Upcoming FTC Workshop on Informational Harm; Next Brushstrokes on the FTC’s Consumer Privacy and Security Enforcement Canvas
On September 29, the Federal Trade Commission (FTC) formally announced a December 12th workshop on informational injury—the injury a consumer suffers when information about them is misused. The workshop will address questions such as, how to characterize and measure such injury and what factors businesses and consumers should consider the benefits and risks of collecting, using and providing personal information so as to gain further perspective for how the FTC should apply its legal framework for privacy and security enforcement under 15 USC § 45 (Section 5). In her September 19th remarks to the Federal Communications Bar Association, Commissioner Maureen Ohlhausen, the Acting Chairman of the FTC, metaphorically characterized the workshop’s purpose as providing the next brushstrokes on the unfinished enforcement landscape the FTC is painting on its legal framework canvas. The full list of specific questions to be addressed may be accessed here.
Background. The FTC views itself as the primary US enforcer of data privacy and security, a role it recently assumed. While the FTC’s enforcement against practices causing informational injury through administrative proceedings goes back as far as 2002, its ability to pursue corporate liability for data security and privacy practices under its Section 5 “unfair or deceptive trade practices” jurisdiction was only ratified in 2015 by the US Court of Appeals for the Third Circuit in FTC v. Wyndham Worldwide Corporation. The FTC has actively invoked its enforcement authority but, in doing so, has been selective in determining which consumer informational injuries to pursue by questioning the strength of evidence connecting problematic practices with the injury, examining the magnitude of the injury and inquiring as to whether the injury is imminent or has been realized.
The FTC has generally taken a case-by-case approach to addressing informational injuries, which include deception, financial injury, health or safety injuries, unwarranted intrusion on privacy, and reputational harm, focusing on real-world facts and specifically alleged behaviors and practices. Rather than viewing the impact of each case in a vacuum, the cases should be viewed as part of a series whereby the FTC has integrated feedback on prior cases from advocates, the marketplace and the courts. What have emerged are various patterns comprising the current FTC enforcement landscape.
The Workshop. According to Chairman Ohlhausen’s remarks, the FTC is now stepping back to look at those patterns as they relate to consumer injury and to obtain additional perspectives from consumers and businesses. The purpose of this exercise is to further inform and refine the FTC’s use of its privacy and enforcement authority in future cases in a way that is measured and effective in protecting consumers from injury without stifling ongoing innovation and achieving the most good with the fewest unintended consequences (e.g., targeting substantial rather than hypothetical injury, an important distinction various courts have addressed in determining what constitutes standing for bringing a case). The workshop will be the first step in that effort and has three underlying goals: (1) to better identify the qualitatively different types of injury to consumer and business from privacy and data security incidents; (2) to explore frameworks for how the FTC may measure informational injuries and determine the risk of their occurrence; and (3) to better understand how consumers and businesses weigh informational injuries and risk when evaluating the tradeoffs to sharing, collecting, storing and using information.
The FTC’s engagement of consumers and businesses is commendable and should contribute meaningfully to its effort to achieve the right balance between protecting consumers and supporting technological innovation. Digital health innovators and other businesses whose strategies rely largely on the exchange of patient and other consumer personal information should watch closely as the FTC’s privacy and security enforcement landscape continues to unfold.