquired Companies Also Have to Comply. Meta would be responsible to ensure compliance with the order for any merged or acquired companies in the future.
• Affirmative Consent for Facial Recognition Technology. Users would have to grant Meta affirmative consent for any future use of facial recognition technology by Meta. More generally, the order would broaden protections requiring Meta to give conspicuous notice and obtain users’ affirmative express consent for changes to its data practices.
• Existing Requirements Bolstered. Provisions relating to issues such as privacy risk assessments and safeguard adjustments, third-party monitoring, data inventory and access controls, privacy review, and employee training would be bolstered by the revised order.
• Meta Must Report Own Violations. Meta would also expressly be required to report violations of its own commitments.

Here are some key observations from the FTC’s action:

An aggressive FTC is using novel tools and issuing sweeping relief. The FTC’s show cause order to Meta is indicative of the FTC’s increasingly aggressive enforcement approach. We can’t recall a time when the FTC has issued an Order to Show Cause for an order violation. Certainly, the FTC’s proposal banning the monetization of any data collected from users under 18 across Meta’s products and services is novel and sweeping.

The three Democratic commissioners have different views. Although FTC watchers tend to view the three Democratic commissioners as being in lockstep, Commissioner Bedoya’s separate statement indicates that this may not be the case. His statement takes issue with the nexus between Meta’s alleged misrepresentations regarding privacy controls for Messenger Kids and the FTC’s penalty, particularly as the alleged violations took place before the FTC issued the final 2020 order.

It is unclear whether the facts justify the relief. The FTC’s show cause order does not allege that Meta willfully or deliberately collected data from children in violation of its public representations. Instead, the show cause order states that “coding errors” led to children under 13 being able to enter into group chats or video calls with contacts not approved by their parents. A complete ban on the monetization of youth data across Meta’s products is a drastic step in response to the technical issues discussed in the public document. Additionally, large portions of the show cause order are redacted and the Proposed Findings of Fact cited extensively in the order have not been made public at all. Thus, it is unclear what other gaps or deficiencies identified by the third-party assessor led to the FTC’s proposed changes in the show cause order.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning cybersecurity compliance or investigations, please contact Christopher Olsen, Nikhil Goyal, or any member of the firm’s privacy and cybersecurity practice.