Data Minimization: Centering Reasonable Consumer Expectation in the FTC’s Commercial Surveillance Rulemaking

April 20, 2023 | Suzanne Bernstein, EPIC Law Fellow

We face a data privacy crisis in the United States. Unrestricted data collection has eroded consumer privacy. Consumers are surveilled through constant monitoring, profiling, and targeting online. The absence of comprehensive privacy legislation or regulation has allowed data-driven abuses and harms to flourish. For two decades, online firms have been allowed to collect and commodify every bit of consumer data, depriving consumers of control over their personal information, heightening security risks, and leading to data misuse, the loss of autonomy, manipulation, and discrimination.

The excessive data collection and processing that fuels commercial surveillance systems is inconsistent with the expectations of consumers, who reasonably believe that the companies they interact with will safeguard their personal information. These exploitative practices don’t have to continue. The Federal Trade Commission has the authority to usher in a better, fairer future by requiring that businesses only collect, process, retain, and transfer personal data consistent with the reasonable expectations of consumers and to the extent reasonably necessary to provide the goods or services that consumers request.

Data Minimization

Consumers are persistently tracked online and subjected to far-reaching data collection. Often, data processing is “not directly in service of fulfilling a consumer’s request,” including out-of-context secondary uses of data that regularly exceed the scope of reasonable consumer expectations. Not only is this data collection and use harmful in itself, but it also necessarily subjects consumers to downstream security risks and privacy harms. The unfair, systemic overcollection and misuse of personal data leads to “invasive, discriminatory targeting that violates the privacy and autonomy of consumers.”

When consumers interact with a business online, they reasonably expect that their data will be collected and used for the limited purpose and duration necessary to provide the goods or services that they requested. For example, a consumer using a map application to obtain directions would not reasonably expect that their precise location data would be disclosed to third parties and combined with other data to profile them. And indeed, providing this service does not require selling, sharing, processing, or storing consumer data for an unrelated secondary purpose. Yet these business practices are widespread. Nearly every online interaction can be tracked and cataloged to build and enhance detailed profiles and retarget consumers. Even offline, credit card purchases, physical movements, and “smart” devices in homes create countless data points that are logged and tracked without consumer awareness or control. This data collection and surveillance can reveal or infer sensitive details about consumers. As EPIC has previously outlined, these extremely detailed profiles “can alter what we see, what prices we pay, and whether we are able to find the information that we seek online (including information about job opportunities, health services, and relationships).” The overcollection of consumer data can exacerbate the harm of security incidents and breaches, and consumers can also suffer privacy harms that range from economic and autonomy harm to psychological injury and reputational damage.

Although the FTC has brought a number of key privacy and data security enforcement actions, extractive commercial surveillance practices have persisted. There are powerful economic incentives for businesses to collect, track and commodify consumer data far beyond what is necessary or expected by consumers. Unsurprisingly, industry self-regulation has failed to meaningfully protect consumer privacy online. Ineffective “notice and choice” mechanisms have maintained an information asymmetry between consumers and businesses. Businesses expect consumers to read, understand, and accept extensive privacy policies that are often vague and incomplete. Although consumers want online privacy, “the ecosystem is so complicated and cumbersome that it is impossible to access online services without exposing personal information.” The status quo is an unfair system of persistent data overcollection and overuse that is inconsistent with the reasonable expectations of online consumers.

FTC Authority

The FTC has the authority to make meaningful change for consumers online. Section 5 of the Federal Trade Commission Act provides that unfair and deceptive trade practices are unlawful and empowers the Commission to prevent and protect consumers from those unfair and deceptive practices. A trade practice (such as commercial processing of personal data) is deceptive when it includes a representation or omission that is likely to mislead a consumer. Over the past two decades, the Commission has brought numerous data security and privacy enforcement actions under its deceptive practice authority. Recently, the Commission has brought enforcement actions against CafePress and Chegg, Inc., for deceptive data security practices that failed to protect sensitive consumer information. Yet the Commission’s unfair practice authority, which is comparatively underdeveloped, holds significant potential for addressing harmful personal data practices. The FTC’s Section 5 unfairness authority has been distilled over the years into a three-part test, directing the FTC to use its unfairness authority to halt commercial practices that (1) cause substantial injury, (2) are not outweighed by any countervailing benefits to consumers or competition, and (3) consumers cannot reasonably avoid.

