Archives For consumer protection

On Wednesday, March 18, our fellow law-and-economics-focused brethren at George Mason’s Law and Economics Center will host a very interesting morning briefing on the intersection of privacy, big data, consumer protection, and antitrust. FTC Commissioner Maureen Ohlhausen will keynote and she will be followed by what looks like will be a lively panel discussion. If you are in DC you can join in person, but you can also watch online. More details below.
Please join the LEC in person or online for a morning of lively discussion on this topic. FTC Commissioner Maureen K. Ohlhausen will set the stage by discussing her Antitrust Law Journal article, “Competition, Consumer Protection and The Right [Approach] To Privacy“. A panel discussion on big data and antitrust, which includes some of the leading thinkers on the subject, will follow.
Other featured speakers include:

Allen P. Grunes
Founder, The Konkurrenz Group and Data Competition Institute

Andres Lerner
Executive Vice President, Compass Lexecon

Darren S. Tucker
Partner, Morgan Lewis

Nathan Newman
Director, Economic and Technology Strategies LLC

Moderator: James C. Cooper
Director, Research and Policy, Law & Economics Center

A full agenda is available click here.

Anybody who has spent much time with children knows how squishy a concept “unfairness” can be.  One can hear the exchange, “He’s not being fair!” “No, she’s not!,” only so many times before coming to understand that unfairness is largely in the eye of the beholder.

Perhaps it’s unfortunate, then, that Congress chose a century ago to cast the Federal Trade Commission’s authority in terms of preventing “unfair methods of competition.”  But that’s what it did, and the question now is whether there is some way to mitigate this “eye of the beholder” problem.

There is.

We know that any business practice that violates the substantive antitrust laws (the Sherman and Clayton Acts) is an unfair method of competition, so we can look to Sherman and Clayton Act precedents to assess the “unfairness” of business practices that those laws reach.  But what about the Commission’s so-called “standalone” UMC authority—its power to prevent business practices that seem to impact competition unfairly but are not technically violations of the substantive antitrust laws?

Almost two years ago, Commissioner Josh Wright recognized that if the FTC’s standalone UMC authority is to play a meaningful role in assuring market competition, the Commission should issue guidelines on what constitutes an unfair method of competition. He was right.  The Commission, you see, really has only four options with respect to standalone Section 5 claims:

  1. It could bring standalone actions based on current commissioners’ considered judgments about what constitutes unfairness. Such an approach, though, is really inconsistent with the rule of law. Past commissioners, for example, have gone so far as to suggest that practices causing “resource depletion, energy waste, environmental contamination, worker alienation, [and] the psychological and social consequences of producer-stimulated demands” could be unfair methods of competition. Maybe our current commissioners wouldn’t cast so wide a net, but they’re not always going to be in power. A government of laws and not of men simply can’t mete out state power on the basis of whim.
  2. It could bring standalone actions based on unfairness principles appearing in Section 5’s “common law.” The problem here is that there is no such common law. As Commissioner Wright has observed and I have previously explained, a common law doesn’t just happen. Development of a common law requires vigorously litigated disputes and reasoned, published opinions that resolve those disputes and serve as precedent. Section 5 “litigation,” such as it is, doesn’t involve any of that.
    • First, standalone Section 5 disputes tend not to be vigorously litigated. Because the FTC acts as both prosecutor and judge in such actions, their outcome is nearly a foregone conclusion. When FTC staff win before the administrative law judge, the ALJ’s decision is always affirmed by the full commission; when staff loses with the ALJ, the full Commission always reverses. Couple this stacked deck with the fact that unfairness exists in the eye of the beholder and will therefore change with the composition of the Commission, and we end up with a situation in which accused parties routinely settle. As Commissioner Wright observes, “parties will typically prefer to settle a Section 5 claim rather than go through lengthy and costly litigation in which they are both shooting at a moving target and have the chips stacked against them.”
    • The consent decrees that memorialize settlements, then, offer little prospective guidance. They usually don’t include any detailed explanation of why the practice at issue was an unfair method of competition. Even if they did, it wouldn’t matter much; the Commission doesn’t treat its own enforcement decisions as precedent. In light of the realities of Section 5 litigation, there really is no Section 5 common law.
  3. It could refrain from bringing standalone Section 5 actions and pursue only business practices that violate the substantive antitrust laws. Substantive antitrust violations constitute unfair methods of competition, and the federal courts have established fairly workable principles for determining when business practices violate the Sherman and Clayton Acts. The FTC could therefore avoid the “eye of the beholder” problem by limiting its UMC authority to business conduct that violates the antitrust laws. Such an approach, though, would prevent the FTC from policing conduct that, while not technically an antitrust violation, is anticompetitive and injurious to consumers.
  4. It could bring standalone Section 5 actions based on articulated guidelines establishing what constitutes an unfair method of competition. This is really the only way to use Section 5 to pursue business practices that are not otherwise antitrust violations, without offending the rule of law.

