On May 3, 2023, the Federal Trade Commission ("FTC") issued an Order to Show Cause against Meta for alleged violations of Meta's 2012 and 2020 privacy orders and seeks to bar the company from monetizing data related to individuals under the age of 18.

In the Order to Show Cause ("Order"), the FTC proposes several changes to Meta's 2020 order and is directed at Meta's portfolio of products and businesses, including Instagram, WhatsApp, and Oculus. Specifically, because of the alleged violations, the FTC seeks to impose a blanket prohibition on "monetizing" data collected from individuals under 18 and prohibit the release of new products without prior approval from the FTC's independent assessor. The FTC also seeks to limit the company's future use of its facial recognition technology and would require FTC approval of all merger and acquisition targets for similar privacy concerns. The FTC Commissioners approved the Order unanimously.

The Order reflects the latest attempt by the FTC to position itself as the dominant U.S. consumer privacy regulator, particularly with regard to youth data privacy. By the end of 2022, the FTC announced a record setting fine against Epic Games for violations of the Children's Online Privacy Protection Act, which allows the FTC to regulate the online privacy of children under the age of 13. The Order signals the FTC's willingness to go much further with this ban. It also demonstrates the FTC's willingness to test the limits of its enforcement authority in the field of consumer privacy protection by inserting itself into the everyday operations of a business without express regulatory authority.

On a practical level, the Order as proposed will inject uncertainty for countless businesses and is a warning to technology, marketing, and other companies that participate in this complex digital marketing ecosystem. A ban will impact many companies and industries as virtually every major company today uses data for a range of commercial purposes, including to develop new products and services and provide free online services to this group. The Order leaves open the question of what constitutes "monetization" and whether it is ever permissible in the youth context under such a ban. It appears the FTC's answer to the latter question is: Never. The Order would effectively bar the company from using youth data even after the minor turned 18.

Outside of the youth context, the FTC has made clear that it intends to crack down on "commercial surveillance and lax data security." The FTC broadly defines "[c]ommercial surveillance [as] the business of collecting, analyzing, and profiting from information about people." This sweeping definition could include a broad swath of companies that use data during everyday operations. The FTC also would extend its authority by requiring prior approval of new products before commercialization and imposing heightened scrutiny on data privacy-based mergers and acquisitions. These measures apply well beyond the technology sector to manufacturing, marketing, healthcare, and other industries.

There are significant questions about whether the FTC has the regulatory authority to impose such a sweeping Order, even if it was able to prove the alleged violations, or to take the additional aggressive actions it intends. Under longstanding equitable principles, the FTC may obtain prophylactic relief only when that remedy bears a reasonable relation to the violation. That inquiry requires an evaluation of whether there is a history of prior violations, the seriousness and deliberateness of the violation at issue, and the ease with which the violation may occur with respect to other products. When the FTC attempts to prohibit a broad swath of lawful conduct, courts also may consider the economic harm to the business, the injury to the public of any additional violations, and the availability of less intrusive deterrents. These considerations may limit the FTC's ability to regulate broadly through the vehicle of prophylactic relief, and at minimum, invite litigation from companies the FTC targets.

Moreover, bipartisan legislation has been introduced regulating data privacy protections and a host of states have enacted their own statutory frameworks—some address youth data privacy specifically. Courts may look skeptically on this latest attempt by the FTC to circumvent such frameworks by regulating major questions of policy through the guise of its Section 5 authority.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.