The Online Privacy Problem
While the Internet-based economy provides many benefits, it also raises new concerns for maintaining the privacy of information. “Internet privacy is the privacy and security level of personal data published via the Internet. It is a broad term that refers to a variety of factors, techniques and technologies used to protect sensitive and private data, communications, and preferences.”
As the federal government’s National Telecommunications and Information Administration (NTIA) explains:
Every day, billions of people around the world use the Internet to share ideas, conduct financial transactions, and keep in touch with family, friends, and colleagues. Users send and store personal medical data, business communications, and even intimate conversations over this global network. But for the Internet to grow and thrive, users must continue to trust that their personal information will be secure and their privacy protected.
Internet privacy concerns are warranted. According to a July 2015 survey of Internet-using households, 19 percent of such households (representing nearly 19 million households) reported that they had been affected by an online security breach, identity theft, or similar malicious activity during the 12 months prior to the survey. Security breaches appear to be more common among the most intensive Internet-using households—31 percent of those using at least five different types of online devices suffered such breaches. Security breach measures, of course, do not take into account consumer concerns about the unauthorized use of the personal data they supply to Internet service providers and to websites that they visit.
Furthermore, the total cost of data breaches is enormous. A 2016 survey of corporate data breaches funded by IBM showed that the average annual per-company cost of data breaches rose from $3.8 million to $4.0 million between 2014 and 2015. A 2014 study estimated that the aggregate annual data breach-specific cost to the U.S. economy was $140 billion (including direct costs to businesses, indirect costs to their customers, and indirect law enforcement-related costs), and that 500,000 jobs a year were lost due to such breaches.
Online security failures often result in identity theft. The U.S. Federal Trade Commission (FTC) explains, “identity theft occurs when someone uses or attempts to use the sensitive personal information of another person to commit fraud. A wide range of sensitive personal information can be used to commit identity theft, including a person’s name, address, date of birth, Social Security number (SSN), driver’s license number, credit card and bank account numbers, phone numbers, and even biometric data like fingerprints and iris scans.” According to the U.S. Justice Department’s Bureau of Justice Statistics, “an estimated 17.6 million Americans—about 7% of U.S. residents age 16 or older—were victims of identity theft in 2014.”
Some examples highlight the scale and the nature of the damage identity theft inflicts on consumers and businesses. For example, a 2013 hack of Target involved the theft of 40 million credit card records, leading to $443 million in losses for that company, a $1 billion fine, and substantial costs to customers whose credit card information was compromised. In another case, AOL publicized the search history of 658,000 consumers from which those consumers could reportedly be identified.
Information can be stolen if companies do not pay enough attention to the red flags of possible software problems. For example, Sony incorporated a copy-protection technology called XCP into the CDs it produced. As a side effect of this technology, it became possible to track consumer IP addresses, thereby undermining the security of these personal devices. Depending upon the privacy settings and policies of social media and online dating sites, one’s individual photos and name may be readily available through general online search engines for an indefinite period of time. Several social media sites have also had scandals that involve the tracking of consumers. According to The Wall Street Journal, Foursquare, purveyor of a mobile app that allows one to learn about popular dining spots near one’s current location, continues to track users’ every movement—even after the app has been closed.
Public attention has focused primarily on Internet data breaches by third party hackers and thieves, since the financial harm stemming from those harmful actions (and, in particular, identity theft), can be estimated. Nevertheless, government regulators are also concerned about other sorts of misuses of sensitive non-public consumer information that is obtained online—even when particularized financial losses cannot readily be measured. Perhaps the most severe such misuse involves the stalking of individuals by predators who obtain private information online (either directly from vulnerable individuals such as children and teenagers, or through data breaches). Less obviously harmful are online companies’ unauthorized uses of consumers’ private data to make money through the sale of that information to advertisers and other commercial websites, or through the tracking of consumers’ physical movements or web browsing patterns. Some consumers (although not all) may strongly resent and feel themselves harmed by such types of behavior, even if it does not result in direct out-of-pocket losses. Such a concern is in harmony with the long-recognized legal American doctrine that individuals have a limited “privacy interest” in preventing certain personal information from being publicized.