Now, if the FTC is to take this fourth approach—the only one that both allows for standalone Section 5 actions and honors rule of law commitments—it obviously has to settle on a set of guidelines.  Fortunately, it has almost done so!

Since Commissioner Wright called for Section 5 guidelines almost two years ago, much ink has been spilled outlining and critiquing proposed guidelines.  Commissioner Wright got the ball rolling by issuing his own proposal along with his call for the adoption of guidelines.  Commissioner Ohlhausen soon followed suit, proposing a slightly broader set of principles.  Numerous commentators then joined the conversation (a number doing so in a TOTM symposium), and each of the other commissioners has now stated her own views.

A good deal of consensus has emerged.  Each commissioner agrees that Section 5 should be used to prosecute only conduct that is actually anticompetitive (as defined by the federal courts).  There is also apparent consensus on the view that standalone Section 5 authority should not be used to challenge conduct governed by well-forged liability principles under the Sherman and Clayton Acts.  (For example, a practice routinely evaluated under Section 2 of the Sherman Act should not be pursued using standalone Section 5 authority.)  The commissioners, and the vast majority of commentators, also agree that there should be some efficiencies screen in prosecution decisions.  The remaining disagreement centers on the scope of the efficiencies screen—i.e., how much of an efficiency benefit must a business practice confer in order to be insulated from standalone Section 5 liability?

On that narrow issue—the only legitimate point of dispute remaining among the commissioners—three views have emerged:  Commissioner Wright would refrain from prosecuting if the conduct at issue creates any cognizable efficiencies; Commissioner Ohlhausen would do so as long as the efficiencies are not disproportionately outweighed by anticompetitive harms; Chairwoman Ramirez would engage in straightforward balancing (not a “disproportionality” inquiry) and would refrain from prosecution only where efficiencies outweigh anticompetitive harms.

That leaves three potential sets of guidelines.  In each, it would be necessary that a behavior subject to any standalone Section 5 action (1) create actual or likely anticompetitive harm, and (2) not be subject to well-forged case law under the traditional antitrust laws (so that pursuing the action might cause the distinction between lawful and unlawful commercial behavior to become blurred).  Each of the three sets of guidelines would also include an efficiencies screen—either (3a) the conduct lacks cognizable efficiencies, (3b) the harms created by the conduct are disproportionate to the conduct’s cognizable efficiencies, or (3c) the harms created by the conduct are not outweighed by cognizable efficiencies.

As Commissioner Wright has observed any one of these sets of guidelines would be superior to the status quo.  Accordingly, if the commissioners could agree on the acceptability of any of them, they could improve the state of U.S. competition law.

Recognizing as much, Commissioner Wright is wisely calling on the commissioners to vote on the acceptability of each set of guidelines.  If any set is deemed acceptable by a majority of commissioners, it should be promulgated as official FTC Guidance.  (Presumably, if more than one set commands majority support, the set that most restrains FTC enforcement authority would be the one promulgated as FTC Guidance.)

Of course, individual commissioners might just choose not to vote.  That would represent a sad abdication of authority.  Given that there isn’t (and under current practice, there can’t be) a common law of Section 5, failure to vote on a set of guidelines would effectively cast a vote for either option 1 stated above (ignore rule of law values) or option 3 (limit Section 5’s potential to enhance consumer welfare).  Let’s hope our commissioners don’t relegate us to those options.

The debate has occurred.  It’s time to vote.

In a previous Truth on the Market blog posting, I noted that the FTC recently revised its “advertising substantiation” policy in a highly problematic manner.  In particular, in a number of recent enforcement actions, an FTC majority has taken the position that it will deem advertising claims “deceptive” unless they are supported by two randomized controlled tests (RCTs), and (in the case of food and drug supplements) will require companies to obtain prior U.S. Food and Drug Administration (FDA) approval for future advertising claims.  As I explained in a Heritage Foundation Legal Memorandum, these and other new burdens “may deter firms from investing in new health-related product improvements, in which event consumers who are denied new and beneficial products (as well as useful information about the attributes of current products) will be the losers.  Competition will also suffer as businesses shy away from informational advertising that rewards the highest quality current products and encourages firms to compete on the basis of quality.  Furthermore, the broad scope of these requirements is in tension with the constitutional prohibition on restricting commercial speech no more than is necessary to satisfy legitimate statutory purposes.” (NOTABLY, Commissioner Maureen Ohlhausen has argued against categorically imposing a two RCTs requirement in all cases , explaining that “[i]f we demand too high a level of substantiation in pursuit of certainty, we risk losing the benefits to consumers of having access to information about emerging areas of science and the corresponding pressure on firms to compete on the health features of their products.”  Commissioner Joshua Wright has also opined “that a reflexive approach in requiring two RCTs as fencing-in relief might not always be in the best interest of consumers.”)

