Rethinking the FTC’s Privacy Enforcement for Modern Technologies

Former FTC Commissioner Joshua Wright. 

Former FTC Commissioner Joshua Wright. 

“Government regulators have instead been slow, and at times outright reluctant, to embrace the flow of data." 

Former FTC Commissioner Joshua Wright said this in a recent speech on the FTC’s privacy regulation. In the same speech he observed that during his time at the Commission, the FTC was generally apprehensive “about the collection and use of data…along with a corresponding and arguably crippling fear about the possible misuse of such data.” This approach to privacy regulation is contradictory to what consumers and businesses expect from the exchange of data. 

Instead, the FTC should catch up with consumers by embracing the many benefits of data collection and retention, and avoid punishing companies where there is no evidence of consumer harm. In addition to the internal observations made by the former Commissioner, there are many public examples that demonstrate the FTC’s apprehension about data collection and suggest a change is needed.

Take, for example, the Commission’s calls for companies to practice data minimization – the principle of limiting the collection and use of consumer data to only what is needed. While limiting the data collected makes sense in some cases (e.g. a company should not collect a user’s social security number as their log-in), the FTC urges data minimization practices in broad strokes that encompass practices relied on by startups. The FTC justifies this broad policy because a company collecting and storing vast amounts of consumer data will be “a more enticing target for data thieves or hackers,” and that the consumer data will be used in ways consumers may not expect.

Image via Perspecsys Photos 

Image via Perspecsys Photos 

While data theft does pose a potential harm to consumers, developers and businesses know that strong security practices, such as encryption, can mitigate this risk.  Many companies already use this and other security tools to protect valuable consumer data. Companies are incentivized to protect the data they collect and store in order to protect their reputations and grow their businesses. To address the data theft concern, the FTC should continue to encourage strong data security practices, rather than insist on data minimization, an especially shortsighted idea that could set back the development of new products or improvements of existing ones.

Data is especially critical for startups that rely on it to help identify needed upgrades to a product or to meet unexpected user demands. While small businesses might find it difficult to gain a marketing toehold against their larger competitors, understanding their customer data can provide untold benefits in making customer-centric improvements that will drive growth.

The FTC’s insistence on data minimization is also out of touch with what consumers expect and desire.  Consumers know intuitively that the services they enjoy relating to traffic, travel, banking, commerce, and entertainment, for example, rely on data. The increasing growth of the app industry is clear evidence that consumers are willing to share data when they receive value in return.  Thus, consumers’ and developers’ interests are aligned – both seek a relationship whereby consumers willingly share data through apps, wearables and other devices in exchange for the benefits those services offer.

Some FTC privacy enforcement actions also demonstrate the Commission’s reluctance to accept data flows. In deception cases – typically where a company fails to fulfill a promise made in its privacy policy – the FTC should place a greater emphasis on identifying evidence of consumer harm.

In the FTC’s case against Nomi Technologies, Inc., Nomi (a startup providing retail tracking analytics) promised to allow consumers to opt out of Nomi’s service at any retailer using Nomi’s technology. At the time of the alleged violation, Nomi did not offer an opt-out in retail locations using Nomi’s services. 

In its decision, the Commission concluded the misstatement resulted in consumer harm. While there is no doubt Nomi should have corrected its privacy policy, the FTC failed to show any evidence of consumer harm. Additionally, Nomi did not collect personal information, and was not required to offer an opt-out. Heavy-handed enforcement actions like this may lead companies to implement vague policies, or may encourage companies to eliminate policies and opt-out options altogether. The result is contrary to the FTC’s goals of offering increased transparency and consumer choice.

Urging data minimization and the Nomi decision are just two examples of the FTC’s overemphasis on hypothetical or nonexistent risks. Without an updated way of approaching deception cases – that considers evidence of consumer harm, and weighs the benefits of a product or service – the FTC risks leaving consumers with fewer options in the marketplace, and less information up front about how their information will be used.

As society moves towards a connected ecosystem, the FTC should modernize its approach to privacy regulation by accepting and embracing modern data flows. The Commission should avoid overly burdensome punishments to businesses where there is no evidence of consumer harm. Without a change, the next great idea could be stifled, and consumers will be the ones ultimately worse off. 

 

Michelle Lease, Policy Counsel