Today, in what could only be described as a political stunt, the Federal Trade Commission (FTC) accused us of not adequately protecting people’s privacy based on events that occurred and were disclosed years ago and an assessment which looked at just the first six months of a 20-year agreement. None of these issues warrant the drastic changes the FTC is seeking just three years into our decades-long agreement–and that the FTC lacks unilateral authority to impose. We have not violated the agreement and operate an industry-leading privacy program.
The timing is striking. These events occurred years ago, and we continuously update the FTC, yet today’s action comes without any opportunity for us to address their concerns. In fact, this action was brought just before an independent assessor was scheduled to update them on our compliance work and program enhancements we made over the past two years — yet the FTC chose to proceed without waiting to hear the results of that work. The action also comes after the Commision lost its bipartisan membership, and extraordinarily, even one of the remaining Democratic FTC Commissioners has already publicly questioned the FTC’s authority for the relief it is seeking.
We are focused on working productively with the agency to protect peoples’ privacy, but such gamesmanship suggests an agency more focused on getting headlines than protecting Americans’ privacy.
Let’s be clear about what the FTC is trying to do: usurp the authority of Congress to set industry-wide standards and instead single out one American company while allowing Chinese companies, like TikTok, to operate without constraint on American soil. FTC Chair Lina Khan’s insistence on using any measure — however baseless — to antagonize American business has reached a new low.
The FTC’s Latest Action Ignores Key Facts
- We have invested in a comprehensive privacy program that is working well. Since 2019, we have completely overhauled our approach to protecting people’s privacy — having made massive investments to build a comprehensive privacy program. We plan to end 2023 having invested more than $5 billion in a rigorous privacy program that includes teams and technology designed not only to identify and address privacy risks early but to embed privacy into our products from the start.
- We’re held accountable for our privacy practices. The depth and breadth of the 20-year order we have with the FTC exceeded all other FTC orders. It is subject to both a continuous internal assessment and audit as well as external assessments for 20 years. We prioritize this work and have transformed our approach to protecting people’s privacy. For example, more than 200,000 audit hours have already been spent on the current biennial assessment.
- Today we build every product with privacy at the forefront. We review an average of 1,200 products and features per month across the company before they ship to assess and mitigate privacy risks. We have allocated over 800 engineers to rebuild portions of our infrastructure to improve data protection. We’ve improved the transparency and controls we give people over their privacy settings.
- We were in compliance with all of the FTC Order requirements following the first assessment and we’ve only continued to invest and improve on them since then. The first assessment report, covering just the first six months of the program required by our 20-year Order, found our program to be “appropriately comprehensive” with “key foundational elements necessary for an effective program in place” with improvement opportunities they would expect for a new program at this level of breadth and complexity. But this initial report was always meant as a beginning, not an end. Since then, we’ve undertaken an intensive, comprehensive effort to address the assessment’s findings, while simultaneously building upon the existing program. We’re also continuing to invest in tools and technology to add automation to manual processes to ensure even better outcomes. With the second assessment period having just concluded, we expect that the assessor will find that we have made substantial progress.
- The coding errors highlighted by the FTC occurred years ago. We found and quickly fixed them on our own and voluntarily informed the FTC and users about them. We of course work hard to prevent bugs in our code and take this seriously, but it’s impossible for any company to prevent them entirely as the FTC has itself long recognized. This is not evidence of a violation of the Order.
- We take seriously the need to safeguard people on Messenger Kids: The coding errors related to Messenger Kids were ones we disclosed to the FTC and parents in 2019. They sometimes resulted in Messenger Kids users being able to communicate with friends of their parent-approved contacts who were not themselves parent-approved contacts. We found that these were all friends-of-friends, and when we notified the parents of the impacted users, we shared details of who was chatting with whom and additional resources on parental controls and online safety. The technical errors impacted a very small subset of group chat and video threads due to the overlapping controls we have in place to protect against errors like this. In the years since the errors happened, we have built even more state-of-the-art protections in Messenger Kids to prevent coding errors and their impacts. We fully cooperated with the FTC’s inquiries. We acted in good faith throughout that process. Now the FTC is applying a standard of perfection to Meta that is patently unreasonable, that it does not apply to others, and that is not the law.
- We have strong safeguards for the apps that you give permission to use your data: We’ve long had controls in place that prevent an app from accessing a user’s nonpublic data on Facebook without their consent. These include a restriction that prevents an app from obtaining non-public information about a user’s friends unless those friends are users of the same app and have already agreed to share the information with the app directly. In April 2018, we went beyond these user controls by automatically preventing an app from continuing to access a user’s data if it appeared the user had not used the app in the prior 90 days. This was not something we were required to do but was an additional control that we put in place to enhance already-strong privacy protections. The coding oversight did not result in any apps accessing data contrary to peoples’ privacy settings; it only resulted — in certain, limited circumstances — of apps having access to data for longer than our additional 90-day limitation measure. In 2020, we found, fixed and told people about this issue.
Privacy has been and remains our priority. We work with the FTC, not only in the interest of being extremely transparent with them but also to ensure that we’re engaging with them regularly as we work to protect peoples’ privacy and constantly improve our program. We have fully cooperated with the Assessor in its continuous monitoring of our program, as they have recognized, and we cooperate fully with the FTC in responding to their inquiries about the Order.
Pursuing actions like this with little or no engagement with companies about what their concerns are and without any indication of non-compliance before seeking to unilaterally reopen a negotiated Order, sends a chilling message to all American businesses about how to work with the FTC productively on these very important issues. We have spent vast resources building and implementing an industry-leading privacy program under the terms of our FTC agreement and will continue to prioritize our work to improve it because privacy isn’t something that is ever “done” for us, it’s part of what we do.
We will vigorously fight this action and expect to prevail.