Archives For consumer protection

Last week, the FTC announced its complaint and consent decree with Nomi Technologies for failing to allow consumers to opt-out of cell phone tracking while shopping in retail stores. Whatever one thinks about Nomi itself, the FTC’s enforcement action represents another step in the dubious application of its enforcement authority against deceptive statements.

In response, Geoffrey Manne, Ben Sperry, and Berin Szoka have written a new ICLE White Paper, titled, In the Matter of Nomi, Technologies, Inc.: The Dark Side of the FTC’s Latest Feel-Good Case.

Nomi Technologies offers retailers an innovative way to observe how customers move through their stores, how often they return, what products they browse and for how long (among other things) by tracking the Wi-Fi addresses broadcast by customers’ mobile phones. This allows stores to do what websites do all the time: tweak their configuration, pricing, purchasing and the like in response to real-time analytics — instead of just eyeballing what works. Nomi anonymized the data it collected so that retailers couldn’t track specific individuals. Recognizing that some customers might still object, even to “anonymized” tracking, Nomi allowed anyone to opt-out of all Nomi tracking on its website.

The FTC, though, seized upon a promise made within Nomi’s privacy policy to provide an additional, in-store opt out and argued that Nomi’s failure to make good on this promise — and/or notify customers of which stores used the technology — made its privacy policy deceptive. Commissioner Wright dissented, noting that the majority failed to consider evidence that showed the promise was not material, arguing that the inaccurate statement was not important enough to actually affect consumers’ behavior because they could opt-out on the website anyway. Both Commissioners Wright’s and Commissioner Ohlhausen’s dissents argued that the FTC majority’s enforcement decision in Nomi amounted to prosecutorial overreach, imposing an overly stringent standard of review without any actual indication of consumer harm.

The FTC’s deception authority is supposed to provide the agency with the authority to remedy consumer harms not effectively handled by common law torts and contracts — but it’s not a blank check. The 1983 Deception Policy Statement requires the FTC to demonstrate:

  1. There is a representation, omission or practice that is likely to mislead the consumer;
  2. A consumer’s interpretation of the representation, omission, or practice is considered reasonable under the circumstances; and
  3. The misleading representation, omission, or practice is material (meaning the inaccurate statement was important enough to actually affect consumers’ behavior).

Under the DPS, certain types of claims are treated as presumptively material, although the FTC is always supposed to “consider relevant and competent evidence offered to rebut presumptions of materiality.” The Nomi majority failed to do exactly that in its analysis of the company’s claims, as Commissioner Wright noted in his dissent:

the Commission failed to discharge its commitment to duly consider relevant and competent evidence that squarely rebuts the presumption that Nomi’s failure to implement an additional, retail-level opt out was material to consumers. In other words, the Commission neglects to take into account evidence demonstrating consumers would not “have chosen differently” but for the allegedly deceptive representation.

As we discuss in detail in the white paper, we believe that the Commission committed several additional legal errors in its application of the Deception Policy Statement in Nomi, over and above its failure to adequately weigh exculpatory evidence. Exceeding the legal constraints of the DPS isn’t just a legal problem: in this case, it’s led the FTC to bring an enforcement action that will likely have the very opposite of its intended result, discouraging rather than encouraging further disclosure.

Moreover, as we write in the white paper:

Nomi is the latest in a long string of recent cases in which the FTC has pushed back against both legislative and self-imposed constraints on its discretion. By small increments (unadjudicated consent decrees), but consistently and with apparent purpose, the FTC seems to be reverting to the sweeping conception of its power to police deception and unfairness that led the FTC to a titanic clash with Congress back in 1980.

The Nomi case presents yet another example of the need for FTC process reforms. Those reforms could ensure the FTC focuses on cases that actually make consumers better off. But given the FTC majority’s unwavering dedication to maximizing its discretion, such reforms will likely have to come from Congress.

Find the full white paper here.

Recent years have seen an increasing interest in incorporating privacy into antitrust analysis. The FTC and regulators in Europe have rejected these calls so far, but certain scholars and activists continue their attempts to breathe life into this novel concept. Elsewhere we have written at length on the scholarship addressing the issue and found the case for incorporation wanting. Among the errors proponents make is a persistent (and woefully unsubstantiated) assertion that online data can amount to a barrier to entry, insulating incumbent services from competition and ensuring that only the largest providers thrive. This data barrier to entry, it is alleged, can then allow firms with monopoly power to harm consumers, either directly through “bad acts” like price discrimination, or indirectly by raising the costs of advertising, which then get passed on to consumers.

A case in point was on display at last week’s George Mason Law & Economics Center Briefing on Big Data, Privacy, and Antitrust. Building on their growing body of advocacy work, Nathan Newman and Allen Grunes argued that this hypothesized data barrier to entry actually exists, and that it prevents effective competition from search engines and social networks that are interested in offering services with heightened privacy protections.

According to Newman and Grunes, network effects and economies of scale ensure that dominant companies in search and social networking (they specifically named Google and Facebook — implying that they are in separate markets) operate without effective competition. This results in antitrust harm, they assert, because it precludes competition on the non-price factor of privacy protection.

In other words, according to Newman and Grunes, even though Google and Facebook offer their services for a price of $0 and constantly innovate and upgrade their products, consumers are nevertheless harmed because the business models of less-privacy-invasive alternatives are foreclosed by insufficient access to data (an almost self-contradicting and silly narrative for many reasons, including the big question of whether consumers prefer greater privacy protection to free stuff). Without access to, and use of, copious amounts of data, Newman and Grunes argue, the algorithms underlying search and targeted advertising are necessarily less effective and thus the search product without such access is less useful to consumers. And even more importantly to Newman, the value to advertisers of the resulting consumer profiles is diminished.

