Redefining Privacy Harms Would Unleash a Flood of Litigation
In recent years, the Federal Trade Commission (FTC) has aggressively scrutinized the tech sector, going after virtual reality, artificial intelligence, online marketplaces, and Internet service providers. Now in its latest case against data brokers, the FTC and the courts could change the definition of privacy harms, unleashing a flood of litigation and potentially undermining the data economy.
The FTC originally sued Idaho-based data broker Kochava in 2022 for engaging in unfair practices by selling individuals’ geolocation data, alleging that this data could enable others to identify individuals and lead to secondary privacy harms such as stigma, stalking, discrimination, job loss, and physical violence. The U.S. District Court for the District of Idaho dismissed the FTC’s complaint in 2023, ruling that the FTC needed to show a substantial risk of these secondary privacy harms occurring rather than arguing merely that such harms are theoretically possible.
In response, the FTC amended its complaint, providing more details about the alleged privacy harms of Kochava’s data practices, while Kochava disputed these allegations as “knowingly false” and “misleading.” The same district court denied Kochava’s motion to dismiss the FTC’s amended complaint on February 9, 2024, agreeing with the FTC this time that Kochava’s practices potentially created a significant risk that consumers will suffer secondary privacy harms.
More importantly, the court also ruled that Kochava’s practices potentially represent a substantial injury to consumers by invading their privacy. In other words, if this argument continues to hold water, any invasion of privacy itself—regardless of whether any secondary privacy harms occurred, such as the aforementioned stigma, stalking, discrimination, job loss, and physical violence—would be enough for the FTC to take action against a company.
This would represent a significant change in privacy enforcement. Currently, the FTC needs to prove not only that a company violated consumers’ privacy but that this violation led to harm. If the invasion of privacy is itself a harm, that second step is eliminated. The FTC could take enforcement actions against companies for privacy violations that did not cause any tangible harm to consumers, resulting in costly litigation and fines for companies.
With higher legal and compliance costs, companies that handle consumer data—not just data brokers, but virtually any business—will have less money to put toward innovation that benefits consumers, such as new and improved features. But even more broadly, threatening companies with litigation and fines for violating consumer privacy even if harm does not occur will produce a chilling effect on all forms of data collection. It will also force firms to spend as much on preventing low- and no-risk privacy threats as they do on high-risk privacy threats, since they would face similar treatment from the FTC.
For some privacy fundamentalists—the minority of individuals who value privacy above all else—less data collection is always a good thing. But in reality, the results of data collection are often a public good. Data has led to improvements in healthcare, infrastructure, education, and much more. In order to fully realize the transformative potential of data for innovation while protecting consumers, FTC enforcement should focus on privacy violations that lead to tangible harm, not theoretical harm.