Showing 9 of 146 Publications in Privacy

The Dark Side of the FTC’s Latest Privacy Case, In the Matter of Nomi Technologies

Popular Media

Last week, the FTC announced its complaint and consent decree with Nomi Technologies for failing to allow consumers to opt-out of cell phone tracking while shopping in retail stores. Whatever one thinks about Nomi itself, the FTC’s enforcement action represents another step in the dubious application of its enforcement authority against deceptive statements.

In response, Geoffrey Manne, Ben Sperry, and Berin Szoka have written a new ICLE White Paper, titled In the Matter of Nomi Technologies, Inc.: The Dark Side of the FTC’s Latest Feel-Good Case.

Nomi Technologies offers retailers an innovative way to observe how customers move through their stores, how often they return, what products they browse and for how long (among other things) by tracking the Wi-Fi addresses broadcast by customers’ mobile phones. This allows stores to do what websites do all the time: tweak their configuration, pricing, purchasing and the like in response to real-time analytics — instead of just eyeballing what works. Nomi anonymized the data it collected so that retailers couldn’t track specific individuals. Recognizing that some customers might still object, even to “anonymized” tracking, Nomi allowed anyone to opt-out of all Nomi tracking on its website.

The FTC, though, seized upon a promise made within Nomi’s privacy policy to provide an additional, in-store opt out and argued that Nomi’s failure to make good on this promise — and/or notify customers of which stores used the technology — made its privacy policy deceptive. Commissioner Wright dissented, noting that the majority failed to consider evidence that showed the promise was not material, arguing that the inaccurate statement was not important enough to actually affect consumers’ behavior because they could opt-out on the website anyway. Both Commissioner Wright’s and Commissioner Ohlhausen’s dissents argued that the FTC majority’s enforcement decision in Nomi amounted to prosecutorial overreach, imposing an overly stringent standard of review without any actual indication of consumer harm.

The FTC’s deception authority is supposed to provide the agency with the authority to remedy consumer harms not effectively handled by common law torts and contracts — but it’s not a blank check. The 1983 Deception Policy Statement requires the FTC to demonstrate:

  1. There is a representation, omission or practice that is likely to mislead the consumer;
  2. A consumer’s interpretation of the representation, omission, or practice is considered reasonable under the circumstances; and
  3. The misleading representation, omission, or practice is material (meaning the inaccurate statement was important enough to actually affect consumers’ behavior).

Under the DPS, certain types of claims are treated as presumptively material, although the FTC is always supposed to “consider relevant and competent evidence offered to rebut presumptions of materiality.” The Nomi majority failed to do exactly that in its analysis of the company’s claims, as Commissioner Wright noted in his dissent:

the Commission failed to discharge its commitment to duly consider relevant and competent evidence that squarely rebuts the presumption that Nomi’s failure to implement an additional, retail-level opt out was material to consumers. In other words, the Commission neglects to take into account evidence demonstrating consumers would not “have chosen differently” but for the allegedly deceptive representation.

As we discuss in detail in the white paper, we believe that the Commission committed several additional legal errors in its application of the Deception Policy Statement in Nomi, over and above its failure to adequately weigh exculpatory evidence. Exceeding the legal constraints of the DPS isn’t just a legal problem: in this case, it’s led the FTC to bring an enforcement action that will likely have the very opposite of its intended result, discouraging rather than encouraging further disclosure.

Moreover, as we write in the white paper:

Nomi is the latest in a long string of recent cases in which the FTC has pushed back against both legislative and self-imposed constraints on its discretion. By small increments (unadjudicated consent decrees), but consistently and with apparent purpose, the FTC seems to be reverting to the sweeping conception of its power to police deception and unfairness that led the FTC to a titanic clash with Congress back in 1980.

The Nomi case presents yet another example of the need for FTC process reforms. Those reforms could ensure the FTC focuses on cases that actually make consumers better off. But given the FTC majority’s unwavering dedication to maximizing its discretion, such reforms will likely have to come from Congress.

Find the full white paper here.

Antitrust & Consumer Protection

Interesting Upcoming Law and Economics Center Privacy Event

Popular Media

On Wednesday, March 18, our fellow law-and-economics-focused brethren at George Mason’s Law and Economics Center will host a very interesting morning briefing on the intersection of privacy, big data, consumer protection, and antitrust. FTC Commissioner Maureen Ohlhausen will keynote and she will be followed by what looks like it will be a lively panel discussion. If you are in DC you can join in person, but you can also watch online. More details below.