Newman has put forth a number of other possible antitrust harms that purportedly result from this alleged data barrier to entry, as well. Among these is the increased cost of advertising to those who wish to reach consumers. Presumably this would harm end users who have to pay more for goods and services because the costs of advertising are passed on to them. On top of that, Newman argues that ad networks inherently facilitate price discrimination, an outcome that he asserts amounts to antitrust harm.

FTC Commissioner Maureen Ohlhausen (who also spoke at the George Mason event) recently made the case that antitrust law is not well-suited to handling privacy problems. She argues — convincingly — that competition policy and consumer protection should be kept separate to preserve doctrinal stability. Antitrust law deals with harms to competition through the lens of economic analysis. Consumer protection law is tailored to deal with broader societal harms and aims at protecting the “sanctity” of consumer transactions. Antitrust law can, in theory, deal with privacy as a non-price factor of competition, but this is an uneasy fit because of the difficulties of balancing quality over two dimensions: Privacy may be something some consumers want, but others would prefer a better algorithm for search and social networks, and targeted ads with free content, for instance.

In fact, there is general agreement with Commissioner Ohlhausen on her basic points, even among critics like Newman and Grunes. But, as mentioned above, views diverge over whether there are some privacy harms that should nevertheless factor into competition analysis, and on whether there is in fact  a data barrier to entry that makes these harms possible.

As we explain below, however, the notion of data as an antitrust-relevant barrier to entry is simply a myth. And, because all of the theories of “privacy as an antitrust harm” are essentially predicated on this, they are meritless.

First, data is useful to all industries — this is not some new phenomenon particular to online companies

It bears repeating (because critics seem to forget it in their rush to embrace “online exceptionalism”) that offline retailers also receive substantial benefit from, and greatly benefit consumers by, knowing more about what consumers want and when they want it. Through devices like coupons and loyalty cards (to say nothing of targeted mailing lists and the age-old practice of data mining check-out receipts), brick-and-mortar retailers can track purchase data and better serve consumers. Not only do consumers receive better deals for using them, but retailers know what products to stock and advertise and when and on what products to run sales. For instance:

  • Macy’s analyzes tens of millions of terabytes of data every day to gain insights from social media and store transactions. Over the past three years, the use of big data analytics alone has helped Macy’s boost its revenue growth by 4 percent annually.
  • Following its acquisition of Kosmix in 2011, Walmart established @WalmartLabs, which created its own product search engine for online shoppers. In the first year of its use alone, the number of customers buying a product on Walmart.com after researching a purchase increased by 20 percent. According to Ron Bensen, the vice president of engineering at @WalmartLabs, the combination of in-store and online data could give brick-and-mortar retailers like Walmart an advantage over strictly online stores.
  • Panera and a whole host of restaurants, grocery stores, drug stores and retailers use loyalty cards to advertise and learn about consumer preferences.

And of course there is a host of others uses for data, as well, including security, fraud prevention, product optimization, risk reduction to the insured, knowing what content is most interesting to readers, etc. The importance of data stretches far beyond the online world, and far beyond mere retail uses more generally. To describe even online giants like Amazon, Apple, Microsoft, Facebook and Google as having a monopoly on data is silly.

Second, it’s not the amount of data that leads to success but building a better mousetrap

The value of knowing someone’s birthday, for example, is not in that tidbit itself, but in the fact that you know this is a good day to give that person a present. Most of the data that supports the advertising networks underlying the Internet ecosphere is of this sort: Information is important to companies because of the value that can be drawn from it, not for the inherent value of the data itself. Companies don’t collect information about you to stalk you, but to better provide goods and services to you.

Moreover, data itself is not only less important than what can be drawn from it, but data is also less important than the underlying product it informs. For instance, Snapchat created a challenger to  Facebook so successfully (and in such short time) that Facebook attempted to buy it for $3 billion (Google offered $4 billion). But Facebook’s interest in Snapchat wasn’t about its data. Instead, Snapchat was valuable — and a competitive challenge to Facebook — because it cleverly incorporated the (apparently novel) insight that many people wanted to share information in a more private way.

Relatedly, Twitter, Instagram, LinkedIn, Yelp, Pinterest (and Facebook itself) all started with little (or no) data and they have had a lot of success. Meanwhile, despite its supposed data advantages, Google’s attempts at social networking — Google+ — have never caught up to Facebook in terms of popularity to users (and thus not to advertisers either). And scrappy social network Ello is starting to build a significant base without data collection for advertising at all.

At the same time it’s simply not the case that the alleged data giants — the ones supposedly insulating themselves behind data barriers to entry — actually have the type of data most relevant to startups anyway. As Andres Lerner has argued, if you wanted to start a travel business, the data from Kayak or Priceline would be far more relevant. Or if you wanted to start a ride-sharing business, data from cab companies would be more useful than the broad, market-cross-cutting profiles Google and Facebook have. Consider companies like Uber, Lyft and Sidecar that had no customer data when they began to challenge established cab companies that did possess such data. If data were really so significant, they could never have competed successfully. But Uber, Lyft and Sidecar have been able to effectively compete because they built products that users wanted to use — they came up with an idea for a better mousetrap.The data they have accrued came after they innovated, entered the market and mounted their successful challenges — not before.

In reality, those who complain about data facilitating unassailable competitive advantages have it exactly backwards. Companies need to innovate to attract consumer data, otherwise consumers will switch to competitors (including both new entrants and established incumbents). As a result, the desire to make use of more and better data drives competitive innovation, with manifestly impressive results: The continued explosion of new products, services and other apps is evidence that data is not a bottleneck to competition but a spur to drive it.

