Consumer Protection at the FTC and the CFPB

In this paper, James Cooper, Timothy Muris, and Todd Zywicki examine and make recommendations to help improve consumer protection efforts at both the Federal Trade Commission and the Consumer Financial Protection Bureau.


James C. Cooper
Timothy J. Muris
Todd J. Zywicki


This paper was the work of multiple authors. No assumption should be made that any or all of the views expressed are held by any individual author. In addition, the views expressed are those of the authors in their personal capacities and not in their official/professional capacities.
To cite this paper: James C. Cooper, et. al., “Consumer Protection at the FTC and the CFPB”, released by the Regulatory Transparency Project of the Federalist Society, November 16, 2017 (

Executive Summary

Traditionally, consumer protection was seen as one of the core functions of modern government and one of the foundations of the modern administrative state — that is, broadly speaking, regulatory agencies and their collection of rules, regulations, and pronouncements. This understanding can be traced as far back as the creation of the Federal Trade Commission (FTC) and the legend of the creation of the Food and Drug Administration (FDA) in the wake of Upton Sinclair’s famous novel, The Jungle. According to the received wisdom, the growth of mass-produced, standardized goods and standard-form contracts deprived consumers of the ability to protect themselves through the ability to inspect and bargain for the goods and services that they desired. Led by Ralph Nader the first wave of consumer protection legislation and regulation — which successfully shepherded in myriad new government consumer protection rules across a range of industries — peaked in the 1970s. Before the close of the decade, however, economists and the American public also came to better appreciate the potential costs of poorly-designed consumer protection policies. Many of these regulations and regulatory institutions evolved from devices to promote consumer protection into tools that would dampen pro-consumer competition and innovation.

President Trump’s recent nomination of Joe Simons to serve as Chairman of the FTC — the nation’s premier consumer protection agency — should serve as a reminder of the impact that consumer protection regulation can have on the economy today. It also provides a timely opportunity to reevaluate what we have learned over decades of consumer protection enforcement, to reexamine how we have been handling recent cases, and to reassess the effectiveness of these approaches, particularly as innovative and high technology industries increasingly comprise our economy.

Indeed, as data increasingly suffuses nearly every aspect of our lives, the FTC’s enforcement actions and policy pronouncements concerning privacy and data security leave a growing regulatory footprint. For example, recent cases like LabMD1 and D-Link2 represent attempts by the FTC to impose broad data security requirements on the economy. Further, through a series of workshop reports and a host of consent orders involving data collection and use, the FTC has created de facto privacy guidelines and foisted concepts like “data minimization” and “privacy-by-design” on businesses.

While the FTC’s efforts in privacy and data security are focused on digital flows of personal information to businesses, it also has made important changes to the way it regulates another type of information flow: advertising. Recent FTC advertising decisions have moved away from a focus on the perception of an average consumer to that of a minority. Further, the FTC increasingly has called for companies making health claims to meet a substantiation standard which is akin to the FDA standard for drug approval. Finally, the FTC has begun to seek consumer redress from firms that make claims found to lack substantiation, a practice once reserved for fraudulent behavior. Although privacy and data security are important values, and consumers need truthful information to make informed choices, regulation in these areas has the potential unnecessarily to choke off the supply of valuable information to consumers and firms. As such, it is crucial that policy makers strike the correct balance, and do so using empirical evidence where possible.

Consumer protection regulation of the financial sector has also grown apace in recent years, largely driven by the Consumer Financial Protection Bureau (CFPB). The CFPB was created by the Dodd-Frank Financial Reform legislation in 2010 and was one of the “crown jewels” of that historic legislative initiative. Although CFPB touts itself as a “21st century, data-driven agency,”3 it has functioned much more like a 1970s-style command-and-control regulator, with a focus on product bans, substantive regulation, and a skepticism of innovation and development of new products and systems of information delivery. What’s more, a number of laws and regulations enacted in the post-crisis era have dampened innovation, erected new barriers to financial inclusion, and reduced the competitiveness of the banking sector.

This paper examines these three particularly relevant areas of modern consumer protection policy. Part I analyzes the FTC’s advertising regulation. It explains how recent changes to this enforcement break with the Commission’s traditional enforcement standards — which were based upon decades of experience and evidence — without adequate justification, often to the detriment consumers and legitimate businesses. Part II examines the Commission’s privacy and data security enforcement, with particular attention paid to the need to focus upon consumer harm as informed by economic analysis. Part III evaluates the CFPB’s mandate, goals, and actual enforcement efforts. It elaborates upon how the CFPB’s actions may, in practice, undermine its goals and offers recommendations for aligning actions and outcomes. Throughout its entirety, this paper pays specific attention to policies that might better promote innovation, choice, opportunity, and consumer protection.