What is the correct overall approach government should take in dealing with Internet privacy problems? In addressing this question, it is important to focus substantial attention on the effects of such regulation on economic welfare. In particular, policies should address Internet privacy problems in a manner that does not unduly harm the private sector or deny opportunities to consumers. The U.S. Federal Trade Commission (FTC), the federal government’s primary consumer protection agency, has been the principal federal regulator of online privacy practices. Very recently, however, the U.S. Federal Communications Commission (FCC) has asserted the authority to regulate the privacy practices of broadband Internet service providers, and is proposing an extremely burdensome approach to such regulation that would, if implemented, have harmful economic consequences. Congress may wish to take this into account in deciding whether to reallocate and constrain regulatory responsibilities in this area, which is so important to the 21st century innovation-driven economy.
The FTC and Privacy
The FTC uses a variety of legal instruments in protecting consumers, and, in particular, individuals’ privacy. As the FTC explains:
The FTC’s primary legal authority comes from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the marketplace. The FTC also has authority to enforce a variety of sector specific laws, including the Truth in Lending Act, the CAN-SPAM Act, the Children’s Online Privacy Protection Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, and the Telemarketing and Consumer Fraud and Abuse Prevention Act. This broad authority allows the Commission to address a wide array of practices affecting consumers, including those that emerge with the development of new technologies and business models.
The FTC uses a variety of tools to protect consumers’ privacy and personal information. The FTC’s principal tool is to bring enforcement actions to stop law violations and require companies to take affirmative steps to remediate the unlawful behavior. This includes, when appropriate, implementation of comprehensive privacy and security programs, biennial assessments by independent experts, monetary redress to consumers, disgorgement of ill-gotten gains, deletion of illegally obtained consumer information, and provision of robust notice and choice mechanisms to consumers. If a company violates an FTC order, the FTC can seek civil monetary penalties for the violations. The FTC can also obtain civil monetary penalties for violations of certain privacy statutes and rules, including the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act, and the Telemarketing Sales Rule. To date, the Commission has brought hundreds of privacy and data security cases protecting billions [sic] of consumers.
More specifically, “[t]he FTC has brought enforcement actions addressing a wide range of privacy issues, including spam, social networking, behavioral advertising, pretexting, spyware, peer-to-peer file sharing, and mobile. These matters include over 130 spam and spyware cases and more than 50 general privacy lawsuits.” A very large portion of these matters involved online commercial activity.
As stated above, most of the FTC’s privacy-related work is based on its core general authority to proscribe unfair or deceptive acts or practices under Section 5(a)(1) of the Federal Trade Commission Act (Section 5). Although deception and unfairness are covered in the same statutory section, they represent different concepts.
The FTC defines “deception” as involving a “representation, omission or practice that is likely to mislead the consumer acting reasonably in the circumstances, to the consumer’s detriment.” Thus, deception occurs only when business conduct causes tangible harm to consumers who acted reasonably and were, nonetheless, misled. By comparison, conduct is “unfair” if it involves “an act or practice [that] causes or is likely to cause substantial injury to consumers which is not reasonably avoided by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” This necessarily calls for cost-benefit analysis, since it weighs potential efficiencies against consumer harm, which makes it a more stringent test than deception. Central to both the “deception” and “unfairness” cases is the concept of “materiality,” which means that the behavior under scrutiny must actually affect consumer choices—if consumer choices are unaffected, consumers are not harmed, and thus the behavior does not violate Section 5. In a speech on Internet privacy protection, FTC Commissioner Maureen Ohlhausen summarized the interplay between Section 5 unfairness and deception:
[U]nfairness establishes a baseline prohibition on practices that the overwhelming majority of consumers would never knowingly approve. Above that baseline, consumers remain free to find providers that match their preferences, and our deception authority governs those arrangements. . . . The FTC’s case-by-case enforcement of our unfairness authority shapes our baseline privacy practices. Like the common law, this incremental approach has proven both relatively predictable and adaptable as new technologies and business models emerge.
A brief review of representative Section 5 privacy cases provides a sense of how the FTC applies the unfairness and deception standards in that context. Applying these standards, the FTC has successfully resolved investigations (through settlements and final litigated decisions) in which it alleged that companies made deceptive claims about how they collect, use, and share consumer data; failed to provide reasonable security for consumer data; deceptively tracked consumers online; spammed and defrauded consumers; installed spyware or other malware on consumers’ computers; shared highly sensitive, private consumer data with unauthorized third parties; and publicly posted such data online without consumers’ knowledge or consent. The many companies under FTC orders include Microsoft, Facebook, Google, Equifax, HTC, Twitter, Snapchat, and Wyndham Hotels.
