Recently I highlighted problems with the FTC’s enforcement actions targeting companies’ data security protection policies, and recommended that the FTC adopt a cost-benefit approach to regulation in this area. Yesterday the Heritage Foundation released a more detailed paper by me on this topic, replete with recommendations for new FTC guidance and specific reforms aimed at maintaining appropriate FTC oversight while reducing excessive burdens. Happy reading!
Archives For consumer protection
The U.S. Federal Trade Commission (FTC) continues to expand its presence in online data regulation. On August 13 the FTC announced a forthcoming workshop to explore appropriate policies toward “big data,” a term used to refer to advancing technologies that are dramatically expanding the commercial collection, analysis, use, and storage of data. This initiative follows on the heels of the FTC’s May 2014 data broker report, which recommended that Congress impose a variety of requirements on companies that legally collect and sell consumers’ personal information. (Among other requirements, companies would be required to create consumer data “portals” and implement business procedures that allow consumers to edit and suppress use of their data.) The FTC also is calling for legislation that would enhance its authority over data security standards and empower it to issue rules requiring companies to inform consumers of security breaches.
These recent regulatory initiatives are in addition to the Commission’s active consumer data enforcement efforts. Some of these efforts are pursuant to three targeted statutory authorizations – the FTC’s Safeguards Rule (promulgated pursuant to the Gramm-Leach-Bliley Act and directed at non-bank financial institutions), the Fair Credit Reporting Act (directed at consumer protecting agencies), and the Children’s Online Privacy Protection Act (directed at children’s information collected online).
The bulk of the FTC’s enforcement efforts, however, stem from its general authority to proscribe unfair or deceptive practices under Section 5(a)(1) of the FTC Act. Since 2002, pursuant to its Section 5 powers, the FTC has filed and settled over 50 cases alleging that private companies used deceptive or ineffective (and thus unfair) practices in storing their data. (Twitter, LexisNexis, ChoicePoint, GMR Transcription Services, GeneLink, Inc., and mobile device provider HTC are just a few of the firms that have agreed to settle.) Settlements have involved consent decrees under which the company in question agreed to take a wide variety of “corrective measures” to avoid future harm.
As a matter of first principles, one may question the desirability of FTC data security investigations under Section 5. Firms have every incentive to avoid data protection breaches that harm their customers, in order to avoid the harm to reputation and business values that stem from such lapses. At the same time, firms must weigh the costs of alternative data protection systems in determining what the appropriate degree of protection should be. Economic logic indicates that the optimal business policy is not one that focuses solely on implementing the strongest data protection system program without regard to cost. Rather, the optimal policy is to invest in enhancing corporate data security up to the point where the marginal benefits of additional security equal the marginal costs, and no further. Although individual businesses can only roughly approximate this outcome, one may expect that market forces will tend toward the optimal result, as firms that underinvest in data security lose customers and firms that overinvest in security find themselves priced out of the market. There is no obvious “market failure” that suggests the market should not work adequately in the data security area. Indeed, there is a large (and growing) amount of information on security systems available to business, and a thriving labor market for IT security specialists to whom companies can turn in designing their security programs. Nevertheless, it would be naive in the extreme to believe that the FTC will choose to abandon its efforts to apply Section 5 to this area. With that in mind, let us examine more closely the problems with existing FTC Section 5 data security settlements, with an eye to determining what improvements the Commission might beneficially make if it is so inclined.
The HTC settlement illustrates the breadth of decree-specific obligations the FTC has imposed. HTC was required to “establish a comprehensive security program, undergo independent security assessments for 20 years, and develop and release software patches to fix security vulnerabilities.” HTC also agreed to detailed security protocols that would be monitored by a third party. The FTC did not cite specific harmful security breaches to justify these sanctions; HTC was merely charged with a failure to “take reasonable steps” to secure smartphone software. Nor did the FTC explain what specific steps short of the decree requirements would have been deemed “reasonable.”
The HTC settlement exemplifies the FTC’s “security by design” approach to data security, under which the agency informs firms after the fact what they should have done, without exploring what they might have done to pass muster. Although some academics view the FTC settlements as contributing usefully to a developing “common law” of data privacy, supporters of this approach ignore its inherent ex ante vagueness and the costs decree-specific mandates impose on companies.
Another serious problem stems from the enormous investigative and litigation costs associated with challenging an FTC complaint in this area – costs that incentivize most firms to quickly accede to consent decree terms even if they are onerous. The sad case of LabMD, a small cancer detection lab, serves as warning to businesses that choose to engage in long-term administrative litigation against the FTC. Due to the cost burden of the FTC’s multi-year litigation against it (which is still ongoing as of this writing), LabMD was forced to wind down its operations, and it stopped accepting new patients in January 2014.