Please join the LEC in person or online for a morning of lively discussion on this topic. FTC Commissioner Maureen K. Ohlhausen will set the stage by discussing her Antitrust Law Journal article, “Competition, Consumer Protection and The Right [Approach] To Privacy”. A panel discussion on big data and antitrust, which includes some of the leading thinkers on the subject, will follow.

Other featured speakers include:

Allen P. Grunes
Founder, The Konkurrenz Group and Data Competition Institute

Andres Lerner
Executive Vice President, Compass Lexecon

Darren S. Tucker
Partner, Morgan Lewis

Nathan Newman
Director, Economic and Technology Strategies LLC

Moderator: James C. Cooper
Director, Research and Policy, Law & Economics Center

A full agenda is available here.

Antitrust & Consumer Protection

The FTC's Misguided Notion of a “Common Law” of Data Security

Scholarship

Summary

“Commissioner Brill and a few academics have described the FTC’s data security settlements as developing a “common law” of data security. It is not readily apparent, however, that the over 50 independent complaints and settlement agreements between the FTC and particular companies amounts to what is traditionally understood as the common law. Moreover, because the FTC’s enforcement and adjudication process differs so substantially from traditional civil adjudication, even if the FTC’s data security settlements have certain common law characteristics, it is likely that the content of the FTC’s data security law differs substantially from what would emerge from – and what would be desirable in – a traditional common law process.

As it happens, however, we do have an actual common law of data security — that is, data security cases adjudicated in civil courts — with which to compare the FTC’s process and settlements.

Those who defend the notion of an FTC data security common law identify the shortcomings of common law in civil courts—alleging, in essence, a sort of “market failure”—and they suggest that the FTC’s common law approach can and should correct this market failure, in part because the FTC does have a common law process. These claims are often largely descriptive, but, as suggested, there must be a normative preference inherent in the “common law” conclusion – or else, who cares?

This paper attempts to analyze this alleged administrative “common law” with reference to the actual common law baseline of data security developing in federal courtrooms. We consider the dynamics in both processes, and assess to what extent they comport with the attributes of common law, and whether they likely further the desirable aspects of a common law process.”

 

Data Security & Privacy

Comments, Effects of Big Data on Low Income & Underserved Communities, FTC

Regulatory Comments

Summary

“To the American ear, there is perhaps no uglier word than “discrimination.” The mere mention brings to mind Bull Connor, turning police dogs and fire hoses onto Martin Luther King, Jr.’s nonviolent demonstrators against Jim Crow in Birmingham, back in the 1962. Or perhaps subtler manifestations of racism. We all want America to be that nation King spoke of, where everyone “will not be judged by the color of their skin, but by the content of their character.”

Yet this is precisely what “Big Data” offers: by studying correlations in larger data sets, “data scientists” can craft algorithms that distinguish better between superficial attributes like race, sex, and sexual orientation and deeper attributes like reliability, honesty, credit worthiness and other aspects of the “content of our character.” In short, Big Data may mean less of the Bull Connor kind of discrimination and more of the kind that would have seemed natural to Jane Austen’s readers (Merriam Webster’s second definition). This is precisely what credit scoring did: replacing the old system where bankers made lending decisions based on the banker’s personal judgment — and biases — with one that discriminated between good and bad credit risks, regardless of superficial attributes or the simple social proximity between banker and borrower…”

Data Security & Privacy

Comments, Big Data and Consumer Privacy in the Internet Economy

Regulatory Comments

Summary

“…A serious assessment of the need for new privacy legislation, and the right way to frame it, would not begin by assuming the premise that a particular framework is necessary. Specifically, before recommending any new legislation, the NTIA should do – or ensure that someone does – what the Federal Trade Commission has steadfastly refused to do: carefully assess what is and is not already covered by existing U.S. laws…”

“Existing laws might well be inadequate to deal with some of the specific challenges raised by Big Data. But until they are more carefully examined, we will not know where the gaps are. Even those who might insist that there would be no harm to redundancy should agree that we must learn from the lessons of past experience with these laws. Moreover, it is essential to understand what existing law covers because either (a) it will co-exist with any future privacy law, in which case companies will have potentially conflicting…”

Data Security & Privacy

Permissionless innovation does not mean “no contracts required”

Popular Media

UPDATE: I’ve been reliably informed that Vint Cerf coined the term “permissionless innovation,” and, thus, that he did so with the sorts of private impediments discussed below in mind rather than government regulation. So consider the title of this post changed to “Permissionless innovation SHOULD not mean ‘no contracts required,’” and I’ll happily accept that my version is the “bastardized” version of the term. Which just means that the original conception was wrong and thank god for disruptive innovation in policy memes!

