The report titled “A Look Behind the Screens: Examining the Data Practices of Social Media and Video Streaming Services” by the Federal Trade Commission (FTC) provides a comprehensive review of the data practices of major social media and video streaming services (SMVSSs), including platforms like Facebook, TikTok, YouTube, and others. Here’s an easily understood summary:
- Key Findings:
- Data Collection: These companies collect vast amounts of data from both users and non-users, often from multiple sources, both online and offline. This includes sensitive data like personal, demographic, and even inferred information.
- Data Use and Sharing: The data is used for targeted advertising, algorithms, and AI-driven services, often without sufficient user knowledge or control. Companies frequently share this data with affiliates and third parties, raising significant privacy concerns.
- Children and Teens: The report highlights insufficient protection for teens and children. While companies comply with basic legal frameworks like COPPA (Children’s Online Privacy Protection Act), many do not offer additional safeguards, particularly for teens, who are treated similarly to adult users.
- Advertising and Algorithms: Targeted advertising is heavily reliant on personal data, leading to privacy-invasive practices like tracking and behavioral profiling. The use of AI and algorithms to drive engagement often prioritizes content that may negatively affect mental health, particularly for younger users.
- Competition: The companies’ vast data collection practices contribute to market dominance, making it difficult for smaller competitors to emerge and challenging user privacy further.
- Recommendations:
- Data Practices: Companies should minimize the data they collect and retain, establish clearer retention and deletion policies, and give users more control over their data.
- Advertising: Companies should prevent the use of sensitive data for targeted ads and implement stronger safeguards for privacy.
- Children and Teens: Additional protections should be put in place for these vulnerable groups, particularly for teenagers.
- AI and Algorithms: There needs to be more transparency and user control regarding how AI and algorithms use personal data. Systems should be tested and monitored to prevent harm.
- Implications for Users and Competition: The FTC notes that the current data practices could worsen if left unchecked, and self-regulation by these companies has proven inadequate. The report calls for legislative action to establish clear and comprehensive privacy standards to protect users, especially children and teens.
This report serves as a critical analysis of the privacy and competitive landscape surrounding social media and video platforms, offering insight into the need for stricter regulations to protect users.
What types of data are being harvested?
The report outlines a broad range of data types collected by social media and video streaming services (SMVSSs). Here is a summary of the specific data types that are being harvested:
- Personal Information: This includes data such as email addresses, demographic information (age, gender, household income), URLs visited, and other information related to user accounts or devices.
- User Attributes: These are characteristics like location (country, city), language, and user interests, which are often used for targeted advertising.
- Shopping Behavior: Information on users’ shopping behavior, including actual purchases and inferred interests, is collected by many platforms, though some child-directed platforms stated they do not deliberately collect this data.
- User Interests: Platforms collect and categorize users’ interests into detailed subcategories, such as food, drink, or parental status. These inferred interests can be used for targeted advertising.
- Data from Other Sources: SMVSSs often collect information from other SMVSSs or third parties (e.g., advertisers, data brokers) and ingest non-user data when users sync contact lists or when advertisers upload customer information.
- Inferred Data: SMVSSs derive information about users, such as their preferences and interests, from user activities like watching videos, clicking on ads, or making purchases.
- Passively Gathered Data: This includes IP addresses, device data, and other technical information used for various purposes, including targeted advertising.
- Offline and Non-User Activity: SMVSSs gather information about users and non-users from sources like advertisers, data brokers, and offline activities.
The scope of data collection goes beyond direct user inputs, extending into third-party data and inferred or passive data collection, highlighting significant privacy implications.
What are some examples of data being harvested?
The report outlines several ways in which social media and video streaming services (SMVSSs) gather data. These examples include:
- User-Provided Information: Data that users input themselves, such as when setting up an account (name, phone number, date of birth), profile information (interests, demographic data), or even voluntary survey responses.
- Passively Gathered Information: Data collected without active user input, such as device characteristics (device ID, IP address, browser cookies), activity on the platform (messages, conversations), viewership history, and user interactions with advertisements.