In a January 30, 2015 decision, POM Wonderful, LLC v. FTC, the D.C. Circuit took an initial step that may help rein in FTC enthusiasm for imposing a “two RCTs” requirement on future advertising by a firm.  The FTC ruled in 2013 that POM Wonderful, a producer and seller of pomegranate products, violated the FTC Act by making advertisements that suggested POM products could treat, prevent, or reduce heart disease, prostate cancer, and erectile dysfunction.  According to the FTC, the ads were false and misleading because POM lacked valid and adequate scientific evidence to substantiate its claims.  (The FTC determined that scientific findings cited by POM, based on over $35 million of pomegranate-related research, had not been supported by subsequent studies.)   The FTC entered a cease and desist order that barred POM from making future disease claims (claims that its products treat, prevent, or reduce a disease) about its products without “competent and reliable” scientific evidence.  Specifically, the FTC’s order required that such future claims be supported by at least two RCTs.  (NOTABLY, Commissioner Ohlhausen disagreed with the majority’s view that two RCTs were warranted and would have required only one RCT, regarding that study in light of other available scientific evidence.)

POM appealed to the D.C. Circuit, which unanimously held that there was no basis for setting aside the FTC’s finding that many of POM’s ads made false or misleading claims; that there was no First Amendment protection for deceptive advertising; and that requiring an RCT was not too onerous and did not violate the First Amendment.  The court concluded that “the [FTC] injunctive order’s requirement of some RCT substantiation for disease claims directly advances, and is not more extensive than necessary to serve, the interest in preventing misleading commercial speech”, consistent with the test for evaluating commercial speech enunciated by the Supreme Court in Central Hudson.  The court, however, also held that “a categorical floor of two RCTs for any and all disease claims . . . fails Central Hudson scrutiny”.  The court stressed that the FTC “fails to demonstrate how such a rigid remedial rule bears the requisite ‘reasonable fit’ with the interest in preventing deceptive speech.”  Significantly, the court also enunciated a strong policy justification, rooted in First Amendment commercial speech concerns, for precluding a categorical “two RCTs” rule:

“Requiring additional RCTs without adequate justification exacts considerable costs, and not just in terms of the substantial resources often necessary to design and conduct a properly randomized and controlled human clinical trial.  If there is a categorical bar against claims about the disease-related benefits of a food product or dietary supplement in the absence of two RCTs, consumers may be denied useful, truthful information about products with a demonstrated capacity to treat or prevent serious disease.  That would subvert rather than promote the objectives of the commercial speech doctrine.”

Accordingly, the court modified the FTC’s order to require that POM possess at least one RCT in support of future health-related advertising claims.  Assuming that the D.C. Circuit’s POM decision is not appealed and remains in force, future advertisers investigated by the FTC will have stronger grounds to resist FTC efforts to impose “two or more RCT” requirements as part of a decree.

This is just a small step in badly-needed reforms, however.  Even a single RCT is unnecessarily onerous in many market settings (and, in my view, ignores the teachings of Central Hudson).  More broadly, as I have previously argued, the FTC should rethink its entire approach and issue new advertising substantiation guidelines that state the FTC:  (1) will seek to restrict commercial speech to the smallest extent possible, consistent with fraud prevention; (2) will apply strict cost-benefit analysis in investigating advertising claims and framing remedies in advertising substantiation cases; (3) will apply a reasonableness standard in such cases, consistent with general guidance found in a 1983 FTC policy statement; (4) will not require clinical studies be conducted in order to substantiate advertising claims; (5) will not require that the FDA or any other agency be involved in approving or reviewing advertising claims; and (6) will avoid excessive “fencing in” relief that extends well beyond the ambit of the alleged harm associated with statements that the FTC deems misleading.  Enactment of such guidelines may be a long-term project, requiring a change in Commission thinking, but it is well worth pursuing, in order to advance both free commercial speech and consumer welfare.

Today the Federal Trade Commission (FTC) missed the mark in authorizing release of a staff report calling for legislation and regulation of the “Internet of Things.”

The Internet of Things is already affecting the daily lives of millions of Americans through the adoption of health and fitness monitors, home security devices, connected cars and household appliances, among other applications.  Such devices offer the potential for improved health-monitoring, safer highways, and more efficient home energy use, and a myriad of other potential benefits.  The rapidly increasing use of such devices, which transfer data electronically, also raises privacy and security concerns.  In November 2014 the FTC convened a one-day workshop to study the rapidly changing Internet of Things.

On January 27, 2015, the FTC staff released a report based on the record established by the workshop and follow-on comments from the public.  Unfortunately, the report went far beyond describing the state of play and setting forth the views of interested parties.  In particular, the FTC staff recommended detailed approaches businesses should follow to promote security and privacy in the Internet of Things, and repeated its prior call for strong data security and breach notification legislation.  The FTC voted 4-1 to issue the staff report, with Commissioner Joshua Wright dissenting and Commissioner Maureen Ohlhausen concurring but expressing opposition to two of the report’s recommendations (calling for privacy legislation and for companies to delete “excessive” but valuable data).

