The FTC's data broker report: Waiting for Godot?

 

The Federal Trade Commission's (FTC) recently released report on data brokers is, by my count, the fourth major government privacy report in the last two years to propose new policy remedies for privacy "harms." Yet, like its predecessors, it fails to actually find these harms. The best the commission can do in the most recent report is point to "potential risks" from data brokers, advertising that "some consumers may find troubling," and marketing classifications that "may be disconcerting." Although the report describes in detail many benefits from data brokers, evidence of actual harms due to their activities is apparently difficult to uncover or, more likely, nonexistent. Despite this lack of evidence, the commission unanimously recommends that Congress consider enacting legislation. If the phrase were not so overused these days, one might suggest this is a solution in search of a problem.

ADVERTISEMENT
With no evidence of harm, the fallback seems to be "transparency." The notion that consumers should understand who is collecting their data and how those data are being used is appealing and the report claims, undoubtedly correctly, that consumers have little awareness of data brokers and what they do. But transparency doesn't really help consumers. The FTC report acknowledges that "it would be virtually impossible for a consumer to determine how a data broker obtained his or her data." The commission also "recognizes the reality that many consumers will not seek access to the data maintained by the data brokers and those that do may not understand the nuances of how their data is used." That's probably an understatement. In this big-data era, data brokers and others may collect hundreds if not thousands of data points on any individual from a broad range of sources and use those data to develop complex algorithms for marketing, authentication, fraud detection and other purposes.

Consumers might not benefit, but additional transparency requirements will "allow other key stakeholders — including regulators, policymakers, academics, industry, and consumer advocates — to assess whether data brokers are clearly and accurately describing their practices to consumers." Presumably, if a data broker slips up in describing its practices, the FTC will be there with an enforcement action, regardless of whether consumers have suffered any harm.

A major rationale for the FTC's concern about data brokers is that they don't interact directly with consumers. But this is ubiquitous in the economy. Any firm that supplies an intermediate good doesn't interact directly with consumers, but that doesn't mean those firms are not responsive to consumers. A muffler manufacturer is still accountable to the consumer through the consumer's relationship with the producer of the final product, the automobile company. That automobile company has no less of an incentive to install a quality muffler if it decides it is more efficient to buy the muffler from a third party.

Similarly, it is more efficient for many users of data services to buy them from a third party. Data brokers can be viewed as producers of intermediate goods, who sell to the final good producers who do interact with, and are directly responsible to, their customers. Consumers will generally be pleased with fraud prevention services, even if they have no idea how the fraud is prevented, and even if they don't pay for the services directly. Marketers have the same incentive not to violate their customers' privacy or to annoy them with unwanted advertising messages whether they produce the algorithm themselves or purchase it.

The commission does recognize "it will be important to weigh the costs and benefits of more concrete legislative proposals as they are developed." This cost-benefit analysis should be the commission’s job, and the FTC's Bureau of Economics contains a large group of economists who are well-qualified to do it. But, to my knowledge the commission has never produced such an analysis for any of the privacy proposals it has made over the years. One would suspect this is because the Bureau of Economics has never been given the task. Of course, it would be difficult for the commission's proposals to pass a cost-benefit test, since the first step is to show benefits and without demonstrated harms, privacy regulation cannot provide any real benefits.

Finally, it is disappointing that the FTC report does not reflect some of the new thinking found in the two recent White House reports on big data, which suggest refocusing the privacy discussion on specific harms, if there are any. For example, the report by PCAST (the President's Council of Advisors on Science and Technology) concludes, "Policy attention should focus more on the actual uses of big data and less on its collection and analysis. By actual uses, we mean the specific events where something happens that can cause an adverse consequence or harm to an individual or class of individuals."

The data broker report provides useful and interesting insight into the operations of data brokers. However, much like previous privacy reports, the harms identified are hypothetical. This is not an adequate basis for a new regulatory program aimed at the data broker industry.

Lenard is president and a senior fellow at the Technology Policy Institute.