FTC Focuses on Potential Types of ‘Informational Injuries’ as It Re-Examines Approach to Consumer Privacy
Privacy in Focus®
As part of the Federal Trade Commission’s (FTC) ongoing re-evaluation of its approach to consumer privacy, recent comments from FTC staff have emphasized the need to differentiate between different kinds of potential harms that might occur from disclosure of consumer information – and called for more empirical research on that question from stakeholders. A recent staff perspective paper on informational injuries and a comment to the National Telecommunications and Information Administration (NTIA) reiterate the Commission’s approach to distinguishing different kinds of privacy-related harms as well as the call for more research. This kind of feedback will be important as the agency continues its “Hearings on Competition and Consumer Protection in the 21st Century” to further explore consumer privacy issues in the coming year.
The nature and extent of any harm from the disclosure of private information matters greatly to the FTC. In order to challenge a practice as “unfair,” the FTC must show that the challenged practice causes or is likely to cause substantial injury that is not reasonably avoidable by consumers, and that the injury is not outweighed by countervailing benefits to consumers or competition. And even in weighing whether to bring an enforcement action under a deception theory, or in determining whether and what kind of policy recommendations to make, the nature and severity of the harm are important. Staff weigh such a determination in exercising prosecutorial discretion and in evaluating whether the benefits of FTC action outweigh the costs. Robust, empirical studies to quantify certain kinds of harm from the disclosure of information can carry great weight in FTC decision-making regarding enforcement and policy development.
The FTC has recently sought out more information on what kinds of harms might result from disclosure of different kinds of consumer information. In December 2017, the FTC held a workshop on “informational injuries,” which staff explained as injuries “that consumers may suffer from privacy and security incidents, such as data breaches or unauthorized disclosure of data.” In October 2018, staff from the Bureau of Consumer Protection and Bureau of Economics released a staff perspective paper summarizing key takeaways from the workshop.
The staff perspective first provides examples of different kinds of informational injury, including:
- Doxing. Doxing involves the deliberate and targeted release of an individual’s private information, often with the intent of harassment or injury. The information can be used for social engineering attempts to trick individuals into revealing more private information, extortion attempts, and other sorts of harassment that can result in threats of physical harm.
- Disclosure of private information. Disclosure of personal information that an individual wishes to keep private – such as medical information – may potentially affect employment possibilities or negatively affect relationships with friends and family.
- Erosion of trust. Some participants suggested that unanticipated disclosures may “erode consumers’ trust in the ability of businesses to protect their data,” and thereby undermine benefits provided by online businesses.
- Medical identity theft. Use of a consumer’s identity to obtain health care services can not only potentially cause financial harm, but may also result in a consumer’s medical file containing inaccurate information, which could adversely affect the individual’s safety or treatment.
Second, staff notes that these injuries must be balanced against the potential benefits to consumers of collecting certain kinds of data, including enabling an ad-supported Internet model in which consumers pay little or no fees; preventing fraud and allowing for more robust identity verification; allowing for location-based map services; and allowing for the customization of services.
Third, staff notes that stakeholders continue to debate the potential benefits and costs of government action. Without resolving the debate, staff notes that participants “appeared to coalesce around several factors that governments should consider.” These include:
- Sensitivity of the data at issue. Social Security numbers, financial information, and health information are more sensitive than other kinds of information and weigh more heavily toward protection from disclosure.
- How the information will be used. On this, staff notes that “[i]nternal, expected uses would not generate the same level of concern as unexpected uses for some other purpose.”
- Whether the information is anonymized or identifiable. Sharing anonymized data could potentially be beneficial for research purposes.
Fourth, staff discusses the current state of research regarding the value consumers assign to the privacy of certain information. Staff describes the phenomenon of the “privacy paradox,” in which consumers state in surveys that they care about privacy, but then act in ways inconsistent with their stated preference – which has generated a range of potential explanations. Without resolving the competing explanations for the current studies, staff calls for more research to illuminate these issues, including:
- Further consumer surveys of what consumers value in protecting data, including studies that might attempt to quantify how much consumers value certain privacy protections.
- Empirical studies on the efficacy of data protection measures, such as credit card chips and multi-factor authentication, to inform determination of how effective certain measures can be.