Can we dispense with the bastardization of the “permissionless innovation” concept (best developed by Adam Thierer) to mean “no contracts required”? I’ve been seeing this more and more, but it’s been around for a while. Some examples from among the innumerable ones out there:

Vint Cerf on net neutrality in 2009:

We believe that the vast numbers of innovative Internet applications over the last decade are a direct consequence of an open and freely accessible Internet. Many now-successful companies have deployed their services on the Internet without the need to negotiate special arrangements with Internet Service Providers, and it’s crucial that future innovators have the same opportunity. We are advocates for “permissionless innovation” that does not impede entrepreneurial enterprise.

Net neutrality is replete with this sort of idea — that any impediment to edge providers (not networks, of course) doing whatever they want to do at a zero price is a threat to innovation.

Chet Kanojia (Aereo CEO) following the Aereo decision:

It is troubling that the Court states in its decision that, ‘to the extent commercial actors or other interested entities may be concerned with the relationship between the development and use of such technologies and the Copyright Act, they are of course free to seek action from Congress.’ (Majority, page 17) That begs the question: Are we moving towards a permission-based system for technology innovation?

At least he puts it in the context of the Court’s suggestion that Congress pass a law, but what he really wants is to not have to ask “permission” of content providers to use their content.

Mike Masnick on copyright in 2010:

But, of course, the problem with all of this is that it goes back to creating permission culture, rather than a culture where people freely create. You won’t be able to use these popular or useful tools to build on the works of others — which, contrary to the claims of today’s copyright defenders, is a key component in almost all creativity you see out there — without first getting permission.

Fair use is, by definition, supposed to be “permissionless.” But the concept is hardly limited to fair use, is used to justify unlimited expansion of fair use, and is extended by advocates to nearly all of copyright (see, e.g., Mike Masnick again), which otherwise requires those pernicious licenses (i.e., permission) from others.

The point is, when we talk about permissionless innovation for Tesla, Uber, Airbnb, commercial drones, online data and the like, we’re talking (or should be) about ex ante government restrictions on these things — the “permission” at issue is permission from the government, it’s the “permission” required to get around regulatory roadblocks imposed via rent-seeking and baseless paternalism. As Gordon Crovitz writes, quoting Thierer:

“The central fault line in technology policy debates today can be thought of as ‘the permission question,’” Mr. Thierer writes. “Must the creators of new technologies seek the blessing of public officials before they develop and deploy their innovations?”

But it isn’t (or shouldn’t be) about private contracts.

Just about all human (commercial) activity requires interaction with others, and that means contracts and licenses. You don’t see anyone complaining about the “permission” required to rent space from a landlord. But that some form of “permission” may be required to use someone else’s creative works or other property (including broadband networks) is no different. And, in fact, it is these sorts of contracts (and, yes, the revenue that may come with them) that facilitate people engaging with other commercial actors to produce things of value in the first place. The same can’t be said of government permission.

Don’t get me wrong – there may be some net welfare-enhancing regulatory limits that might require forms of government permission. But the real concern is the pervasive abuse of these limits, imposed without anything approaching a rigorous welfare determination. There might even be instances where private permission, imposed, say, by a true monopolist, might be problematic.

But this idea that any contractual obligation amounts to a problematic impediment to innovation is absurd, and, in fact, precisely backward. Which is why net neutrality is so misguided. Instead of identifying actual, problematic impediments to innovation, it simply assumes that networks threaten edge innovation, without any corresponding benefit and with such certainty (although no actual evidence) that ex ante common carrier regulations are required.

“Permissionless innovation” is a great phrase and, well developed (as Adam Thierer has done), a useful concept. But its bastardization to justify interference with private contracts is unsupported and pernicious.

Financial Regulation & Corporate Governance

Bringing Antitrust’s Limits to the FTC’s Consumer Protection Authority

Scholarship

Summary

The FTC oversees nearly every company in America. It polices competition by enforcing the antitrust laws. It tries to protect consumers by punishing deception and practices it deems “unfair.” It’s the general enforcer of corporate promises made in privacy policies and codes of conduct generated by industry and multi-stakeholder processes. It’s the de facto regulator of the media, from traditional advertising to internet search and social networks. It handles novel problems of privacy, data security, online child protection, and patents, among others.

