Reading list: Hoofnagle on FTC Privacy Law

Chris Jay Hoofnagle, Federal Trade Commission Privacy Law and Policy (2016)

Review copy. The book will be available on Amazon Feb. 5.  This is a detailed, clearly written guide to the FTC, with specific attention to its privacy practices but including an extensive discussion of its overall history and jurisdiction, at least on the consumer protection side; the antitrust side receives much less attention, which is not a complaint (at least not from me!).  I learned a lot, and I’m going to recount some of the highlights.

 

Hoofnagle regards the FTC’s activities, mostly through settlements, as “the most important regulation of information privacy in the United States,” likely to be so for the near future given our choked-off political system.  Nor is rulemaking a possibility, given the special, non-APA legal regime that makes rulemaking incredibly difficult for the FTC.  And that incrementalism is not a bad thing: he thinks the FTC is well-positioned to meet the challenge, having “matured into a careful, bipartisan, strategic, and incrementalist policy actor.”  

 

Because its regulatory scope is so broad, it hasn’t been subject to capture by any particular industry, and has been able to target the biggest actors in relevant markets.  When it goes too far, it risks a Congressional backlash, but it is also constantly under pressure to prove its worth.  First by using its deception authority, and increasingly with unfairness, the FTC has pushed companies to improve privacy policies substantively, which is needed since mere disclosure, we know, doesn’t change a thing.  Hoofnagle regards the fact that the FTC isn’t constrained by common-law requirements like a specific harm to an identifiable person as its great strength, and rejects the idea that the FTC should have to follow common-law harm principles.  His emphasis on the desirability of a reasonably active regulator to protect well-behaved businesses against outliers in their own fields is welcome; business interests are not libertarian interests.

 

Hoofnagle goes into great detail about the structures of the FTC, with both practical and ideological effects.  He identifies a tension between “legal, more moralistic culture” of the Bureau of Consumer Protection and the economists—the former “view a misrepresentation as an inherent wrong,” while the latter want harm outside of that before the government should act.  He views the FTC’s history as one of continuity, arguing that the FTC has always been a technology agency responding to new developments in marketing and otherwise.

 

Not everything is perfect.  In the past decade, only about 25 percent of FTC judgments and settlements result in full payment, due to resistance by companies (one $16 million case required subpoenaing sixty-four different entities and getting thirty-five garnishments); lack of money remaining in the hands of fraudsters; and asset hiding.  This fact serves as a good reminder that the FTC goes after some truly bad actors, which is one reason that case law is generally so favorable to the FTC; the incorrigible/litigious respondents “create terrible precedents for other companies.”  At the same time, the FTC has trouble enforcing consent orders, because courts

require the FTC to prove by clear and convincing evidence that the respondent has violated an express and unequivocal command in order to find contempt.  Where the issue is something like privacy, it’s difficult to reach the right level of specificity: “respect consumer privacy and … secure data” are hard obligations to define.  Google, which is under 20 years of monitoring for its ill-fated Buzz initiative, promised to create a “comprehensive privacy program that is reasonably designed to address privacy risks related to the development and management of new and existing products and services for consumers.”  Hoofnagle points out that  this order could be complied with “substantially” and “still be inadequate to protect privacy in a meaningful way. … [A] weak or partial embrace of the duty may be practically difficult to police.”

 

When it comes to privacy, Hoofnagle argues that the FTC’s broad authority to police unfair and deceptive trade practices can take it very far.  Deception is available in at least some circumstances, where people are misled into a false sense of security.  Historically, he contends, the FTC has begun regulatory interventions with its deception authority, moving towards unfairness when market manipulations become more subtle and hard to deem deceptive, which is what is happening with privacy now.  The more companies write their contracts to excuse themselves from any constraints in the fine print, the more of a role unfairness, and generalized consumer expectations, will have to play in enforcing privacy protections.

 

One example of the use of deception is when, in part to stave off government action, industry engages in self-regulation.  Then, violations of self-regulatory rules can be enforced under the FTC’s deception authority.  Self-regulation also avoids First Amendment challenges and may be appealed to as reasonable standards of industry behavior when the FTC goes after outliers under its unfairness authority.  “Perhaps for these reasons, the FTC exhibits a kind of credulity when new groups appear claiming to represent entire industries and claiming a commit ment to a set of rules. To privacy advocates, this activity is galling and empty, but to the Commission the industry has just rested its foot in a trap.”

 

Hoofnagle makes the conventional arguments against disclosure as sufficient to protect privacy such as the failure of disclosures and the third-party problem of information collection/use by third parties with no relation to the consumer or reputational checks on their behavior (think collection agencies or the servicing agent for your mortgage).  He draws on Gordon Hull’s argument that current neoliberal ideas treat privacy as an individual economic choice, setting people up for failure (because self-management of privacy is impractical).  Individualization obscures the true social nature of the problem.

 

However, Hoofnagle doesn’t think that privacy law is the appropriate place to deal with discrimination in credit offers or pricing based on individualized targeting.  Price discrimination, he says, is about power, and information companies are natural monopolies. Therefore, competition policy, rather than privacy law, is the place to work on disturbing uses of data to discriminate on price.

