Data privacy and security regulators don’t always agree. That’s no surprise to those observing the discussions that have followed the European Court of Justice’s decision to invalidate the adequacy of the EU-U.S. Safe Harbor framework. But the disputes aren’t always global. Sometimes regulators from the same country, working in the same agency, disagree about how to regulate data privacy and security issues.
Take a look at the Federal Trade Commission (“FTC”) for example. In recent years, FTC commissioners have disagreed about the role that cost-benefit analyses should play and the types of consumer harms that should be considered in the FTC’s data privacy and security enforcement actions. For organizations that rely on the collection and use of consumer information, understanding the different viewpoints at the FTC and how those viewpoints may influence future enforcement is vital to evaluating risk.
On Thursday, November 5, 2015, the Future of Privacy Forum (“FPF”) will look at those issues as it celebrates its new home and its new partnership with Washington & Lee University School Law by hosting a panel discussion addressing the Future of Section 5 of the FTC Act. Panelists David Vladeck (former FTC Consumer Bureau Director David Vladeck) and James Cooper (former Acting Director of the Office of Policy Planning) will look at key Section 5 issues, including:
Section 5 of the FTC Act authorizes the FTC to prevent unfair and deceptive acts or practices. And since the late 1990s, the FTC has used this authority to take action against companies for their allegedly deceptive data privacy and security practices. The FTC considers representations to be deceptive if they are likely to mislead reasonable consumers in a material manner. In other words, representations are deceptive if they lead consumers to make choices that they otherwise would not have made.
Perhaps surprisingly, FTC commissioners don’t always agree on whether false claims are material. The FTC’s recent settlement with Nomi Technologies is a good example of this.
Nomi expressly stated that consumers could opt out of its location tracking service at any retailer using the company’s technology. But there were no in-store opt outs. FTC Chairwoman Edith Ramirez and Commissioners Julie Brill and Terrell McSweeny argued that the false representation was deceptive because express statements are presumed to be material. Then-Commissioner Joshua Wright argued that the FTC has an obligation to consider available evidence of consumer behavior to evaluate materiality. And Wright believed that the evidence showed that Nomi’s false representation was not material—it did not seem to influence consumer behavior.
The Nomi settlement shows how the level of data privacy and security risk depends upon the FTC’s approach to materiality. When express statements are presumed to be material, organizations may be on the hook for every statement that they make. If determinations of materiality require a more thorough assessment of available evidence, organizations will be liable only if a majority of commissioners determines that there was an influence on consumer behavior.
During his tenure as an FTC commissioner, Joshua Wright emphasized that the FTC should engage in rigorous economic analysis before entering into consent orders under Section 5. And he believed that economic analysis should have dissuaded the FTC from taking action against Apple regarding the company’s in-app billing practices.
When app users entered their billing passwords to authorize transactions, the company allowed additional purchases to be made for fifteen minutes without prompting for passwords. The FTC claimed that the company did not expressly inform users of the fifteen-minute window and that the practice led to account holders being charged without authorization when children made purchases after password were entered for initial purchases. According to a majority of the commissioners, this was an unfair business practice. Chairwoman Ramirez and Commissioner Brill claimed that the unfairness stemmed, at least in part, from the fact that the practice impacted a large number of consumers.
Wright disagreed. He noted that the FTC’s test for unfairness requires that the act or practice cause substantial injury that consumers could not reasonably avoid and that is not “outweighed by any countervailing benefits to consumers or competition.” Wright agreed that the fifteen-minute window harmed some consumers. But he argued that the harm was not substantial because it impacted a miniscule percentage of consumers. Wright suggested that providing additional disclosures regarding the fifteen-minute window would not result in a net benefit for consumers. And he claimed that FTC staff did not analyze how the consent order might impact consumers.
Defining appropriate market segments and evaluating the economic impact of remedies have long been central to the FTC’s approach regarding antitrust and competition concerns. It’s not surprising to see commissioners with antitrust backgrounds, like Wright, pushing for economic considerations to play a key role in the FTC’s data privacy and security mission. And as the in-app-purchase consent order and dissent illustrate, the manner in which the FTC evaluates economic impacts could substantially impact the outcomes of data privacy and security investigations.
It’s a good time to consider how the FTC should wield its Section 5 authority over data privacy and security practices. We are waiting for former Commissioner Wright’s replacement to be nominated, and next year’s presidential election will impact the Commission’s roster. FPF’s panel discussion will shed important light on the future of the Commission’s Section 5 authority. We look forward to seeing you there.