Daniel J. Solove and Woodrow Hartzog, The FTC and the New Common Law of Privacy

Daniel J. Solove and Woodrow Hartzog, The FTC and the New Common Law of Privacy

Comment by: Gerald Stegmaier & Chris Jay Hoofnagle

PLSC 2013

Published version available here:

Workshop draft comment:

One of the great ironies about information privacy law is that the primary regulation of privacy in the United States is not really law and has barely been studied in a scholarly way.  Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices.  Despite over fifteen years of FTC enforcement, there is no meaningful body of case law to show for it.  The cases have nearly all resulted in settlement agreements.  Nevertheless, companies look to these agreements to guide their decisions regarding privacy practices.  Those involved with helping businesses comply with privacy law – from chief privacy officers to inside counsel to outside counsel – parse and analyze the FTC’s settlement agreements, reports, and activities as if they were pronouncements by the High Court.

In this article, we contend that the FTC’s privacy jurisprudence is the functional equivalent to a body of common law, and we examine it as such.  The FTC has said quite a lot through its actions and settlement agreements. And FTC privacy jurisprudence is the broadest and most influential regulating force on information privacy in United States – more so than nearly any privacy statute and any common law tort.  The statutory law regulating privacy is diffuse and discordant, and the common law torts fail to regulate the majority of activities concerning privacy.  Despite the central governing role of the FTC’s privacy activity, it has not received much scholarly attention.

In Part I of this article, we discuss how the FTC’s actions function practically as a body of common law for privacy.   In the late 1990s, it was far from clear that the body of law regulating privacy policies would come from the FTC and not from traditional contract and promissory estoppel.  Though privacy policies often have all the indicia of enforceable promises, they have rarely been utilized as contracts.  On the few occasions when contract law is invoked for privacy policies, it usually fails. We explore how and why the current state of affairs developed.  In Part II, we examine the principles that emerge from this body of law.  These principles extend far beyond merely honoring promises.   We discuss how these principles compare to principles in other legal domains, such as contract law. In Part III, we explore the implications of these developments and the ways that this body of law could develop.

Chris Jay Hoofnagle & Jan Whittington, The Price of “Free”

Chris Jay Hoofnagle & Jan Whittington, The Price of “Free”

Comment by: David Medine

PLSC 2012

Published version available here:

Workshop draft abstract:

It’s free and always will be.


Offers of “free” services abound on the internet.  These offers cause a conundrum for consumer protection.  Courts are apt to discount users’ claims against such services; one recently held that users are not “consumers” for purposes of California consumer protection law.  Industry leaders push to monitor users ubiquitously, an imperative driven by the desire to fund “free” content.  Policymakers struggle with this imperative and weigh it against vague consumer preferences for privacy, which users seem to happily abrogate to get the next new free service.  These problems, we argue, flow from attention to the price of free offers instead of their costs.

To elucidate these costs, we apply a transaction cost economic (TCE) approach to “free” personal information transactions (“PITs”).  TCE provides a framework for analyzing PITs even where the price of the product seems to be zero.  Free offers employ a form of cross-subsidy, a technique widely accepted in virtually every infrastructure industry, and a basic tool used to support the equitable delivery of products and services with the understanding that some have more willingness and ability to pay than others. However, we argue that information intensive companies misuse “free” to promote products and services that are packed with non-pecuniary costs.

Part and parcel of a grey market for personal information, current governance structures allow firms to collect valuable information ex ante and monetize it ex post, despite consumer preferences for privacy and the impression, given to the consumer, that the transaction would be “free.” Thus, what may begin as ex ante misalignment between the interests of the firm and consumer becomes ex post maladaptation when the firm realizes the financial gains possible from monetizing the consumer’s personal information.

We then turn to potential governance structures to lessen the propensity of firms to raise transaction costs, in the hope of making exchange, individually and in aggregate for markets and societies, more efficient.  At the most basic level, users would be more strongly protected if free services were understood to involve an exchange for value.

One source for legal intervention is the Federal Trade Commission’s “Free Guidelines.”  These guidelines will be reviewed in 2012, offering an opportunity to reconsider the fairness of free offers conditioned on provision of personal information.  As currently written, they do not directly address PITs.  Still, two remedies flow from the FTC Guide: clearer disclosures that personal information forms the basis of the transaction, and the requirement to establish a regular price before marketing a service as free.

While behavioral economics may support an outright ban of free offers because of their biasing effects, TCE suggests other strategies for reform, focused upon placing business risk more firmly in the hands of businesses, and making the consumer whole.  These interventions go beyond the traditional transparency and accuracy requirements suggested by privacy law.  Organizational and enforcement characteristics matter; remedies must reduce transaction costs for the industry, in aggregate and inclusive of the cost of implementing the remedy. Robust cancellation procedures, prohibitions on certain uses of information, structures to reinforce consumer choice such as do-not-sell and do-not-track options, increasing the age limit on protections for children, substantive breach notification, and a “data-back guarantee” are necessary to free consumers from free services.