Ohlhausen should direct FTC to focus on real harms to privacy

When was the last time you read a privacy policy? I mean actually read it, not just clicked “I agree”?

The FTC has said time and time again that “consumers don’t read privacy policies.”  They’ve been doing this for nearly a decade. In 2007, then-Federal Trade Commissioner Jon Leibowitz declared that “in many cases, consumers don’t notice, read, or understand the privacy policies.” Likewise, study after study has substantiated this fact.

{mosads}Of course, it doesn’t take an FTC chairman, or a researcher to tell us this, we all know that we rarely, if ever, read the privacy policies we’re presented.

Which brings me to a key question when the FTC uses its “deception” authority against errors in a business’s privacy policy. If consumers don’t read privacy policies, how can consumers be deceived? It’s a kind of “tree falling in the woods and no one is around to hear it” type conundrum – if consumers don’t read privacy policies then how can they be deceived by errors in a privacy policy?

Unfortunately, in the past it felt like the FTC wasn’t seeing this conundrum or following the lessons of the 2007 FTC – at least when it came to enforcement action.

Since 2007, the FTC has engaged in several “gotcha” cases: bringing enforcement actions exclusively for errors in privacy policies. In 2009, the FTC took action against Sears for not making a disclosure in a privacy policy obvious enough. Likewise, in 2015 the FTC took action against Nomi for an error in its privacy policy even though the FTC couldn’t show a single consumer misunderstood.

If the goal of the FTC is to protect against consumer harm, then there should be a likelihood of harm before bringing an action.

Now I’m not saying that intentionally deceiving consumers is okay. Or that privacy policies aren’t just as enforceable as the terms in a home mortgage.

But we hope that Acting Chair Maureen Ohlhausen will realign the FTC to look for more than just an error in a privacy policy. A refocused FTC could look to see if consumers suffered harm.

With a dozen years of work with the FTC, Ohlhausen is an ideal candidate to bring this renewed focus. In 2015, she pointed out, “the commission should use its limited resources to pursue cases that involve consumer harm” and raised concerns with “procrustean problem with prescriptive regulation.”

This might also help the FTC better serve consumers. As I mentioned in a previous editorial, the FTC’s own data shows that of the 2,582,851 consumer complaints reported for 2014, complaints about Internet services ranked last – 83 percent of consumer complaints had nothing to do with privacy policies.

Rather than appropriating valuable resources on privacy-policy “gotcha” cases, the FTC should find consumer harm, like was suggested in 2007.

Fortunately, it’s possible that the 2017 FTC doesn’t need to enforce these errors in privacy policies.  The 2007 FTC suggested that market competition will improve privacy policies. “The leading search engines have been tripping over each other to have the strongest privacy protections,” Leibowitz said at the time. Likewise, a 2012 FTC staff report said, “Consumers pay more for better privacy policies.”

And we are seeing this today. The industry is moving away from just using long-form privacy policies. They are adding “just in time notification” to provide consumers the privacy information they need when they are making decisions.

So perhaps we need neither a carrot nor a stick from the FTC when it comes to privacy policies.  Instead, the competitive landscape is driving businesses to protect consumer privacy, not fear of the FTC.

Carl Szabo is senior policy counsel for NetChoice, a trade association of eCommerce businesses including AOL, Facebook, and 21st Century Fox.

The views expressed by contributors are their own and are not the views of The Hill.