- Studies to track downstream injury from information disclosure, such as attempting to link specific data breaches to a specific harm such as identity theft.
FTC staff’s recent comment to the NTIA, in response to a Request for Comment on developing the Administration’s privacy approach, echoes this framework of weighing injuries from information disclosure in assessing the costs and benefits of government action, including the potential effects on pro-consumer innovative technologies. In particular, the comment provides examples of privacy-related harms that fall into at least four categories, including financial injury, physical injury (such as risks of stalking), reputational injury, and unwarranted intrusions (including both intrusions into the sanctity of people’s homes and intimate lives as well as unwanted commercial intrusions). And it cites to numerous examples of how the use of consumer data can improve consumers’ lives, including improved consumer fraud detection, free or substantially discounted services, and safer homes, among others.
The FTC is continuing to re-assess its approach to privacy, including taking a closer look at balancing the costs and benefits of government action, and 2019 will provide more opportunity for comment. On February 12-13, the Commission will host a two-day hearing on consumer privacy, which it has billed as “the first comprehensive re-examination of the FTC’s approach to consumer privacy since 2012.” Many of the preliminary questions for consideration deal with how to define and quantify harm from disclosures of consumer information. The deadline for submitting comments is March 13, 2019, and as Wiley Rein has previously noted, FTC officials have encouraged stakeholders to submit comments with tangible, data-driven analysis on the topics of privacy-related harm. Expect the FTC to continue focusing on injury-related questions as it continues its evaluation of privacy law and policy.
 15 U.S.C. §§ 45(a), 45(n).
 See FTC Staff, FTC Informational Injury Workshop: BE and BCP Staff Perspective, October 2018, available at https://www.ftc.gov/system/files/documents/reports/ftc-informational-injury-workshop-be-bcp-staff-perspective/informational_injury_workshop_staff_report_-_oct_2018_0.pdf (“Staff Perspective”), at 1. The workshop homepage is at https://www.ftc.gov/news-events/events-calendar/2017/12/informational-injury-workshop.
 Staff Perspective at 2.
 Id. at 3.
 Id. at 1-2.
 Id. at 3.
 Id. at 4.
 Id. A related topic on which there was less agreement was whether the government should consider a greater risk of injury as part of its injury calculus. The workshop participants’ mixed views on this issue is reflective of recent FTC history. In overturning an FTC Administrative Law Judge’s ruling in favor of LabMD in a case that involved the disclosure of large volume of consumer data without an evidentiary record of actual misuse, the Commission, under then-Chairwoman Ramirez, articulated a theory that harm is present if the magnitude of potential injury is large even if the likelihood of injury is low. See In re LabMD, FTC Docket No. 9357, at 10, 21 (2016), available at https://www.ftc.gov/system/files/documents/cases/160729labmd-opinion.pdf. In overturning the Commission’s LabMD decision, the Eleventh Circuit did not reach the question of whether this is the appropriate standard. It remains to be seen whether the FTC under Chairman Simons will explicitly adopt this standard.
 Id. at 5-6.
 Id. at 6-7.
 Comment of FTC Staff, In re Developing the Administration’s Approach to Consumer Privacy, NTIA Docket No. 180821780-8780-01 (Nov. 9. 2018), available at https://www.ftc.gov/system/files/documents/advocacy_documents/ftc-staff-comment-ntia-developing-administrations-approach-consumer-privacy/p195400_ftc_comment_to_ntia_112018.pdf.
 Id. at 8-11.
 See FTC Press Release, “FTC Announces Sessions on Consumer Privacy and Data Security as Part of its Hearings on Competition and Consumer Protection in the 21st Century,” October 26, 2018, available at https://www.ftc.gov/news-events/press-releases/2018/10/ftc-announces-sessions-consumer-privacy-data-security-part-its.
 The hearing page is available at https://www.ftc.gov/news-events/events-calendar/ftc-hearing-competition-consumer-protection-21st-century-february-2019. Looking further out, the FTC will host its fourth annual PrivacyCon on June 27, 2019; the agency is seeking research presentations on consumer privacy and security issues, including the quantification of costs and benefits to consumers of keeping data about them private. More information is available at https://www.ftc.gov/news-events/events-calendar/privacycon-2019.
© 2019 Wiley Rein LLP