I. Federal Trade Commission Advertising Regulation

The competitive benefits of advertising are by now well known: to quote Nobel Laureate George Stigler, advertising is “an immensely powerful instrument for the elimination of ignorance.”4 Former Director of the FTC’s Bureau of Consumer Protection Professor Beales further explained, “[i]nformed consumers drive the competitive process, benefitting all as sellers compete for the informed minority. Numerous economic studies have shown that restrictions on advertising increase prices to consumers, even when advertising does not mention price.”5 For decades, a bipartisan consensus at the FTC recognized and promoted the central role of advertising in a market economy. In the words of former Chairman Robert Pitofsky, the agency engaged in “a practical enterprise to ensure the existence of reliable data,” rather than “a broad theoretical effort to achieve Truth.”6

The FTC has recently changed course in advertising regulation in at least three notable ways: (1) its approach to interpreting advertising claims; (2) its evidentiary requirements for advertising claims; and (3) its efforts to obtain monetary relief in traditional advertising substantiation cases. These changes dispense with Commission best-practices premised upon decades of learning and experience, without providing any basis for doing so. The Commission’s failure to examine and justify alterations to well-established practices threatens to undermine rational and effective enforcement in the advertising space.

A.  Advertising Interpretation Should Focus on the Ordinary Consumer

Virtually any communication can be misunderstood by a minority, and that minority’s understanding may be completely wrong. This is an inherent problem of all communication, especially marketing messages, which are almost always brief and presented in times and places where most consumers do not usually pay full attention. Academic studies of brief communications show that 20 to 30 percent of the audience misunderstood some aspect of both advertising and editorial content.7 Meaningful protection for commercial speech requires, at the least, respect for the 70 to 80 percent of consumers who understand the message correctly. If regulators insist on communications that the minority cannot misunderstand, the result is likely to be communications that are also uninformative. This is precisely what the FTC is doing.

In its Deception Policy Statement, the FTC stated that an act or practice is deceptive if it is likely to mislead consumers, acting reasonably in the circumstances, to their detriment.8 The Policy Statement evaluates claims from the perspective of the “average listener,” the impression “on the general populace,” or the “expectations and understandings of the typical buyer.”9 A footnote states that “[a]n interpretation may be reasonable even though it is not shared by a majority of consumers in the relevant class, or by particularly sophisticated consumers. A material practice that misleads a significant minority of reasonable consumers is deceptive.”10 At the FTC today, contrary to the previous 25 years of practice under the deception statement, the footnote has swallowed the standard, and cases routinely are pursued because a “significant minority” is likely to be misled.

Moreover, the FTC’s focus on a “significant minority” is particularly troubling because the agency usually decides which ads are deceptive based solely on a majority of its five members’ own reading of the ad — without outside evidence of how real consumers actually interpret the communication. Indeed, deference to the FTC’s “expertise” in interpreting advertising is perplexing. Former Chairman Pitofsky put it thusly:

Why questions of meaning should be submitted to the virtually unreviewable discretion of five Commissioners of the FTC has never been articulated. Unlike other instances of deference to regulators as part of the administrative process, there is no reason to believe that commissioners of the FTC have unusual capacity or experience in coping with questions of meaning, nor any indication that successful regulation of advertising requires a balance of related regulatory considerations that commissioners are in a special position to handle.11

A logical approach to advertising interpretation would be to return to a focus on the average viewer. Outside evidence can help to strike the appropriate balance when, as is often the case, a communication informs some consumers and misinforms others. Crucially, the evidence should be a guide as to whether there is an alternative way to communicate a truthful message in a way that is less likely to be misleading. Prohibiting communications because some consumers will misunderstand would likely leave most consumers in relative ignorance — the opposite of what the FTC should seek to accomplish.

B.  The FTC’s Evidentiary Requirements for Advertising Claims Should Balance the Benefits and Costs of the Statements and Reflect that Different Statements are Substantiated Best with Different Tests

The FTC’s advertising substantiation policy requires that advertisers have a “reasonable basis” for claims before making them. Traditionally, the core principle of substantiation recognized the uncertainty surrounding many claims, and balanced the benefits of truthful claims against the costs of false ones.12 Recently, the FTC moved from balancing to a firm rule that requires clinical trials even if the benefits of the claim, if true, overwhelmingly exceed the costs of the claim, if false. If continued, this approach would prohibit some claims about the relationship between diet and disease that most scientists regard as prudent public health recommendations despite the absence of well controlled clinical trials.

