Identity theft, not big data, should be at the top of the FTC’s priority list

James C. Cooper Director of Research & Policy, Law & Economics Center
Font Size:

Identity theft continues to be among consumers’ top worries. It leads the list of consumer privacy concerns in a recent Ponemon Institute survey, and for good reason. According to Javelin Strategy and Research, there were 12.6 million victims of identity theft in 2012, resulting in nearly $21 billion in consumer losses.

Not surprisingly, this threat is reflected in FTC complaint data: identity theft has been the top consumer complaint to the Federal Trade Commission for the last thirteen years, accounting for nearly one-fifth of all complaints in 2012 alone. At the same time, online tracking barely registers. A recent Zogby Analytics survey finds that only four percent of consumers consider behaviorally targeted advertising their top concern about the Internet, compared to 39 percent naming identity theft and 34 percent naming viruses and malware. And these results jive with FTC data; a recent examination of FTC consumer complaint data reveals that from 2004-2008, complaints about general privacy issues were one half of one percent (.005) of the 1.3 million complaints about identity theft.

Why then has the FTC appeared to shift its emphasis in recent years from preventing identity theft to limiting the online collection of data that has almost nothing to do with identity theft? Take the major privacy reports and workshops of the past couple years – which focus on topics like online tracking, behavioral advertising, facial recognition technology, mobile privacy disclosures – and the recently announced initiative to explore the privacy implications of the “Internet of things.” Moreover, in a recent speech on big data, FTC Chairwoman Edith Ramirez warned of the risks associated with the collection of data involving medical history, location, web sites visited, call logs, photos, and contacts.

It is clear that limiting online data collection has become a top priority of this Commission. However, the nexus between the personal data that has become the focal point of the FTC’s privacy agenda and that which an identity thief craves is weak at best; identity thieves want data that they can monetize quickly, like social security and credit card numbers, not browsing histories and information from ‘smart’ appliances.

The FTC’s raison d’etre is the prevention of consumer harm. The FTC Act prohibits unfair or deceptive acts and practices. Both proscriptions are grounded in consumer harm: a material lie harms consumers because by definition a statement is material only if it affects decision-making; and conduct is “unfair” only if it harms consumers more than it benefits them. The importance of this harm requirement cannot be overstated. It provides an objective constraint on the FTC’s enforcement authority. Absent the yardstick of consumer harm, the FTC would be left to import its own subjective judgments of which business practices are too unsavory to survive scrutiny under the FTC Act. Accordingly, FTC actions should be judged by the extent to which they address actual consumer harm.

Not only is online tracking merely a blip on consumers’ radar, the harms associated with the FTC’s privacy agenda are largely subjective and intangible, often boiling down to little more than the creepy feeling of being tracked online. The alleged harm in the FTC’s settlement with Facebook, for example, involved the revelation of “potentially embarrassing or political images to third parties.” The much-ballyhooed $22.5 million settlement with Google last summer, moreover, involved nothing more than third-party cookies and the threat of unwanted targeted ads. Juxtapose such “harm” with the billions of dollars identity thieves take from consumers’ bank accounts each year, or the financial and emotional suffering involved in reestablishing one’s identity once it’s been stolen.

The FTC’s most recent strategic plan calls on it “to make effective use of limited resources” by targeting conduct that is most harmful to consumers. Devoting so much attention to practices that appear of so little consequence to consumers seems an odd way for the FTC to go about fulfilling this plan. The FTC is a world-class agency, staffed with tremendously talented professionals who work tirelessly to protect consumers. They would have an easier time accomplishing this mission, however, if the FTC were to retrain its focus on the things that consumers really care about.

James C. Cooper