Making good on her promise to focus on concrete consumer injury, Acting Chair of the Federal Trade Commission Maureen K. Ohlhausen announced a December workshop on “informational injury.”
From the beginning of her tenure leading the FTC, Ohlhausen has prioritized enforcement actions that address concrete consumer injury, particularly in the context of data security and consumer privacy.
Speaking before the Federal Communications Bar Association, she continued her theme. “Government does the most good with the fewest unintended side effects when it focuses on stopping substantial consumer injury instead of expanding resources to prevent hypothetical injuries,” she told attendees.
In order to better understand consumer injury in the context of privacy and data security—which informs what cases to bring and what remedy to seek—Ohlhausen identified five patterns of injury that can be found in FTC enforcement actions, with example cases of each.
Deception injury or subversion of consumer choice frequently forms the basis for agency cases, she said, and “a company’s false promise to provide certain privacy or data security protections harms consumers like any false material promise about a product. The consumer is injured if he or she would have chosen differently but for the deceptive claim.” Ohlhausen reached back to the agency’s 2011 action against Google as an example.
Another category of consumer injury is financial injury, which can include direct financial loss (such as the cost of paying for identity theft and fraudulent charges as the result of a data breach, as in the action against Wyndham), or indirect losses such as time or other valuable resources, Ohlhausen said.
Health or safety injuries (with the example of at least one suicide associated with the data breach of infidelity-promoting website Ashley Madison), unwarranted intrusion injury (found in an action against a company that installed software on rental computers that secretly monitored consumers), and reputational injury (which generally overlaps with other types of injury) rounded out the list.
Ohlhausen said that in addition to considering the type of consumer injury, the FTC reflects on the magnitude of the injury—both to individuals and in total—as well as the strength of the evidence linked to the consumer injury and the likelihood of future consumer injury.
Since questions remain, even with these parameters, the agency has scheduled a workshop to consider informational injury in depth. Ohlhausen told attendees she has three goals for the workshop.
“First, better identify the qualitatively different types of injury to consumers and businesses from privacy and data security incidents. Second, explore frameworks for how we might approach quantitatively measuring such injuries and estimate the risk of their occurrence. And third, better understand how consumers and businesses weigh these injuries and risks when evaluating the tradeoffs to sharing, collecting, storing, and using information. Ultimately, the goal is to inform our case selection and enforcement choices going forward.”
The workshop is scheduled for Dec. 12.
To read Ohlhausen’s remarks, click here.
Why it matters: Ohlhausen has repeatedly emphasized the need for concrete consumer injury to form the basis of an enforcement action, as opposed to spending agency time and resources on mere hypothetical injury. The December workshop will further these efforts.