Rather than relying on the traditional balancing test, the FTC’s recent decisions regarding proof of ad claims reflect a more rigid standard, one more closely modeled on the FDA’s stringent standard for drug approval.13 For example, instead of requiring “competent and reliable scientific evidence” for ad claims, the FTC has required claim substantiation about the relationship between nutrients and disease with two randomized, placebo controlled, double blind clinical trials (RCTs).14 This standard is excessive in most cases, and is likely to deprive consumers of valuable, truthful information.

The randomized, double blind, placebo-controlled clinical trial has been dubbed the gold standard of medical research. For some specific questions, it is the only methodology that experts accept as yielding accurate and reliable results. Despite the value of clinical trials, sometimes they are simply not necessary. A systematic review of randomized trials of parachutes, unsurprisingly, would not yield any results. Notwithstanding the lack of randomized trials of parachutes, few would recommend jumping from an airplane without one because of the failure to conduct such studies. Again, sometimes they are simply not necessary.

C.  The FTC Should Focus Monetary Relief on Fraud Cases and Limit Such Relief in Traditional Substantiation Cases

Since 1981, the FTC has systematically targeted fraud by, “in proper cases,” using its authority to freeze companies’ assets and compel the surrender of ill-gotten gains.15 More recently, the FTC has claimed the authority to expand this practice beyond fraud cases, suggesting that it could seek consumer redress even against legitimate companies when they allegedly lack substantiation for claims made as part of national advertising campaigns. This claim of remedial authority is particularly problematic.

Typically, such cases involve a reputable national advertiser making claims about the features or benefits of its products or services.16 Although such claims may highlight something new, the product will often have been on the market for many years based on other claims. Moreover, such cases often involve disputes over scientific details about the proof and the required level of evidence, with well-regarded experts on both sides. The FTC’s ability to find implied claims that the advertiser believes it did not make — and for which it is thus unlikely to have evidence — only exacerbates the problem. What is more, even if the particular claims about the effects of the advertised products arguably lack a reasonable basis, such claims generally are not the sole (or even primary) reason that most consumers purchase the products.

The knowledge that the FTC might seek consumer redress could discourage companies from providing information that they thought consumers would want about the products they use. The risk is particularly acute when, as discussed above, the traditional standard for substantiation is changing. Even with the “right” substantiation standard, however, uncertainty will exist about how it will be applied in a particular case. With monetary penalties, the increased risk, in combination with the uncertainty, will engender greater fear about making truthful claims.

Accordingly, it is clear that ill-considered changes to the FTC’s advertising regulation policy can perversely undermine the Commission’s consumer protection goals — doing consumers more harm than good. To effectively protect consumers and enhance outcomes, the Commission should reconsider these deviations and return to policies that are premised upon decades of experience and empirical evidence.

The FTC has recently changed course in advertising regulation in at least three notable ways: (1) its approach to interpreting advertising claims; (2) its evidentiary requirements for advertising claims; and (3) its efforts to obtain monetary relief in traditional advertising substantiation cases. These changes dispense with Commission best-practices premised upon decades of learning and experience, without providing any basis for doing so. The Commission’s failure to examine and justify alterations to well-established practices threatens to undermine rational and effective enforcement in the advertising space.

II. Federal Trade Commission Privacy Regulation

Although there are a variety of privacy laws aimed at specific industries (e.g., HIPPA, FERPA), the U.S. has no general privacy regulation. The FTC has emerged to fill this vacuum, using its broad mandate under Section 5 of the FTC Act — which prohibits “unfair or deceptive acts or practices”17 — to become the nation’s privacy and data security cop. Data is the lifeblood of today’s economy; by some estimates, the information economy accounts for six percent of GDP.18 Accordingly, the FTC’s actions in this space stand to leave a large footprint. Unfortunately, a policy driven by settlements and reports devoid of economic analysis has failed to provide a coherent analytic framework to identify practices that are actually harmful to consumers.

Below we examine several of the shortcomings of the FTC’s current approach to privacy and data security and offer suggestions. Notably, the FTC needs to focus on practices that are harmful to consumers, rather than relying on ex ante notice and choice requirements. Related to this goal, the FTC needs to engage the vast body of work on the economics of information and privacy, including empirical studies of consumer values of privacy when making policy in this area. The FTC also should be careful to distinguish privacy harms from impacts resulting from different treatment, and also continue to cabin privacy considerations from its competition policy.

