The Federal Trade Commission's (FTC) recently released report on data brokers is, by my count, the fourth major government privacy report in the last two years to propose new policy remedies for privacy "harms." Yet, like its predecessors, it fails to actually find these harms. The best the commission can do in the most recent report is point to "potential risks" from data brokers, advertising that "some consumers may find troubling," and marketing classifications that "may be disconcerting." Although the report describes in detail many benefits from data brokers, evidence of actual harms due to their activities is apparently difficult to uncover or, more likely, nonexistent. Despite this lack of evidence, the commission unanimously recommends that Congress consider enacting legislation. If the phrase were not so overused these days, one might suggest this is a solution in search of a problem.
Consumers might not benefit, but additional transparency requirements will "allow other key stakeholders — including regulators, policymakers, academics, industry, and consumer advocates — to assess whether data brokers are clearly and accurately describing their practices to consumers." Presumably, if a data broker slips up in describing its practices, the FTC will be there with an enforcement action, regardless of whether consumers have suffered any harm.
A major rationale for the FTC's concern about data brokers is that they don't interact directly with consumers. But this is ubiquitous in the economy. Any firm that supplies an intermediate good doesn't interact directly with consumers, but that doesn't mean those firms are not responsive to consumers. A muffler manufacturer is still accountable to the consumer through the consumer's relationship with the producer of the final product, the automobile company. That automobile company has no less of an incentive to install a quality muffler if it decides it is more efficient to buy the muffler from a third party.
Similarly, it is more efficient for many users of data services to buy them from a third party. Data brokers can be viewed as producers of intermediate goods, who sell to the final good producers who do interact with, and are directly responsible to, their customers. Consumers will generally be pleased with fraud prevention services, even if they have no idea how the fraud is prevented, and even if they don't pay for the services directly. Marketers have the same incentive not to violate their customers' privacy or to annoy them with unwanted advertising messages whether they produce the algorithm themselves or purchase it.
The commission does recognize "it will be important to weigh the costs and benefits of more concrete legislative proposals as they are developed." This cost-benefit analysis should be the commission’s job, and the FTC's Bureau of Economics contains a large group of economists who are well-qualified to do it. But, to my knowledge the commission has never produced such an analysis for any of the privacy proposals it has made over the years. One would suspect this is because the Bureau of Economics has never been given the task. Of course, it would be difficult for the commission's proposals to pass a cost-benefit test, since the first step is to show benefits and without demonstrated harms, privacy regulation cannot provide any real benefits.
Finally, it is disappointing that the FTC report does not reflect some of the new thinking found in the two recent White House reports on big data, which suggest refocusing the privacy discussion on specific harms, if there are any. For example, the report by PCAST (the President's Council of Advisors on Science and Technology) concludes, "Policy attention should focus more on the actual uses of big data and less on its collection and analysis. By actual uses, we mean the specific events where something happens that can cause an adverse consequence or harm to an individual or class of individuals."
The data broker report provides useful and interesting insight into the operations of data brokers. However, much like previous privacy reports, the harms identified are hypothetical. This is not an adequate basis for a new regulatory program aimed at the data broker industry.
Lenard is president and a senior fellow at the Technology Policy Institute.