For companies that adopt and post online privacy policies, a further issue is whether they decide to offer website users the choice of “opt in” or “opt out” information sharing frameworks. (Companies may choose to do neither and merely describe their privacy practices.) Under opt in, personal information obtained from website visitors cannot be shared with third parties (such as advertisers or marketers) unless and until the individual visiting a website grants permission for such use, typically by checking a box on a notice provided by the website. Under opt out, personal information can be shared unless the individual specifically requests that the website not do so. By its nature, opt in tends to restrict the dissemination of information, while opt out promotes more liberal information sharing. This difference is the result of the fact that many consumers may choose not to have their information shared if they have to make an initial election under opt in, while many consumers may not bother to act affirmatively to prevent information sharing under opt out.
Opt-in and opt-out policies also pose a welfare trade-off. The “up-front reminder” provided by opt in policies will be beneficial to consumers who highly value their privacy. But less privacy-sensitive consumers who value more highly the extra online services that are financed by websites’ greater ability to monetize consumer information (by selling it to third parties) would benefit from opt out policies. In addition to these general considerations, the greater the sensitivity and potential consumer harm that may arise from a website’s transfer of personal information, the more likely opt in policies will prove beneficial for the bulk of that website’s customers. In reviewing complaints in this area (for example, the claim that a company has sold the private information of consumers who opted against information sharing), the FTC applies its general Section 5 deception and unfairness principles on a case-by-case basis.
The FCC Steps In
Until very recently, the FTC was the only federal agency scrutinizing online privacy practices. On April 1, 2016, however, the FCC, which is the federal communications regulatory agency, published a Notice of Proposed Rulemaking (NPRM) entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services.” This “Privacy NPRM” sets forth detailed rules that, if adopted, would impose onerous privacy obligations on “Broadband Internet Access Service” (BIAS) Providers, the firms that provide the cables, wires, and telecommunications equipment through which Internet traffic flows—primarily cable (Comcast, for example) and telephone (Verizon, for example) companies. The Privacy NPRM reclassifies BIAS provision as a “common carrier” service, thereby totally precluding the FTC from regulating BIAS Providers’ privacy practices (since the FTC is barred by law from regulating common carriers). Put simply, the NPRM required BIAS Providers “to obtain express consent in advance of practically every use of a customer[’s] data,” without regard to the effects of such a requirement on economic welfare. All other purveyors of Internet services, however—in particular, the large numbers of “edge providers” that generate Internet content and services (Google, Amazon, and Facebook, for example) —are exempt from the new FCC regulatory requirements.
In short, the Privacy NPRM establishes a two-tier privacy regulatory system, with BIAS Providers subject to tight FCC privacy rules, while all other Internet service firms are subject to more nuanced, case-by-case, effects-based evaluation of their privacy practices by the FTC. This disparate regulatory approach is peculiar (if not wholly illogical), since edge providers in general have greater access than BIAS Providers to consumers’ non-public information, and thus may appear to pose a greater threat to consumers’ interest in privacy.
The FCC’s proposal to regulate BIAS Providers’ privacy practices represents bad law and bad economic policy, in several respects.
First, the Privacy NPRM undermines the rule of law by extending the FCC’s authority beyond its congressional mandate. The FCC justifies its privacy rules by invoking Section 222 of the Telecommunications Act of 1996, which empowers the FCC to regulate information Customer Proprietary Network Information (CPNI) over voice telephony. CPNI only covers a narrow category of information—telecommunications providers’ collection and use of individualized subscriber information regarding the time and length of calls, phone numbers called, and consumer voice billing when such information “is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.” By contrast, the Privacy NPRM proposes to regulate the far broader category of “personally identifiable information,” or PII, defined as information that “can be used on its own, in context, or in combination to identify an individual or to logically associate with other information about a specific individual.”
In short, under the NPRM, the FCC cites its authority over a very limited category of “telephone bill” information unrelated to Internet communications to justify regulating vast amounts of private information transmitted over the Internet. This is “a gross overextension of the authority conferred by Congress under Section 222. It is legally improper for the Commission to reinterpret its circumscribed privacy mandate regarding telephone services and overextend that authority to the competitive broadband services.” Moreover, this expansive approach is at odds with the overall guidance Congress provided the FCC in enacting the 1996 Telecommunications Act, which emphasizes reliance on competitive forces, rather than FCC regulation, and provides for FCC forbearance from regulating telecommunications services to the greatest extent possible, including when regulation “is not necessary for the protection of consumers.”