A.  The Benefits of a Harms-based Enforcement Regime

Why is a focus on harm so important? If conduct is not harmful, prohibiting it provides no benefits, and at best squanders governmental resources, and at worst deters beneficial conduct. At the outset, it’s important to explain why ex post enforcement focused on harmful data practices is likely to be better for consumers than an ex ante consent-based model found in the Fair Information Practice Principles (FIPPS). A FIPPS regime — like that adopted explicitly in the Federal Communications Commission’s recent broadband ISP privacy rule, and promoted by the FTC through tiered notice-and-consent regimes based on the sensitivity of data, and calls for Internet of Things (IoT) companies to develop workable consumer interfaces — ignores the cost of information processing. Vast research shows that consumers ignore these (and most other) notices, and tend to stick with defaults.19 As a result, relying on notice and choice is likely to discourage beneficial data uses. While obtaining consent for data practices beforehand will alleviate privacy concerns, the converse is not true: lack of ex ante notice-and-choice does not automatically give birth to privacy harm.20 This means that a consent-based regime is likely to end up squandering valuable data uses without providing consumers anything meaningful in return.21 Requiring the FTC precisely to identify — and to quantify, to the extent possible — the privacy harm at stake (e.g., unwanted intrusions, loss of autonomy, affronts to dignity, physical threats, or financial losses) will avoid this pitfall.22

The problem of establishing consumer harm also has arisen in the data security context. An unfairness claim under Section 5 requires “substantial consumer injury” to be actual or likely. The extent to which the “likely” element is satisfied when a firm employs shoddy security practices has arisen in two recent FTC cases, both of which are being litigated. First, in LabMD the FTC sued a medical testing lab that inadvertently exposed a file containing sensitive patient information to a peer-to-peer (P2P) network.23 The FTC alleged that LabMD’s data security practices were unfair, but at trial the administrative law judge (ALJ) found that the FTC failed to meet its burden of proof; other than expert witness speculation that these types of data breaches can lead to harm, the FTC did not provide any evidence that anyone actually suffered identity theft or dignitary harm. On appeal to the full Commission, the FTC reversed the ALJ’s decision. The Commission found that exposing sensitive information to a P2P network alone satisfied the harm requirement because others may have viewed it. The Commission also held that LabMD’s actions were “likely” to cause substantial harm when the incident occurred in 2009, despite the fact that it provided no evidence that actual harm had occurred six years after the breach.24

The FTC’s recent case against D-Link goes a step further, alleging that failure “to take reasonable steps” to protect its routers and Internet cameras “from widely known and reasonable foreseeable risks of unauthorized access” alone satisfies the harm requirement of an unfairness claim.25 Specifically, the FTC alleges that there is a “significant risk” that hackers will exploit D-Link’s vulnerabilities, and thus “put consumers at significant risk of harm,” for example, by stealing sensitive financial information or through surreptitious monitoring.26 Importantly, the complaint raises only the specter of harm, alleging neither a breach involving D-Link products nor any consumer injury.

LabMD and D-Link, taken together, effectively read the harm requirement for unfairness out of Section 5. If these cases stand, the Commission would become the nation’s de facto data security standard setter, able to proscribe any security practice it deems “unreasonable” based on the assumption that lax security means that “substantial consumer injury” is always likely. Fortunately, to date, the two courts that have had the opportunity to review these cases have failed to embrace the FTC’s theory of harm under Section 5. In D-Link the court dismissed the Commission’s unfairness claim, noting that the FTC’s allegations “make out a mere possibility of injury at best . . . [t]he absence of any concrete facts makes it just as possible that [D-Link’s] devices are not likely to substantially harm consumers.”27 The Eleventh Circuit expressed similar skepticism when it granted LabMD’s request to stay the FTC’s order, explaining that it is unclear whether Congress intended Section 5 to cover intangible harms and further noting that “we do not read the word ‘likely’ to include something that has a low likelihood.”28

B.  Use Economics to Focus on Tradeoffs

FTC privacy reports have at least as much policy impact as enforcement actions.29 Although these reports do not put forth binding rules, they act as de facto guidelines for privacy professionals advising companies.30 What is more, many of these reports make legislative recommendations.