The LabMD case suggests that FTC data security initiatives, carried out without regard to the scale or resources of the affected companies, have the potential to harm competition. Relatively large companies are much better able to absorb FTC litigation and investigation costs. Thus, it may be in the large firms’ interests to encourage the FTC to support intrusive and burdensome new FTC data security initiatives, as part of a “raising rivals’ costs” strategy to cripple or eliminate smaller rivals. As a competition and consumer welfare watchdog, the FTC should keep this risk in mind when weighing the merits of expanding data security regulations or launching new data security investigations.
A common thread runs through the FTC’s myriad activities in data privacy “space” – the FTC’s failure to address whether its actions are cost-beneficial. There is little doubt that the FTC’s enforcement actions impose substantial costs, both on businesses subject to decree and investigation, and on other firms possessing data that must contemplate business system redesigns to forestall potential future liability. As a result, business innovation suffers. Furthermore, those costs are passed on at least in part to consumers, in the form of higher prices and a reduction in the quality and quantity of new products and services. The FTC should, consistent with its consumer welfare mandate, carefully weigh these costs against the presumed benefits flowing from a reduction in future data breaches. A failure to carry out a cost-benefit appraisal, even a rudimentary one, makes it impossible to determine whether the FTC’s much touted data privacy projects are enhancing or reducing consumer welfare.
FTC Commissioner Josh Wright recently gave voice to the importance of cost benefit analysis in commenting on the FTC’s data brokerage report – a comment that applies equally well to all of the FTC’s data protection and privacy initiatives:
“I would . . . like to see evidence of the incidence and scope of consumer harms rather than just speculative hypotheticals about how consumers might be harmed before regulation aimed at reducing those harms is implemented. Accordingly, the FTC would need to quantify more definitively the incidence or value of data broker practices to consumers before taking or endorsing regulatory or legislative action. . . . We have no idea what the costs for businesses would be to implement consumer control over any and all data shared by data brokers and to what extent these costs would ultimately be passed on to consumers. Once again, a critical safeguard to insure against the risk that our recommendations and actions do more harm than good for consumers is to require appropriate and thorough cost-benefit analysis before acting. This failure could be especially important where the costs to businesses from complying with any recommendations are high, but where the ultimate benefit generated for consumers is minimal. . . . If consumers have minimal concerns about the sharing of certain types of information – perhaps information that is already publicly available – I think we should know that before requiring data brokers to alter their practices and expend resources and incur costs that will be passed on to consumers.”
The FTC could take several actions to improve its data enforcement policies. First and foremost, it could issue Data Security Guidelines that (1) clarify the FTC’s enforcement actions regarding data security will be rooted in cost-benefit analysis, and (2) will take into account investigative costs as well as (3) reasonable industry self-regulatory efforts. (Such Guidelines should be framed solely as limiting principles that tie the FTC’s hands to avoid enforcement excesses. They should studiously avoid dictating to industry the data security principles that firms should adopt.) Second, it could establish an FTC website portal that features continuously updated information on the Guidelines and other sources of guidance on data security. Third, it could employ cost-benefit analysis before pursuing any new regulatory initiatives, legislative recommendations, or investigations related to other areas of data protection. Fourth, it could urge its foreign counterpart agencies to adopt similar cost-benefit approaches to data security regulation.
Congress could also improve the situation by enacting a narrowly tailored statute that preempts all state regulation related to data protection. Forty-seven states now have legislation in this area, which adds additional burdens to those already imposed by federal law. Furthermore, differences among state laws render the data protection efforts of merchants who may have to safeguard data from across the country enormously complex and onerous. Given the inherently interstate nature of electronic commerce and associated data breaches, preemption of state regulation in this area would comport with federalism principles. (Consistent with public choice realities, there is always the risk, of course, that Congress might be tempted to go beyond narrow preemption and create new and unnecessary federal powers in this area. I believe, however, that such a risk is worth running, given the potential magnitude of excessive regulatory burdens, and the ability to articulate a persuasive public policy case for narrow preemptive legislation.)
Stay tuned for a more fulsome discussion of these issues by me.
“Operation Choke Point” (OCP) is an interdepartmental initiative by the U.S. Department of Justice (DOJ) and federal financial services regulators to discourage financial intermediaries from dealing with consumer fraud-plagued industries. In an August 4 Heritage Foundation Legal Memorandum, I discuss the misapplication of this potentially beneficial project and recommend possible measures to reform OCP.