Third, competition online is one click or thumb swipe away; that is, barriers to entry and switching costs are low

Somehow, in the face of alleged data barriers to entry, competition online continues to soar, with newcomers constantly emerging and triumphing. This suggests that the barriers to entry are not so high as to prevent robust competition.

Again, despite the supposed data-based monopolies of Facebook, Google, Amazon, Apple and others, there exist powerful competitors in the marketplaces they compete in:

  • If consumers want to make a purchase, they are more likely to do their research on Amazon than Google.
  • Google flight search has failed to seriously challenge — let alone displace —  its competitors, as critics feared. Kayak, Expedia and the like remain the most prominent travel search sites — despite Google having literally purchased ITA’s trove of flight data and data-processing acumen.
  • People looking for local reviews go to Yelp and TripAdvisor (and, increasingly, Facebook) as often as Google.
  • Pinterest, one of the most highly valued startups today, is now a serious challenger to traditional search engines when people want to discover new products.
  • With its recent acquisition of the shopping search engine, TheFind, and test-run of a “buy” button, Facebook is also gearing up to become a major competitor in the realm of e-commerce, challenging Amazon.
  • Likewise, Amazon recently launched its own ad network, “Amazon Sponsored Links,” to challenge other advertising players.

Even assuming for the sake of argument that data creates a barrier to entry, there is little evidence that consumers cannot easily switch to a competitor. While there are sometimes network effects online, like with social networking, history still shows that people will switch. MySpace was considered a dominant network until it made a series of bad business decisions and everyone ended up on Facebook instead. Similarly, Internet users can and do use Bing, DuckDuckGo, Yahoo, and a plethora of more specialized search engines on top of and instead of Google. And don’t forget that Google itself was once an upstart new entrant that replaced once-household names like Yahoo and AltaVista.

Fourth, access to data is not exclusive

Critics like Newman have compared Google to Standard Oil and argued that government authorities need to step in to limit Google’s control over data. But to say data is like oil is a complete misnomer. If Exxon drills and extracts oil from the ground, that oil is no longer available to BP. Data is not finite in the same way. To use an earlier example, Google knowing my birthday doesn’t limit the ability of Facebook to know my birthday, as well. While databases may be proprietary, the underlying data is not. And what matters more than the data itself is how well it is analyzed.

This is especially important when discussing data online, where multi-homing is ubiquitous, meaning many competitors end up voluntarily sharing access to data. For instance, I can use the friend-finder feature on WordPress to find Facebook friends, Google connections, and people I’m following on Twitter who also use the site for blogging. Using this feature allows WordPress to access your contact list on these major online players.

Friend-Finder

Further, it is not apparent that Google’s competitors have less data available to them. Microsoft, for instance, has admitted that it may actually have more data. And, importantly for this discussion, Microsoft may have actually garnered some of its data for Bing from Google.

If Google has a high cost per click, then perhaps it’s because it is worth it to advertisers: There are more eyes on Google because of its superior search product. Contra Newman and Grunes, Google may just be more popular for consumers and advertisers alike because the algorithm makes it more useful, not because it has more data than everyone else.

Fifth, the data barrier to entry argument does not have workable antitrust remedies

The misguided logic of data barrier to entry arguments leaves a lot of questions unanswered. Perhaps most important among these is the question of remedies. What remedy would apply to a company found guilty of leveraging its market power with data?

It’s actually quite difficult to conceive of a practical means for a competition authority to craft remedies that would address the stated concerns without imposing enormous social costs. In the unilateral conduct context, the most obvious remedy would involve the forced sharing of data.

On the one hand, as we’ve noted, it’s not clear this would actually accomplish much. If competitors can’t actually make good use of data, simply having more of it isn’t going to change things. At the same time, such a result would reduce the incentive to build data networks to begin with. In their startup stage, companies like Uber and Facebook required several months and hundreds of thousands, if not millions, of dollars to design and develop just the first iteration of the products consumers love. Would any of them have done it if they had to share their insights? In fact, it may well be that access to these free insights is what competitors actually want; it’s not the data they’re lacking, but the vision or engineering acumen to use it.

Other remedies limiting collection and use of data are not only outside of the normal scope of antitrust remedies, they would also involve extremely costly court supervision and may entail problematic “collisions between new technologies and privacy rights,” as the last year’s White House Report on Big Data and Privacy put it.

It is equally unclear what an antitrust enforcer could do in the merger context. As Commissioner Ohlhausen has argued, blocking specific transactions does not necessarily stop data transfer or promote privacy interests. Parties could simply house data in a standalone entity and enter into licensing arrangements. And conditioning transactions with forced data sharing requirements would lead to the same problems described above.

If antitrust doesn’t provide a remedy, then it is not clear why it should apply at all. The absence of workable remedies is in fact a strong indication that data and privacy issues are not suitable for antitrust. Instead, such concerns would be better dealt with under consumer protection law or by targeted legislation.

In short, all of this hand-wringing over privacy is largely a tempest in a teapot — especially when one considers the extent to which the White House and other government bodies have studiously ignored the real threat: government misuse of data à la the NSA. It’s almost as if the White House is deliberately shifting the public’s gaze from the reality of extensive government spying by directing it toward a fantasy world of nefarious corporations abusing private information….

The White House’s proposed bill is emblematic of many government “fixes” to largely non-existent privacy issues, and it exhibits the same core defects that undermine both its claims and its proposed solutions. As a result, the proposed bill vastly overemphasizes regulation to the dangerous detriment of the innovative benefits of Big Data for consumers and society at large.

