The Federal Trade Commission is currently the most aggressive enforcement agency on privacy and data security. The agency kicked off 2016 with PrivacyCon on January 14, which put the spotlight on academic research on consumer privacy and security.
The conference, which drew 400 attendees to Southwest D.C. and 1,500 more streaming online, showcased 19 papers on topics ranging from mismatched consumer privacy expectations online to the costs and causes of cyber incidents, with many papers focusing on the technology of online tracking. While the papers presented do not necessarily reflect the view of the FTC, it is likely that they selected presenters and findings that are consistent with their enforcement priorities.
FTC Chairwoman Edith Ramirez began the conference by emphasizing the agency’s role in going after unfair and deceptive trade practices, and how those efforts have recently targeted many tech companies, including Snapchat and Oracle. Researchers and technologists can help both the government and businesses understand what consumers expect, how they are being targeted, and how to address any unfairness.
Many of the papers highlighted areas where the FTC has previously said consumers are being unfairly targeted, with some of the more striking findings possibly signaling future enforcement priorities.
In a panel on “The Current State of Online Privacy,” one researcher presented a paper showing that the number of tracking cookies on popular websites had doubled in the past few years. Most of the cookies are placed by third-party hosts.
“We found that users who merely visit the home pages of the top 100 most popular sites would collect 6,000 cookies, twice as many as we detected in 2012,” said Ibrahim Ataweel of the University of California, Berkeley.
In response to this finding, the FTC could push back more aggressively on the unfairness of tracking Internet users without their knowledge or consent.
Another paper described the involvement that most consumers actually have with the notice and choice process and how likely they are to make rational decisions. This and other papers on how much consumers understand privacy notices offered guidance on how to assist consumers, such as by reducing the notices they need to see or automatically configuring their settings rather than expecting them to be rational in protecting their interests. As one researcher suggested, the FTC must do more to study consumer behavior in order to design protective policies.
‘If you look at today’s Commission actions, their false advertising theories are much more in line with how consumers really understand ads and how consumers really act,” said Chris Jay Hoofnagle of the UC Berkeley School of Law. “That has not come over to the privacy side.”
Acting on such advice, research on how data subjects actually weigh the value of giving up their data against their privacy and whether they pay attention to privacy notices may help the FTC decide whether businesses’ notice and consent processes are sufficient or if they unfairly take advantage of consumer fatigue or lack of understanding.
Commissioner Julie Brill pointed out that cars have become computers on wheels, yet auto companies have kept them simple to use for the average consumer. “Companies can do the same for privacy,” she said. Commissioner Brill went on to identify two principles that she believes should guide the development on privacy and data security issues going forward: (1) consumer awareness of how their data will be collected and used, and (2) caution against relying too heavily on only one data security measure (e.g., encryption).
Does the workshop indicate that a more aggressive approach by the FTC may be in the works? Perhaps. As we know, both the FTC and the courts have supported the idea that it’s reasonable to expect companies to protect their customers’ information, data and privacy. However, the current state of privacy regulation oftentimes creates confusion among companies engaging in data collection practices. At the very least, we can anticipate the FTC pushing companies to be more transparent in their notices to consumers about their data collection and use practices.
To view videos and transcripts from the workshop, click here.