If OCP properly focused on helping financial intermediaries better identify indicia of fraud, it would be a laudable initiative. A recent report by the House Committee on Government Oversight and Government Reform, however, reveals that financial services agencies, such as the Federal Deposit Insurance Corporation, have under the aegis of OCP created lists of disfavored but lawful industries. Payday lenders are on the list, but so are such business categories as firearms sales, ammunition sales, and credit repair services, to name just a few. Apparently third party financial intermediaries may have been “encouraged” by federal regulators not to deal with firms in “disfavored” sectors. To the extent this is happening, it raises serious rule of law concerns. Regulators have no legal authority to direct private financial services away from government-disfavored but fully legal activity – such actions promote unfair legally disparate treatment of commercial actors. Moreover, financial intermediaries and the firms they are pressured into “choking off” suffer welfare losses from such conduct, as do the consumers who are denied access to (or pay higher prices for) desired goods and services supplied by the “choked off” merchants.
Another problem associated with OCP is the Federal Trade Commission’s recent litigation against lawful payment processors and other financial intermediaries for dealing with businesses allegedly engaged in fraud. The FTC has taken these actions without proof that the intermediaries knew that their clients were engaging in fraud. The FTC’s actions also may be undermining the usefulness of private sector self-regulatory efforts – embodied, for example, in April 2014 guidelines by the Electronic Transactions Association providing underwriting and monitoring standards that could help payment processors better spot fraud.
My Heritage Legal Memorandum suggests the following measures could reorient OCP in a socially beneficial direction:
- DOJ and all Financial Fraud Enforcement Task Force agencies (federal regulators) should inform the bank and non-bank financial intermediaries they regulate that they are rescinding all lists of “problematic” industries engaging in lawful activities (for example, legal gun sellers) that may trigger federal enforcement concern.
- In implementing OCP, the federal regulators should state publicly that they oppose all discrimination against companies on grounds that are not directly related to a proven propensity for engaging in fraud or other serious illegal conduct.
- In implementing OCP, if backed by empirical evidence, federal regulators should issue very specific red-flag indicia of fraud by merchants which, if discovered by financial intermediaries, may justify termination of the intermediaries’ relationships with those merchants, as well as informing the appropriate regulatory agencies. This guidance should clarify that the onus is not being placed on the intermediaries to uncover the indicia and that the intermediaries will not be subject to federal investigation or sanction if fraud by the merchants subsequently is revealed so long as the merchants acted with reasonable prudence, consistent with sound business practices.
- The FTC should issue a policy statement providing that it will not sue payment processors based on alleged fraud by merchants unless there is evidence that the processors knowingly participated in fraud. Further, the statement should express a preference for deferring in the first place and whenever reasonable to industry self-regulation.
Adoption by federal regulators of recommendations along these lines would protect consumers from financial fraud without hobbling legitimate business interests and depriving consumers of full access to the legal products and services they desire.
The Federal Trade Commission’s recent enforcement actions against Amazon and Apple raise important questions about the FTC’s consumer protection practices, especially its use of economics. How does the Commission weigh the costs and benefits of its enforcement decisions? How does the agency employ economic analysis in digital consumer protection cases generally?
Join the International Center for Law and Economics and TechFreedom on Thursday, July 31 at the Woolly Mammoth Theatre Company for a lunch and panel discussion on these important issues, featuring FTC Commissioner Joshua Wright, Director of the FTC’s Bureau of Economics Martin Gaynor, and several former FTC officials. RSVP here.
Commissioner Wright will present a keynote address discussing his dissent in Apple and his approach to applying economics in consumer protection cases generally.
Geoffrey Manne, Executive Director of ICLE, will briefly discuss his recent paper on the role of economics in the FTC’s consumer protection enforcement. Berin Szoka, TechFreedom President, will moderate a panel discussion featuring:
- Martin Gaynor, Director, FTC Bureau of Economics
- David Balto, Fmr. Deputy Assistant Director for Policy & Coordination, FTC Bureau of Competition
- Howard Beales, Fmr. Director, FTC Bureau of Consumer Protection
- James Cooper, Fmr. Acting Director & Fmr. Deputy Director, FTC Office of Policy Planning
- Pauline Ippolito, Fmr. Acting Director & Fmr. Deputy Director, FTC Bureau of Economics
The FTC recently issued a complaint and consent order against Apple, alleging its in-app purchasing design doesn’t meet the Commission’s standards of fairness. The action and resulting settlement drew a forceful dissent from Commissioner Wright, and sparked a discussion among the Commissioners about balancing economic harms and benefits in Section 5 unfairness jurisprudence. More recently, the FTC brought a similar action against Amazon, which is now pending in federal district court because Amazon refused to settle.