Embedded in these reports are tradeoffs between privacy and other values. Take for example the concepts of “privacy by design” and “data minimization,” which have become core tenants of FTC privacy policy and have formed the basis for enforcement actions.31 Because data collection and use necessarily impact other product or service attributes, these policies are based on an implicit assumption that consumers prefer privacy over other dimensions, such as functionality, price, or customization. The trouble with both these concepts is how they came about: absent any attempt to identify the harms at stake, how harms may vary based across contexts or people, or identifying beneficial uses of data that are impacted with privacy regulation. Instead, they merely rest on notions like the need to live up to “consumer expectations” and fostering “consumer trust” in the Internet ecosystem, which are based on workshop testimony and comments, as well as occasional references to surveys on consumers’ attitudes toward privacy.32

At best, these types of evidence are “stated preference,” and tell us only the trivial fact that privacy, like most other things, has value. They cannot answer the real question for policy makers: how willing are consumers to share personal data in order to receive other things they value?33 Toward this end, the FTC needs to incorporate into its analysis the vast literature on the economics of information, which includes well-developed frameworks for thinking about the economics of privacy.34

The FTC also needs to reconcile two sources of empirical evidence with its privacy policy. First, far from illustrating that consumers are reticent to engage the online ecosystem, observed behavior suggests that consumers are largely comfortable with the tradeoffs they make in their digital lives: there are 1.32 billion daily Facebook users,35 150 million people use Snapchat daily,36 health tracking apps and wearables continue to grow apace,37 and nearly half of US households have an Amazon Prime account.38 Second, a growing body of empirical work suggests that while consumers value control over their personal information, they also are willing to provide that information in return for the type of free goods and services that they receive online.39 If the FTC’s position is that the empirical evidence is not relevant because consumers systematically underestimate privacy harms or otherwise are incapable of making informed tradeoffs between privacy and other values, it should state so clearly and present an empirical basis to support this position. This evidence is not only germane to consumer harm in the context of unfairness, but also is relevant to the FTC’s deception enforcement. The FTC uses its deception authority to hold companies to their promises regarding data collection and use, most often found in privacy policies.40 Deception requires a representation, omission or practice to be “material,” in that it “is likely to affect the consumer’s conduct or decision with regard to a product or service.”41 In privacy, the FTC has relied on a presumption of materiality for express claims.42 This presumption is questionable in light of the empirical evidence that most consumers do not read, or seem to care about, privacy policies, and the fact that privacy policies are not designed to attract consumers, but to comply with state law and self-regulatory regimes.43 The FTC should engage in empirical research to determine the validity of its continuing maintenance. If this research suggests that a larger proportion of consumers do not make decisions based on privacy policies, the FTC should no longer be able to rely on this presumption in its enforcement.

C.  Uncertainty over Standards

The FTC developed its privacy and data security norms largely though settlements and workshop reports. These endeavors, however, leave much to be desired when it comes to establishing a coherent analytic framework to identify harmful practices. Settling FTC charges avoids the social costs of litigation, but it also deprives the public at large of the informational benefits from adjudication when the law is unclear — information that would help identify the extent to which data practices identified by the FTC are harmful to consumers.44 What this has meant is that the FTC law of privacy has been defined by a series of agreements between the FTC and private parties to avoid the direct and collateral consequences of litigation. The resulting set of norms that have developed are quite different than those that would have arisen via a common-law type adjudicatory mechanism.

First, unlike private litigation, in which the closest cases are most likely to be litigated, the FTC tends to select cases that are most likely to settle. For example, it has chosen large tech companies (e.g., Google, Facebook, Twitter, Amazon, Apple) as targets to set norms for the entire industry, realizing that due to reputational costs, these companies are unlikely to litigate absent extraordinary circumstances.45 What’s more, many of its data security cases involve failure to take the most basic precautions to significantly reduce risk, not the type of “close calls” that would generate the type of uncertainty that typically drives the decision to litigate.46 Second, because consent orders involve only cases in which the FTC’s claims are accepted, we never see the set of facts that do not violate Section 5. Thus, these settlements provide little information on where the boundary between legal and illegal behavior lies. Third, and perhaps most importantly, there is no adversarial process to test the FTC’s liability theory. Allegations contained in settled complaints become the legal standard, meaning that the FTC is able unilaterally to determine the reach of Section 5.

