Privacy & Information Security Law Blog

On December 12, 2017, the Federal Trade Commission hosted a workshop on informational injury in Washington, D.C., where industry experts, policymakers, researchers and legal professionals considered how to best characterize and measure potential injuries and resulting harms to consumers when information about them is misused or inappropriately protected.

Acting FTC Chairwoman Maureen Ohlhausen delivered opening remarks at the commencement of the day-long workshop and noted the key goals of the meeting were to (1) better identify different types of privacy injury, (2) explore frameworks for quantitatively measuring and estimating the risk of harm, and (3) better understand how consumers and businesses weigh the risks of increased exposure to privacy injuries against the benefits of personal information use. Another stated goal was to determine when FTC intervention may be warranted.

The four panel workshop began with a discussion of types of informational injuries that can and do occur in the marketplace, followed by a discussion of potential factors to consider in assessing consumer injury. Later in the afternoon, the discussion turned to business and consumer perspectives on the benefits, costs and risks of collecting and sharing data. The workshop concluded with a panel on different methods for and challenges in measuring injury.

• Injuries 101: The first panel discussed negative outcomes that arise from unauthorized access to and misuse of consumers’ personal data. The discussion included an examination of the broad range of injuries that can occur. This was not limited to common informational injuries, such as financial harms resulting from identity theft, but also included lesser known harms such as medical and biometric identity theft, doxing (which is the public release of documents people wish to keep private), stalker ware apps, algorithmic decision making, discrimination based on knowledge of sensitive data points, predictive policing and the personalization of services.

Panelists called on the FTC to take a number of measures to further study these informational risks and injuries, including studying different types of identity theft distinctly and not limiting this to one general topic, and writing reports on substantive harms that have meaningful impacts on people’s lives and the potential solutions.

More generally, panelists called for efforts to understand harms to come up with the appropriate measures and to take a multifactorial approach, considering different expertise and different victims and stakeholders. Such measures should include the creation of a clear set of societal norms for tech platforms and the development of ethical frameworks to guide information use.

• Potential Factors in Assessing Injury: The second panel discussed potential factors in assessing consumer injury, including types of injury, magnitude and the sensitivity of consumer data. Consideration was given to whether the same factors apply in both the privacy and security contexts, the risk of potential injury versus realized injury and when government intervention is warranted.

Panelists were presented with two consumer harm and injury hypotheticals (one in a privacy context, based on retail tracking and marketing, and one in a security context, based on unauthorized access to company consumer data) and asked to assess at which stage of the hypothetical they believed consumer injury was taking place. Responses varied with some noting that, in the retail tracking hypothetical, until actual harm is realized, no consumer injury has taken place, while others stated that retail tracking to determine aggregate consumer interest in a product could be enough to cause injury. Panelists were then asked at which stage of the hypotheticals they believed government intervention should occur. Some panelists stated it should occur if the information is sensitive, while others noted over-enforcement can be a deterrent to new technologies.

With respect to the data security hypothetical, panelists were asked the same question of which stage they believed injury occurred. Responses varied again, largely on similar logic, with some noting that unless actual harm is realized through the use of breached data, no injury occurs, and others taking the line that unauthorized access to consumer data alone is enough to constitute injury.

With respect to enforcement, one panelist noted that the FTC can look at these issues in a broader way than the court system. For instance, it can look at social harms in ways that courts cannot. Further, the unfairness doctrine under Section 5 of the FTC Act was mentioned as having the potential to facilitate the FTC in exploring how to assess risk and harm.

Panelists also discussed the role of consumer expectations in determining (1) whether there was injury; (2) whether there should be a distinction between the collection of information and use of information (whereby use, but not collection, may result in injury); (3) risks associated with the use or failure to use sensitive data; (4) the role of considering countervailing benefits in assessing net injury; (5) whether quantifiability of harm is an effective or sufficient criterion for cognizable injury in the privacy context; and (6) the role of the market in mediating the issue of acceptable privacy risks.

• Business and Consumer Perspectives: The third panel examined how businesses and consumers perceive and evaluate the benefits, costs and risks of data collection and sharing in light of potential benefits and injuries. The panel also discussed considerations businesses take into account when choosing privacy and data security practices, and consumer decision making regarding sharing their information.

With respect to the business perspective, one panelist noted that when businesses try to assess risk they start by looking at the benefits, and most businesses go through privacy impact assessments to mitigate risks to an acceptable level in light of benefits. Another panelist took the view that businesses overestimate the benefits of data uses and are not internalizing the risks. A third panelist noted that business perspectives vary from sector to sector.

With respect to the consumer perspective, panelists noted that consumers view data as one aspect of the transaction and are willing to pay with information rather than money. They may not, however, be aware of what disclosing their information means and consumer education efforts to date have largely been ineffective. One panelist noted that default options are extremely important because people usually do not make choices if they do not fully understand them. Too many choices, however, can lead to complexity and can overburden consumers.

The session concluded with one panelist recommending that the FTC pursue other methods than the traditional approaches of transparency, notice, choice and consent, noting that these have been tried in the past and do not work. The data economy is too complex and a constantly moving target. In addition, it has to be considered that other areas of law and regulation (e.g., environment, nutrition, conflict resolution and arbitration, etc.) make similar demands on consumer attention through transparency, thereby adding to the burden on consumers. Panelists also suggested looking at what people do rather than what they say about privacy. One panelist stated that watching the big industry players and understanding their responsible data practices is an effective path forward. It was also suggested that consumers have only so much time to make choices and that responsible and ethical information use by companies is the way forward in protecting consumers.

• Measuring Injury: The final panel examined methods for and challenges in assessing informational injuries. Discussion points included how to quantify injury and the risk of injury, as well as how consumer choice and stated preferences can be accounted for.

Panelists noted that most work in measuring injury has been conducted through surveys. A key issue raised in this regard is the privacy paradox. In a survey, most people will state they care about privacy but do not act accordingly. Actual, rather than reported, preferences may be more insightful, but one panelist cautioned that this issue is complex and that one cannot generalize that “revealed action” is a better indicator than “stated preferences.” There may be other explanations for why people act the way they do other than for privacy-related reasons. Building on this point, one panelist noted the cyber insurance market shows what customers are willing to pay for privacy, but acknowledged the limitations and rarity of personal cyber insurance coverage.

Panelists agreed that further research is needed to get an understanding on baseline risk and that to measure causal links, we need to have a better understanding of what causes injury to happen. One panelist called for more research on what prevents harm from happening. For the FTC and other government agencies going forward, panelists asked for thought to be given to new risks hitting consumers more directly, such as ransomware, and to consider appropriate remedies, taking into account the costs to the consumer. Another suggestion was to identify occasions of injury where there is no effect on individuals.

Andrew Stivers, Deputy Director for Consumer Protection in the Bureau of Economics of the FTC, delivered closing remarks and emphasized the importance to the FTC of continued work on informational injury.

The FTC will accept public comments on the workshop until January 26, 2018. Details regarding submissions can be found in the detailed public notice about the workshop.