The “FTC: Technology and Reform” project brings together a unique collection of experts on the law, economics, and technology of competition and consumer protection to consider challenges facing the FTC in general, and especially regarding its regulation of technology. The Project’s initial report, released in December 2013, identified critical questions facing the agency, Congress, and the courts about the FTC’s future, and proposed a framework for addressing them.
Thursday, July 31
11:45 am – 12:15 pm — Lunch and registration
12:15 pm – 2:00 pm — Keynote address, paper presentation & panel discussion
See ICLE’s and TechFreedom’s other work on FTC reform, including:
- Geoffrey Manne’s Congressional testimony on the the FTC@100
- Op-ed by Berin Szoka and Geoffrey Manne, “The Second Century of the Federal Trade Commission”
- Two posts by Geoffrey Manne on the FTC’s Amazon Complaint, here and here.
About The International Center for Law and Economics:
The International Center for Law and Economics is a non-profit, non-partisan research center aimed at fostering rigorous policy analysis and evidence-based regulation.
TechFreedom is a non-profit, non-partisan technology policy think tank. We work to chart a path forward for policymakers towards a bright future where technology enhances freedom, and freedom enhances technology.
Today the FTC filed its complaint in federal district court in Washington against Amazon, alleging that the company’s in-app purchasing system permits children to make in-app purchases without parental “informed consent” constituting an “unfair practice” under Section 5 of the FTC Act.
As I noted in my previous post on the case, in bringing this case the Commission is doubling down on the rule it introduced in Apple that effectively converts the balancing of harms and benefits required under Section 5 of the FTC Act to a per se rule that deems certain practices to be unfair regardless of countervailing benefits. Similarly, it is attempting to extend the informed consent standard it created in Apple that essentially maintains that only specific, identified practices (essentially, distinct notification at the time of purchase or opening of purchase window, requiring entry of a password to proceed) are permissible under the Act.
Such a standard is inconsistent with the statute, however. The FTC’s approach forecloses the ability of companies like Amazon to engage in meaningful design decisions and disregards their judgment about which user interface designs will, on balance, benefit consumers. The FTC Act does not empower the Commission to disregard the consumer benefits of practices that simply fail to mimic the FTC’s preconceived design preferences. While that sort of approach might be defensible in the face of manifestly harmful practices like cramming, it is wholly inappropriate in the context of app stores like Amazon’s that spend considerable resources to design every aspect of their interaction with consumers—and that seek to attract, not to defraud, consumers.
Today’s complaint occasions a few more observations:
- Amazon has a very strong case. Under Section 5 of the FTC Act, the Commission will have to prevail on all three elements required to prove unfairness under Section 5: that there is substantial injury, that consumers can’t reasonably avoid the injury and that any countervailing benefits don’t outweigh the injury. But, consistent with its complaint and consent order in Apple, the Amazon complaint focuses almost entirely on only the first of these. While that may have been enough to induce Apple to settle out of court, the FTC will actually have to make out a case on reasonable avoidance and countervailing benefits at trial. It’s not at all clear that the agency will be able to do so on the facts alleged here.
- On reasonable avoidance, over and above Amazon’s general procedures that limit unwanted in-app purchases, the FTC will have a tough time showing that Amazon’s Kindle Free Time doesn’t provide parents with more than enough ability to avoid injury. In fact, the complaint doesn’t mention Free Time at all.
- Among other things, the complaint asserts that Amazon knew about issues with in-app purchasing by December of 2011 and claims that “[n]ot until June 2014 did Amazon change its in-app charge framework to obtain account holders’ informed consent for in-app charges on its newer mobile devices.” But Kindle Free Time was introduced in September of 2012. While four FTC Commissioners may believe that Free Time isn’t a sufficient response to the alleged problem, it is clearly a readily available, free and effective (read: reasonable) mechanism for parents to avoid the alleged harms. It may not be what the design mavens at the FTC would have chosen to do, but it seems certain that avoiding unauthorized in-app purchases by children was part of what motivated Amazon’s decision to create and offer Free Time.
- On countervailing benefits, as Commissioner Wright discussed in detail in his dissent from the Apple consent order, the Commission seems to think that it can simply assert that there are no countervailing benefits to Amazon’s design choices around in-app purchases. Here the complaint doesn’t mention 1-Click at all, which is core to Amazon’s user interface design and essential to evaluating the balance of harms and benefits required by the statute.
- Even if it can show that Amazon’s in-app purchase practices caused harm, the Commission will still have to demonstrate that Amazon’s conscious efforts to minimize the steps required to make purchases doesn’t benefit consumers on balance. In Apple, the FTC majority essentially (and improperly) valued these sorts of user-interface benefits at zero. It implicitly does so again here, but a court will require more than such an assertion.