That the FTC often includes “fencing in” relief in consent orders — requirements placed on the defendant that go beyond the conduct that was declared illegal in the complaint — to announce new enforcement standards only exacerbates these problems. Although the FTC does not allege that the conduct proscribed in fencing-in provisions violates Section 5, through subsequent reports, speeches, testimony, and consent orders, these fencing-in provisions become de facto Section 5 violations. Take, for example, how the “rule” that merging firms need opt-in consent to combine their consumer data came into being. Settling the Google Buzz case, the FTC required Google to obtain express opt-in consent for changes in privacy policies.47 In the wake of these consents, FTC staff remarked publicly on the FTC’s Twitter feed that although the “terms of the order apply only to Google . . . best practices set forth in the order should serve as a guide to industry.”48 This provision next was included in Facebook’s consent order settling charges related to changes in its privacy interface, and later used by the FTC to impede the ability of WhatsApp to share data with Facebook after their merger.49 Soon thereafter, the FTC made public statements that all merging firms have a duty to obtain opt-in consent when combining data already collected.50 A common sense reform would be to limit the FTC’s use of fencing-in relief to cases that present clear evidence that the settling firm is likely to be a recidivist or otherwise poses a danger to consumers absent the fencing-in provisions.

None of the above should be taken to suggest that litigation is necessary — or even desirable — to provide business with much-needed information about what sort of data practices are likely to violate Section 5. Here, the FTC should take a page from its merger enforcement program, which also relies on a relatively discretionary standard (“may substantially lessen competition”) and has few litigated cases.51 The difference between these two enforcement endeavors is transparency: there have been merger guidelines for nearly four decades, most recently updated in 2010, and staff regularly provides commentary and data to give parties visibility into both the transactions that are likely to be challenged and those the Commission is likely to approve.52 Although there has been some progress in this area with regard to data security practices,53 the Commission could be more transparent about the factors that go into its privacy and data security enforcement decisions, especially with respect to decisions to close investigations.54

D.  Distinguishing Privacy Harms from Harms Due to Differential Treatment

Under the broad rubric of a focus on consumer harm, the FTC also should be careful to distinguish between privacy harms and disparate treatment from data-driven classifications; they are not the same thing. For example, the IOT, Big Data, and Data Broker reports identify as a potential harm the possibility of being treated differently based on accurate inferences — for example, receiving different advertisements, credit offers, or insurance rates based on algorithmic predictions.55 But the FTC needs to distinguish between harms due to the direct utility loss from unwanted observation and harms flowing from worse terms due to a counterparty having more accurate information. Any regulation to prevent accurate classifications based on traits that big data analytics can ferret out should be rooted in antidiscrimination law — which embodies the choices that society has made about which traits are fair game for classification — rather than the FTC Act. 56

E.  Privacy Should Remain Out of Antitrust Considerations

Finally, the FTC would be wise to continue to prevent privacy from entering antitrust discussions. Beginning with the Google-Double Click merger, and continuing to the Google antitrust investigation, and the Facebook-WhatsApp merger, there have been increasing calls to incorporate privacy into antitrust analysis, analogizing increased data collection or use to an increase in price. To date, the FTC prudently has ignored these calls. Antitrust’s sole focus on competition has served consumers well, and integrating subjective notions like privacy into antitrust would be a mistake on a number of grounds.57 First, it ignores the benefits built into new uses of data in the form of richer and more personalized content — collecting data is a cost incurred by firms in order to target ads or increase customization or content. With heterogeneous consumer preferences, these are net benefits to some, and net costs to others. In this manner, data cannot be analogized to an increase in price. Second, restrictions on the collection and use of data that feed into advertising are likely to have First Amendment implications. Finally, given the subjectivity of privacy concerns, inclusion would lead to uncertain legal standards, and concomitant rent-seeking that goes along with greater regulatory discretion.

Notably, the FTC needs to focus on practices that are harmful to consumers, rather than relying on ex ante notice and choice requirements. Related to this goal, the FTC needs to engage the vast body of work on the economics of information and privacy, including empirical studies of consumer values of privacy when making policy in this area. The FTC also should be careful to distinguish privacy harms from impacts resulting from different treatment, and also continue to cabin privacy considerations from its competition policy.

III. Financial Regulation and the Consumer Financial Protection Bureau

The CFPB was created by the Dodd-Frank Financial Reform legislation in 2010 and was one of the “crown jewels” of that historic legislative initiative. Below, we discuss how actions taken by the CFPB, as well as other financial regulations, have impacted financial markets, with special attention paid to the competitiveness of the banking sector.58

