Researchers to FTC: We’ve got problems, potential solutions

While the U.S. Federal Trade Commission has held workshops in the past, on everything from facial recognition technology to big data use, yesterday’s PrivacyCon event was clearly the commission’s most significant undertaking ever in the privacy and information security space. A no-nonsense event starting at 9 a.m. and finishing up well past 5:30 in Washington’s Constitution Center, 19 different research papers were presented, accompanied by five separate panel discussions of the papers’ findings, before some 600 attendees.

The result was a textured picture of consumer expectations and interactions with the digital marketplace, alongside a look at vulnerabilities in the Internet of Things and Mobile industries. With no opportunity for questions, it was an intense download of information for front-row FTC commissioners and attendees alike.

“Strong research informs strong policy,” said FTC Chairwoman Edith Ramirez in her opening remarks, and the cadence of PrivacyCon did sometimes feel like a drumbeat of privacy and security “problems,” followed by grasps at potential policy solutions.

As Ramirez noted, tech researchers were vital parts of enforcement efforts against the likes of Snapchat, Fandango, and Oracle, and it was clear the commissioners were eager to better understand where they should best focus their efforts in the future.

We must craft policies that are based on innovative thinking and breakthroughs we make through research. -FTC Chairwoman Edith Ramirez

“We’re just now scratching the surface of what is to come as a result of technological advancement,” Ramirez said. “We must craft policies that are based on innovative thinking and breakthroughs we make through research.”

Some of the papers presented contained data that many privacy professionals wouldn’t find particularly surprising. A University of Pennsylvania project led by Joseph Turow, for example, found “most Americans don’t have the basic knowledge to make informed cost-benefit choices” when navigating the web. The paper, “The Tradeoff Fallacy,” comes to the conclusion that American consumers, rather than being okay with trading bits of personal information for discounts or services, are rather simply resigned to the fact that “they have no other choice if they want to live in this world,” Turow said.

In fact, this idea of a tradeoff “is a figleaf marketers use to justify what they’re doing.”

Of course, this idea that consumers don’t fully understand how their data is being collected and how it’s being used is something the privacy community has been grappling with since the advent of targeted advertising and data collection.

Ashwini Rao and colleagues at Carnegie Mellon University presented similar findings in “Expecting the Unexpected: Understanding Mismatched Privacy Expectations Online,” which focused on issues like consumer ideas that just the existence of a privacy policy means that a site can’t sell data to third parties. The paper suggests that policies could be simplified and targeted at just those issues that are commonly misunderstood.

Along the same lines, California-Berkeley’s Chris Jay Hoofnagle presented “Alan Westin’s Privacy Homo Economicus,” which challenges further the idea that consumers are making rational cost-benefit decisions with their personal data. “The key point,” Hoofnagle said, “is that Alan Westin’s theory was based on rational choice theory, and his main thesis was that public policy should serve the privacy pragmatists, people who weigh choices in the marketplace and make informed choices.”

However, the paper’s findings show “most [consumers] are simply uninformed.”

To pile on, Andelka Phillips of University of Oxford and Jen Charbonneau of University of Tasmania presented “Giving Away More Than Your Genome Sequence,” a look at genetic testing services that found “consumers often display inattentional blindness online.” Even when dealing with the most sensitive of data classes, genetic information.

So, what to do? Carnegie Mellon’s Norman Sadeh, CIPT, presented a still un-published paper describing an intriguing “personalized privacy assistant,” whereby a user could set general privacy preferences and have the assistant apply settings automatically when an app is downloaded or a web site visited. One of the barriers, however, is that it would require industry to open up application program interfaces that are currently closed for the most part. 

In the shorter term, “We could start seeing privacy policies as seals,” Hoofnagle offered. Like “organic” labels on fruit, “we could start saying that 'privacy' means certain things.” Already, he noted, if a policy says anything about security, the FTC has interpreted that to mean you have to actually provide some kind of baseline of adequate protection. 

Similarly, University of Oregon’s Heather Shoenberger and University of Florida’s Jasmine McNealy suggest in their abstract for “Offline v. Online: Re-Examining the Reasonable Consumer Standard in the Digital Context” that some use of iconography and heuristics may move the needle in aligning consumer expectations with reality.

