On the heels of filing a lawsuit against Facebook for anti-competitive business conduct, the Federal Trade Commission is taking a closer look at how social media data is collected and used by nine of the market's biggest players.
On Monday, the FTC issued orders to Facebook, Amazon, Twitter, Reddit, TikTok operator ByteDance Ltd., WhatsApp, YouTube, Snapchat operator Snap Inc., and video and chat streaming service Discord Inc. to provide information within the next 45 days on how they collect and track personal information, determine what advertisements to display, how analytics are applied to personal data, how user engagement is measured and promoted, and how those data practices impact children and teens.
The request isn't litigious but could be viewed as the data-gathering phase before a more significant step is taken by federal regulators, said Rob Clyde, board director for ISACA, a professional organization focused on IT governance, and executive adviser to data protection company ShardSecure.
"This could be yet another step toward the United States making a national move toward some type of consumer privacy protection," Clyde said. "Many experts have long felt it's only a matter of time before the U.S. made such a move."
The FTC's request for insight into how social media data is gathered and analyzed is part of the government's push against big tech companies that have become so powerful, they dominate markets and help sway elections.
Data privacy issues
Clyde said social media users face significant privacy challenges as they become more engaged with digital products and as the tools for social media data analysis become more sophisticated.
Today, consumer data is at risk for data breaches, but it's also at risk for practices consumers may not be aware of, such as who can access their social media data, how third-party providers operate or how analytics tools can potentially uncover information that they may not have readily shared, such as a medical condition.
Rob ClydeBoard director, ISACA
"Consumers probably don't realize how much information they're actually sharing about themselves with these companies, which can build a fairly accurate profile of who you are," he said.
Gartner data protection analyst Nader Henein echoed this sentiment, noting that almost every big tech platform could be more transparent in how they collect data and what they intend to use it for.
"Generally speaking, consumers are not made aware in a clear and consistent manner as to what is being done with their data," he said. "As such, the risk is that their data is being used in ways they do not expect and shared with parties they would not otherwise want handling their data."
Some consumer data protection efforts have already come into play, such as the European Union's GDPR. In the United States, the California Consumer Privacy Act of 2018 was passed by the California Legislature in an effort to protect consumer data and provide greater transparency into data use. Now, the U.S. government's antitrust lawsuits and information-seeking pursuits could pull back the curtain on how tech giants collect and use personal and social media data, Clyde said.
"I think what we're heading toward is a world where, as consumers, we have far more choice of what happens to information about ourselves," Clyde said. "This [FTC action] is, 'Let's shine a bright light on how it's done at these companies.' It's fairly mysterious how those algorithms work today, and I think they'll be asked to tell a little more about it."
Indeed, both the federal government and consumers are showing more interest in how their data is being analyzed and protected, according to Tonia Dudley, a strategic adviser at phishing prevention vendor Cofense. That's especially true given the growing popularity of platforms like TikTok, whose ownership can be traced back to China.
"As consumers become more aware of devices, apps and platforms collecting their data, there are more questions raised about how this data will be used," she said.
These same concerns over how social media data is protected should be shared by companies as well, Dudley added.
"Employers should have concerns about how threat actors can leverage this information to gather intel about a target to gain access to an organization, finding a way to social engineer their way into the workplace," she said.