- Given these lapses, there is even a chance that the complaint will be thrown out on a motion to dismiss. It’s a high bar, but if the court agrees that there are insufficient facts in the complaint to make out a plausible case on all three elements, Amazon could well prevail on a motion to dismiss. The FTC’s approach in the Apple consent order effectively maintains that the agency can disregard reasonable avoidance and countervailing benefits in contravention of the statute. By following the same approach here in actual litigation, the FTC may well meet resistance from the courts, which have not yet so cavalierly dispensed with the statute’s requirements.
The Wall Street Journal reports this morning that Amazon is getting — and fighting — the “Apple treatment” from the FTC for its design of its in-app purchases:
Amazon.com Inc. is bucking a request from the Federal Trade Commission that it tighten its policies for purchases made by children while using mobile applications.
In a letter to the FTC Tuesday, Amazon said it was prepared to “defend our approach in court,” rather than agree to fines and additional record keeping and disclosure requirements over the next 20 years, according to documents reviewed by The Wall Street Journal.
According to the documents, Amazon is facing a potential lawsuit by the FTC, which wants the Seattle retailer to accept terms similar to those that Apple Inc. agreed to earlier this year regarding so-called in-app purchases.
From what I can tell, the Commission has voted to issue a complaint, and Amazon has informed the Commission that it will not accept its proposed settlement.
I am thrilled that Amazon seems to have decided to fight the latest effort by a majority of the FTC to bring every large tech company under 20-year consent decree. I should say: I’m disappointed in the FTC, sorry for Amazon, but thrilled for consumers and the free marketplace that Amazon is choosing to fight rather than acquiesce.
What’s particularly notable about the Apple case – and presumably will be in future technology enforcement actions predicated on unfairness – is the unique relevance of the attributes of the conduct at issue to its product. Unlike past, allegedly similar, cases, Apple’s conduct was not aimed at deceiving consumers, nor was it incidental to its product offering. But by challenging the practice, particularly without the balancing of harms required by Section 5, the FTC majority failed to act with restraint and substituted its own judgment, not about some manifestly despicable conduct, but about the very design of Apple’s products. This is the sort of area where regulatory humility is more — not less — important.
In failing to observe common sense limits in Apple, the FTC set a dangerous precedent that, given the agency’s enormous regulatory scope and the nature of technologically advanced products, could cause significant harm to consumers.
Here that failure is even more egregious. Amazon has built its entire business around the “1-click” concept — which consumers love — and implemented a host of notification and security processes hewing as much as possible to that design choice, but nevertheless taking account of the sorts of issues raised by in-app purchases. Moreover — and perhaps most significantly — it has implemented an innovative and comprehensive parental control regime (including the ability to turn off all in-app purchases) — Kindle Free Time — that arguably goes well beyond anything the FTC required in its Apple consent order. I use Kindle Free Time with my kids and have repeatedly claimed to anyone who will listen that it is the greatest thing since sliced bread. Other consumers must feel similarly. Finally, regardless of all of that, Amazon has nevertheless voluntarily implemented additional notification procedures intended to comply with the Apple settlement, even though it didn’t apply to Amazon.
If the FTC asserts, in the face of all of that, that it’s own vision of what “appropriate” in-app purchase protections must look like is the only one that suffices to meet the standard required by Section 5’s Unfairness language, it is either being egregiously disingenuous, horrifically vain, just plain obtuse, or some combination of the three.
As I wrote in my testimony:
The application of Section 5’s “unfair acts and practices” prong (the statute at issue in Apple) is circumscribed by Section 45(n) of the FTC Act, which, among other things, proscribes enforcement where injury is “not outweighed by countervailing benefits to consumers or to competition.”
And as Commissioner Wright noted in his dissent in the Apple case,
[T]he Commission effectively rejects an analysis of tradeoffs between the benefits of additional guidance and potential harm to some consumers or to competition from mandating guidance…. I respectfully disagree. These assumptions adopt too cramped a view of consumer benefits under the Unfairness Statement and, without more rigorous analysis to justify their application, are insufficient to establish the Commission’s burden.
We won’t know until we see the complaint whether the FTC has failed to undertake the balancing it neglected to perform in Apple and that it is required to perform under the statute. But it’s hard to believe that it could mount a case against Amazon in light of the facts if it did perform such a balancing. There’s no question that Amazon has implemented conscious and consumer-welfare-enhancing design choices here. The FTC’s effort to nevertheless mandate a different design (and put Amazon under a 20 year consent decree) based on a claim that Amazon’s choices impose greater harms than benefits on consumers seems manifestly unsupportable.
