Suppose I order a book about scuba from an online bookseller. Unbeknownst to me, the bookseller provides this information to a data broker, who sells my name and email address to a dive shop in my neighborhood, which then sends me an enticing discount coupon for a fancy new dive mask.
Is this unfair?
Section (a)(4)(A) of the Federal Trade Commission Act declares that a business practice is unfair if it causes or is likely to cause foreseeable injury to a consumer. So then: Am I injured?
The transaction hasn’t cost me anything. I probably don’t know, though I might guess, that the information about my purchase has been disclosed, but the only effect on me will be to eventually receive an advertisement targeting my presumed interest in undersea sightseeing. I don’t see this as a big deal.
The Federal Trade Commission, however, thinks I have been injured without knowing it, because my privacy has been invaded. The bookseller has sold my data to someone else without explicitly telling me so. But all I know is that some time after my original purchase, the dive mask manufacturer’s message appears. I won’t need much time to recover from the shock.
This, in a nutshell, is the problem with the FTC’s aggressive approach to privacy protection.
Most truly sensitive information is already protected by statute. This information includes financial records, educational records and medical records. All of these are covered by existing law, and can only be shared in very specific ways, with explicit permission.
This isn’t the sort of data the FTC is talking about in a recent report offering “best practices” for consumer privacy protection. Instead, the FTC is now taking aim at a much broader array of information.
In the case of my hypothetical purchase, there were two parties to the transaction. I was the consumer, but the bookseller was an equal part of the exchange. I willingly became that seller’s customer. Does the seller not have the right to use information it lawfully obtained when doing so doesn’t hurt me? The FTC thinks not.
When I first saw the recent New York Times article covering the FTC’s new guidelines, it struck me that you can tell the economy is recovering, given this revived interest in doing something that will so directly inhibit business activity. The FTC has framed this issue as a simple trade-off between privacy and profits. The agency, especially in its current incarnation, sees its mandate as to protect the consumer above all else. It does not see profit and jobs as much of an offset to any loss of privacy, real or perceived.
But the FTC should limit its concern to protecting consumers from actual injury. If the consumer, or the consumer’s wallet, does not notice an injury, chances are that there isn’t one to notice. In truth, the FTC getting its way would cause the only injury in this scenario: to the businesses that use the - largely public - data, and to consumers who want more effective advertising.
Advertising can be deceptive and is frequently silly, but that does not mean it is inherently harmful to consumers, though the FTC seems to think this is the case. Advertising, as any value-conscious shopper knows, is most useful when it offers prospective buyers things they want or need: either good deals on products they already use, or new products that align with their lifestyles and interests. Why would we needlessly inhibit ads that have the best chance of reaching the consumers who are most likely to respond?
Maybe I bought that scuba book for my niece, not myself; I still might be interested in the scuba mask to give her as another gift. If not, I’ll ignore the ad. But if I have purchased many books about scuba, it’s even more likely the interest is my own. If someone wants to offer me a great deal on the latest technology in scuba masks (and there are some very cool masks out there, with built-in flash cameras and dive computers), I won’t want to miss it.
This sort of transaction is the opposite of consumer injury. It’s also one that consumers are generally already used to if they spend any significant amount of time on the Internet.
The FTC’s own press release highlights its overly aggressive stance on the matter. The agency “recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation.” In other words, the FTC must go back to Congress and ask for new legislation, because some of the protections it wants to enact are not covered by current law. However, as The New York Times points out, “none of [the] legislation is likely to make it into law in this Congressional session […] given the heavy schedule of pending matters and re-election campaigns.” Or, more succinctly: Good luck with that, FTC.
It isn’t that Congress has anything against consumers. For that matter, it isn’t that consumers don’t care about privacy. But the cost of making non-sensitive information inaccessible is that it becomes harder for businesses to reach consumers with messages that both sides want to exchange. There ought to be a good reason to interfere with that sort of transaction, beyond the FTC imagining an injury consumers themselves don’t feel.
The FTC was established for good reason, back in the days when “caveat emptor” was the marketplace’s guiding principle. By this point, however, the FTC could benefit by considering another principle, like “no harm, no foul.”