Second, the Privacy NPRM imposes a set of sweeping opt-in consent requirements on BIAS Providers, without regard to private sector burdens or actual consumer welfare. In the name of protecting online privacy, the NPRM requires that BIAS Providers seek affirmative opt-in consent from each customer for virtually all uses of any consumer data. A BIAS Provider would have to inform customers of its intended use of their data and then obtain their consent—even if the Provider had no plans to disclose the data and even if the data already was being used by other Internet businesses for advertising and marketing purposes. In contrast, the FTC has reserved its imposition of opt-in requirements to very limited situations, involving “specific uses like making retroactive changes to privacy representations, or collecting sensitive information, such as information about children, financial and health information, Social Security numbers, and precise geolocation data.” The FTC’s limited use of opt-in requirements reflects the fact that “opt in mandates unavoidably reduce consumer choice” by setting a privacy baseline that is too high and by preventing unanticipated beneficial uses of consumer data. In a similar vein, former FTC Commissioner Joshua Wright wrote that the Privacy NPRM imposes “a rigid, one-size-fits-all regulatory approach, forgoing the individualized analyses that leave space for innovative, welfare-enhancing uses of customer information.” In particular, Wright aptly summarized the nature of the costs the FCC’s approach would impose on consumers and the economy as a whole:
[The Privacy NPRM] presumes that consumers with strong privacy preferences somehow cannot effectively protect these interests by opting-out when doing so would make them better off, and, instead, imposes the burdens to act upon those consumers with weak preferences. Far from benefiting consumers, this regime eliminates the ability of firms to compete and experiment with business models to maximize consumer value and would impose significant costs upon many firms in the online ecosystem—costs that consumers would ultimately bear. These costs would far outweigh the very limited and speculative benefits the NPRM proffers.
Third, the Privacy NPRM, if implemented, will reduce BIAS Provider revenues and thereby dampen investment that is vital to the continued growth of and innovation in Internet-related industries. Opt-in restrictions will sharply limit the ability of BIAS Providers to monetize consumer information by selling it to advertisers and marketers, thereby reducing funds available to finance new Internet services and improving existing services. Furthermore, the financial health of BIAS Providers would be undermined. As the U.S. Chamber of Commerce explained, in its comment on the Privacy NPRM:
The NPRM threatens the long-term economic health of broadband and other telecommunications providers. According to Moody’s Investors Services, the FCC’s proposed privacy rules pose “a long-term risk to the current TV advertising business model, as well as all broadband providers whom also have ad sales exposure.” Given the regulatory imbalance created by the proposed rule, the credit agency also predicts that NPRM will be “credit-negative” for Internet service providers.
Fourth, and relatedly, Edge providers (Google, for example), which are not covered by the NPRM (and whose ability to monetize consumer information is subject only to “lighter touch” FTC oversight), will feel less competitive pressure from BIAS Provider offerings, and have a weaker incentive to innovate and compete in Internet service provision.
Fifth, the Privacy NPRM, if implemented, will harm consumer welfare and, in particular, raise consumer prices for Internet services and deny discount programs desired by consumers. NPRM-related limitations on the ability of BIAS Providers to monetize consumer data will, by reducing advertising revenue used to help defray broadband service costs, incentivize the Providers to raise consumer broadband service prices. In addition, by barring BIAS Providers from offering discounted Internet broadband services in exchange for greater access to consumer data, the NPRM will deny a valuable option to consumers who value service discounts more than additional data privacy.
In sum, the Privacy NPRM would, if implemented, undermine the economic welfare of both businesses and consumers in a manner that ignores clear limitations on the FCC’s statutory authority. As a matter of sound economics and law, the FCC should abandon this disastrous proposal and leave the federal oversight of online Internet privacy where it now resides—with the FTC.
While the previous discussion has centered on the federal government’s approach to Internet privacy, foreign governments increasingly have sought to regulate privacy (and, in particular, data protection) practices, generally in a far more intrusive manner than that employed by the FTC. Because the Internet is global in scope, American businesses (particularly those with a significant international reach) need to take into account foreign privacy regulations in planning their operations.
