The Federal Trade Commission (FTC) is considering whether to finalize a proposed settlement with consumer analytics company Nomi Technologies.  This obscure consent agreement deserves attention not merely as an isolated instance of regulatory overreach, but as emblematic of an enforcement policy that has become unmoored from the concept of consumer harm.

Nomi markets a technology that allows retailers to track consumer movements in stores. This helps with internal marketing strategies such as in-store banner placement.  Importantly, this process does not involve the retention of personal information: Nomi identifies shoppers using sensors to detect Media Access Control (MAC) addresses on cell phones and subsequently “hashes” them to prevent easy identification.

ADVERTISEMENT
Despite no legal obligation to do so, Nomi sought to assuage consumers by stating in its privacy policy that they could opt-out of tracking both online and at store locations. While Nomi provided the promised opt-out on its website, it failed to ensure that its retailer clients held up their ends of the bargain.

Nomi clearly violated the express terms of its privacy policy. However, the FTC’s challenge is not in the public interest.

Thirty years ago, in its Policy Statement on Deception (“PSD”), the Commission made the decision to limit its deception jurisdiction to statements that are “material” – that is, to statements “likely to affect that consumer’s conduct or decision with regard to the product or service.”  In this manner, the legal concept of “materiality” acts as an indirect harm requirement—when a false statement is material, it can be assumed to cause harm because it triggered a consumer purchase that otherwise would not have happened. This harm-based approach has helped lead the FTC from an agency once ridiculed as the “National Nanny” to a world-class consumer protection enforcer. 

Unfortunately, in Nomi, the Commission appears to assume away the PSD’s strictures. It had zero evidence that the ability to opt out of Nomi’s encrypted in-store tracking was important to consumers’ decisions to frequent stores.  Indeed, the impact of this misstatement was likely trivial, especially given that a mere 146 privacy conscious consumers opted-out on Nomi’s Web site.  How did the Commission get around the facts?  By presuming the materiality of Nomi’s promise to provide an in-store opt-out. 

It makes perfect sense to assume that express claims in advertisements are meant to sway consumers – and hence material – but it flies in the face of reality to presume that businesses use privacy policies for the same purpose. Unlike advertisements, privacy policies are not designed by marketers to attract consumers. Most people simply do not read them, and for good reason—they are written in dense legalese, and research shows that there simply isn’t enough time to read all the policies one is likely to encounter day-to-day.

Does it make any sense to presume the materiality of statements in a document that nobody reads or understands? 

This episode highlights a larger deficiency in Commission process—a lack of empirical grounding. The FTC’s privacy enforcement agenda rests almost solely on testimony in FTC workshops.  In this instance, the Commission relied on testimony discussing surveys reflecting consumer privacy concerns about location history – a completely different animal than in-store tracking.  With a bureau of nearly 100 Ph.D. economists, the Commission can do better.

By enforcing the FTC act against trivial misstatements in privacy policies that nobody reads, the Commission has been able to put an increasingly large number of firms in the digital economy under 20-year orders. The orders often mandate intrusive monitoring and reporting.  What’s more, the FTC can obtain substantial monetary penalties for order violations—just ask Google, which was hit with a $22.5 million fine for a misstatement on its FAQ page about how to disable cookies in Safari (which by all indications impacted nobody). 

Not only do these actions threaten to chill innovation in the digital economy, they will - to quote Commissioner Joshua Wright’s dissent - deter firms from “engaging in voluntary practices that promote consumer choice and transparency – the very principles that lie at the heart of the Commission’s consumer protection mission.”

Over thirty years ago, the Commission righted the ship by confining its authority to conduct that harms consumers.  Imposing liability for trivial conduct that results in no harm risks returning the FTC to the dark days of the 1970s.  

Cooper is director of Research and Policy at the Law & Economics Center and a lecturer in Law at George Mason University School of Law. Cooper also spent several years at the Federal Trade Commission as an adviser to Commissioner William Kovacic and as acting director of the Office of Policy Planning. He is the editor of The Regulatory Revolution at the FTC: A Thirty-Year Perspective on Competition and Consumer Protection.