On December 12, 2017, the Federal Trade Commission hosted a workshop on informational injury in Washington, D.C., where industry experts, policymakers, researchers and legal professionals considered how to best characterize and measure potential injuries and resulting harms to consumers when information about them is misused or inappropriately protected.
Acting FTC Chairwoman Maureen Ohlhausen delivered opening remarks at the commencement of the day-long workshop and noted the key goals of the meeting were to (1) better identify different types of privacy injury, (2) explore frameworks for quantitatively measuring and estimating the risk of harm, and (3) better understand how consumers and businesses weigh the risks of increased exposure to privacy injuries against the benefits of personal information use. Another stated goal was to determine when FTC intervention may be warranted.
The four-panel workshop began with a discussion of types of informational injuries that can and do occur in the marketplace, followed by a discussion of potential factors to consider in assessing consumer injury. Later in the afternoon, the discussion turned to business and consumer perspectives on the benefits, costs and risks of collecting and sharing data. The workshop concluded with a panel on different methods for and challenges in measuring injury.
- Injuries 101: The first panel discussed negative outcomes that arise from unauthorized access to and misuse of consumers’ personal data. The discussion included an examination of the broad range of injuries that can occur. This was not limited to common informational injuries, such as financial harms resulting from identity theft, but also included lesser-known harms such as medical and biometric identity theft, doxing (which is the public release of documents people wish to keep private), stalkerware apps, algorithmic decision making, discrimination based on knowledge of sensitive data points, predictive policing and the personalization of services.
Panelists called on the FTC to take a number of measures to further study these informational risks and injuries, including studying different types of identity theft distinctly and not limiting this to one general topic, and writing reports on substantive harms that have meaningful impacts on people’s lives and the potential solutions.
More generally, panelists called for efforts to understand harms to come up with the appropriate measures and to take a multifactorial approach, considering different expertise and different victims and stakeholders. Such measures should include the creation of a clear set of societal norms for tech platforms and the development of ethical frameworks to guide information use.
- Potential Factors in Assessing Injury: The second panel discussed potential factors in assessing consumer injury, including types of injury, magnitude and the sensitivity of consumer data. Consideration was given to whether the same factors apply in both the privacy and security contexts, the risk of potential injury versus realized injury and when government intervention is warranted.
Panelists were presented with two consumer harm and injury hypotheticals (one in a privacy context, based on retail tracking and marketing, and one in a security context, based on unauthorized access to company consumer data) and asked to assess at which stage of the hypothetical they believed consumer injury was taking place. Responses varied with some noting that, in the retail tracking hypothetical, until actual harm is realized, no consumer injury has taken place, while others stated that retail tracking to determine aggregate consumer interest in a product could be enough to cause injury. Panelists were then asked at which stage of the hypotheticals they believed government intervention should occur. Some panelists stated it should occur if the information is sensitive, while others noted over-enforcement can be a deterrent to new technologies.
With respect to the data security hypothetical, panelists were asked the same question of which stage they believed injury occurred. Responses varied again, largely on similar logic, with some noting that unless actual harm is realized through the use of breached data, no injury occurs, and others taking the line that unauthorized access to consumer data alone is enough to constitute injury.
With respect to enforcement, one panelist noted that the FTC can look at these issues in a broader way than the court system. For instance, it can look at social harms in ways that courts cannot. Further, the unfairness doctrine under Section 5 of the FTC Act was mentioned as having the potential to help the FTC explore how to assess risk and harm.
Panelists also discussed the role of consumer expectations in determining (1) whether there was injury; (2) whether there should be a distinction between the collection of information and use of information (whereby use, but not collection, may result in injury); (3) risks associated with the use or failure to use sensitive data; (4) the role of considering countervailing benefits in assessing net injury; (5) whether quantifiability of harm is an effective or sufficient criterion for cognizable injury in the privacy context; and (6) the role of the market in mediating the issue of acceptable privacy risks.
- Business and Consumer Perspectives: The third panel examined how businesses and consumers perceive and evaluate the benefits, costs and risks of data collection and sharing in light of potential benefits and injuries. The panel also discussed considerations businesses take into account when choosing privacy and data security practices, and consumer decision making regarding sharing their information.
With respect to the business perspective, one panelist noted that when businesses try to assess risk they start by looking at the benefits, and most businesses go through privacy impact assessments to mitigate risks to an acceptable level in light of benefits. Another panelist took the view that businesses overestimate the benefits of data uses and are not internalizing the risks. A third panelist noted that business perspectives vary from sector to sector.
With respect to the consumer perspective, panelists noted that consumers view data as one aspect of the transaction and are willing to pay with information rather than money. They may not, however, be aware of what disclosing their information means and consumer education efforts to date have largely been ineffective. One panelist noted that default options are extremely important because people usually do not make choices if they do not fully understand them. Too many choices, however, can lead to complexity and can overburden consumers.
The session concluded with one panelist recommending that the FTC pursue other methods than the traditional approaches of transparency, notice, choice and consent, noting that these have been tried in the past and do not work. The data economy is too complex and a constantly moving target. In addition, it has to be considered that other areas of law and regulation (e.g., environment, nutrition, conflict resolution and arbitration, etc.) make similar demands on consumer attention through transparency, thereby adding to the burden on consumers. Panelists also suggested looking at what people do rather than what they say about privacy. One panelist stated that watching the big industry players and understanding their responsible data practices is an effective path forward. It was also suggested that consumers have only so much time to make choices and that responsible and ethical information use by companies is the way forward in protecting consumers.
- Measuring Injury: The final panel examined methods for and challenges in assessing informational injuries. Discussion points included how to quantify injury and the risk of injury, as well as how consumer choice and stated preferences can be accounted for.
Panelists noted that most work in measuring injury has been conducted through surveys. A key issue raised in this regard is the privacy paradox. In a survey, most people will state they care about privacy but do not act accordingly. Actual, rather than reported, preferences may be more insightful, but one panelist cautioned that this issue is complex and that one cannot generalize that “revealed action” is a better indicator than “stated preferences.” There may be other explanations for why people act the way they do other than for privacy-related reasons. Building on this point, one panelist noted the cyber insurance market shows what customers are willing to pay for privacy, but acknowledged the limitations and rarity of personal cyber insurance coverage.
Panelists agreed that further research is needed to gain an understanding of baseline risk and that to measure causal links, we need to have a better understanding of what causes injury to happen. One panelist called for more research on what prevents harm from happening. For the FTC and other government agencies going forward, panelists asked for thought to be given to new risks hitting consumers more directly, such as ransomware, and to consider appropriate remedies, taking into account the costs to the consumer. Another suggestion was to identify occasions of injury where there is no effect on individuals.
Andrew Stivers, Deputy Director for Consumer Protection in the Bureau of Economics of the FTC, delivered closing remarks and emphasized the importance to the FTC of continued work on informational injury.
The FTC will accept public comments on the workshop until January 26, 2018. Details regarding submissions can be found in the detailed public notice about the workshop.