• by Wendy Davis  @wendyndavis, October 31, 2017

The Federal Trade Commission should only take action over privacy or security practices that have caused "concrete injuries" to consumers, the Interactive Advertising Bureau and other ad groups say.

"A concrete injury standard creates predictability for businesses and consumers while also protecting consumers who have legitimate claims of injury," the IAB, American Advertising Federation, American Association of Advertising Agencies, Association of National Advertisers, Data & Marketing Association and Network Advertising Initiative write in comments submitted to the FTC late last week.

The groups' comments come in advance of a planned FTC workshop on "informational injury" to consumers. The agency plans to address issues including injuries posed by privacy glitches and data security breaches, businesses weigh the costs and benefits of data collection, and how consumers assess the pros and cons of sharing information about themselves.

The ad groups are urging the FTC to avoid bringing enforcement actions if a privacy or security practice causes only "subjective emotional distress."

"An injury standard based on subjective emotional distress is too vague to be applied consistently," they write. "Since emotional privacy injuries are subjective to the individual, the same information use or sharing practice may be interpreted entirely differently by two people."

Some privacy advocates counter that "subjective" injuries shouldn't be discounted. The Center for Democracy & Technology tells the FTC that people "rightly perceive that they lack control over how information about them is collected, shared, and used."

The group adds that this perceived lack of control leads to "the pervasive fears, discomforts, and other chilling effects that are emblematic of ... subjective privacy harms."

FTC Commissioner Maureen Ohlhausen has previously said she thinks the agency should focus on concrete injuries, as opposed to speculative ones. In 2015, she dissented from a decision to prosecute analytics company Nomi Technologies, which tracks consumers in retail environments.

In that case, the FTC alleged in an enforcement action that Nomi failed to adhere to its privacy policy, which said consumers could opt out of retail tracking at any retailer using the company's technology. Despite that language, the company did not require its retail clients to disclose whether they used the technology; most of its clients failed to do so, according to the FTC.

Ohlhausen said she dissented because Nomi "went beyond its legal obligations by offering a working global 'opt out' for consumers, but had a partially inaccurate privacy policy," and that the agency "lacked any evidence of consumer harm."