Expectations Matter: The FTC’s Next Approach to Privacy

Consumer Expectations and Privacy

Recently, the Federal Trade Commission terminated its inquiry into Google’s “accidental” collection of Internet users’ personal data through its Street View vehicles after Google promised to improve its privacy efforts and delete the data. As you may recall, the investigation began after the FTC learned that Google’s Street View vehicles had been taking more than just pictures—the cars had also inadvertently collected and stored “payload” data, including passwords and email messages that were available over unsecured Wi-Fi networks.

Although critics are crying foul on the FTC, others are commending its decision. They argue that Google did nothing wrong, and that users transmitting their information over unsecured networks cannot expect privacy.

While this argument is certainly reasonable, another point (among many) should be made: Google disappointed not only unreasonable expectations of privacy, but also perfectly reasonable expectations. When a Street View car sets out to acquire information, we expect it to take pictures and chart streets. We do not expect it to record login information and emails—whether transmitted over secured networks or not. Likewise, when any company performs a service or sells a product, the public has certain expectations about the kinds of information it will collect and store. When companies ignore these expectations, the public rightly gets nervous.

Despite its decision to let Google off the hook, the FTC recently affirmed the role of consumer expectations in privacy policy. During a recent speech (.pdf) in New York, Commissioner Julie Brill discussed the FTC’s recent efforts to “re-think” privacy in the digital age. Its research started by conducting a series of public roundtable discussions to gauge consumer expectations and attitudes about privacy.

Judging from Brill’s remarks, the FTC’s new approach will be a needed improvement. Unlike its previous approaches, the agency’s new approach will be centered on consumer expectations. Such an approach is necessary in today’s technologically advanced economy, which depends on the routine exchange of information. By focusing on the unexpected uses of information, rather than the expected uses, the new approach will better protect the privacy of consumers while still accommodating the marketplace.

Privacy, Previously

According to Brill, the FTC’s latest privacy approach will be its third. The FTC’s first approach, starting in the mid-1990’s, used a “notice and choice” model. Under this model, the agency called for businesses to provide consumers with notice and choice about how their personally identifiable information would be used.

Despite its good intentions, this model has resulted in long and complex privacy policy statements that seem to be aimed at shielding websites from liability rather than informing consumers, according to Brill. By flooding consumers with every conceivable use of their information, companies are able to discreetly obscure unexpected and potentially harmful uses of information. With its focus on consumer expectations, the FTC’s new approach will hopefully discourage sprawling privacy policy statements in favor of clear, concise notices of unexpected uses of information.

In the early 2000s, the agency shifted to a “harm based” model, which is still in place today. Under this model, according to Brill, the agency focuses on harmful privacy practices and the risks of privacy-related consumer injuries. The harm based approach focuses on areas such as data security and data breaches, identity theft, children’s privacy, spam, and spyware.

According to Brill, the harm based model focuses too heavily on quantifiable harms and neglects other real but intangible harms. Such harms include those resulting from exposure of sensitive information such as information regarding religion, sexual orientation, or medical conditions. By allowing consumers themselves to define what constitutes harm, the FTC’s new approach can alleviate this problem. An approach informed by the public’s attitudes will likely recognize a broader range of potential harms—both tangible and intangible.

Privacy Now

Although we still await specifics about the FTC’s privacy report, Brill describes three issues it will address. First, it will promote proactive “privacy by design.” Privacy by design limits data collection to uses that are truly necessary, and implements reasonable procedures to ensure data security and accuracy. Second, the report will address transparency and encourage shorter and more consistent privacy notices, with the goal of allowing customers to compare privacy policies. Third, the report will address consumer choice and meaningful notice. Brill expressed her support for “streamlining” notices and focusing on “‘unexpected’ uses of consumer data, rather than on uses that consumers reasonably expect, such as giving their address to a shipping company in connection with an online product order.”

While we await the final details of the FTC report, at the very least, we can commend its concern with consumer expectations and its focus on unexpected uses of information in particular. Although consumer expectations are fluid and can be difficult to define, any effective privacy approach in our rapidly changing environment must be flexible enough to accommodate changing norms and technologies.

About the Author

Marshall Hogan

Marshall Hogan is a 2L at Columbia Law School
blog comments powered by Disqus