FTC's low fines could cost the agency its privacy reputation
How good a job does the Federal Trade Commission do with its existing privacy authority? This is an important question because expansion of the commission's privacy-enforcer role seems to arise regularly.
Recent commission actions offer insight. In 2005, the FTC charged that Experian marketed free credit reports for years without adequately disclosing that consumers would automatically be signed up for a credit report monitoring service costing $79.95 annually if they didn't cancel within 30 days. Experian agreed to offer refunds to some consumers and to pay a nearly $1 million fine.
This story has a second chapter. Experian was again charged with deceptive advertising. In a second consent decree in January 2007, Experian promised to provide adequate disclosure and pay a fine of $300,000.
In the second case, the FTC says that it required Experian to give up $300,000. The FTC did not reveal how it arrived at the amount of the fine.
In February, the commission took action against DirectRevenue. The charge was that the company used unfair and deceptive methods to download adware onto consumers' computers and to prevent consumers from removing the adware.
The settlement bars future downloads of DirectRevenue's adware without the express consent of consumers. The company also must provide a reasonable way for consumers to locate and remove the adware from their computers. The fine was $1.5 million.
One of the commissioners voted against accepting the consent decree. In his dissenting opinion Jon Leibowitz called the result "a disappointment because it apparently leaves DirectRevenue's owners lining their pockets with more than $20 million from a business model based on deceit."
Two aspects of Mr. Leibowitz's opinion are noteworthy. First, he actually dissented. Most consent decrees approved by the commission fail to adequately justify the nature of the relief obtained, the harm imposed on consumers or the size of the fine. Mr. Leibowitz deserves great credit for raising these issues.
Second, the dissenting opinion included financial information about the company. It suggested that the revenues from DirectRevenue's activities exceeded $23 million, making the fine another relative pittance. Mr. Leibowitz cited an article that appeared in BusinessWeek for his numbers.
Again, we don't know how the fine was determined. Let's assume that the commission had revenue and profit figures. Perhaps Mr. Leibowitz couldn't reveal confidential data from the settlement. But we can safely assume that he quoted published figures that must be close to the truth. Here, too, it appears that the commission was willing to let the company keep most of the rewards of its misconduct.
A March 2007 settlement of a case against Zango, another adware company, suggests more of the same. When confronted by Ben Edelman, a spyware authority and Harvard Business School assistant professor, with evidence that company revenue and profits greatly exceeded the fine, the commission responded that the fine was enough. The commission fails to explain its actions adequately on the public record.
The world and the Internet are filled with deceptive or unfair trade practices. We see stories regularly about some offensive practice that harms consumers. Many of these activities fall within the FTC's jurisdiction, but FTC actions make no visible dent in the volume of rip-offs.
I recognize that the commission has limited resources. But when the commission actually manages to catch that one fish in a 1,000 or 10,000, it should make a real example. I agree with Mr. Leibowitz's concluding comment in the DirectRevenue case:
"I would rather go to trial and risk losing, than settle for a compromise that makes an FTC action just a cost of doing business," he said.
Fines for these violations should be a significant percentage of a company's revenue from its improper actions, perhaps as high as 100 percent, or more. If the fine does not really hurt, then the message sent is that the FTC is a paper tiger and that crime pays.
The FTC owes it to the public to reveal more about the size of the fines in relation to the size of the crime. Let's not worry about protecting financial data from companies that violated the law in the first place.
Should businesses care that the FTC lets some law violators off cheap? If the Congress and the public recognize that the FTC does little to truly protect consumers, they will demand better enforcement, including private litigation and class actions. If those are the alternatives, I'd bet that more businesses would agree that real FTC enforcement might not be so bad after all.