 

Later chapters discuss specific areas of privacy, such as children’s privacy/COPPA, where fears for children’s safety “caused Congress to build a framework with scant regard to how children might want to use interactive services.” COPPA created incentives to develop services that are one-way, television-like broadcasting services. Designers do this because interactivity triggers

legal duties under COPPA, but it makes the information environment less healthy. Children also learn to lie about their age in order to join fun, highly interactive services that are supposedly only used by adults.

 

There are good parts of COPPA, Hoofnagle contends, but they should be available to everyone, not just kids: “the allocation of privacy responsibilities for the behavior of vendors, such as third-party trackers, to the service; limitations on how data can be used; limitations on tracking; rules on how much data can be collected; a regulatory incentive for contextual advertising and against behavioral tracking; and ceilings on how long data can be retained.”  These non-consent related provisions, he concludes, provide much more protection for privacy than parental consent does.

 

Information security cases raise both deception and unfairness concerns.  Hoofnagle relies on Ross Anderson’s argument that, even in competitive markets, insecure products tend to drive out secure ones because of first-mover advantage. Consumers have trouble evaluating security, and don’t rank it highly when choosing products; it’s a latent safety defect.  Companies often build security into products “to transfer risk to others, or to enable differential pricing, or to cause customer lock-in, such as through digital rights management technologies.”  For example, for credit cards, issuers have successfully defined the problem of fraud as one of merchant security, putting a “Sisyphean” burden on merchants: keeping a widely shared number secret.  A more comprehensive approact to the structure of payment systems would define and deal with the problem differently.  Hoofnagle argues for a public health-type approach, dealing with insecurity as a collective action problem.

 

Anti-marketing laws, e.g., anti-spam laws: Here I learned of research by Brian Krebs asking why anyone buys from spammers.  He looked at records from a large online pharmaceutical sales network and interviewed 400 purchasers.  Many couldn’t afford the US prices of drugs—they could save hundreds of dollars per month to treat chronic conditions, and get Indian drugs that looked just the same as those from the local pharmacy (perhaps because most of those drugs are made in India too). Others were embarrassed to see a doctor; thought it was more convenient to self-diagnose and buy treatments online; or couldn’t get legal prescriptions because they were dependent on the drugs.  This too seems like a series of political problems.  But because spammers benefit, they impose huge externalities on the rest of us: $20 billion estimated annually, for revenue for spammers of $200 million a year.  This is apparently an externality ratio greater than that for auto theft.  Worse, techniques created to spread spam create an infrastructure for other malicious software.

 

Hoofnagle briefly addresses Eric Goldman’s arguments that we should like ad targeting because then we’d only see information useful to us.  Among other things, he makes the nice point that no commercial entity will have the incentive to develop such a filter, to which we provide input about our preferences, so long as data about us are readily available other ways and we have no legal means to stop that.  Goldman’s related critique that Do Not Call isn’t granular enough to let through calls people really would want is not persuasive—not only is it outrageously popular, suggesting a revealed preference for not getting the calls, the cost of erecting a screen and choosing which you might be interested in—even if you could really figure that out in advance—is itself a cost consumers don’t want to bear.

 

Hoofnagle also sounds the alarm about First Amendment constraints on regulation.  Since we don’t have to worry any more about paying for each email we receive, regulations may not seem justified under the strict standards the Court now applies, even if we don’t want all this spam.  I would have liked a bit more First Amendment analysis, fitting Hoofnagle’s policy arguments into the First Amendment scheme.

 

Financial privacy: I didn’t know that other countries, such as France and Australia, don’t have the kind of credit reporting we do, where all our transactions are tracked. They only create records when there’s nonpayment—and yet, Hoofnagle notes, France and Australia are modern markets.  The US, by contrast, uses a model of “total surveillance. It gives individuals incentives to pay bills on time – and to have them monitored by [Credit Reporting Agencies] – in order to have a report dominated by positive information.”  He doesn’t mention this, but that also puts priority on participating in the formal economy. 

 

He also notes the history of financial entities putting lots of people at risk because it paid them to do so, with prescreened credit offers that could be swiped out of people’s mailboxes.  To check your credit report/opt out of offers, you need to provide your Social Security number—but business users can search for you using your name alone, without that number. “This dynamic is typical for opt-out schemes – opting out is subjected to higher security requirements than the much riskier act of delivering a full consumer report to a business.”

 

Hoofnagle suggests that financial privacy laws could be protected somewhat against First Amendment challenges by tying immunity for credit report providers from tort suits to the burdens of the law—if they aren’t going to be required to protect consumers’ ability to access and contest credit reports, and to omit information that’s old or contested, then they shouldn’t get federal preemption of negligence and other tort claims.

