FTC Counsels Privacy-By-Design But Enforces by “Gotcha”

For years the U.S. Federal Trade Commission (FTC) banged the “privacy-by-design” drum – telling developers to build privacy into their apps and services – and avoided “gotcha” cases. But its latest action against Nomi Technologies (Nomi) suggests a change of heart.

Nomi embraced privacy-by-design. It built an in-store tracking technology with a universal opt-out for customers – an online opt-out used by hundreds of consumers. And Nomi avoided collecting any personal information about customers, recording only the MAC address of a device and immediately hashing the address so devices couldn’t be identified outside of Nomi’s system. This is the kind of “privacy-by-design” the FTC has been counseling companies to adopt since 2012.

But rather than crediting Nomi for its privacy-by-design technology, the FTC chose to prosecute Nomi for a non-material error in their privacy policy.

The basis for the complaint against Nomi stems from a statement in Nomi’s privacy policy saying consumers could also opt-out of in-store tracking via tools provided in-store. While Nomi accurately stated in its privacy policy the availability of a global opt-out on its website, the in-store tools were not available.

FTC policies that punish businesses for a hypothetical problem go against the FTC’s charter of protecting customers from real harm.

The FTC asserts that because the in-store tools were not available, Nomi engaged in a deceptive trade practice. But, FTC policy states a representation cannot be deceptive in the absence of materiality. As FTC Commissioner Wright explained in his dissent, there was clear evidence to rebut the presumption of materiality in this case – data revealing that a meaningful amount of consumers used Nomi’s online opt-out. There was no reported evidence of consumers who wanted to opt-out in-store. Rather, the majority decision only posited various hypothetical situations where consumers may have preferred an in-store opt-out. Here’s a counter-hypothetical: customers could access Nomi’s website opt-out via their smartphone while standing in a store.

But in a court of law, hypotheticals are usually dismissed. Although the FTC seems to say hypotheticals are enough to derive a complaint, determine violations and pursue enforcement. Despite the realities of the privacy practices in place at Nomi, the FTC chose to use non-material errors as an excuse to bring down the heavy hammer. And since the FTC couldn’t show any real damage to consumers, the commission’s action fits the definition of a “gotcha” case.

We aren’t sure why the FTC brought this enforcement action. But, what we are sure of is that FTC policies that punish businesses for a hypothetical problem go against the FTC’s charter of protecting customers from real harm.

This type of “gotcha” enforcement will lead to less innovation and investment in privacy-by-design development.   If this is the new direction of the FTC, we’re asking for an about-face.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply