Businesses are invading your privacy

The Federal Trade Commission’s strategic enforcement of privacy cases has struck a nerve. The business lobby has responded on the opinion pages of DC newspapers, portraying the FTC as an agency out of control. The FTC tramples the rights of companies. It stifles innovation. It chases headlines instead of fraudsters and real harms to consumers. The FTC is losing credibility. Consumers however should be comforted by these headlines. The attacks on the FTC are actuated by the agency’s successes in the courts and its increasing sophistication in protecting privacy.

A gulf exists between consumer and business lobby perceptions of privacy problems. Most consumers care about privacy. Consumers want to use new technologies, yet they have no idea how Internet businesses use and transfer personal data to others.

{mosads}Consumers and policymakers are only just now waking up to the reality that many businesses quietly seek to identify consumers personally and sell information about them to others. This information is transferred to data brokers, and repackaged and resold.

Keeping the consumer in the dark is key to new information-intensive business models, because data brokers know that consumers will object to them. One data broker even touted a system that could secretly determine the home address of a customer. A key advantage of the service was that it helped retailers avoid “losing customers who feel that you’re invading their privacy.”

Consider this: without bothering to ask or tell you, retail stores are using systems that capture a unique, unchangeable identifier from your phone to track your movements and to identify you on your next visit. Currently this tracking is done on a pseudonymous basis. But how long do you think it will take for retailers to link the phone identifier to your contact information? And what remedy will you have—aside from leaving your phone at home—once this linkage occurs?

The passage of strong privacy laws in the 1990s, the rise of security breach notification laws, and the FTC’s enforcement over the past decade have elucidated some of these practices. Many consumers think aggressive information practices are harmful in themselves. For instance, when my team surveyed consumers about how much they thought companies should be fined for purchasing or using information illegally, 69 percent chose the highest option we offered: “more than $2,500.”

As a society, we get to define harms through policy mechanisms such as legislation. Many federal and state legislative pronouncements define information privacy violations as a harm. Liquidated damages are specified to address the longstanding challenge of obtaining a penalty for an information wrong.

Yet the business lobby maintains that privacy violations do not cause harm. We should see the “no harm” argument as question begging because business lobby has a very high bar for recognizing an information harm. FTC opponents would permit a company to break a promise it makes in a privacy policy when the obligation, in the critics’ opinion, is not important. One FTC critic writing in these pages was an acolyte of Commissioner Orson Swindle, a longtime opponent of the FTC’s privacy activities. Swindle set the harm bar so high that he did not consider pretexting, the practice of fooling a bank into revealing account information about another person, harmful.

Why is it so important to characterize privacy violations as harmless? The business lobby desperately wants to limit the FTC’s powers so that the agency does not investigate or pursue information practices. For the FTC to pursue the most problematic and structural challenges in privacy, such as data brokers, the agency has to conceive of how a loss of control over information and sale of it to others constitutes a harm.

Understood in this way, objections about “harm” are a mask for an underlying ideological commitment against privacy rights. Swindle was honest enough to admit this underlying interest—he lamented that protecting consumers against pretexting would lead to a “foray into broader privacy regulation.”

While the business community funds FTC critics, it does not understand how radical these advocates are. If the FTC were defanged according to its critics’ tendentious reading of law and history, the agency could bring common law consumer fraud cases only. The FTC would have to prove specific intent to mislead the consumer, actual consumer reliance on the deception, and only cases involving economic harm could be remedied. In short, consumer protection would be left to the market. The market approach did not work in the 19th century and was rejected by state and federal legislators and even the business community itself.

Responsible businesses would regret a return to the 19th century laissez-faire marketplace. Businesses benefit from having a responsible and competent regulator. For instance, our country’s conflicts with Europe over the US–EU Safe Harbor will only be quelled if Europeans are satisfied that US businesses are adequately overseen. If our regulators cannot conceive of privacy violations as harmful, Europeans will insist that their two dozen privacy agencies oversee American business.

Privacy and other consumer protection enforcement encourages businesses to shun, rather than replicate, irresponsible practices. The FTC’s attention to privacy causes smart businesses to think deeply about the design and consequences of their products and services. Business lobby claims that the agency is losing credibility is perhaps the best evidence of the FTC’s privacy sophistication and continued relevance to the American consumer.

Hoofnagle holds dual appointments at the University of California, Berkeley in the School of Information and the School of Law. His forthcoming book, Federal Trade Commission Privacy Law and Policy, is a 100-year history of the FTC’s consumer protection efforts.