The Federal Trade Commission (FTC) recently published a paper recapping its December 2017 Informational Injury Workshop. Workshop participants, including academics, industry experts, consumer advocates, and government researchers, discussed what types of consumer harm might qualify as “substantial injury” under the FTC Act and what factors should be considered. The paper noted that several important points emerged from the workshop:
Informational Injuries: Examples and Harms
- In cases involving medical identity theft, some participants noted that consumer injuries can go beyond financial harm and often include inaccurate information in medical files. They argued that this can lead to more serious issues for treatment and patient safety.
- Some victims of doxing, the deliberate and targeted release of private information about an individual, can lose access to important devices, files, and services that can be used to extort the victim.
- Some participants noted that disclosure of private information may cause both market (e.g., ability to obtain or maintain employment) and non-market (e.g., relationships with friends and family).
- Some participants also asserted that privacy and data breaches can lead to an erosion of trust in the ability of businesses to protect their data. Some believed that this can lead to disengagement that harms both the affected businesses and the consumers themselves as they miss out on the full range of benefits available.
Balancing Benefits and Harms
Participants noted that informational injuries, and the risk of such injuries, must be balanced against the benefits gained from information collection. The ad-supported Internet is a key benefit of information collection; consumers do not have to pay for services. Participants noted that some websites and online services rely heavily on user- and third-party data inputs, and that web users generally benefit from personalization.
Should Government Intervene?
There was robust debate over whether and when government should intervene over informational injuries. Participants noted the importance of flexibility and innovation and wanted to avoid unintended consequences from government innovation. Some suggested three factors the government should consider before intervening:
- How sensitive is the data?
- How will the information be used?
- Will the information be anonymized or identifiable?
Should the Definition of Injury Include Risk of Injury?
One participant argued that the increased risk of harm created by certain practices should be taken into account, not just the harm itself. Another participant disagreed, arguing that if risk of injury constituted injury then “literally everything, literally the existence of these businesses, would increase the risk of injury and therefore be actionable.”
The Privacy Paradox
The privacy paradox – where people say in surveys they care about privacy but their behavior does not reflect that – was discussed at length. Participants discussed several explanations for the paradox. People may not understand the privacy risks of their behaviors or care differently about their privacy depending on context. One participant suggested that people may not file suit over data breaches because they do not want to make their name public as part of a lawsuit.
More Research Needed
Participants agreed that more research is needed on privacy and data security to help guide policymakers. In June 2019, the FTC will host its annual PrivacyCon conference that will explore new academic perspectives and ongoing research into privacy and data security issues. Additionally, the FTC is conducting an ongoing series of hearings on Competition and Consumer Protection in the 21st Century, including on privacy and data security issues.
Gregory Oshel, in our Baltimore office, contributed to this post.