Commissioner Wright’s thoughtful dissent centers on the report’s failure to apply cost-benefit analysis to its recommendations, without which it is not possible to determine whether the recommendations are socially beneficial or harmful.  As Wright points out (footnotes omitted):

“Acknowledging in passing, as the Workshop Report does, that various courses of actions related to the Internet of Things may well have some potential costs and benefits does not come close to passing muster as cost-benefit analysis. The Workshop Report does not perform any actual analysis whatsoever to ensure that, or even to give a rough sense of the likelihood that the benefits of the staff’s various proposals exceed their attendant costs. Instead, the Workshop Report merely relies upon its own assertions and various surveys that are not necessarily representative and, in any event, do not shed much light on actual consumer preferences as revealed by conduct in the marketplace. This is simply not good enough; there is too much at stake for consumers as the Digital Revolution begins to transform their homes, vehicles, and other aspects of daily life.”

More specifically, Wright critiques the FTC’s proposal that companies limit the scope of data retention (“data minimization”) to protect consumers’ “reasonable expectations” and deter data thieves – as he explains, this proposal fails to discuss the magnitude of such costs to consumers and supplies no evidence demonstrating that the benefits of data minimization will outweigh its costs to consumers.  In a similar vein, Wright opposes the report’s proposal that companies adopt specific “security by design” measures, noting that:

“Relying upon the application of these concepts and the Fair Information Practice Principles to the Internet of Things can instead substitute for the sort of rigorous economic analysis required to understand the tradeoffs facing firms and consumers. An economic and evidence-based approach sensitive to those tradeoffs is much more likely to result in consumer-welfare enhancing consumer protection regulation. To the extent concepts such as security by design or data minimization are endorsed at any cost – or without regard to whether the marginal cost of a particular decision exceeds its marginal benefits – then application of these principles will result in greater compliance costs without countervailing benefit. Such costs will be passed on to consumers in the form of higher prices or less useful products, as well as potentially deter competition and innovation among firms participating in the Internet of Things.”

In sum, Wright concludes:

“Before setting forth industry best practices and recommendations for broad-based privacy legislation relating to the Internet of Things – proposals that could have a profound impact upon consumers – the Commission and its staff should, at a minimum, undertake the necessary work not only to identify the potential costs and benefits of implementing such best practices and recommendations, but also to perform analysis sufficient to establish with reasonable confidence that such benefits are not outweighed by their costs at the margin of policy intervention.”

The FTC does best when it rigorously evaluates the costs and benefits of its regulatory recommendations and proposed enforcement actions.  Unfortunately, in recent years it has lost sight of this common sense principle (particularly in the consumer protection area) in imposing highly burdensome advertising substantiation and data security enforcement requirements through litigation and consent decrees.  The detailed recommendations in the Internet of Things report suggest that the FTC may be eyeing public reports as a new source of “friendly persuasion.”  Because many firms may choose to adopt costly FTC business practice “suggestions” so as to avoid costly investigations and litigation, the actual harm in foregone business innovation and consumer welfare losses may not be readily apparent.  The competitive process and American consumers, however, are the losers – as are smaller companies that can less afford to absorb the costs of FTC micromanagement than their larger rivals.

In my just published Heritage Foundation Legal Memorandum, I argue that the U.S. Federal Trade Commission (FTC) should substantially scale back its overly aggressive “advertising substantiation” program, which disincentivizes firms from providing the public with valuable information about the products they sell.  As I explain:

“The . . . [FTC] has a long history of vigorously combating false and deceptive advertising under its statutory authorities, but recent efforts by the FTC to impose excessive ‘advertising substantiation’ requirements on companies go far beyond what is needed to combat false advertising. Such actions threaten to discourage companies from providing useful information that consumers value and that improves the workings of the marketplace. They also are in tension with constitutional protection for commercial speech. The FTC should reform its advertising substantiation policy and allow businesses greater flexibility to tailor their advertising practices, which would further the interests of both consumers and businesses. It should also decline to seek ‘disgorgement’ of allegedly ‘ill-gotten gains’ in cases involving advertising substantiation.”

In particular, I recommend that the FTC issue a revised policy statement explaining that it will seek to restrict commercial speech to the minimum extent possible, consistent with fraud prevention, and will not require onerous clinical studies to substantiate non-fraudulent advertising claims.  I also urge that the FTC clarify that it will only seek equitable remedies (including injunctions and financial exactions) in court for cases of clear fraud.

Recently I highlighted problems with the FTC’s enforcement actions targeting companies’ data security protection policies, and recommended that the FTC adopt a cost-benefit approach to regulation in this area.  Yesterday the Heritage Foundation released a more detailed paper by me on this topic, replete with recommendations for new FTC guidance and specific reforms aimed at maintaining appropriate FTC oversight while reducing excessive burdens.  Happy reading!

