Learn more about the FTC report on social media practices

On September 19, 2024, the Federal Trade Commission (FTC) released a report highlighting the data processing practices of nine major social media and video streaming services (SMVSSs). The report concludes that many SMVSSs engaged in data collection practices that compromised user privacy. In addition, numerous reforms are proposed, including the passage of a comprehensive federal privacy law, measures to protect youth privacy, and recommendations to change data practices. The report proposes some reforms that would benefit both consumers and businesses. However, a closer look reveals numerous shortcomings that policymakers should consider when using the report for policy considerations.

Importantly, the data on which the FTC report relies is old. In 2020, when the study was initiated, companies' data practices were of course adapted to the laws in force at the time. Today, digital services regularly implement industry-wide privacy protections and comply with numerous additional state and local laws, calling into question some of the complaints raised in the FTC report.

Significantly, the only comprehensive state privacy law in 2020 was the California Consumer Privacy Act, which implemented rules for companies that provide digital services to California residents. However, by 2024, over 20 states have enacted comprehensive data protection laws that give users more control over their data and ensure transparency in processing decisions. Companies' data protection practices have also evolved since 2020. Current industry-wide standards include features such as convenient privacy controls with opt-out options, transparency settings, and more detailed information about how data is collected and processed by third parties. Therefore, when the FTC report suggests that SMVSS's data processing practices pose “risks” due to “inadequate” business practices, it may be relying on outdated information.

Next, the report's conclusion that SMVSS's advertising practices raise privacy concerns appears to be purely theoretical and not supported by empirical evidence. The FTC report calls ad personalization fundamentally harmful, despite known economic benefits for consumers and small businesses. Additionally, advertising practices have evolved since the report's release, as have companies' privacy practices. Some digital services allow users to block third-party trackers in web browsers, thereby phasing out third-party cookie models and trackers. Others are leveraging advances in artificial intelligence to enable a safer advertising process that is useful to consumers. It is unclear to what extent the mere existence of advertising poses risks to users.

Finally, the report attempts to categorize a group of SMVSSs that operate in completely different business areas – for example, social media, streaming, e-commerce or forum-based message boards. The data processing practices of a company that primarily deals in consumer products should be understood differently than those of a company that primarily provides a video game streaming service.

Still, the FTC report notes that SMVSSs should generally be admonished for processes such as using data anonymization instead of automatic mass deletion, even if the latter method could reduce the effectiveness of a digital service. What's remarkable is that not even the strictest data protection laws, such as Europe's General Data Protection Regulation, impose such a drastic mandate. A better approach would be to identify companies' appropriate data processing needs based on their industry, rather than lumping them all together under one banner.

One thing the FTC gets absolutely right is the need for comprehensive federal privacy laws. Consumers and businesses alike benefit from knowing their rights and responsibilities when making data processing decisions. And as the FTC notes, a federal privacy law that standardizes teen protections would protect the public. Accurate, up-to-date information based on current industry practices will serve as the foundation for this process, rather than an outdated snapshot – a point that lawmakers should carefully consider as they process how this four-year-old study discusses future federal regulations to influence data protection and security.