Such a claim almost certainly represents an abuse of the agency’s discretion, and I expect Amazon to trounce the FTC if this case goes to trial.
FTC Commissioner Josh Wright will give a keynote luncheon address titled, “The Need for Limits on Agency Discretion and the Case for Section 5 UMC Guidelines.” Project members will discuss the themes raised in our inaugural report and how they might inform some of the most pressing issues of FTC process and substance confronting the FTC, Congress and the courts. The afternoon will conclude with a Fireside Chat with former FTC Chairmen Tim Muris and Bill Kovacic, followed by a cocktail reception.
- Lunch and Keynote Address (12:00-1:00)
- FTC Commissioner Joshua Wright
- Introduction to the Project and the “Questions & Frameworks” Report (1:00-1:15)
- Gus Hurwitz, Geoffrey Manne and Berin Szoka
- Panel 1: Limits on FTC Discretion: Institutional Structure & Economics (1:15-2:30)
- Jeffrey Eisenach (AEI | Former Economist, BE)
- Todd Zywicki (GMU Law | Former Director, OPP)
- Tad Lipsky (Latham & Watkins)
- Geoffrey Manne (ICLE) (moderator)
- Panel 2: Section 5 and the Future of the FTC (2:45-4:00)
- Paul Rubin (Emory University Law and Economics | Former Director of Advertising Economics, BE)
- James Cooper (GMU Law | Former Acting Director, OPP)
- Gus Hurwitz (University of Nebraska Law)
- Berin Szoka (TechFreedom) (moderator)
- A Fireside Chat with Former FTC Chairmen (4:15-5:30)
- Tim Muris (Former FTC Chairman | George Mason University) & Bill Kovacic (Former FTC Chairman | George Washington University)
- Reception (5:30-6:30)
Please join us at the Willard Hotel in Washington, DC on December 16th for a conference launching the year-long project, “FTC: Technology and Reform.” With complex technological issues increasingly on the FTC’s docket, we will consider what it means that the FTC is fast becoming the Federal Technology Commission.
The FTC: Technology & Reform Project brings together a unique collection of experts on the law, economics, and technology of competition and consumer protection to consider challenges facing the FTC in general, and especially regarding its regulation of technology.
For many, new technologies represent “challenges” to the agency, a continuous stream of complex threats to consumers that can be mitigated only by ongoing regulatory vigilance. We view technology differently, as an overwhelmingly positive force for consumers. To us, the FTC’s role is to promote the consumer benefits of new technology — not to “tame the beast” but to intervene only with caution, when the likely consumer benefits of regulation outweigh the risk of regulatory error. This conference is the start of a year-long project that will recommend concrete reforms to ensure that the FTC’s treatment of technology works to make consumers better off. Continue Reading…
Mike Sykuta and I recently co-authored a short article discussing the latest evidence on, and proper legal treatment of, minimum resale price maintenance (RPM). Following is a bit about the article (which is available here).
Despite the U.S. Supreme Court’s Leegin decision holding that minimum RPM must be evaluated under antitrust’s Rule of Reason, the battle over the proper legal treatment of the practice continues to rage at both the federal and state levels.
At the federal level, courts, commentators, and regulators have split over what sort of Rule of Reason should apply. Some, like yours truly, have argued that because RPM is usually pro- rather than anticompetitive, challengers should bear the burden of proving likely anticompetitive effect (at a minimum, the structural prerequisites to such an effect) under a full-blown Rule of Reason. Others contend that RPM should be assessed using some version of “quick look” Rule of Reason, under which a challenged instance of RPM is presumed anticompetitive if the plaintiff makes some fairly narrow showing (e.g., that consumer prices have risen, or that the RPM was dealer-initiated, or that the RPM is imposed on homogeneous products that are not sold with dealer services that are susceptible to free-riding).
At the state level, a number of states have simply decided not to follow Leegin and to retain, under state antitrust law, the per se rule of Dr. Miles (the 1911 decision overruled by Leegin). At least nine states have taken this tack.
We advocates of a full-blown Rule of Reason for minimum RPM have generally emphasized two things. First, we have observed that while the structural prerequisites to RPM’s potentially anticompetitive harms (facilitation of dealer-level or manufacturer-level cartels, or exclusion by a dominant dealer or manufacturer) are rarely satisfied, the necessary conditions for RPM’s procompetitive benefits (avoidance of free-riding, facilitating entry, encouraging non-free-rideable dealer services) are frequently met. Second, we have shown that the pre-Leegin empirical evidence on RPM’s effects generally confirmed what theory would predict: Most instances of RPM that have been examined closely have proven output-enhancing.