- Commitments by Companies to Robust Data Protection. U.S. companies participating in the new framework will be required to commit to robust obligations regarding the processing of personal data from Europe. Companies handling human resources data from Europe will be further required to agree to comply with the decisions of the Data Protection Authorities (“DPAs”) of the various EU member states.
- FTC Enforcement. The [FTC]…will have enforcement authority regarding U.S. companies’ compliance with the new framework, just as it did with the old Safe Harbor agreement. The U.S. Department of Commerce will have overall responsibility for monitoring companies’ compliance with the Privacy Shield framework.
- Redress for EU Citizens. EU citizens who believe that their data has been misused by a U.S. company will have several avenues of redress. For example, DPAs may refer EU citizen complaints to the Department of Commerce and the FTC. In addition, a new Ombudsperson will be established to handle complaints of access to personal data by national intelligence authorities.
- Restrictions on U.S. Government Surveillance. Access to EU personal data by U.S. law enforcement and national security authorities will be subject to clear limitations and oversight, and the U.S. has provided the EU with written assurances to this effect. The absence of such protections was a key factor in the…[European Court of Justice’s 2015] decision that invalidated the Safe Harbor agreement. The European Commission and the U.S. Department of Commerce will conduct annual joint reviews regarding the issue of national security access.
Membership in the Privacy Shield is entirely voluntary. In deciding whether to bring themselves under the Shield, which imposes significant and costly regulatory obligations and severe sanctions for violations of Shield commitments, American businesses may wish to consider instead using standardized contractual terms to govern their U.S.-EU data transfers. Whether or not they “opt in” to Shield commitments, however, American firms doing business in the EU will be subject to potentially large and uncertain liability and European regulatory oversight.
Furthermore, given the very significant influence of European data protection and privacy norms on international thinking, the implementation and evolution of Shield and European DPA policies will be a major ongoing concern for American companies, wherever they do business. The Privacy NPRM (if implemented) heightens that concern for BIAS Providers, since they will have to evaluate the implications of new FCC regulation (rather than simply rely on FTC oversight) in deciding whether to opt in to the Shield’s standards and obligations.
The FCC’s Privacy NPRM is at odds with the pro-competitive, economic welfare enhancing goals of the 1996 Telecommunications Act. It ignores the limitations imposed by that act and, if implemented, would harm consumers and producers and slow innovation. This prompts four recommendations.
- The FCC should withdraw the NPRM and leave it to the FTC to oversee all online privacy practices under its Section 5 unfairness and deception authority. The adoption of the Privacy Shield, which designates the FTC as the responsible American privacy oversight agency, further strengthens the case against FCC regulation in this area.
- Moreover, the FTC should borrow a page from former FTC Commissioner Joshua Wright by implementing an “economic approach” to privacy. Under such an approach:
- FTC economists would help make the commission a privacy “thought leader” by developing a rigorous academic research agenda on the economics of privacy, featuring the economic evaluation of industry sectors and practices;
- FTC economists would report independently to the FTC about proposed privacy-related enforcement initiatives; and
- The FTC would publish the views of its Bureau of Economics in all privacy-related consent decrees that are placed on the public record.
- The FTC should encourage the European Commission and other foreign regulators to take into account the economics of privacy in developing their privacy regulatory policies. In so doing, it should emphasize that innovation is harmed, the beneficial development of the Internet is slowed, and consumer welfare and rights are undermined through highly prescriptive regulation in this area (well-intentioned though it may be). Relatedly, the FTC and other U.S. government negotiators should argue against adoption of a “one-size-fits-all” global privacy regulation framework. Such a global framework could harmfully freeze into place over-regulatory policies and preclude beneficial experimentation in alternative forms of “lighter-touch” regulation and enforcement.
Although not a panacea, these recommendations would help deter (or, at least, constrain) the economically harmful government micromanagement of businesses’ privacy practices in the United States and abroad. The Internet economy would in turn benefit from such a restraint on the grasping hand of big government.
—Alden F. Abbott is Deputy Director of and John, Barbara, and Victoria Rumpel Senior Legal Fellow in the Edwin Meese III Center for Legal and Judicial Studies at The Heritage Foundation. He gratefully acknowledges the research assistance of Heritage Foundation Intern Jessica Higa, who participated in the Young Leaders Program.