But perhaps most importantly, the Federal Trade Commission has become, for better or worse, the Federal *Technology* Commission, and technology creates a special problem for regulators.

Inherent limitations on anyone’s knowledge about the future nature of technology, business, and social norms caution skepticism as regulators attempt to predict whether any given business conduct will, on net, improve or harm consumer welfare. In fact, a host of factors suggests that even the best-intentioned regulators may tend toward overconfidence and the erroneous condemnation of novel conduct that benefits consumers in ways that are difficult for regulators to understand.

One thing is certain: A top-down, administrative regulatory model of regulation is ill-suited for technology, and this technocratic model of regulation is inconsistent with the regulatory humility required in the face of fast-changing, unexpected—and immeasurably valuable—technological advance.

In assessing the FTC, three themes emerge as being crucial to the Agency’s continued success: humility, institutional structure, and economic rigor. Together these three elements serve the essential function of restraining this powerful Agency’s discretion.

This essay discusses how these constraints have operated (or failed to operate) in the past, and offers some suggestions for reform to improve their operation in the future.

 

Antitrust & Consumer Protection

The Law and Economics of Data and Privacy in Antitrust Analysis

Scholarship

Summary

While several scholars and policymakers have proposed that threats to privacy and competition from concentration of data be incorporated into antitrust analysis, no one has yet articulated a coherent theory as to how degrading privacy or aggregating data can be anticompetitive — nor even what, precisely, privacy harms are in this context. In this paper, we survey and evaluate the various attempts to incorporate privacy concerns into antitrust’s domain. We find that those more skeptical of antitrust law’s ability to deal with privacy concerns have the better of the argument.

We approach the question by applying law and economics insights, including the error cost framework associated with antitrust scholars such as Frank Easterbrook, Joshua Wright, and Douglas Ginsburg. This is the first paper in the literature to evaluate all of the proposed approaches in a systematic way. While there have been a few skeptics of incorporating privacy into antitrust, we complement those papers by considering the literature arguing the aggregation of data can itself be a privacy harm that has developed since their publication.

We highlight several problems with the theories advanced thus far. First, some of the theories rely on outdated economic models that assume big is bad, rather than on modern consumer welfare analysis. Second, none of the proposed approaches adequately defines the market for data. Third, none of the proposed approaches adequately explains how concentrations of data alter a firm’s ability or incentive to degrade privacy, nor why such degradations would amount to anticompetitive conduct. Fourth, the theories of harm identified by advocates of including privacy in antitrust analysis are inconsistent with one another: Some of the competitive harms identified have little to do with privacy, and some of the privacy harms identified are not antitrust-relevant, or at least not of the type normally condemned by antitrust law. Finally, there are no reasonable or antitrust-relevant remedies available for alleged anticompetitive harms arising from data or the privacy threats supposedly posed by increased data aggregation.

Insofar as privacy harms need a public policy response, common law remedies of tort and contract supplemented by the FTC’s ongoing enforcement of consumer protection law are a better alternative to antitrust law. There are pro-competitive reasons for allegedly privacy-invasive practices like data collection, analysis, behavioral advertising, and even price discrimination. Applying an error cost framework suggests that barring such activity outright will lead to a decrease in consumer welfare. Targeted enforcement against anti-consumer abuses through common law and consumer protection law could preserve the benefits of data collection and analysis while ameliorating and deterring privacy harms.

This paper is an outgrowth of a presentation given by Geoffrey Manne at the George Mason Law Review’s Symposium on Privacy Regulation and Antitrust on January 17, 2013.

Data Security & Privacy

Senator Markey’s Do Not Track Kids Act of 2013 Raises the Question: What’s the Point of COPPA?

TOTM

The Children’s Online Privacy Protection Act (COPPA) continues to be a hot button issue for many online businesses and privacy advocates. On November 14, Senator Markey, along with Senator Kirk and Representatives Barton and Rush, introduced the Do Not Track Kids Act of 2013 to amend the statute to include children from 13-15 and add new requirements, like an eraser button. The current COPPA Rule, since the FTC’s recent update went into effect this past summer, requires parental consent before businesses can collect information about children online, including relatively de-identified information like IP addresses and device numbers that allow for targeted advertising.

Read the full piece here

Antitrust & Consumer Protection