On December 12, 2017, the FTC hosted a workshop to discuss informational injuries that consumers may suffer when their personal information is misused. Discussion topics included the types of informational injuries consumers suffer and business and consumer perspectives about costs, benefits and risks of collecting information.
Some categories of injuries include: deception injuries or subversion of consumer choice when companies don’t abide by privacy and data protection policies that they may advertise; financial injuries, such as credit card fraud; health or safety injuries, such as stalking or break-ins that could occur due to a leak of home addresses; unwarranted intrusion injuries, which could occur through the piecing together of various data sets to confirm private information about consumers; and reputational injuries, which could occur if personal health information is leaked about a consumer. The challenge regarding informational injuries is that it is often difficult to identify injuries that are concrete and measurable, and injuries vary based on the context and the consumer.
There are two schools of thought when it comes to regulating privacy and data protection. Opponents of regulatory enforcement actions claim that enforcement should be limited to cases in which there is actual harm. Proponents of regulatory enforcement actions claim that potential future injuries should be important considerations, and that regulatory agencies and consumer advocates, such as consumer unions, provide consumers with more agency and help remedy informational injuries such as loss of consumer power.
Although the two schools of thought disagree about enforcement and regulation, both can agree that businesses can and should implement better protocols for protecting consumers. First, it is important to note that there is a difference between data privacy procedures and procedures for preventing misuse of consumer information. Both are important, but they should be distinguished. In order to prevent the misuse of consumer information, companies should practice good data minimization. In other words, companies should regularly purge data that they don’t need, and they should not collect data that they don’t need in the first place. In order to protect consumer privacy, companies should consider using more secure channels to share consumer information. For example, businesses should consider using encrypted messages to share personal information, instead of emails. Another way to protect consumer privacy is for companies to switch to cloud computing security, rather than traditional IT systems. Finally, smaller businesses can emulate the security and data minimization protocols of bigger, established companies such as Google, Apple, Facebook and Amazon, otherwise known as “GAFA.” Each of the GAFA companies has a skilled in-house team dedicated to data privacy and data minimization, and they are ahead of the curve in using technology and methods such as differential privacy to practice data minimization.
Takeaway: regardless of one’s beliefs about regulatory enforcement of data protection and data minimization, it is good practice for companies to keep their data protection and data minimization protocols current and equipped to handle the potential informational injuries that consumers face on a regular basis.