Like the Ad Choices icon? Turow’s paper found no one seems to see it.

Genie Barton, director of the Advertising Self-Regulator Council’s accountability program, with a fresh pair of enforcement actions in hand regarding a missing Ad Choices icon, was willing to listen. “The Council of the Better Business Bureau’s whole mission is to increase marketplace trust by improving relationships between consumers and ethical marketers,” she said in a hallway interview. “I wish the research community and the industry community were less antagonistic toward one another.”

Barton noted that education is a problem for lots of industries. “I looked at the statistics around recycling knowledge,” she said, “and after years of seeing the recycling symbol on a trashcan in a public place, now a majority of people know what the symbol means. But under 30 percent of them knew what to recycle. And that’s a lot simpler than digital privacy.”

What about the contents of my Chipotle burrito?” he wondered aloud. “I don’t necessarily know where all the contents were sourced from, but it doesn’t really matter until I get sick. -Alan McQuinn, Information Technology and Innovation Foundation

On a different tack, IAPP VP of Research and Education Omer Tene played Devil’s Advocate in suggesting consumers, rather than being resigned as Turow suggests, are “actually thrilled, even delirious, about these technologies. They can hail the Uber and rate the driver and get the new Android or iPhone and, yippee!, a selfie on their Snapchat … There seems to be something more complex at play here. We see it in other contexts: I care about health, but I eat a cheeseburger. I care about the environment, but I drive an SUV. Winters are rough in New England.”

As a corollary, the Information Technology and Innovation Foundation’s Alan McQuinn was among a few speakers who wanted to make sure harm was considered in the context of the papers. “What about the contents of my Chipotle burrito?” he wondered aloud. “I don’t necessarily know where all the contents were sourced from, but it doesn’t really matter until I get sick. We’re talking about what’s in the burrito, not the food poisoning.”

This led Jasmine McNealy to rejoin that if Chipotle mischaracterized the contents of their burritos, for example leading people to believe the contents were organic when they were not, most people would take issue with that, whether there was actual harm from eating the non-organic contents or not.

In the end, it was clear that the Federal Trade Commission has its hands full as it navigates its options for regulating the use of personal data and how that data is protected. New FTC Chief Technologist Lorrie Cranor, CIPT, herself a researcher at Carnegie Mellon, closed the conference with short remarks that noted her intention to bring policymakers and researchers more closely together, to continue the FTC’s mission of making good policy by using good data and information.

“Knowing what consumers want isn’t enough,” Cranor said. “What do we do with that information and how do we use it to start to create actual transparency?” 

The privacy profession will be heavily invested in the answers to those questions.

Written By

Sam Pfeifle

1 Comment

If you want to comment on this post, you need to login.

  • Sterling Miller Jan 16, 2016

    Interesting.  Would have to see the research and the statistical rigor to understand if consumers are truly this uniformed.  I tend to agree with Omer Tene's thoughts that consumers know and they just don't care.  Similarly, agree with Alan McQuinn that the FTC should not regulate or should temper any regulation in light of actual harm (vs. just a theory).  Thanks for the summary Sam.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Privacy Core® e-learning Library Expands Again

Two innovative additions to our Privacy Awareness curriculum coming in April: Recognizing and Avoiding Social Engineering and Identifying Phishing Attacks.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

IAPP-OneTrust Website Scanning & Cookie Compliance Tool

Scan your website for cookies, tags, forms and policies and create a custom, dynamically updated cookie policy based on the results of your scans.

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

More Resources »

Global Privacy Summit 2017

What an amazing Summit! Looking for session presentations? Click through to the webpage and look in the session's description for a link to view slides.

Canada Privacy Symposium 2017

Early Bird discounts may be gone, but not your chance to catch this year's stellar lineup! Register today.

Asia Privacy Forum 2017

Join us in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

We're bringing the best of the best in privacy and infosecurity to sunny San Diego. Early registration for P.S.R. opens in May.

Europe Data Protection Congress 2017

Your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Registration opens in early June.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»