A.  The CFPB

The CFPB was catalyzed in response to a discrete historic event — the 2008 financial crisis, which was in turn catalyzed by a wave of residential home foreclosures that swept across a handful of cities in the United States. The proximate intellectual cause of the CFPB’s creation was a short article written by then-Professor Elizabeth Warren for an obscure journal called Democracy, where she called for a new Financial Product Safety Commission (FPSC), modeled on the Consumer Products Safety Commission (CPSC) that would regulate consumer credit products, terms, and providers as the CPSC does for consumer products.59 As presented at the time, her article reflected pure command-and-control style central planning by the federal government. In a 2008 article, co-authored with leading behavioral law and economics scholar Orin Bar-Gill, however, Warren and Bar-Gill purported to harness the CFPB to the idea of behavioral law and economics, offering a variety of behavioral economics-based speculations about consumer financial products and their supposed link to the financial crisis.60 According to its own proclamations, the CFPB touts itself as a “21st century, data-driven agency” and purports to be animated by a spirit of innovation and to complement market processes to improve consumer welfare.61

In practice, however, the CFPB has functioned much more like a 1970s-style command-and-control regulatory agency, with a focus on product bans, substantive regulation, and a skepticism of innovation and development of new products and systems of information delivery. This focus is evident in such policies as: the proposed rule-making that would essentially outlaw mandatory arbitration clauses in consumer credit contracts (a proposal likely to benefit only class action lawyers with no discernible benefit for consumers),62 and the small-dollar loan rule that would essentially outlaw the payday loan and auto title loan industries in the United States as well as substantially curtailing access to other products, such as traditional unsecured installment loans.

Although many of the CFPB’s most onerous rules that would restrict access to consumer credit products have not yet become effective, the CFPB has actually promulgated a number of rules that have increased the cost and reduced access to consumer credit products for consumers, while providing little in the way of increased consumer financial protection. Most notably, the CFPB issued “Qualified Mortgages” and “Ability-to-Repay” rules on mortgages that increased the costs and risks of mortgage lending, leading to higher costs and slower closing times for mortgages.63 At the same time, independent analysis of those rules has concluded that despite their costs they would do little to prevent future foreclosures or otherwise protect consumers, thus resulting in new costs with few if any apparent benefits and hampering the recovery of the residential real estate market.64

B.  Post-Crisis Financial Regulation

Innovation and technological development are particularly promising sources to increase financial inclusion for traditionally excluded consumers, such as low-income, minority, and younger consumers. Unfortunately, in addition to the adverse effects of the CFPB, a number of laws and regulations enacted in the post-crisis era have dampened innovation and provided new barriers to financial inclusion. For example, the Durbin Amendment which was included as part of Dodd-Frank, imposed price controls on debit card interchange fees. Faced with a loss of approximately $6-$8 billion per year in revenue, affected banks responded by reducing access to free checking by consumers and imposing new and higher fees on consumers. These actions and new fees fell disproportionately heavily on lower-income consumers who were unable to meet the higher minimum balance and other requirements to preserve access to free checking. This foreseeable result of interchange fee price controls led to many low-income consumers paying more for basic banking services or simply dropping their bank accounts completely, leading to an increase in the number of unbanked and underbanked Americans.65 At the same time, the Credit CARD Act of 2009 and the Federal Reserve regulations that preceded it led to a reduction of access to credit cards, especially among lower-income and higher-risk consumers, by limiting the ability of issuers to adjust contract terms as the borrower’s risk changed and limited their ability to charged behavior-based fees in response to risky behavior by consumers.66 The combination of the Durbin Amendment and the CARD Act (and the regulations that preceded it) have thus had the combined impact of dramatically reducing access to mainstream financial products for millions of Americans, especially low-income, younger, and minority consumers who already faced limited choices for consumer credit products. The overall effect has been to drive those consumers to make increased use of payday loans, pawn shops, prepaid cards, overdraft protection, and other non-mainstream consumer credit products.

C.  The CFPB’s Actual Impact on Competition and Consumers67

While the CFPB and various regulations have interfered with consumer choice and raised prices for consumers, they have also had a detrimental impact on competition in consumer credit markets by reducing competition and erecting new barriers to entry for banks. For example, JP Morgan Chase CEO Jamie Dimon observed that the aggregate costs of complying with all of the rules, regulations, and capital costs associated with Dodd-Frank has built a “bigger moat” to protect his bank from competition from smaller rivals.68 Similarly, Goldman Sachs CEO Lloyd Blankfein announced in 2010 that the bank would be “among the biggest beneficiaries” of Dodd-Frank as its regulatory costs and regulatory-created profit opportunities would be particularly advantageous to large banks that could bear those costs more easily than smaller competitors.69

