Facebook and Instagram owner Meta has come under fire in a letter from US senators Edward J Markey and Bill Cassidy, who allege that the company has “not even tried to obtain informed parental consent” despite its obligations under children’s privacy law.
The letter makes serious allegations about Meta’s collection of children’s personal data and arrives amid a flurry of enforcement action and proposed legal reforms concerning kids’ privacy in the US.
Why are these senators writing to Meta now?
The senators’ letter comes after 33 states filed a joint complaint alleging that Meta is violating the Children’s Online Privacy Protection Act (COPPA), a federal US law that requires certain online platforms to provide notice and get consent from the parents of children under 13.
The case was lodged with a US District Court in California in late November 2023 by Attorneys General from each state. Among other allegations, the Attorneys General claim that:
- Meta has “specifically targeted young users” to “maximize profit”
- Meta’s platforms are not safe for young people despite the company’s claims to the contrary
- Meta has concealed internal evidence showing a “high incidence” of harm to young people
But the senators’ letter focuses on the Attorneys Generals’ allegations under COPPA, which include claims that:
- Meta’s Facebook and Instagram platforms are “directed to children”, bringing Meta within the scope of the kids’ privacy law
- Meta has “actual knowledge” that millions of young people use Facebook and Instagram
- Despite this knowledge, Meta has failed to obtain verifiable parental consent in relation to users under 13
Do the senators allege that Meta is violating COPPA?
The senators’ letter builds on the 33 states’ complaint and urges Meta to change its practices if the allegations in the complaint are proven true.
However, the letter includes some strongly-worded claims, including that Meta has shown a “callous disregard for COPPA’s commonsense and practical privacy requirements.”
COPPA is a federal law that passed in 1998. In 2000, the Federal Trade Commission (FTC) adopted the “Privacy Rule”, laying down specific requirements for companies falling within COPPA’s scope.
The law requires online websites and platforms directed at children under 13 to tell parents how they collect and use personal information, and obtain parental consent before collecting or using children’s personal information for most purposes.
The Privacy Rule was updated in 2012 to include data derived from cookies and geolocation within its scope. The FTC is currently consulting on another update to the Privacy Rule to further restrict how companies use kids’ data, particularly for targeted advertising.
Are the senators right about Meta?
The senators, and the lawsuit from Attorneys General across 33 states, make some serious allegations about Meta. And Meta’s own data and internal communications form the basis of many of these allegations.
For example, an internal Meta report found that around 4 million US users aged under 13 were using Instagram in 2015, or around 30% of 10-12-year-olds in the country at the time.
The company also allegedly used a signal to determine users’ ages based on their online activity. But the senators allege that the age estimation was used only for the purposes of engagement—not to keep young people off the company’s platforms, or comply with COPPA.
Meta’s Global Head of Safety, quoted in the letter, reportedly told colleagues that “if we’re using a signal to predict age for business purposes, it should be used to enforce on age.”
In other words, if Meta knew users’ ages, it should have used this knowledge for privacy and COPPA compliance – not just to maximize the company’s profits.
But doesn’t Meta tell under 13s not to use its platforms?
Even if a business does not direct its services at children, and tells children not to use its services, it can still be covered by COPPA.
For example, consumer review platform Yelp reached a $450,000 COPPA settlement in 2014. While clearly not designed for kids, Yelp implemented an age-gating process that failed to prevent underage children from signing up for its services.
Last year, the FTC enforced against Amazon and Ring’s voice assistant devices for failing to delete children’s voice recordings in line with COPPA.
And several social media firms have been sanctioned for allegedly violating COPPA, including YouTube, TikTok, and Microsoft’s Xbox Live platform.
With tougher COPPA rules around the corner, it’s a good time for every company to review how it handles children’s personal information.