- Offline and Third-Party Data: Information about users and non-users acquired from advertisers, data aggregators, or other third parties. This data is often integrated through advertising tools, helping companies build custom audiences for targeted advertising. For example, data obtained through advertiser uploads or synced contact lists provides additional personal information that the company can use.
- Cross-Platform Data: Data shared between SMVSSs when users connect accounts across platforms or interact with embedded content on other services. This includes data provided by one platform when accounts are linked.
- Non-User Data: Some companies also gather data on non-users when their information is shared via contact list syncing or when advertisers upload customer data, which may include both users and non-users.
- Inferred Data: Data inferred from user activities, such as preferences and interests, based on how users interact with the platform or the type of content they engage with.
- Data Purchased from Brokers: Companies also purchase personal information from data brokers, which could include demographics like household income or location.
These practices are often hidden from users and can lead to extensive insights into users’ behaviors, preferences, and even offline activities.
Other potentials our data can be misused and abused
Aside from advertising, the report identifies several other ways companies use the data they collect:
- Algorithms, Data Analytics, or AI: Many companies apply data to algorithms and AI systems to analyze user behavior, make automated decisions, and improve services. These systems use personal information to infer details such as user preferences, demographics, and habits.
- Business Purposes: Some companies use the data for internal business purposes, such as research and development, optimizing products, and enhancing their digital advertising services.
- User Engagement: Data is used to determine what content to promote to users, such as which posts, videos, or articles to show to maximize engagement. This includes analyzing metrics like the number of followers or connections, the types of content users engage with, and their overall interaction with the platform.
These uses, while often enhancing user experience, also raise concerns about privacy and the lack of transparency in how companies utilize the collected data.
What can we do about it?
he report does offer several recommendations for users to reduce the risk of their data being harvested by social media and video streaming services (SMVSSs). Here are some key ways users can take action:
- Limit Data Sharing: Users should limit the data they provide to SMVSSs, especially when creating accounts. This includes being cautious about sharing personal information such as location, contacts, and sensitive demographic data.
- Privacy Settings: Users should regularly review and adjust their privacy settings on these platforms to restrict data sharing. This can help prevent their data from being used for purposes such as targeted advertising or sharing with third parties.
- Opt-Out of Tracking: Where available, users should opt-out of behavioral tracking and personalized advertising. Some platforms provide options to opt-out of targeted ads or limit the use of personal data for algorithmic decisions, though these controls are not always clear or comprehensive.
- Delete Data and Accounts: Users can request the deletion of their data from a platform by contacting the service and asking for their data to be deleted. They should also be aware that many companies offer a “soft deletion” where data is not immediately erased, and users may need to follow up to ensure full deletion.
- Use of Alternative Services: Where possible, users can seek out platforms that offer better privacy protections or are more transparent about their data practices.
The report emphasizes that users should not be the only ones responsible for protecting their data and calls for stronger federal privacy legislation and more transparent data practices by SMVSSs.
Did the report cite any recorded instances of abuse?
The report does mention several instances of confirmed data abuse or misuse involving social media and video streaming services (SMVSSs). Here are key examples:
- Use of Security Data for Advertising: In 2022, Twitter was fined $150 million for deceptively using users’ phone numbers and email addresses, provided for security purposes, to target advertisements without their consent【13:16†source】.
- Violations of Children’s Data Protection Laws: The report highlights that TikTok (formerly Musical.ly) was fined by the FTC for violations of the Children’s Online Privacy Protection Act (COPPA), where the platform illegally collected personal data from children without parental consent【13:16†source】.
- Facebook’s Misuse of Data: The report mentions Facebook’s involvement in several enforcement actions, including its failure to comply with privacy agreements. This included misleading parents about their ability to control their children’s data and giving unauthorized access to third-party developers.
These examples underscore the real-world risks of data abuse, with both legal and financial consequences for the companies involved.