What are the hottest topics on the Federal Trade Commission’s (FTC) radar these days?
We gathered members of DataGrail’s Privacy Community (join us here) for our first ever watch party of the FTC’s PrivacyCon event to find out.
Marykaren Ripple, JD, CIPP/E, CIPM Privacy Counsel and Austin Smith, Data Privacy Attorney led our group’s robust discussion. We collectively attended the introductory session along with the first two panels – an Economics panel and a Consumer Attitudes and Behaviors panel. Below is a summary.
Key Takeaways from DataGrail Community Members
“Expect a lot more from the FTC on privacy enforcement this year… They are drawing clear lines in the sand that privacy principles matter: purpose limitation, minimization, proportionality, retention, protection of vulnerable populations and sensitive data.” – Gwen Takagawa
“The FTC will focus enforcement on the abuse of sensitive personal data, what counts as sensitive is changing fast, so smart companies will find ways to grow with clearly non-sensitive data.” – Steve Lappenbush
“The FTC is building on its location data enforcement wins with strident views regarding sensitive browsing data. But big questions remain as the US has no consistent legal definition of “sensitive” data at the federal or state level..” – Alex Krylov
“It seems to me that, from recent changes to the Safeguards Rule to what was being discussed today, the FTC is keenly interested in demonstrating commanding oversight in consumer privacy.” – Mike Pedrick
“I was surprised about the intensity surrounding the “pay or consent” issue.” – Philip Mason
“This particular moment resonated with me, highlighting our role as dedicated stewards of data privacy whom you can trust and I couldn’t agree more with Lina Khan, ‘Now is the time to ensure we don’t promote “race to the bottom” technology.’” – Ryan Gutierrez
The FTC sent a “clear message to anyone collecting data: the law is, in fact, keeping up with technology, at least as far as FTC Section 5 enforcement is concerned.” – M Celine Takatsuno
“Provocative insights and potential for true innovation happen when different lenses, interests, and perspectives are convened (and people are open to learn). The event itself brought CS, Econ, HCI, Industry, Law, Policy, and more together; our awesome watch party did the same!”- M Celine Takatsuno
Summary of FTC Chair Lina Khan’s Opening
Lina Khan, Chair of the FTC, opened the event stressing the FTC’s position to ensure they don’t promote a “race to the bottom” technology market in the US.
Lina Khan laid out three areas of enforcement priority including:
- Accounting for how businesses drive unlawful conduct, such as with AI technology. She also said that businesses’ incentives to collect data, including collecting data to train models, cannot override existing regulations and said the FTC will be investigating data collection and retention issues, and will use their disgorgement powers for enforcement in this area.
- Certain types of data are off limits, such as data implicating where someone lives and the websites they browse. She stated the FTC will be monitoring collection of data without consent. This echoes the FTC’s written statement that “Browsing and location data are sensitive.” in their March 4, 2024 post reviewing proposed settlements with Avast, X-Mode, and InMarket. I recommend reading this post.
- The FTC will investigate “upstream” actors to establish liability for driving and enabling unlawful business practices downstream. This would entail focusing not only on front-end consumer apps, but also the backend systems, intermediaries, and middlemen that fuel the selling and sharing of sensitive data.
The Economics of Privacy – First Panel Session
The first session of PrivacyCon was about “pay-or-OK” models, particularly common on news sites. My biggest takeaway was how few people utilized the pay function when engaging with a “pay-or-tracking” choice to access content. Fewer than 1% of people presented with a pay-or-tracking option pay, with more than 99% choosing the tracking, per researcher Timo Müller-Tribbensee of the Goethe University Frankfurt. He said that offering a pay-or-tracking choice did not lead to a decline in traffic and that the economics work in publishers favor, with revenue increasing 16.4% when offering pay-or-tracking.
Resource: ICO launches “consent or pay” call for views and updates on cookie compliance work
In the DataGrail community, we discussed if paying for privacy is a luxury.
Another interesting presentation was about the impact of Apple’s App Tracking Transparency (ATT) initiative and how this impacted publisher’s revenues, presented by Bernd Skiera of the Goethe University Frankfurt. Results from the study show that an opt-in vs opt-out approach to tracking resulted in fewer people being tracked. This effect is that ATT substantially decreased the opportunities for targeted advertising, e.g., via behavioral advertising or retargeting and negatively impacted their revenues.
Resources from the Economics panel:
- Paying for Privacy: Pay-or-Tracking Walls
- Regulatory CI: Adaptively Regulating Privacy as Contextual Integrity
- Economic Impact of Opt-in versus Opt-out Requirements for Personal Data Usage: The Case of Apple’s App Tracking Transparency (ATT)
Consumer Attitudes and Behaviors – Second Panel Session
The first panelist, Byron M. Lowens of the University of Michigan, talked about individuals’ reactions to data breaches, citing many individuals’ lack of awareness and inaction when faced with evidence of a breach. He shared that 74% of people polled were unaware of breaches that impacted them. When faced with knowledge of a breach, many people do not take action due to apathy, perceived costs, forgetfulness, resignation toward breaches, and account issues.
Later in this panel, Monika Leszczyńska of Columbia Law School, covered unfair trade practices. She highlighted the deceptive design known as “roach moteling” which is a dysphemism for “hard-to-cancel”.
What is roach motelling? Check out common deceptive design patterns here.
The last speaker, Klaus Miller of HEC Paris, discussed how consumers perceive privacy enhancing technologies to improve their privacy — or not. Two takeaways that stood out to me:
- Perceived privacy violations are reduced if data never leaves a consumer’s device.
- Not tracking across websites reduces perceived privacy violations significantly.
Resources from the Consumer Attitudes and Behaviors panel:
- Awareness, Intention, (In)Action: Individuals’ Reactions to Data Breaches
- Defining the Boundaries of Marketing Influence: Public Perception and Unfair Trade Practices in the Digital Era
- Using the Dual-Privacy Framework to Understand Consumers’ Perceived Privacy Violations Under Different Firm Practices in Online Advertising
Conclusion
Our watch party covered the first two sessions of the FTC event — their Economics panel and the Consumer Attitudes and Behaviors panel. The FTC’s PrivacyCon webinar continued after these sessions with talks on privacy enhancing technologies and design analysis, health privacy, artificial intelligence and machine learning, mobile device security, and deepfakes.
DataGrail’s watch party of the FTC PrivacyCon was fun! Thank you to all of the DataGrail Community members who joined us live or later on in our Slack group.