About web

So far web has created 110 blog entries.

One Reason So Many FTC Cases Settle

Some complain that the FTC’s cases are never litigated and thus are not law. Why aren’t more FTC cases litigated? The class action suit against Trump University demonstrates one reason. In that case, discovery has turned up calling scripts and the like that portray the organization negatively.

Modern businesses, in order to swindle big, need employees and infrastructure. Managing those employees and infrastructure requires recordkeeping, and that paperwork is enough to prove the FTC’s case. So defendants often roll over because their own documents offer a roadmap of their deceptive/unfair practices.

June 1st, 2016|History|

What We Buy When We “Buy Now”

Many internet business models seem to take advantage of the confusion between online and offline contexts. Social networks make strangers and mere acquaintances your “friends.” Privacy policies borrow from offline norms of confidentiality. Websites have our “trust” yet act in ways that contravene basic principles of the pre-internet idea of trust. My most recent paper with Professor Aaron Perzanowski looks at the context confusion between physical and digital products. In What We Buy When We “Buy Now,” forthcoming in volume 165 of the Pennsylvania Law Review, and covered today by David Lazarus in the LA Times, we present data from the first-ever survey of consumer expectations in digital media products. Here are the highlights:


Percentage of respondents who believe that “buy now” confers rights in digital goods (n=333).


First, we surveyed nearly 1,300 internet users using a mock-up of a website that is similar to Amazon.com where one could purchase physical books, mp3s, ebooks, and digital movies. The resulting data reveal a number of insights about how consumers understand and misunderstand digital transactions. The switch to a digital platform offers convenience but also makes consumer access more contingent. Unlike a purchase at a book store, a digital media transaction is continuous, linking buyer and seller and giving the seller post-transaction power impossible in physical markets. Although DRM technologies have had some setbacks in the music space, content control mechanisms are alive and even thriving in other contexts, such as games and movies. Yet we found that a surprisingly high percentage of consumers believe that when they “buy now,” they acquire the same sorts of rights to use and transfer digital media goods that they enjoy for physical goods.


A quarter of respondents were presented with this short notice concerning rights in digital goods.

One should expect some confusion in any marketplace. But the confusion surrounding digital media rights is a big deal–the marketplace for digital media is an 11-figure business. At least some of that business is based on the misconceptions surrounding the affordances of digital technology. In its recent White Paper on Remixes, First Sale, and Statutory Damages, the Department of Commerce noted that “the record before [it] is devoid of any actual evidence as to what consumers understand when they click on the ‘buy’ button.” Nonetheless, it expressed concern that “it does not appear that consumers have a clear understanding whether they own or license the products and services they purchase online due in part to the length and opacity of most EULAs, the labelling of the ‘buy’ button, and the lack of clear and conspicuous information regarding ownership status on websites.”

So what to do about it? Aaron, who has no training in design, created this short notice, and we tested it to see whether it could improve consumers’ understanding.

Overall, we found that the short notice was more effective in reducing consumer misperceptions of their rights. Despite just seeing the short notice once, affirmative responses to the ownership question (do you own the media?) dropped significantly for each of the three media types we tested—23% for ebooks, 20% for mp3s, and 13% for movies.

Presumably, if consumers knew of the limited bundle of rights they were acquiring, the market could drive down the price of digital media or generate competitive business models that offered a different set of rights. Respondents said that digital media rights were important to them, that they would be willing to pay more to enjoy them, and that some were willing to resort to streaming services or even piracy.

Although our short notice could undoubtedly be improved through testing alternative designs, placements, and interactions, it is a remarkably low-cost intervention. And where false consumer perceptions can be avoided at little cost, we might be especially inclined to impose a legal obligation to do so.

Thus, in the final part of the paper, we turn to legal interventions such as state false advertising law, the Lanham Act, and federal unfair and deceptive trade practice law as possible remedies for digital media deception. Because of impediments to suit, including arbitration clauses and basic economic disincentives for plaintiffs, we conclude that the FTC could help align business practices with consumer perceptions. The FTC’s deep expertise in consumer disclosures, along with a series of investigations into companies that interfered with consumers’ use of media through digital rights management, makes the agency a good fit for deceptions that result when we “buy now.”

A final note for the methods geeks. Aaron came up with an innovative idea that I have never seen in advertising copy testing experiments. To give more meaning to the idea of materiality, Aaron set up the survey so that the respondent got to choose among a set of popular products. The respondent chose among a bevy of books, movies, and music, and that product followed the respondent through the survey. This may be a better way to make materiality more palpable and have the respondent more engaged in the testing.