In recent months, advocates of stricter RPM rules have pointed to an ambitious new study that they say supports their position. The study authors, University of Chicago economics PhD candidates Alexander MacKay and David Aron Smith, purported to conduct “a natural experiment to estimate the effects of Leegin on product prices and quantity.” In particular, MacKay & Smith compared post-Leegin changes in price and output levels in states retaining a rule of per se illegality with those in states likely to assess RPM under the Rule of Reason. Utilizing Nielsen consumer product data for 1,083 “product modules” (i.e., narrowly defined product categories such as “vegetables-broccoli-frozen”), the authors assessed price and output changes between the six month period immediately preceding Leegin (January-June 2007) and the last six months of 2009.
With respect to price changes, MacKay & Smith found that 15% of the product modules exhibited price increases that were higher, by a statistically significant margin, in Rule of Reason states than in per se states. In only 6.9% of modules were price increases higher, to a statistically significant degree, in per se states than in Rule of Reason states. With respect to quantity changes, 14.7% of modules saw a statistically significant decrease in quantity in Rule of Reason states versus per se states, whereas only 3% of modules exhibited a statistically significant quantity increase in Rule of Reason states over per se states. MacKay & Smith thus conclude that greater leniency on minimum RPM is associated with higher prices and lower output levels, a conclusion that, they say, supports the view that RPM is more frequently anticompetitive than procompetitive.
Mike and I contend that the MacKay & Smith study is flawed and does not justify restrictive RPM policies. First, the study provides very little support for the view that RPM has caused anticompetitive harm within the group of product markets examined. As an initial matter (and as the authors admit), the study does not demonstrate that actual RPM agreements have caused anticompetitive harm in the post-Leegin era. To make such a showing, one would have to demonstrate that (1) minimum RPM was actually imposed on a product after the Leegin decision, (2) the RPM policy raised the price of that product from what it otherwise would have been, and (3) the quantity of the product sold fell from what it otherwise would have been. The authors present no evidence that RPM policies were actually implemented on any of the product categories for which they identified statistically significant price increases and quantity decreases. As they concede, their study could show only that legal environments treating RPM leniently (not RPM agreements themselves) are conducive to anticompetitive outcomes.
But the authors’ data provide little support for even that claim. To prove anticompetitive harm stemming from an “RPM-permissive” legal environment, one would have to show that the transition from per se illegality to rule of reason treatment occasioned, for a substantial number of products, both a statistically significant price increase and a statistically significant output reduction on the same product. An output reduction not accompanied by an increase in price suggests that something besides minimum RPM (or even a “permissive attitude” toward RPM) caused output to fall. A price increase without a reduction in output is consistent with the view that RPM induced demand-enhancing dealer activities that mitigated the effect of the price increase, albeit by not as much as the producer may have hoped. (A price increase without an output decrease could also indicate that demand for the product at issue was inelastic, but MacKay & Smith presented no evidence suggesting that demand for any of the product categories exhibiting price increases but not quantity decreases was particularly inelastic.)
According to the authors’ list of “modules with significant price or quantity changes” (Appendix A of their study), only 17 of the 1,083 product categories examined—a mere 1.6%—exhibited both a price increase and a quantity decrease. And those effects were for categories of products (e.g., barbecue sauces as a whole), not necessarily particular brands of a product (e.g., KC Masterpiece or Sweet Baby Ray’s). It could well be that within the 1.6% of categories exhibiting both an average price increase and an average output decrease, there were no individual brands exhibiting both effects at once. Indeed, most of the seventeen product categories involve dealer and manufacturer markets that are neither cartelizable (so neither the dealer nor manufacturer collusion theory of anticompetitive harm could apply) nor dominated by a powerful manufacturer or dealer (so neither the dominant manufacturer nor dominant dealer theory could apply). To the extent MacKay & Smith’s findings provide any evidence that RPM-permissiveness occasions anticompetitive harm in household consumer products markets, that evidence is awfully thin.
Moreover, in limiting their examination to the product categories included in the Nielsen Consumer Panel Data, MacKay & Smith excluded most products for which one of the procompetitive rationales for minimum RPM—the “avoidance of free-riding” rationale—would apply. As the authors observe, only about “30% of household consumption is accounted for by the categories in the data.” That 30% is comprised mainly of groceries, other consumable household products, and small appliances. The study thus excludes data related to purchases of large appliances, complicated electronics projects, and other relatively expensive products that are frequently sold along with “free-rideable” amenities such as product demonstrations, consumer education, and set-up or repair services. Because the MacKay & Smith study systematically disregards information on transactions likely to reflect a procompetitive use of minimum RPM, it fails to establish the authors’ conclusion that “the harm to consumers resulting from rule-of-reason treatment of minimum RPM seems to outweigh its benefits.”