Rate this:

Continue Reading...
On Wednesday, March 18, our fellow law-and-economics-focused brethren at George Mason’s Law and Economics Center will host a very interesting morning briefing on the intersection of privacy, big data, consumer protection, and antitrust. FTC Commissioner Maureen Ohlhausen will keynote and she will be followed by what looks like will be a lively panel discussion. If you are in DC you can join in person, but you can also watch online. More details below.
Please join the LEC in person or online for a morning of lively discussion on this topic. FTC Commissioner Maureen K. Ohlhausen will set the stage by discussing her Antitrust Law Journal article, “Competition, Consumer Protection and The Right [Approach] To Privacy“. A panel discussion on big data and antitrust, which includes some of the leading thinkers on the subject, will follow.
Other featured speakers include:

Allen P. Grunes
Founder, The Konkurrenz Group and Data Competition Institute

Andres Lerner
Executive Vice President, Compass Lexecon

Darren S. Tucker
Partner, Morgan Lewis

Nathan Newman
Director, Economic and Technology Strategies LLC

Moderator: James C. Cooper
Director, Research and Policy, Law & Economics Center

A full agenda is available click here.

Anybody who has spent much time with children knows how squishy a concept “unfairness” can be.  One can hear the exchange, “He’s not being fair!” “No, she’s not!,” only so many times before coming to understand that unfairness is largely in the eye of the beholder.

Perhaps it’s unfortunate, then, that Congress chose a century ago to cast the Federal Trade Commission’s authority in terms of preventing “unfair methods of competition.”  But that’s what it did, and the question now is whether there is some way to mitigate this “eye of the beholder” problem.

There is.

We know that any business practice that violates the substantive antitrust laws (the Sherman and Clayton Acts) is an unfair method of competition, so we can look to Sherman and Clayton Act precedents to assess the “unfairness” of business practices that those laws reach.  But what about the Commission’s so-called “standalone” UMC authority—its power to prevent business practices that seem to impact competition unfairly but are not technically violations of the substantive antitrust laws?

Almost two years ago, Commissioner Josh Wright recognized that if the FTC’s standalone UMC authority is to play a meaningful role in assuring market competition, the Commission should issue guidelines on what constitutes an unfair method of competition. He was right.  The Commission, you see, really has only four options with respect to standalone Section 5 claims:

  1. It could bring standalone actions based on current commissioners’ considered judgments about what constitutes unfairness. Such an approach, though, is really inconsistent with the rule of law. Past commissioners, for example, have gone so far as to suggest that practices causing “resource depletion, energy waste, environmental contamination, worker alienation, [and] the psychological and social consequences of producer-stimulated demands” could be unfair methods of competition. Maybe our current commissioners wouldn’t cast so wide a net, but they’re not always going to be in power. A government of laws and not of men simply can’t mete out state power on the basis of whim.
  2. It could bring standalone actions based on unfairness principles appearing in Section 5’s “common law.” The problem here is that there is no such common law. As Commissioner Wright has observed and I have previously explained, a common law doesn’t just happen. Development of a common law requires vigorously litigated disputes and reasoned, published opinions that resolve those disputes and serve as precedent. Section 5 “litigation,” such as it is, doesn’t involve any of that.
    • First, standalone Section 5 disputes tend not to be vigorously litigated. Because the FTC acts as both prosecutor and judge in such actions, their outcome is nearly a foregone conclusion. When FTC staff win before the administrative law judge, the ALJ’s decision is always affirmed by the full commission; when staff loses with the ALJ, the full Commission always reverses. Couple this stacked deck with the fact that unfairness exists in the eye of the beholder and will therefore change with the composition of the Commission, and we end up with a situation in which accused parties routinely settle. As Commissioner Wright observes, “parties will typically prefer to settle a Section 5 claim rather than go through lengthy and costly litigation in which they are both shooting at a moving target and have the chips stacked against them.”
    • The consent decrees that memorialize settlements, then, offer little prospective guidance. They usually don’t include any detailed explanation of why the practice at issue was an unfair method of competition. Even if they did, it wouldn’t matter much; the Commission doesn’t treat its own enforcement decisions as precedent. In light of the realities of Section 5 litigation, there really is no Section 5 common law.
  3. It could refrain from bringing standalone Section 5 actions and pursue only business practices that violate the substantive antitrust laws. Substantive antitrust violations constitute unfair methods of competition, and the federal courts have established fairly workable principles for determining when business practices violate the Sherman and Clayton Acts. The FTC could therefore avoid the “eye of the beholder” problem by limiting its UMC authority to business conduct that violates the antitrust laws. Such an approach, though, would prevent the FTC from policing conduct that, while not technically an antitrust violation, is anticompetitive and injurious to consumers.
  4. It could bring standalone Section 5 actions based on articulated guidelines establishing what constitutes an unfair method of competition. This is really the only way to use Section 5 to pursue business practices that are not otherwise antitrust violations, without offending the rule of law.

Now, if the FTC is to take this fourth approach—the only one that both allows for standalone Section 5 actions and honors rule of law commitments—it obviously has to settle on a set of guidelines.  Fortunately, it has almost done so!

Since Commissioner Wright called for Section 5 guidelines almost two years ago, much ink has been spilled outlining and critiquing proposed guidelines.  Commissioner Wright got the ball rolling by issuing his own proposal along with his call for the adoption of guidelines.  Commissioner Ohlhausen soon followed suit, proposing a slightly broader set of principles.  Numerous commentators then joined the conversation (a number doing so in a TOTM symposium), and each of the other commissioners has now stated her own views.