As EPIC has argued, the FTC has the ability to rein in unfair data practices by promulgating a data minimization rule through its commercial surveillance rulemaking. Specifically, an effective data minimization rule would establish that it is an unfair trade practice to collect, use, transfer, or retain personal data beyond what is reasonably necessary and proportionate to the primary purpose for which it was collected, consistent with consumer expectations and the context in which the data was collected. The Commission has already described how a data minimization framework is central to addressing these commercial surveillance harms: “[t]his makes sense not only from a consumer privacy perspective, but also from a business perspective because it reduces the risk of liability due to potential data exposure. Businesses should collect the data necessary to provide the service the consumer requested, and nothing more.”

Reasonable Consumer Expectations

The concept of reasonable consumer expectations is critical to an effective data minimization framework. By using reasonable consumer expectations to guide and limit data collection, the FTC can advance consumer data protection without placing additional burdens on consumers to protect their own privacy. This framework would provide consumers with peace of mind about their data privacy and security without imposing an impossible burden on them to police privacy policies or develop a sophisticated understanding of complex tracking and commercial surveillance systems.

The California Consumer Protection Act (CCPA) regulations are instructive for properly framing a reasonable consumer expectation standard. Section 7002 of the regulations, which details restrictions on the collection and use of personal information, provides two basic avenues for data collection, retention, and use. The first considers whether the data collection is reasonably necessary and proportionate to achieve the original purpose for which the information was collected or processed, provided that this purpose is “consistent with the reasonable expectations of the consumer.” To determine the reasonable expectation of the consumer, the regulations set out five factors: (1) the relationship between the consumer and the business, (2) the nature of the personal information that a business seeks to collect or process, (3) the source of the personal information and method for collection or processing, (4) the “specificity, explicitness, prominence, and clarity of disclosures to the consumer,” and (5) the degree to which the involvement of contractors, service providers or third parties is apparent to the consumer. The second avenue for data processing is whether the processing is reasonably necessary and proportionate to achieve a secondary purpose that is both disclosed to the individual and compatible with the context in which the personal data was originally collected.

California’s regulations consider the context of the interaction to determine reasonable consumer expectation. This evaluation necessarily goes beyond a disclosure or privacy policy. Consumers typically do not completely read or understand disclosures or privacy policies before agreeing to a policy that includes data collection. The California regulations rightly shift the privacy protection burden to businesses collecting data, requiring a realistic consideration of their relationship with the consumer. In addition to California’s regulations, the proposed American Data Privacy and Protection Act also contemplates consumer expectation within a data minimization framework. By restricting collection of covered data to what is only reasonably necessary and proportionate to the requested product or other permissible purposes, ADPPA implicitly requires businesses to analyze consumer expectations. An FTC data minimization rule centering reasonable consumer expectation for data collection and use should also consider the type of data to be collected, the nature of the relationship between the consumer and business, and secondary or potential downstream third-party use, among other factors.

To be clear: while the public may rightly fear or be resigned to the idea that companies will misuse their personal data, it is important that a reasonable consumer expectation standard not doom consumers to the lowest possible level of data protection they can imagine, or otherwise crystallize the existing regime of harmful data practices. Rather, the objective is to protect the consumer’s reasonable expectation that their data will be safeguarded by the businesses they entrust it to and used only in ways consistent with the purpose for which it was collected. A standard to this effect would upend the existing notice and choice regime and prevent businesses from extracting nominal “consent” for unrestricted collection or use of personal data.

Reasonable Consumer Expectation in an FTC Rule

The FTC should use its unfairness authority to incorporate a data minimization standard based on reasonable consumer expectation into its forthcoming commercial surveillance rule. By doing so, the Commission can provide a workable, positive standard for consumer privacy without increasing the onus on consumers to protect their own data. In addition to considering substantial injury and countervailing benefits, the Section 5 unfairness test focuses on whether a consumer can reasonably avoid a harmful data practice—a concept that is also at the heart of reasonable consumer expectation. Courts have identified two different paradigmatic examples of when harmful business practices are unavoidable: (1) situations where market forces leave consumers without a reasonable choice, and (2) cases in which consumers could not have anticipated or avoided the harm. If data collection or use falls outside of reasonable consumer expectation, then the practice is likely unfair because consumers could not have chosen differently or reasonably avoided the harm they did not anticipate.

Commercial surveillance practices have subverted the ability of consumers to make meaningful, informed decisions in the marketplace, hindering notice and consent mechanisms. Because these data collection and use practices have become so complex, even the most effective notice and transparency requirements cannot, by themselves, fully protect against the abuse of personal data. Consumers do not have the ability to reasonably avoid harm from excessive data collection or commercial surveillance generally. The Commission should shift the burden to avoid consumer harm onto businesses collecting data, requiring data use and collection practices to reflect reasonable consumer expectations.