The U.S. Federal Trade Commission (FTC) continues to expand its presence in online data regulation.  On August 13 the FTC announced a forthcoming workshop to explore appropriate policies toward “big data,” a term used to refer to advancing technologies that are dramatically expanding the commercial collection, analysis, use, and storage of data.  This initiative follows on the heels of the FTC’s May 2014 data broker report, which recommended that Congress impose a variety of requirements on companies that legally collect and sell consumers’ personal information.  (Among other requirements, companies would be required to create consumer data “portals” and implement business procedures that allow consumers to edit and suppress use of their data.)  The FTC also is calling for legislation that would enhance its authority over data security standards and empower it to issue rules requiring companies to inform consumers of security breaches.

These recent regulatory initiatives are in addition to the Commission’s active consumer data enforcement efforts.  Some of these efforts are pursuant to three targeted statutory authorizations – the FTC’s Safeguards Rule (promulgated pursuant to the Gramm-Leach-Bliley Act and directed at non-bank financial institutions), the Fair Credit Reporting Act (directed at consumer protecting agencies), and the Children’s Online Privacy Protection Act (directed at children’s information collected online).

The bulk of the FTC’s enforcement efforts, however, stem from its general authority to proscribe unfair or deceptive practices under Section 5(a)(1) of the FTC ActSince 2002, pursuant to its Section 5 powers, the FTC has filed and settled over 50 cases alleging that private companies used deceptive or ineffective (and thus unfair) practices in storing their data.  (Twitter, LexisNexis, ChoicePoint, GMR Transcription Services, GeneLink, Inc., and mobile device provider HTC are just a few of the firms that have agreed to settle.)  Settlements have involved consent decrees under which the company in question agreed to take a wide variety of “corrective measures” to avoid future harm.

As a matter of first principles, one may question the desirability of FTC data security investigations under Section 5.  Firms have every incentive to avoid data protection breaches that harm their customers, in order to avoid the harm to reputation and business values that stem from such lapses.  At the same time, firms must weigh the costs of alternative data protection systems in determining what the appropriate degree of protection should be.  Economic logic indicates that the optimal business policy is not one that focuses solely on implementing the strongest data protection system program without regard to cost.  Rather, the optimal policy is to invest in enhancing corporate data security up to the point where the marginal benefits of additional security equal the marginal costs, and no further.  Although individual businesses can only roughly approximate this outcome, one may expect that market forces will tend toward the optimal result, as firms that underinvest in data security lose customers and firms that overinvest in security find themselves priced out of the market.  There is no obvious “market failure” that suggests the market should not work adequately in the data security area.  Indeed, there is a large (and growing) amount of information on security systems available to business, and a thriving labor market for IT security specialists to whom companies can turn in designing their security programs.   Nevertheless, it would be naive in the extreme to believe that the FTC will choose to abandon its efforts to apply Section 5 to this area.  With that in mind, let us examine more closely the problems with existing FTC Section 5 data security settlements, with an eye to determining what improvements the Commission might beneficially make if it is so inclined.

The HTC settlement illustrates the breadth of decree-specific obligations the FTC has imposed.  HTC was required to “establish a comprehensive security program, undergo independent security assessments for 20 years, and develop and release software patches to fix security vulnerabilities.”  HTC also agreed to detailed security protocols that would be monitored by a third party.  The FTC did not cite specific harmful security breaches to justify these sanctions; HTC was merely charged with a failure to “take reasonable steps” to secure smartphone software.  Nor did the FTC explain what specific steps short of the decree requirements would have been deemed “reasonable.”

The HTC settlement exemplifies the FTC’s “security by design” approach to data security, under which the agency informs firms after the fact what they should have done, without exploring what they might have done to pass muster.  Although some academics view the FTC settlements as contributing usefully to a developing “common law” of data privacy, supporters of this approach ignore its inherent ex ante vagueness and the costs decree-specific mandates impose on companies.

Another serious problem stems from the enormous investigative and litigation costs associated with challenging an FTC complaint in this area – costs that incentivize most firms to quickly accede to consent decree terms even if they are onerous.  The sad case of LabMD, a small cancer detection lab, serves as warning to businesses that choose to engage in long-term administrative litigation against the FTC.  Due to the cost burden of the FTC’s multi-year litigation against it (which is still ongoing as of this writing), LabMD was forced to wind down its operations, and it stopped accepting new patients in January 2014.

The LabMD case suggests that FTC data security initiatives, carried out without regard to the scale or resources of the affected companies, have the potential to harm competition.  Relatively large companies are much better able to absorb FTC litigation and investigation costs.  Thus, it may be in the large firms’ interests to encourage the FTC to support intrusive and burdensome new FTC data security initiatives, as part of a “raising rivals’ costs” strategy to cripple or eliminate smaller rivals.  As a competition and consumer welfare watchdog, the FTC should keep this risk in mind when weighing the merits of expanding data security regulations or launching new data security investigations.

