FTC privacy enforcement focuses on deception, not unfairness

Revenge porn site operators should well fear the privacy enforcement powers of the Federal Trade Commission. Other online businesses, not so much — as long as they avoid lying to consumers.

The preeminent government agency tasked with protecting consumer privacy vastly prefers punishing deception rather than online unfairness. Only once in the last decade has the FTC relied solely on its power to police unfair practices to take an enforcement action, according to recent Government Accountability Office data analyzed by MLex.

That one occasion was in 2018, when the FTC went after MyEx, a now-defunct website where visitors uploaded intimate pictures of women and its operators charged victims up to thousands of dollars to remove them. MyEx was unfair, the FTC said. Otherwise, the agency has depended — at least partially, and sometimes completely — on privacy wrongdoers’ propensity to commit other misdeeds before stopping them.

For the FTC, MyEx was an exception: an Internet privacy case without a connection to a deception or financial crime or scam.

Section 5 of the Federal Trade Commission Act empowers the agency to police “unfair or deceptive" acts. Whether the FTC accuses someone of being “unfair” or “deceptive” isn't just semantics.

Broadly speaking, companies already know what deception is, and know that it is wrong. Unfairness is more ambiguous.

By mostly refusing to invoke its unfairness authority, the agency is missing the chance to send messages about privacy during a significant consumer backlash against Big Tech’s pervasive data-gathering. Moreover, the FTC's deception-heavy enforcement incentivizes companies to write vaguer privacy policies.

According to the Government Accountability Office’s count of 95 Internet privacy cases brought under the agency’s governing statute from July 2008 through June 2018, deception was overwhelmingly the FTC’s most frequent allegation.

The congressional watchdog compiled the list for a report recommending that Congress consider comprehensive privacy legislation. An FTC official told the GAO the cases represent substantially all of the agency’s Internet privacy enforcement actions — that is, cases related to the unauthorized transmission, collection or disclosure of personal information.

When the FTC charges that a practice is unfair, it has decided that injuries to consumers outweigh the benefits — that's the so-called balancing test, a cost-benefit analysis the agency has been making since the 1980s. Plenty of non-privacy cases survive the test and win settlements: Apple, for example, refunded $32.5 million to customers in 2014 to settle an unfairness charge related to in-app purchasing.

But most privacy cases can’t make it through the balancing test as the FTC applies it — not without an assist from a corporate lie or violation of another statute the agency enforces, such as the Fair Credit Reporting Act. The FTC doesn’t absolutely require a measurable monetary loss before it acts on consumers’ behalf, but the agency is inclined to look for that and hesitates when it doesn’t find it.

So long as online services don’t cost consumers money, skepticism over whether privacy violations have quantifiable value dominates balancing-test assessments. That is especially the case among the agency’s economists, whose views are influential. The balancing test has become a bottleneck.

In response to an MLex request for comment, an FTC spokesperson said the agency examines “every case on its own merits” and uses the unfairness standard “where appropriate.”

The agency's privacy-minded attorneys have instead focused on deception. Getting internal buy-in for a deception case is far easier, as it hinges on a less stringent test: Did a lie affect the choice of a reasonable consumer?

Of the 95 Internet privacy cases, 19 included accusations of unfairness and deception, and they included the agency’s most high-profile privacy actions — those against Facebook, Vizio and Lenovo, for example.

“The FTC has to contort itself into pretzel shapes to show that this cost-benefit analysis can be satisfied,” said Megan Gray, a tech executive who was the lead staff attorney in the FTC’s $22.5 million settlement with Google after it misrepresented to Safari browser users the extent of its ad targeting program.

When the FTC in 2014 went after operators of Jerk.com — a self-declared “anti-social network” that let users rate people as “a jerk” — it brought down the website because it misled consumers by scraping profile data from Facebook. Whether it was unfair to host a website dedicated to crowd-sourcing mockery and abuse was left unaddressed.

The agency also didn’t invoke unfairness in the 2015 case of Nomi Technologies, a company that sold cellphone tracking technologies to retailers. Its offense was a misleading privacy statement, not turning shoppers’ phones into a tracking device.

“The real issue underlying these cases is our normative commitment to privacy: Do we really want websites that label people jerks or companies that collect unique identifiers from phones?” asked Chris Hoofnagle, a University of California-Berkeley professor and close FTC privacy observer in a 2018 article.

Not all of the FTC’s hesitation about unfairness comes from narrow conceptions of privacy harms. The agency is still haunted by a robustly rebuffed late-1970s attempt, using the agency's authority to police unfairness, to rein in children’s advertising, an episode shorthanded as “KidVid.”

That chapter of the FTC’s history ended with the food industry continuing to tout sugar-laden fare during Saturday morning cartoons, and the agency had its rulemaking authority permanently curtailed. “KidVid” is uttered to this day as a warning by those who think the FTC is going too far.

But changing perceptions of Big Tech risk have put the FTC’s hands-off approach to privacy behind the times.

A 2015 poll by the Pew Research Center found that three-quarters of American adults don’t believe records of their activity maintained by the online advertisers will remain private and secure. Slightly lower percentages reported the same level of distrust in search engine providers, social media sites and online video sites.

Congress, once so willing to give Big Tech a pass, is also making noises to the contrary. The House and Senate committees charged with overseeing commerce issues each plan to hold a hearing this month on privacy. Each chamber is expected to consider a national privacy bill, and dissatisfaction with the FTC on privacy matters has led activists to call for the bills to supplant the FTC with a new bureaucracy.

A dozen privacy advocates signaled no confidence in the FTC only last month by calling for Congress to create a new data protection agency.

“The FTC has failed to act,” said Caitriona Fitzgerald, policy director at the Electronic Privacy Information Center.

Also last month, Silicon Valley representative Anna Eshoo notably failed to make a strong case for the agency when addressing privacy bill must-haves during a privacy conference in Washington.

“I think that Congress could beef up the FTC or create a new agency. I’m agnostic on this and I’m open to options,” she said. “But I do think our current mechanisms of enforcement just don’t cut it.