In the past few years, a growing divide has emerged at the Federal Trade Commission when it comes to data privacy enforcement and policy development.
On one side of this divide stand the FTC consumer protection staff and majority Commissioners who operate under the historical enforcement model for the agency. In the privacy context, this means entering into settlements with entities that allegedly violated their privacy policies and hosting policy workshops on emerging issues such as data collection and use by data brokers and the Internet of Things. On the other side of the divide stand the minority Republican Commissioners, Maureen Ohlhausen and Joshua Wright, each of whom has a background in antitrust combined with savvy when it comes to consumer protection.
This shared antitrust background is significant, even in the privacy realm. In antitrust enforcement, the Holy Grail is evidence of actual consumer harm. In an ideal world, this evidence is empirical in nature: regressions run by PhD economists evidencing consumer harm are not uncommon. Regressions backed up by ordinary course documents in which businesses admit to anticompetitive conduct are even better.
With its emphasis on empiricism, antitrust sets a high evidentiary bar for an enforcement agency such as the FTC. It’s also the case that, even if this bar is reached, antitrust further requires that evidence of harm be weighed against evidence that the conduct may, in fact, produce efficiencies such as lower costs. (This evidence is considered relevant because efficiencies may benefit consumers and therefore outweigh potential harms). In antitrust, this weighing of costs and benefits using empirical evidence is often referred to as “evidence-based antitrust.”
It seems that Commissioners Wright and Ohlhausen would like to apply this antitrust standard to privacy enforcement at the FTC. When you boil the ocean, calls for evidence-based privacy are the common thread running through both Commissioners’ speeches and statements. A review of their official websites confirms this hunch. According to Commissioner Ohlhausen, “[I]n cases where there are both costs and benefits, and the decision could affect a wide range of parties, regulators ought to carefully assess consumer harms and benefits.” Or consider the following from Commissioner Wright: “[A]ny sensible approach to regulating the collection and use of data will take into account the risk of abuses that will harm consumers. But those risks must be weighed with as much precision as possible, as is the case with potential consumer benefits, in order to guide sensible policy for data collection and use.” In other words, instead of the somewhat strict liability standard applied by the majority Commissioners, the minority Commissioners want to see evidence that the deception actually resulted in consumer harm before voting in favor of an enforcement action.
In light of these public positions, it should come as no surprise that evidence-based privacy has found its way into enforcement actions at the FTC, most recently in the Nomi settlement. To those unfamiliar with the company, Nomi sells a service to retailers that allows them to track how many shoppers visit their stores, where they spend time once inside, and how frequently they return. Key to this tracking is the customer’s iPhone MAC address- the 12-character identifier a phone emits when it’s searching for a Wi-Fi network.
In a settlement made public last month, the FTC announced that it had agreed to settle charges that Nomi had misled consumers with promises in its privacy policy that it would provide an in-store mechanism for consumers to opt out of tracking and that consumers would be informed when locations were using Nomi’s tracking services. The FTC complaint alleges that these promises were not true because no in-store opt-out mechanism was available, and consumers were not informed when the tracking was taking place. In a 3-2 vote, the Commission voted to settle these charges and Nomi signed up to a 20-year consent order. For the FTC majority, this settlement was cookie cutter in nature. The minority, however, dissented – which brings us back to evidence-based privacy.
In their dissents, both minority Commissioners pointed to a lack of evidence of consumer harm resulting from Nomi’s conduct. According to Commissioner Wright, in order for Nomi’s conduct to amount to deception, FTC staff must produce evidence that the “deceptive statement is one that is not merely misleading in the abstract but one that causes consumers to make choices to their detriment that they would not have otherwise made.” Similarly, Commissioner Ohlhausen wrote, “I believe the FTC should not have brought a case against Nomi based on these facts” since “the Commission should use its limited resources to pursue cases that involve consumer harm.” Commissioner Ohlhausen went on to express her concern that the Commission’s action against Nomi might send the wrong signal to start ups seeking to do the right thing by consumers, since Nomi was under no legal obligation to provide consumers with an opt-out from data collection in retail locations.
Taken in the wider context of their speeches and statements in both the antitrust and consumer protection spheres, the FTC minority vote in the Nomi case should not have come as a surprise to anyone. Even those who disagree with them cannot accuse Commissioners Ohlhausen and Wright of inconsistency. Their framework is straightforward: apply cost-benefit analysis; find evidence of consumer harm; and weigh it against countervailing benefits.
In other words, be prepared to answer the simple question: “Where’s the beef?”
