Privacy and Security Innovation: The Cautionary Tale of Nomi Technologies And The FTC


The US Federal Trade Commission’s recently proposed consent decree with Nomi Technologies is a cautionary tale for businesses everywhere wrestling with data innovation and privacy and security protection.

Nomi, a small business formed in 2013, is a retail tracking company that gathers customer data to give traditional brick-and-mortar retailers insight into consumer traffic in their stores. In Nomi’s privacy policy, the company offers consumers an opt-out of Nomi’s services, both online and at retail locations using the technology. Nomi is not required to offer consumers an opt-out of this data collection because Nomi does not collect information that could identify specific customers. Nomi chose to offer these options and heeded the FTC’s admonition to businesses to innovate for consumers’ benefit in privacy and security practices.

The FTC brought an enforcement action against Nomi for failing to provide the promised in-store opt-out. For a single misstatement, Nomi is subject to a twenty-year consent order, resulting in twenty years of government privacy audits and other compliance burdens.

As a parent of a three-year-old child who is learning to test limits, I often think about appropriate discipline versus encouragement. If any penalty is too harsh my daughter may overcorrect, but if it is too lenient she might not learn to avoid doing the thing that will injure her or others. The FTC faces a similar challenge in both exhorting businesses to offer new, privacy-enhancing features for customers and, in the case of data security, requiring ever more from businesses to protect customers.

Nomi’s privacy policy was inaccurate and should have been corrected. The severity of the conditions Nomi agreed to, however, suggests that the FTC’s penalty options, particularly in data privacy and security cases, are not carefully calibrated to produce the desired results. The FTC needs more gradation in its penalties between a slap on the wrist and decades-long oversight for companies that violate consumers’ data privacy, particularly in cases where little or no consumer injury occurred. This might encourage more privacy innovation, while allowing the FTC to police more violations.

In this case, Nomi did not follow through on its privacy promise. The FTC may not and should not ignore clear examples of practices not matching commitments. By offering protections from data collection that their retail store customers did not actually offer, Nomi may have deceived some consumers, and should have policed its retail customers or amended its inaccurate policy. It is worth asking, however, whether the punishment fit the crime, and whether any consumers were actually affected by the inaccuracy. Perhaps an easier-to-enforce penalty might result in more compliance and require less enforcement by the FTC’s overstretched team. Perhaps penalties that track how consumers were affected and offer redress for any injury would serve businesses and consumers better.

The subsequent effects of the Order are likely to extend to all companies, particularly small businesses. Even without an onerous order hanging over its head, Nomi is a startup that might not be around in two years, let alone twenty. Yet Nomi was given the same punishment as multi-billion-dollar companies such as Microsoft, Google and Facebook for their alleged data privacy violations.

Consumers should worry about the unintended consequences of the proposed Order against Nomi because the FTC may actually deter companies from innovating with and competing on privacy and security offerings, resulting in fewer options for consumers. It is rare for third-party companies to offer opt-outs of data collection, but consumers want and deserve privacy innovations regarding businesses’ data collection, use, sharing and storage to become standard practice. Businesses benefit too, by building trust through increased transparency.

Inherently, businesses’ privacy risks increase when they offer more privacy options, because those options make privacy policies more complex, more challenging to implement, and more likely to be inaccurate. Recent data privacy and security consent decrees may not recognize this tension, and they suggest that enforcement efforts may not be calibrated carefully enough to encourage both privacy innovation and the care businesses must take to execute on those innovations.

Disproportionate penalties might lead general counsels to resist privacy innovations and oversimplify privacy policies because it is safer to have a broad policy with fewer privacy choices that is less likely to contain inaccuracies. The irony is that simplified privacy policies undermine one of the FTC’s own goals – transparency. The unintended consequences of the FTC’s Nomi efforts may be ultimately net negative for consumers and leave businesses without clear guidance about whether or how to innovate on privacy and security options for consumers.

The FTC must act to deter businesses from failing to uphold their privacy and security commitments, and general counsels everywhere should push their companies to ensure ongoing compliance with those commitments. Where, however, a company unintentionally fails to execute on a promise that advances consumer privacy, a flexible system that adjusts penalties based on the severity of the offense is more likely to protect consumers, ensure businesses receive proportionate penalties that deter others from similar violations, and encourage consumer-benefiting privacy and security innovations.

POST WRITTEN BY
Tim Sparapani