 

International privacy efforts: Unfortunately, the US-EU Safe Harbor rules were invalidated just as this book was going to press, so most of it discusses the situation as if the Safe Harbor existed.  Hoofnagle sets out the different US and EU approaches, based on different history and values:

 

The atrocities committed during the Holocaust were assisted through information technology, and private companies were complicit in Nazi activities. Furthermore, the penetration of reliable census-taking activities is one explanation of why so many Dutch Jews were killed in the Holocaust while nearby countries with fewer information collection activities had higher rates of Jewish survival. Stasi and Communist tracking of individuals and their social networks, and citizens “informing” on others reinforced the lesson that information can become a tool of oppression.

 

But he cautions against understanding the European approach as simply fear-based.  Instead, European values of respect for private life and individual dignity reflect a positive view of the self as well.

 

I was particularly interested in his description of conflicting legal cultures: “US lawyers seek rules that will help bring clients into full legal compliance. But international rules are often stated as general, high-level principles for data handling. Read literally, these rules would be impossible to implement because they would regulate personal, inconsequential matters.”  E.g., data protection laws, on their plain terms, make many a Facebook post unlawful (and there’s at least one woman who was held liable for doing just that). So US lawyers, who often want to be within the law, look at European law and say it’s impossible, especially given national variations.  Mostly, he suggests, European regimes want “good enough” privacy, like “good enough” parenting, but that’s really hard to define in advance.  And the privacy version of the precautionary principle—delete data after a reasonable time, and don’t do new things with them without consent—conflict with the Silicon Valley approach of collecting information now and figuring out how it might be valuable later.

 

Turning to the future, Hoofnagle endorses the approach of David Vladeck (my colleague), who suggested that the FTC would include threats to individual dignity as one reason it might choose to pursue a case.  “Harm supporters reacted hysterically, labeling Vladeck’s views emotional, questionable, vague, nontraditional, and subjective…. In critiquing Vladeck, harms-based supporters almost always put dignity in quotes, as if it were some Germanism.”  But dignity, Hoofnagle notes, is a good way to describe why people seek privacy (and why they don’t generally poop in public).  Being spied on in your own home—as actually happened to some people in cases pursued by the FTC—isn’t primarily or measurably an economic invasion.

 

In his view,

 

the FTC’s case selection is causing American law to converge with some European norms. For instance, the FTC’s matters concerning malware reject traditional contract notions in favor of fairness principles that one would expect from European consumer protection efforts. Similarly, FTC actions against companies that collect information for one specified purpose and resell it for another reflect European ideals of purpose specification and limitation. Finally, the US–EU Safe Harbor Agreement itself, while only legally applicable to Europeans’ data, causes some companies to extend Continental-style protections to American consumers.

 

The Bureau of Economics is, in Hoofnagle’s view, a barrier to more effective FTC policies on privacy.  The BE doesn’t generally see privacy violations as having an economic value, and “it perceives there to be no market for pro-privacy practices.”  Hoofnagle suggests ways that a more dynamic market for privacy might be encouraged and value.  For example, there is a “privacy differential” between the policies of free, consumer-oriented services and for-pay, business-oriented services, and the value of that differential to consumers could be studied. This could result in disgorgement and restitution penalties for violations of the FTCA.  More aggressively, the BE could help change the incentives of industry participants who lack incentives to protect privacy. Hoofnagle analogizes to the market for auto safety:

 

automakers once claimed that consumers did not really care about safety, that consumers chose cars based on appearance, and that auto safety was the domain of a small group of malcontents. In the 1950s, there was no ability to express a preference for safety, but once seat belts became an option, they proved tremendously popular. The BE could be part of a movement to create the “seat belt” for internet commerce.

 

I love analogies, but I’m not sure how exactly this would work, because understanding the options is probably always going to be difficult, by Hoofnagle’s own account of consumer decisionmaking.  But Hoofnagle has more practical suggestions, too.  He suggests drawing on methods used by the plaintiffs’ bar for measuring how consumers conceive of the value of personal information:

 

For instance, in one case involving illegal sale of driver record information, an economist polled citizens to explore what kind of discounts they would accept in renewing their driver’s license in exchange for this information being sold to marketers. While the market valued the information at $0.01 per record, 60 percent of respondents said they would reject an offer of a $50 discount on their license in exchange for allowing the sale of their name and address to marketers.

 

Most importantly, however, Hoofnagle advocates that the FTC should reject any return to the “common law,” which means limiting FTC action to addressing pecuniary injuries.  (As he points out, the common law also provides criminal punishment for frauds on the public, which the proponents of harm requirements don’t support.)  Affronts to dignity and violation of consumer expectations also deserve protection.  And this means a willingness to use the unfairness power to address inherent wrongs.  The FTC has begun to do this with awful behavior like revenge porn sites, and with spyware, and he contends it should do more.  For example, he considers Facebook to be an “information-age bait and switch.”  After consumers had become locked into the platform, it changed its privacy policies to make us far more exposed, relying on its market dominance to keep defections to a minimum.

 

As part of this regulatory attention, privacy advocates will have to hold their own in cost-benefit analyses.  Hoofnagle argues that deregulation advocates produce biased work that ignores the externalities of privacy intrusions, such as the disruption caused by telemarketing calls and the costs of developing technologies such as caller ID to fend them off.  Privacy-side work could provide a fuller picture of the externalities and transaction costs to consumers of ugly industry practices.