The U.S. Federal Trade Commission and the District Attorney for Los Angeles County announced a settlement this week with NGL, a company that created an anonymous messaging app and allegedly preyed on the insecurities of teenagers through a wide variety of deceptive and harmful practices.

The complaint alleges a series of egregious design and marketing choices that render this case somewhat limited in its lessons for privacy professionals. But the remedy — a total ban on allowing minors on this or similar apps — is a first-ever outcome that deserves close consideration.

Anonymity is a dwindling resource on the internet. A quarter century ago, the earliest canine cybersurfers reportedly reveled in the existence of a virtual world where no one could tell who or what they were.

Today, seemingly every layer of the digital stack is constantly aware of our characteristics. Promiscuous metadata, ubiquitous integrations and permissive defaults have helped to create a world where my operating system, web browser, platform, third-party app and next-door neighbor can all tell that I am, in fact, a dog.

Nevertheless, the intoxicating allure of purely anonymous interactions continues to tempt app developers. “What if you could find out what your friends really think of you?” they ask us. And again and again they build products to help us find out.

Inevitably, for some reason, these apps are named using tired internet lingo, as in Yolo, LMK and NGL. To be clear, these are all examples of anonymous Q&A apps, one-on-one communication platforms that do not provide identifying information about one of the parties to the communication. These are distinct from encrypted messaging apps, which often can be used in a securely anonymous manner but are also designed to enable secure nonanonymous communication.

Anonymous Q&A apps appeal most directly to a certain demographic of netizens: teenagers.

Now that I’m in my 30s, I have no use for such an app. My friends are more than happy to tell me their frank assessment of my shortcomings in open fora even face-to-face. Luckily, in my ostensibly mature form, I have supposedly grown thick enough skin to accept even the most clear-eyed assessment of my myriad issues.

But when I was a teenager, the allure of an app that promised insights beyond the murky world of hormone-fueled posturing and mercurial social skills would have been undeniable.

If I had downloaded NGL and decided to post a link to social media through which my schoolmates could send me anonymous questions, I would have immediately been greeted by one such message, something like, “are you straight?”

How much angst could a message like this have caused my half-developed teen brain? The limit does not exist.

To make matters worse, in reality, the message would not have originated from anyone who saw my social media post but from the makers of NGL themselves, who sought a way to increase engagement on their failing app and allegedly created thousands of fake template messages, hand-crafted to keep users on the platform.

Another alleged practice doubled down on the deception: promising users they could find out the identity of the message sender if they upgraded to the paid version of the app.

There are numerous unforced errors and head-scratching allegations in the complaint. For example, why would a supposedly anonymous messaging app immediately promise to reveal the identity of a message sender? Seems sketchy.

But setting aside the most egregious issues, there are some important reminders in this case.

  • Always be transparent about synthetic content. Just like with artificial intelligence-generated messages, fake messages that otherwise appear to originate as organic user-generated content should be labeled and disclosed to end users, even if that means reduced engagement.
  • Don’t lie to your users. I mean, I should not have to say this but I’m just going to put this here because the alleged behavior is so egregious in this case. Directly lying to your users is illegal. Full stop. This is the foundation of consumer protection law. Lying to trick them into giving you money is illegal and will only result in you later having to pay back all USD4.5 million in ill-gotten gains.
  • When you find children on your platform, kick them off. Unless you have a fully baked strategy for complying with the Children's Online Privacy Protection Act, children are not your customers. Failing to act on consumer complaints and failing to delete children's data will only result in enhanced scrutiny and additional liability from regulators.
  • If you market to teens, consider the risks. The consent order in this case requires NGL and its founders to implement a neutral age gate on any anonymous messaging app they place on the market. Notably, this falls short of requiring a technical age verification mechanism, which some state laws now require. Still, the message is clear: teens are subject to unique risks and burdens. If your product appeals primarily to teens, or even attracts large numbers of teen users, it is important to consider the privacy and other socio-technical challenges teens may face in using your product.

Of course, it is important not to over-generalize the outcomes of an individual FTC action. In a statement, the newest FTC commissioner, Andrew Ferguson, takes pains to highlight the fact that the outcome of this case is limited to its unique facts. His fellow Republican commissioner, Melissa Holyoak, signed onto the statement.

The central message of his opinion is worth a close read as it grapples with the interplay between free speech, anonymity and fraudulent activity:

“On the other hand, no reasonable person can deny that anonymity aggravates the risk of injury and harm to children online. People say and do things online behind the veil of anonymity, sometimes truly vile things, that they would never do under their real names. Bad actors can more easily conceal their identity as they target children and teenagers for nefarious purposes, including sexual exploitation and fraud. That is what happened here. As the Commission alleges, a for-profit company used its anonymity to lie to minors—lies about the sorts of things that trouble the youthful psyche—in order to induce them to buy a product. Nothing in our constitutional structure permits using anonymity as a cloak for fraud. And Section 5 forbids it no differently than it forbids other forms of deception.

“It does not follow, however, that the marketing of anonymous messaging services to minors necessarily violates Section 5. Indeed, I strongly believe it does not. Insofar as language in the complaint suggests the contrary, I do not think it correctly states the law, and my vote for this complaint and proposed consent order should not be understood to suggest it does. Anonymous speech is a right protected by the Speech Clause, and the Speech Clause protects children’s speech (if not necessarily to the same extent as an adult’s speech). Interpreting Section 5—or any law—to deny anonymous messaging apps to minors categorically would create grave constitutional concerns. We should not interpret Section 5 to create those concerns.”

Ferguson’s statement references this sentence in the complaint: “In connection with the marketing, promotion, distribution, or sale of the NGL App and NGL Pro, Defendants have specifically targeted children and teens knowing that use of anonymous messaging apps by these groups causes substantial injury.”

Perhaps both Commissioner Ferguson and the FTC’s complaint can be right at the same time. Marketing such a product to teens may not be per se unfair. But doing so without regard to known risks to privacy and mental health, and without taking pains to design the product to mitigate the risks, steps outside the bounds of expected business practices.

For what it's worth, the FTC has been building a foundation for its expectations about teen-protective privacy practices for years through workshops, blogs, reports and enforcement actions. NGL is the most recent example, but this won't be the last time federal regulators step in to protect this at-risk demographic of consumers.

Please send feedback, updates and anonymous messages to cobun@iapp.org.

Cobun Zweifel-Keegan, CIPP/US, CIPM, is a managing director for the IAPP in Washington, D.C.