In the end, then, Mike and I conclude that the new RPM evidence provides no reason to reject the persuasive theory- and evidence-based arguments in favor of lenient, full-blown Rule of Reason treatment of minimum RPM. Of course, we welcome comments on our article.
The Children’s Online Privacy Protection Act (COPPA) continues to be a hot button issue for many online businesses and privacy advocates. On November 14, Senator Markey, along with Senator Kirk and Representatives Barton and Rush introduced the Do Not Track Kids Act of 2013 to amend the statute to include children from 13-15 and add new requirements, like an eraser button. The current COPPA Rule, since the FTC’s recent update went into effect this past summer, requires parental consent before businesses can collect information about children online, including relatively de-identified information like IP addresses and device numbers that allow for targeted advertising.
Often, the debate about COPPA is framed in a way that makes it very difficult to discuss as a policy matter. With the stated purpose of “enhanc[ing] parental involvement in children’s online activities in order to protect children’s privacy,” who can really object? While there is recognition that there are substantial costs to COPPA compliance (including foregone innovation and investment in children’s media), it’s generally taken for granted by all that the Rule is necessary to protect children online. But it has never been clear what COPPA is supposed to help us protect our children from.
Then-Representative Markey’s original speech suggested one possible answer in “protect[ing] children’s safety when they visit and post information on public chat rooms and message boards.” If COPPA is to be understood in this light, the newest COPPA revision from the FTC and the proposed Do Not Track Kids Act of 2013 largely miss the mark. It seems unlikely that proponents worry about children or teens posting their IP address or device numbers online, allowing online predators to look at this information and track them down. Rather, the clear goal animating the updates to COPPA is to “protect” children from online behavioral advertising. Here’s now-Senator Markey’s press statement:
“The speed with which Facebook is pushing teens to share their sensitive, personal information widely and publicly online must spur Congress to act commensurately to put strong privacy protections on the books for teens and parents,” said Senator Markey. “Now is the time to pass the bipartisan Do Not Track Kids Act so that children and teens don’t have their information collected and sold to the highest bidder. Corporations like Facebook should not be profiting from the personal and sensitive information of children and teens, and parents and teens should have the right to control their personal information online.”
The concern about online behavioral advertising could probably be understood in at least three ways, but each of them is flawed.
- Creepiness. Some people believe there is something just “creepy” about companies collecting data on consumers, especially when it comes to children and teens. While nearly everyone would agree that surreptitiously collecting data like email addresses or physical addresses without consent is wrong, many would probably prefer to trade data like IP addresses and device numbers for free content (as nearly everyone does every day on the Internet). It is also unclear that COPPA is the answer to this type of problem, even if it could be defined. As Adam Thierer has pointed out, parents are in a much better position than government regulators or even companies to protect their children from privacy practices they don’t like.
- Exploitation. Another way to understand the concern is that companies are exploiting consumers by making money off their data without consumers getting any value. But this fundamentally ignores the multi-sided market at play here. Users trade information for a free service, whether it be Facebook, Google, or Twitter. These services then monetize that information by creating profiles and selling that to advertisers. Advertisers then place ads based on that information with the hopes of increasing sales. In the end, though, companies make money only when consumers buy their products. Free content funded by such advertising is likely a win-win-win for everyone involved.
- False Consciousness. A third way to understand the concern over behavioral advertising is that corporations can convince consumers to buy things they don’t need or really want through advertising. Much of this is driven by what Jack Calfee called The Fear of Persuasion: many people don’t understand the beneficial effects of advertising in increasing the information available to consumers and, as a result, misdiagnose the role of advertising. Even accepting this false consciousness theory, the difficulty for COPPA is that no one has ever explained why advertising is a harm to children or teens. If anything, online behavioral advertising is less of a harm to teens and children than adults for one simple reason: Children and teens can’t (usually) buy anything! Kids and teens need their parents’ credit cards in order to buy stuff online. This means that parental involvement is already necessary, and has little need of further empowerment by government regulation.
COPPA may have benefits in preserving children’s safety — as Markey once put it — beyond what underlying laws, industry self-regulation and parental involvement can offer. But as we work to update the law, we shouldn’t allow the Rule to be a solution in search of a problem. It is incumbent upon Markey and other supporters of the latest amendment to demonstrate that the amendment will serve to actually protect kids from something they need protecting from. Absent that, the costs very likely outweigh the benefits.