A good deal of consensus has emerged.  Each commissioner agrees that Section 5 should be used to prosecute only conduct that is actually anticompetitive (as defined by the federal courts).  There is also apparent consensus on the view that standalone Section 5 authority should not be used to challenge conduct governed by well-forged liability principles under the Sherman and Clayton Acts.  (For example, a practice routinely evaluated under Section 2 of the Sherman Act should not be pursued using standalone Section 5 authority.)  The commissioners, and the vast majority of commentators, also agree that there should be some efficiencies screen in prosecution decisions.  The remaining disagreement centers on the scope of the efficiencies screen—i.e., how much of an efficiency benefit must a business practice confer in order to be insulated from standalone Section 5 liability?

On that narrow issue—the only legitimate point of dispute remaining among the commissioners—three views have emerged:  Commissioner Wright would refrain from prosecuting if the conduct at issue creates any cognizable efficiencies; Commissioner Ohlhausen would do so as long as the efficiencies are not disproportionately outweighed by anticompetitive harms; Chairwoman Ramirez would engage in straightforward balancing (not a “disproportionality” inquiry) and would refrain from prosecution only where efficiencies outweigh anticompetitive harms.

That leaves three potential sets of guidelines.  In each, it would be necessary that a behavior subject to any standalone Section 5 action (1) create actual or likely anticompetitive harm, and (2) not be subject to well-forged case law under the traditional antitrust laws (so that pursuing the action might cause the distinction between lawful and unlawful commercial behavior to become blurred).  Each of the three sets of guidelines would also include an efficiencies screen—either (3a) the conduct lacks cognizable efficiencies, (3b) the harms created by the conduct are disproportionate to the conduct’s cognizable efficiencies, or (3c) the harms created by the conduct are not outweighed by cognizable efficiencies.

As Commissioner Wright has observed any one of these sets of guidelines would be superior to the status quo.  Accordingly, if the commissioners could agree on the acceptability of any of them, they could improve the state of U.S. competition law.

Recognizing as much, Commissioner Wright is wisely calling on the commissioners to vote on the acceptability of each set of guidelines.  If any set is deemed acceptable by a majority of commissioners, it should be promulgated as official FTC Guidance.  (Presumably, if more than one set commands majority support, the set that most restrains FTC enforcement authority would be the one promulgated as FTC Guidance.)

Of course, individual commissioners might just choose not to vote.  That would represent a sad abdication of authority.  Given that there isn’t (and under current practice, there can’t be) a common law of Section 5, failure to vote on a set of guidelines would effectively cast a vote for either option 1 stated above (ignore rule of law values) or option 3 (limit Section 5’s potential to enhance consumer welfare).  Let’s hope our commissioners don’t relegate us to those options.

The debate has occurred.  It’s time to vote.

In a previous Truth on the Market blog posting, I noted that the FTC recently revised its “advertising substantiation” policy in a highly problematic manner.  In particular, in a number of recent enforcement actions, an FTC majority has taken the position that it will deem advertising claims “deceptive” unless they are supported by two randomized controlled tests (RCTs), and (in the case of food and drug supplements) will require companies to obtain prior U.S. Food and Drug Administration (FDA) approval for future advertising claims.  As I explained in a Heritage Foundation Legal Memorandum, these and other new burdens “may deter firms from investing in new health-related product improvements, in which event consumers who are denied new and beneficial products (as well as useful information about the attributes of current products) will be the losers.  Competition will also suffer as businesses shy away from informational advertising that rewards the highest quality current products and encourages firms to compete on the basis of quality.  Furthermore, the broad scope of these requirements is in tension with the constitutional prohibition on restricting commercial speech no more than is necessary to satisfy legitimate statutory purposes.” (NOTABLY, Commissioner Maureen Ohlhausen has argued against categorically imposing a two RCTs requirement in all cases , explaining that “[i]f we demand too high a level of substantiation in pursuit of certainty, we risk losing the benefits to consumers of having access to information about emerging areas of science and the corresponding pressure on firms to compete on the health features of their products.”  Commissioner Joshua Wright has also opined “that a reflexive approach in requiring two RCTs as fencing-in relief might not always be in the best interest of consumers.”)

In a January 30, 2015 decision, POM Wonderful, LLC v. FTC, the D.C. Circuit took an initial step that may help rein in FTC enthusiasm for imposing a “two RCTs” requirement on future advertising by a firm.  The FTC ruled in 2013 that POM Wonderful, a producer and seller of pomegranate products, violated the FTC Act by making advertisements that suggested POM products could treat, prevent, or reduce heart disease, prostate cancer, and erectile dysfunction.  According to the FTC, the ads were false and misleading because POM lacked valid and adequate scientific evidence to substantiate its claims.  (The FTC determined that scientific findings cited by POM, based on over $35 million of pomegranate-related research, had not been supported by subsequent studies.)   The FTC entered a cease and desist order that barred POM from making future disease claims (claims that its products treat, prevent, or reduce a disease) about its products without “competent and reliable” scientific evidence.  Specifically, the FTC’s order required that such future claims be supported by at least two RCTs.  (NOTABLY, Commissioner Ohlhausen disagreed with the majority’s view that two RCTs were warranted and would have required only one RCT, regarding that study in light of other available scientific evidence.)