A common thread runs through the FTC’s myriad activities in data privacy “space” – the FTC’s failure to address whether its actions are cost-beneficial.  There is little doubt that the FTC’s enforcement actions impose substantial costs, both on businesses subject to decree and investigation, and on other firms possessing data that must contemplate business system redesigns to forestall potential future liability.  As a result, business innovation suffers.  Furthermore, those costs are passed on at least in part to consumers, in the form of higher prices and a reduction in the quality and quantity of new products and services.  The FTC should, consistent with its consumer welfare mandate, carefully weigh these costs against the presumed benefits flowing from a reduction in future data breaches.  A failure to carry out a cost-benefit appraisal, even a rudimentary one, makes it impossible to determine whether the FTC’s much touted data privacy projects are enhancing or reducing consumer welfare.

FTC Commissioner Josh Wright recently gave voice to the importance of cost benefit analysis in commenting on the FTC’s data brokerage report – a comment that applies equally well to all of the FTC’s data protection and privacy initiatives:

“I would . . . like to see evidence of the incidence and scope of consumer harms rather than just speculative hypotheticals about how consumers might be harmed before regulation aimed at reducing those harms is implemented.  Accordingly, the FTC would need to quantify more definitively the incidence or value of data broker practices to consumers before taking or endorsing regulatory or legislative action. . . .  We have no idea what the costs for businesses would be to implement consumer control over any and all data shared by data brokers and to what extent these costs would ultimately be passed on to consumers.  Once again, a critical safeguard to insure against the risk that our recommendations and actions do more harm than good for consumers is to require appropriate and thorough cost-benefit analysis before acting.  This failure could be especially important where the costs to businesses from complying with any recommendations are high, but where the ultimate benefit generated for consumers is minimal. . . .  If consumers have minimal concerns about the sharing of certain types of information – perhaps information that is already publicly available – I think we should know that before requiring data brokers to alter their practices and expend resources and incur costs that will be passed on to consumers.”

The FTC could take several actions to improve its data enforcement policies.  First and foremost, it could issue Data Security Guidelines that (1) clarify the FTC’s enforcement actions regarding data security will be rooted in cost-benefit analysis, and (2) will take into account investigative costs as well as (3) reasonable industry self-regulatory efforts.  (Such Guidelines should be framed solely as limiting principles that tie the FTC’s hands to avoid enforcement excesses.  They should studiously avoid dictating to industry the data security principles that firms should adopt.)  Second, it could establish an FTC website portal that features continuously updated information on the Guidelines and other sources of guidance on data security. Third, it could employ cost-benefit analysis before pursuing any new regulatory initiatives, legislative recommendations, or investigations related to other areas of data protection.  Fourth, it could urge its foreign counterpart agencies to adopt similar cost-benefit approaches to data security regulation.

Congress could also improve the situation by enacting a narrowly tailored statute that preempts all state regulation related to data protection.  Forty-seven states now have legislation in this area, which adds additional burdens to those already imposed by federal law.  Furthermore, differences among state laws render the data protection efforts of merchants who may have to safeguard data from across the country enormously complex and onerous.  Given the inherently interstate nature of electronic commerce and associated data breaches, preemption of state regulation in this area would comport with federalism principles.  (Consistent with public choice realities, there is always the risk, of course, that Congress might be tempted to go beyond narrow preemption and create new and unnecessary federal powers in this area.  I believe, however, that such a risk is worth running, given the potential magnitude of excessive regulatory burdens, and the ability to articulate a persuasive public policy case for narrow preemptive legislation.)

Stay tuned for a more fulsome discussion of these issues by me.

“Operation Choke Point” (OCP) is an interdepartmental initiative by the U.S. Department of Justice (DOJ) and federal financial services regulators to discourage financial intermediaries from dealing with consumer fraud-plagued industries.  In an August 4 Heritage Foundation Legal Memorandum, I discuss the misapplication of this potentially beneficial project and recommend possible measures to reform OCP.

If OCP properly focused on helping financial intermediaries better identify indicia of fraud, it would be a laudable initiative.  A recent report by the House Committee on Government Oversight and Government Reform, however, reveals that financial services agencies, such as the Federal Deposit Insurance Corporation, have under the aegis of OCP created lists of disfavored but lawful industries.  Payday lenders are on the list, but so are such business categories as firearms sales, ammunition sales, and credit repair services, to name just a few.  Apparently third party financial intermediaries may have been “encouraged” by federal regulators not to deal with firms in “disfavored” sectors.  To the extent this is happening, it raises serious rule of law concerns.  Regulators have no legal authority to direct private financial services away from government-disfavored but fully legal activity – such actions promote unfair legally disparate treatment of commercial actors.  Moreover, financial intermediaries and the firms they are pressured into “choking off” suffer welfare losses from such conduct, as do the consumers who are denied access to (or pay higher prices for) desired goods and services supplied by the “choked off” merchants.

