On February 28, 2018, the Federal Trade Commission (FTC) hosted its third Privacy Con conference in Washington D.C., an event that highlights research and facilitates discussion of the latest research and trends related to consumer privacy and data security. The FTC welcomes privacy and data security researches to inform it of their latest findings, and encourages the dialogue between researches and policymakers to continue well after the conference. The 2018 conference was well attended by many professionals in the data privacy field, who shared the results of their studies and research in data privacy.

The Acting Chairman of the FTC, Maureen K. Ohlhausen, delivered the opening remarks at Privacy Con. Chairman Ohlhausen stated that the FTC has been and will continue to be active in the data privacy field and will continue to bring important cases. She emphasized that this year the FTC will focus on an “economic approach” to data privacy. Chairman Ohlhausen explained this approach does not necessarily require crunching numbers, but rather, will involve applying tools of economic analysis to assess the amount of resources that should be devoted to certain matters. Chairman Ohlhausen said that the FTC will try to better understand the types of injuries consumers suffer from a data breach and devote attention to data privacy cases that cause greater injuries, some of which may be personal and not economic.

Following Chairman Ohlhausen’s opening remarks, professors with technical backgrounds provided in-depth analysis regarding data privacy concerns pertaining to, among other things, email tracking, browser extensions, smart devices, web session recordings, social media advertising, interactive use, smart toys, and crowd sourcing. In short, the key takeaways from these studies are: (1) companies need to have greater transparency regarding voluntary and involuntary leaks of personal information to third parties so that consumers can take greater measures to safeguard their personal identifiable information (PII); and (2) balancing the need to inform consumers about PII leaks, with consumers’ desire to not be inundated with too many requests for permission before PII is disclosed.

With respect to the first point, the panelists identified different circumstances where a consumer’s PII is shared with third parties, which consumers may not even be aware. For example, most consumers are not aware of how intrusive web browser extensions can be, that web sessions on certain sites are recorded and sold to third parties, or that children’s smart toys may be recording conversations and posting them on social media. The panelists emphasized that it is critical for companies to disclose to consumers that their PII is disclosed to the public or third parties through these mechanisms so that they can make informed decisions regarding how to safeguard their privacy.

For the second point, the panelists described the studies they conducted regarding consumers’ privacy expectations to determine under what circumstances consumers would like to provide express permission before PII is disclosed and situations where consumers are comfortable providing implicit consent through predictive behavior and usage. The panelists found that if the information was for a beneficial purpose (such as safety) or information obtained in a public setting, consumers are comfortable disclosing their PII without providing express consent. However, if the information was obtained in a private area or was not for a beneficial purpose, consumers said that they did not want their PII disclosed unless they gave express consent. In short, the results of these studies indicate that consumers’ privacy expectations are content and context dependent.

In sum, the 2018 Privacy Con opened up a great dialogue regarding consumer expectations for data privacy, and the FTC’s focus this year on studying the types of injuries consumers can suffer from a data privacy breach.