POM appealed to the D.C. Circuit, which unanimously held that there was no basis for setting aside the FTC’s finding that many of POM’s ads made false or misleading claims; that there was no First Amendment protection for deceptive advertising; and that requiring an RCT was not too onerous and did not violate the First Amendment.  The court concluded that “the [FTC] injunctive order’s requirement of some RCT substantiation for disease claims directly advances, and is not more extensive than necessary to serve, the interest in preventing misleading commercial speech”, consistent with the test for evaluating commercial speech enunciated by the Supreme Court in Central Hudson.  The court, however, also held that “a categorical floor of two RCTs for any and all disease claims . . . fails Central Hudson scrutiny”.  The court stressed that the FTC “fails to demonstrate how such a rigid remedial rule bears the requisite ‘reasonable fit’ with the interest in preventing deceptive speech.”  Significantly, the court also enunciated a strong policy justification, rooted in First Amendment commercial speech concerns, for precluding a categorical “two RCTs” rule:

“Requiring additional RCTs without adequate justification exacts considerable costs, and not just in terms of the substantial resources often necessary to design and conduct a properly randomized and controlled human clinical trial.  If there is a categorical bar against claims about the disease-related benefits of a food product or dietary supplement in the absence of two RCTs, consumers may be denied useful, truthful information about products with a demonstrated capacity to treat or prevent serious disease.  That would subvert rather than promote the objectives of the commercial speech doctrine.”

Accordingly, the court modified the FTC’s order to require that POM possess at least one RCT in support of future health-related advertising claims.  Assuming that the D.C. Circuit’s POM decision is not appealed and remains in force, future advertisers investigated by the FTC will have stronger grounds to resist FTC efforts to impose “two or more RCT” requirements as part of a decree.

This is just a small step in badly-needed reforms, however.  Even a single RCT is unnecessarily onerous in many market settings (and, in my view, ignores the teachings of Central Hudson).  More broadly, as I have previously argued, the FTC should rethink its entire approach and issue new advertising substantiation guidelines that state the FTC:  (1) will seek to restrict commercial speech to the smallest extent possible, consistent with fraud prevention; (2) will apply strict cost-benefit analysis in investigating advertising claims and framing remedies in advertising substantiation cases; (3) will apply a reasonableness standard in such cases, consistent with general guidance found in a 1983 FTC policy statement; (4) will not require clinical studies be conducted in order to substantiate advertising claims; (5) will not require that the FDA or any other agency be involved in approving or reviewing advertising claims; and (6) will avoid excessive “fencing in” relief that extends well beyond the ambit of the alleged harm associated with statements that the FTC deems misleading.  Enactment of such guidelines may be a long-term project, requiring a change in Commission thinking, but it is well worth pursuing, in order to advance both free commercial speech and consumer welfare.

Today the Federal Trade Commission (FTC) missed the mark in authorizing release of a staff report calling for legislation and regulation of the “Internet of Things.”

The Internet of Things is already affecting the daily lives of millions of Americans through the adoption of health and fitness monitors, home security devices, connected cars and household appliances, among other applications.  Such devices offer the potential for improved health-monitoring, safer highways, and more efficient home energy use, and a myriad of other potential benefits.  The rapidly increasing use of such devices, which transfer data electronically, also raises privacy and security concerns.  In November 2014 the FTC convened a one-day workshop to study the rapidly changing Internet of Things.

On January 27, 2015, the FTC staff released a report based on the record established by the workshop and follow-on comments from the public.  Unfortunately, the report went far beyond describing the state of play and setting forth the views of interested parties.  In particular, the FTC staff recommended detailed approaches businesses should follow to promote security and privacy in the Internet of Things, and repeated its prior call for strong data security and breach notification legislation.  The FTC voted 4-1 to issue the staff report, with Commissioner Joshua Wright dissenting and Commissioner Maureen Ohlhausen concurring but expressing opposition to two of the report’s recommendations (calling for privacy legislation and for companies to delete “excessive” but valuable data).

Commissioner Wright’s thoughtful dissent centers on the report’s failure to apply cost-benefit analysis to its recommendations, without which it is not possible to determine whether the recommendations are socially beneficial or harmful.  As Wright points out (footnotes omitted):

“Acknowledging in passing, as the Workshop Report does, that various courses of actions related to the Internet of Things may well have some potential costs and benefits does not come close to passing muster as cost-benefit analysis. The Workshop Report does not perform any actual analysis whatsoever to ensure that, or even to give a rough sense of the likelihood that the benefits of the staff’s various proposals exceed their attendant costs. Instead, the Workshop Report merely relies upon its own assertions and various surveys that are not necessarily representative and, in any event, do not shed much light on actual consumer preferences as revealed by conduct in the marketplace. This is simply not good enough; there is too much at stake for consumers as the Digital Revolution begins to transform their homes, vehicles, and other aspects of daily life.”

More specifically, Wright critiques the FTC’s proposal that companies limit the scope of data retention (“data minimization”) to protect consumers’ “reasonable expectations” and deter data thieves – as he explains, this proposal fails to discuss the magnitude of such costs to consumers and supplies no evidence demonstrating that the benefits of data minimization will outweigh its costs to consumers.  In a similar vein, Wright opposes the report’s proposal that companies adopt specific “security by design” measures, noting that:

“Relying upon the application of these concepts and the Fair Information Practice Principles to the Internet of Things can instead substitute for the sort of rigorous economic analysis required to understand the tradeoffs facing firms and consumers. An economic and evidence-based approach sensitive to those tradeoffs is much more likely to result in consumer-welfare enhancing consumer protection regulation. To the extent concepts such as security by design or data minimization are endorsed at any cost – or without regard to whether the marginal cost of a particular decision exceeds its marginal benefits – then application of these principles will result in greater compliance costs without countervailing benefit. Such costs will be passed on to consumers in the form of higher prices or less useful products, as well as potentially deter competition and innovation among firms participating in the Internet of Things.”