Another problem associated with OCP is the Federal Trade Commission’s recent litigation against lawful payment processors and other financial intermediaries for dealing with businesses allegedly engaged in fraud.  The FTC has taken these actions without proof that the intermediaries knew that their clients were engaging in fraud.  The FTC’s actions also may be undermining the usefulness of private sector self-regulatory efforts – embodied, for example, in April 2014 guidelines by the Electronic Transactions Association providing underwriting and monitoring standards that could help payment processors better spot fraud.

My Heritage Legal Memorandum suggests the following measures could reorient OCP in a socially beneficial direction:

  • DOJ and all Financial Fraud Enforcement Task Force agencies (federal regulators) should inform the bank and non-bank financial intermediaries they regulate that they are rescinding all lists of “problematic” industries engaging in lawful activities (for example, legal gun sellers) that may trigger federal enforcement concern.
  • In implementing OCP, the federal regulators should state publicly that they oppose all discrimination against companies on grounds that are not directly related to a proven propensity for engaging in fraud or other serious illegal conduct.
  • In implementing OCP, if backed by empirical evidence, federal regulators should issue very specific red-flag indicia of fraud by merchants which, if discovered by financial intermediaries, may justify termination of the intermediaries’ relationships with those merchants, as well as informing the appropriate regulatory agencies. This guidance should clarify that the onus is not being placed on the intermediaries to uncover the indicia and that the intermediaries will not be subject to federal investigation or sanction if fraud by the merchants subsequently is revealed so long as the merchants acted with reasonable prudence, consistent with sound business practices.
  • The FTC should issue a policy statement providing that it will not sue payment processors based on alleged fraud by merchants unless there is evidence that the processors knowingly participated in fraud. Further, the statement should express a preference for deferring in the first place and whenever reasonable to industry self-regulation.

Adoption by federal regulators of recommendations along these lines would protect consumers from financial fraud without hobbling legitimate business interests and depriving consumers of full access to the legal products and services they desire.

The Federal Trade Commission’s recent enforcement actions against Amazon and Apple raise important questions about the FTC’s consumer protection practices, especially its use of economics. How does the Commission weigh the costs and benefits of its enforcement decisions? How does the agency employ economic analysis in digital consumer protection cases generally?

Join the International Center for Law and Economics and TechFreedom on Thursday, July 31 at the Woolly Mammoth Theatre Company for a lunch and panel discussion on these important issues, featuring FTC Commissioner Joshua Wright, Director of the FTC’s Bureau of Economics Martin Gaynor, and several former FTC officials. RSVP here.

Commissioner Wright will present a keynote address discussing his dissent in Apple and his approach to applying economics in consumer protection cases generally.

Geoffrey Manne, Executive Director of ICLE, will briefly discuss his recent paper on the role of economics in the FTC’s consumer protection enforcement. Berin Szoka, TechFreedom President, will moderate a panel discussion featuring:

  • Martin Gaynor, Director, FTC Bureau of Economics
  • David Balto, Fmr. Deputy Assistant Director for Policy & Coordination, FTC Bureau of Competition
  • Howard Beales, Fmr. Director, FTC Bureau of Consumer Protection
  • James Cooper, Fmr. Acting Director & Fmr. Deputy Director, FTC Office of Policy Planning
  • Pauline Ippolito, Fmr. Acting Director & Fmr. Deputy Director, FTC Bureau of Economics

Background

The FTC recently issued a complaint and consent order against Apple, alleging its in-app purchasing design doesn’t meet the Commission’s standards of fairness. The action and resulting settlement drew a forceful dissent from Commissioner Wright, and sparked a discussion among the Commissioners about balancing economic harms and benefits in Section 5 unfairness jurisprudence. More recently, the FTC brought a similar action against Amazon, which is now pending in federal district court because Amazon refused to settle.

Event Info

The “FTC: Technology and Reform” project brings together a unique collection of experts on the law, economics, and technology of competition and consumer protection to consider challenges facing the FTC in general, and especially regarding its regulation of technology. The Project’s initial report, released in December 2013, identified critical questions facing the agency, Congress, and the courts about the FTC’s future, and proposed a framework for addressing them.

The event will be live streamed here beginning at 12:15pm. Join the conversation on Twitter with the #FTCReform hashtag.

When:

Thursday, July 31
11:45 am – 12:15 pm — Lunch and registration
12:15 pm – 2:00 pm — Keynote address, paper presentation & panel discussion

Where:

Woolly Mammoth Theatre Company – Rehearsal Hall
641 D St NW
Washington, DC 20004

Questions? – Email mail@techfreedom.orgRSVP here.

