For years the U.S. Federal Trade Commission (FTC) banged the “privacy-by-design” drum – telling developers to build privacy into their apps and services – and avoided “gotcha” cases. But its latest action against Nomi Technologies (Nomi) suggests a change of heart.
Nomi embraced privacy-by-design. It built an in-store tracking technology with a universal opt-out for customers – an online opt-out used by hundreds of consumers. And Nomi avoided collecting any personal information about customers, recording only the MAC address of a device and immediately hashing the address so devices couldn’t be identified outside of Nomi’s system. This is the kind of “privacy-by-design” the FTC has been counseling companies to adopt since 2012.
FTC policies that punish businesses for a hypothetical problem go against the FTC’s charter of protecting customers from real harm.
The FTC asserts that because the in-store tools were not available, Nomi engaged in a deceptive trade practice. But, FTC policy states a representation cannot be deceptive in the absence of materiality. As FTC Commissioner Wright explained in his dissent, there was clear evidence to rebut the presumption of materiality in this case – data revealing that a meaningful amount of consumers used Nomi’s online opt-out. There was no reported evidence of consumers who wanted to opt-out in-store. Rather, the majority decision only posited various hypothetical situations where consumers may have preferred an in-store opt-out. Here’s a counter-hypothetical: customers could access Nomi’s website opt-out via their smartphone while standing in a store.
But in a court of law, hypotheticals are usually dismissed. Although the FTC seems to say hypotheticals are enough to derive a complaint, determine violations and pursue enforcement. Despite the realities of the privacy practices in place at Nomi, the FTC chose to use non-material errors as an excuse to bring down the heavy hammer. And since the FTC couldn’t show any real damage to consumers, the commission’s action fits the definition of a “gotcha” case.
We aren’t sure why the FTC brought this enforcement action. But, what we are sure of is that FTC policies that punish businesses for a hypothetical problem go against the FTC’s charter of protecting customers from real harm.
This type of “gotcha” enforcement will lead to less innovation and investment in privacy-by-design development. If this is the new direction of the FTC, we’re asking for an about-face.