In sum, Wright concludes:

“Before setting forth industry best practices and recommendations for broad-based privacy legislation relating to the Internet of Things – proposals that could have a profound impact upon consumers – the Commission and its staff should, at a minimum, undertake the necessary work not only to identify the potential costs and benefits of implementing such best practices and recommendations, but also to perform analysis sufficient to establish with reasonable confidence that such benefits are not outweighed by their costs at the margin of policy intervention.”

The FTC does best when it rigorously evaluates the costs and benefits of its regulatory recommendations and proposed enforcement actions.  Unfortunately, in recent years it has lost sight of this common sense principle (particularly in the consumer protection area) in imposing highly burdensome advertising substantiation and data security enforcement requirements through litigation and consent decrees.  The detailed recommendations in the Internet of Things report suggest that the FTC may be eyeing public reports as a new source of “friendly persuasion.”  Because many firms may choose to adopt costly FTC business practice “suggestions” so as to avoid costly investigations and litigation, the actual harm in foregone business innovation and consumer welfare losses may not be readily apparent.  The competitive process and American consumers, however, are the losers – as are smaller companies that can less afford to absorb the costs of FTC micromanagement than their larger rivals.

In my just published Heritage Foundation Legal Memorandum, I argue that the U.S. Federal Trade Commission (FTC) should substantially scale back its overly aggressive “advertising substantiation” program, which disincentivizes firms from providing the public with valuable information about the products they sell.  As I explain:

“The . . . [FTC] has a long history of vigorously combating false and deceptive advertising under its statutory authorities, but recent efforts by the FTC to impose excessive ‘advertising substantiation’ requirements on companies go far beyond what is needed to combat false advertising. Such actions threaten to discourage companies from providing useful information that consumers value and that improves the workings of the marketplace. They also are in tension with constitutional protection for commercial speech. The FTC should reform its advertising substantiation policy and allow businesses greater flexibility to tailor their advertising practices, which would further the interests of both consumers and businesses. It should also decline to seek ‘disgorgement’ of allegedly ‘ill-gotten gains’ in cases involving advertising substantiation.”

In particular, I recommend that the FTC issue a revised policy statement explaining that it will seek to restrict commercial speech to the minimum extent possible, consistent with fraud prevention, and will not require onerous clinical studies to substantiate non-fraudulent advertising claims.  I also urge that the FTC clarify that it will only seek equitable remedies (including injunctions and financial exactions) in court for cases of clear fraud.

Recently I highlighted problems with the FTC’s enforcement actions targeting companies’ data security protection policies, and recommended that the FTC adopt a cost-benefit approach to regulation in this area.  Yesterday the Heritage Foundation released a more detailed paper by me on this topic, replete with recommendations for new FTC guidance and specific reforms aimed at maintaining appropriate FTC oversight while reducing excessive burdens.  Happy reading!

The U.S. Federal Trade Commission (FTC) continues to expand its presence in online data regulation.  On August 13 the FTC announced a forthcoming workshop to explore appropriate policies toward “big data,” a term used to refer to advancing technologies that are dramatically expanding the commercial collection, analysis, use, and storage of data.  This initiative follows on the heels of the FTC’s May 2014 data broker report, which recommended that Congress impose a variety of requirements on companies that legally collect and sell consumers’ personal information.  (Among other requirements, companies would be required to create consumer data “portals” and implement business procedures that allow consumers to edit and suppress use of their data.)  The FTC also is calling for legislation that would enhance its authority over data security standards and empower it to issue rules requiring companies to inform consumers of security breaches.

These recent regulatory initiatives are in addition to the Commission’s active consumer data enforcement efforts.  Some of these efforts are pursuant to three targeted statutory authorizations – the FTC’s Safeguards Rule (promulgated pursuant to the Gramm-Leach-Bliley Act and directed at non-bank financial institutions), the Fair Credit Reporting Act (directed at consumer protecting agencies), and the Children’s Online Privacy Protection Act (directed at children’s information collected online).

The bulk of the FTC’s enforcement efforts, however, stem from its general authority to proscribe unfair or deceptive practices under Section 5(a)(1) of the FTC ActSince 2002, pursuant to its Section 5 powers, the FTC has filed and settled over 50 cases alleging that private companies used deceptive or ineffective (and thus unfair) practices in storing their data.  (Twitter, LexisNexis, ChoicePoint, GMR Transcription Services, GeneLink, Inc., and mobile device provider HTC are just a few of the firms that have agreed to settle.)  Settlements have involved consent decrees under which the company in question agreed to take a wide variety of “corrective measures” to avoid future harm.

As a matter of first principles, one may question the desirability of FTC data security investigations under Section 5.  Firms have every incentive to avoid data protection breaches that harm their customers, in order to avoid the harm to reputation and business values that stem from such lapses.  At the same time, firms must weigh the costs of alternative data protection systems in determining what the appropriate degree of protection should be.  Economic logic indicates that the optimal business policy is not one that focuses solely on implementing the strongest data protection system program without regard to cost.  Rather, the optimal policy is to invest in enhancing corporate data security up to the point where the marginal benefits of additional security equal the marginal costs, and no further.  Although individual businesses can only roughly approximate this outcome, one may expect that market forces will tend toward the optimal result, as firms that underinvest in data security lose customers and firms that overinvest in security find themselves priced out of the market.  There is no obvious “market failure” that suggests the market should not work adequately in the data security area.  Indeed, there is a large (and growing) amount of information on security systems available to business, and a thriving labor market for IT security specialists to whom companies can turn in designing their security programs.   Nevertheless, it would be naive in the extreme to believe that the FTC will choose to abandon its efforts to apply Section 5 to this area.  With that in mind, let us examine more closely the problems with existing FTC Section 5 data security settlements, with an eye to determining what improvements the Commission might beneficially make if it is so inclined.

The HTC settlement illustrates the breadth of decree-specific obligations the FTC has imposed.  HTC was required to “establish a comprehensive security program, undergo independent security assessments for 20 years, and develop and release software patches to fix security vulnerabilities.”  HTC also agreed to detailed security protocols that would be monitored by a third party.  The FTC did not cite specific harmful security breaches to justify these sanctions; HTC was merely charged with a failure to “take reasonable steps” to secure smartphone software.  Nor did the FTC explain what specific steps short of the decree requirements would have been deemed “reasonable.”

The HTC settlement exemplifies the FTC’s “security by design” approach to data security, under which the agency informs firms after the fact what they should have done, without exploring what they might have done to pass muster.  Although some academics view the FTC settlements as contributing usefully to a developing “common law” of data privacy, supporters of this approach ignore its inherent ex ante vagueness and the costs decree-specific mandates impose on companies.

Another serious problem stems from the enormous investigative and litigation costs associated with challenging an FTC complaint in this area – costs that incentivize most firms to quickly accede to consent decree terms even if they are onerous.  The sad case of LabMD, a small cancer detection lab, serves as warning to businesses that choose to engage in long-term administrative litigation against the FTC.  Due to the cost burden of the FTC’s multi-year litigation against it (which is still ongoing as of this writing), LabMD was forced to wind down its operations, and it stopped accepting new patients in January 2014.

The LabMD case suggests that FTC data security initiatives, carried out without regard to the scale or resources of the affected companies, have the potential to harm competition.  Relatively large companies are much better able to absorb FTC litigation and investigation costs.  Thus, it may be in the large firms’ interests to encourage the FTC to support intrusive and burdensome new FTC data security initiatives, as part of a “raising rivals’ costs” strategy to cripple or eliminate smaller rivals.  As a competition and consumer welfare watchdog, the FTC should keep this risk in mind when weighing the merits of expanding data security regulations or launching new data security investigations.

A common thread runs through the FTC’s myriad activities in data privacy “space” – the FTC’s failure to address whether its actions are cost-beneficial.  There is little doubt that the FTC’s enforcement actions impose substantial costs, both on businesses subject to decree and investigation, and on other firms possessing data that must contemplate business system redesigns to forestall potential future liability.  As a result, business innovation suffers.  Furthermore, those costs are passed on at least in part to consumers, in the form of higher prices and a reduction in the quality and quantity of new products and services.  The FTC should, consistent with its consumer welfare mandate, carefully weigh these costs against the presumed benefits flowing from a reduction in future data breaches.  A failure to carry out a cost-benefit appraisal, even a rudimentary one, makes it impossible to determine whether the FTC’s much touted data privacy projects are enhancing or reducing consumer welfare.

FTC Commissioner Josh Wright recently gave voice to the importance of cost benefit analysis in commenting on the FTC’s data brokerage report – a comment that applies equally well to all of the FTC’s data protection and privacy initiatives:

“I would . . . like to see evidence of the incidence and scope of consumer harms rather than just speculative hypotheticals about how consumers might be harmed before regulation aimed at reducing those harms is implemented.  Accordingly, the FTC would need to quantify more definitively the incidence or value of data broker practices to consumers before taking or endorsing regulatory or legislative action. . . .  We have no idea what the costs for businesses would be to implement consumer control over any and all data shared by data brokers and to what extent these costs would ultimately be passed on to consumers.  Once again, a critical safeguard to insure against the risk that our recommendations and actions do more harm than good for consumers is to require appropriate and thorough cost-benefit analysis before acting.  This failure could be especially important where the costs to businesses from complying with any recommendations are high, but where the ultimate benefit generated for consumers is minimal. . . .  If consumers have minimal concerns about the sharing of certain types of information – perhaps information that is already publicly available – I think we should know that before requiring data brokers to alter their practices and expend resources and incur costs that will be passed on to consumers.”

The FTC could take several actions to improve its data enforcement policies.  First and foremost, it could issue Data Security Guidelines that (1) clarify the FTC’s enforcement actions regarding data security will be rooted in cost-benefit analysis, and (2) will take into account investigative costs as well as (3) reasonable industry self-regulatory efforts.  (Such Guidelines should be framed solely as limiting principles that tie the FTC’s hands to avoid enforcement excesses.  They should studiously avoid dictating to industry the data security principles that firms should adopt.)  Second, it could establish an FTC website portal that features continuously updated information on the Guidelines and other sources of guidance on data security. Third, it could employ cost-benefit analysis before pursuing any new regulatory initiatives, legislative recommendations, or investigations related to other areas of data protection.  Fourth, it could urge its foreign counterpart agencies to adopt similar cost-benefit approaches to data security regulation.

Congress could also improve the situation by enacting a narrowly tailored statute that preempts all state regulation related to data protection.  Forty-seven states now have legislation in this area, which adds additional burdens to those already imposed by federal law.  Furthermore, differences among state laws render the data protection efforts of merchants who may have to safeguard data from across the country enormously complex and onerous.  Given the inherently interstate nature of electronic commerce and associated data breaches, preemption of state regulation in this area would comport with federalism principles.  (Consistent with public choice realities, there is always the risk, of course, that Congress might be tempted to go beyond narrow preemption and create new and unnecessary federal powers in this area.  I believe, however, that such a risk is worth running, given the potential magnitude of excessive regulatory burdens, and the ability to articulate a persuasive public policy case for narrow preemptive legislation.)

Stay tuned for a more fulsome discussion of these issues by me.