See ICLE’s and TechFreedom’s other work on FTC reform, including:

  • Geoffrey Manne’s Congressional testimony on the the FTC@100
  • Op-ed by Berin Szoka and Geoffrey Manne, “The Second Century of the Federal Trade Commission”
  • Two posts by Geoffrey Manne on the FTC’s Amazon Complaint, here and here.

About The International Center for Law and Economics:

The International Center for Law and Economics is a non-profit, non-partisan research center aimed at fostering rigorous policy analysis and evidence-based regulation.

About TechFreedom:

TechFreedom is a non-profit, non-partisan technology policy think tank. We work to chart a path forward for policymakers towards a bright future where technology enhances freedom, and freedom enhances technology.

Today the FTC filed its complaint in federal district court in Washington against Amazon, alleging that the company’s in-app purchasing system permits children to make in-app purchases without parental “informed consent” constituting an “unfair practice” under Section 5 of the FTC Act.

As I noted in my previous post on the case, in bringing this case the Commission is doubling down on the rule it introduced in Apple that effectively converts the balancing of harms and benefits required under Section 5 of the FTC Act to a per se rule that deems certain practices to be unfair regardless of countervailing benefits. Similarly, it is attempting to extend the informed consent standard it created in Apple that essentially maintains that only specific, identified practices (essentially, distinct notification at the time of purchase or opening of purchase window, requiring entry of a password to proceed) are permissible under the Act.

Such a standard is inconsistent with the statute, however. The FTC’s approach forecloses the ability of companies like Amazon to engage in meaningful design decisions and disregards their judgment about which user interface designs will, on balance, benefit consumers. The FTC Act does not empower the Commission to disregard the consumer benefits of practices that simply fail to mimic the FTC’s preconceived design preferences. While that sort of approach might be defensible in the face of manifestly harmful practices like cramming, it is wholly inappropriate in the context of app stores like Amazon’s that spend considerable resources to design every aspect of their interaction with consumers—and that seek to attract, not to defraud, consumers.

Today’s complaint occasions a few more observations:

  1. Amazon has a very strong case. Under Section 5 of the FTC Act, the Commission will have to prevail on all three elements required to prove unfairness under Section 5: that there is substantial injury, that consumers can’t reasonably avoid the injury and that any countervailing benefits don’t outweigh the injury. But, consistent with its complaint and consent order in Apple, the Amazon complaint focuses almost entirely on only the first of these. While that may have been enough to induce Apple to settle out of court, the FTC will actually have to make out a case on reasonable avoidance and countervailing benefits at trial. It’s not at all clear that the agency will be able to do so on the facts alleged here.
  2. On reasonable avoidance, over and above Amazon’s general procedures that limit unwanted in-app purchases, the FTC will have a tough time showing that Amazon’s Kindle Free Time doesn’t provide parents with more than enough ability to avoid injury. In fact, the complaint doesn’t mention Free Time at all.
  3. Among other things, the complaint asserts that Amazon knew about issues with in-app purchasing by December of 2011 and claims that “[n]ot until June 2014 did Amazon change its in-app charge framework to obtain account holders’ informed consent for in-app charges on its newer mobile devices.” But Kindle Free Time was introduced in September of 2012. While four FTC Commissioners may believe that Free Time isn’t a sufficient response to the alleged problem, it is clearly a readily available, free and effective (read: reasonable) mechanism for parents to avoid the alleged harms. It may not be what the design mavens at the FTC would have chosen to do, but it seems certain that avoiding unauthorized in-app purchases by children was part of what motivated Amazon’s decision to create and offer Free Time.
  4. On countervailing benefits, as Commissioner Wright discussed in detail in his dissent from the Apple consent order, the Commission seems to think that it can simply assert that there are no countervailing benefits to Amazon’s design choices around in-app purchases. Here the complaint doesn’t mention 1-Click at all, which is core to Amazon’s user interface design and essential to evaluating the balance of harms and benefits required by the statute.
  5. Even if it can show that Amazon’s in-app purchase practices caused harm, the Commission will still have to demonstrate that Amazon’s conscious efforts to minimize the steps required to make purchases doesn’t benefit consumers on balance. In Apple, the FTC majority essentially (and improperly) valued these sorts of user-interface benefits at zero. It implicitly does so again here, but a court will require more than such an assertion.
  6. Given these lapses, there is even a chance that the complaint will be thrown out on a motion to dismiss. It’s a high bar, but if the court agrees that there are insufficient facts in the complaint to make out a plausible case on all three elements, Amazon could well prevail on a motion to dismiss. The FTC’s approach in the Apple consent order effectively maintains that the agency can disregard reasonable avoidance and countervailing benefits in contravention of the statute. By following the same approach here in actual litigation, the FTC may well meet resistance from the courts, which have not yet so cavalierly dispensed with the statute’s requirements.