May 13th, 2016|History|

FTC 6(b)s the PCI Assessors

The shoes are dropping on the companies that assess PCI compliance. Our first signal comes from the LifeLock case. In LifeLock, the FTC alleged that the company “failed to establish and maintain a comprehensive information security program…” as required by a 2010 order. LifeLock settled the case for over $100M, despite the fact that the company claimed it had a clean bill of health from a reputable third-party PCI assessor, and according to Commissioner Ohlhausen, LifeLock suffered no breach.

How could it be the case that a company that receives a clean PCI-DSS assessment could also fail to establish a security program? Several possibilities come to mind: First, the FTC could have come to the conclusion that PCI-DSS is an unreliable or too fragile standard. Second, the assessor could have done a terrible job–one so bad that even LifeLock should have realized it. Third, perhaps the FTC suspected that LifeLock gamed the assessment process. Like the restaurant that gets warning of the inspector’s arrival and quickly cleans the kitchen once, perhaps LifeLock cleaned up its act but then reverted to some bad security state. Finally, perhaps the assessor is complicit in gaming the system, by preparing two reports–one for use by the company and another for the FTC.

The second shoe dropped today–the FTC is using its broad-ranging §6(b) authority to investigate PCI assessment companies, including PricewaterhouseCoopers. Section 6(b) is not used often, but it is a powerful tool. With it, the FTC can compel private parties to complete special reports that are submitted under oath.

The order, which must be complied with in 45 days, suggests that the FTC is suspicious of several aspects of the PCI assessment process. The order is 7 pages long and it is accompanied by an 8-page-long appendix of definitions and procedures. The issues the FTC is probing include:

  • The qualifications of assessors
  • How many times the assessors refused to issue a “compliant” determination
  • How much the assessors charge for their services
  • How assessors scope their inquiries
  • How/whether assessors choose to use testing
  • Whether the assessor provides a “draft report” for the client that the client can edit
  • Whether the assessor surfaces problems that the client is allowed to remediate
  • Whether the assessor certifies clients as compliant based on the promise that the client will remediate a problem

The FTC does not ask questions like this and put high-profile companies through the wringer for nothing. The FTC’s cases must be arousing suspicion, or–more likely–a competitor has ratted out assessing firms that are engaging in shady practices.

[I updated this post on March 8th to clarify that the 6(b) letters are focused only on the PCI-DSS process, rather than on all forms of assessment.]


March 7th, 2016|History|

Q&A in BNA

Here is a link (free version here) to a Q&A with Bloomberg BNA Privacy & Data Security News Senior Legal Editor Jimmy H. Koo. Thank you, Jimmy, for letting me discuss the early history of the FTC and how turn-of-the-century tensions shape how we regulate privacy today.

https://hoofnagle.berkeley.edu/ftcprivacy/wp-content/uploads/2016/02/newhoofnagleInt.pdf

February 15th, 2016|History|

Oped in the Hill

I would have chosen a different title for this one, perhaps “Citizens Rejoice! The ‘Libertarians’ Think The FTC Has Lost Credibility.” It is much more about the anti-FTC lobbying rhetoric than specific business practices.

The Federal Trade Commission’s strategic enforcement of privacy cases has struck a nerve. The business lobby has responded on the opinion pages of DC newspapers, portraying the FTC as an agency out of control. The FTC tramples the rights of companies. It stifles innovation. It chases headlines instead of fraudsters and real harms to consumers. The FTC is losing credibility. Consumers, however, should be comforted by these headlines. The attacks on the FTC are actuated by the agency’s successes in the courts and its increasing sophistication in protecting privacy.

Read the rest at The Hill.

February 4th, 2016|History|

First Review In

The prolific GULC Professor Rebecca Tushnet comments on 43(B)log on FTC Privacy Law and Policy:

This is a detailed, clearly written guide to the FTC, with specific attention to its privacy practices but including an extensive discussion of its overall history and jurisdiction, at least on the consumer protection side; the antitrust side receives much less attention, which is not a complaint (at least not from me!). I learned a lot, and I’m going to recount some of the highlights.

And then there is indeed a recounting! Eight pages’ worth. Rebecca really has an eye for detail and she uncovers some of the most interesting aspects of the book. Thank you, Rebecca!

February 1st, 2016|History|