As a result of the regulations imposed by Dodd-Frank and the CFPB, many smaller banks have simply chosen to exit the market rather than to bear the regulatory cost and risk. According to a survey of small banks conducted by the Mercatus Center at George Mason University, 64 percent of small banks reported that they were making changes to their mortgage offerings because of Dodd-Frank and 15 percent said that they had either exited or were considering exiting residential mortgage markets entirely.70 Nearly 60 percent of small banks reported that the CFPB or the qualified mortgage rule had a “significant negative impact” on their mortgage operations. Nearly 60 percent said that the CFPB has had a significant negative effect on bank earnings and more than 60 percent said that changes in mortgage regulations had had a significant negative effect on bank earnings.71 A recent analysis by economists at the Philadelphia Federal Reserve echoed this effect: “To sum up, the qualified mortgage rule affects a significant share of mortgage lending by small banks, and by some measures, the effect appears to be greatest for the smallest banks.”72

Moreover, by imposing a one-size-fits-all mechanical underwriting system for mortgages, the Qualified Mortgage rule has deprived community banks of a significant competitive advantage over megabanks: their intimate familiarity with their customers and their ability to engage in relationship lending with their customers. One illustration of the value of the traditional relationship-lending model for residential mortgages is that the default rate for residential mortgages made by community banks (with less than $1 billion in assets) was 3.47 percent in 2013 compared to a default rate of 10.42 percent for banks with more than $1 billion in assets.73 Thus, this regulatory-induced decline in the market share of small banks is not only hurting consumers, it is making the banking system less stable and less effective. Consumers face a market with fewer choices, less innovation, and less competition than before.

As many banks have exited the mortgage market, non-bank lenders (typically less-regulated than banks) have filled the market demand, increasing their share of mortgage lending from 10 percent in 2009 to 43 percent in 2015.74 Ironically, one consequence of Dodd-Frank and the CFPB’s aggressive regulation and litigation against banks has been to drive consumers toward a variety of lenders with less regulatory scrutiny, whether non-bank mortgage lenders or pawnbrokers and payday loan shops.75

As a result of the heavier relative costs of complying with Dodd-Frank’s regulations as well as these other factors that make it increasingly difficult for smaller banks to compete, community banks are facing difficulty competing with larger banks. For example, a recent study by scholars at the Kennedy School of Government found that in the period since Dodd-Frank was enacted, the asset bases of smaller banks have shrunk twice as fast after Dodd-Frank’s enactment compared to before, a result that they attribute to the high regulatory costs imposed by Dodd-Frank.76 In addition, the Mercatus Center study of the impact of Dodd-Frank on smaller banks found that the law has imposed huge compliance costs on small banks and that they have been less able to bear those costs than large banks.77 Overall, according to the Mercatus Center study, 71 percent of small banks stated that the CFPB has affected their business activities.78

The ripple effects of the displacement of smaller banks by large banks are not limited to the direct impact on the consumer banking system but carry over to other markets as well, including agricultural and small business loans. Community banks traditionally have provided a disproportionate share of small-business lending in the economy.79 According to the summary of one report by Goldman Sachs:

While there is some added subtlety to the results of our analysis, we find in general that low-income consumers and small businesses – which generally have fewer or less effective alternatives to bank credit – have paid the largest price for increased bank regulation. For example, for a near-minimum wage worker who has maintained some access to bank credit (and it is important to note that many have not in the wake of the financial crisis), the added annual interest expenses associated with a typical level of debt would be roughly equivalent to one week’s wages. For small and mid-sized businesses the damage from increased bank regulation is even greater: their funding costs have increased 175 basis points (bp) more than those of their larger peers, when measured against the pre-crisis period. That funding cost differential is enough to seriously damage the ability of smaller firms to compete with their larger competitors. This fact has become all too evident in the economic statistics and is already changing the shape of American business, as small and mid-sized firms, the historic engines of US job creation, shrink and sometimes disappear, displaced by large corporations.80

As community banks have been driven out of the market by regulatory costs, small business credit has contracted as well, dampening entrepreneurship and economic growth. As noted by one analysis, large firms have performed well since the financial crisis and subsequent recovery, but small firms have suffered low rates of formation, employment growth, and wage growth.81 Indeed, the number of small firms in the economy actually declined over the period since the crisis, as more small firms disappeared than were created, the first time that this has happened since data became available in the 1970s.82

A primary explanation for this drop in small business formation and growth is Dodd-Frank and increased financial regulation since the financial crisis, which has fallen especially hard on smaller banks relative to larger banks.83 Overall, a recent analysis of FDIC data found that while bank loans to small businesses had declined by 16 percent since 2008, loans to large businesses had increased by 37 percent over that same period.84 As one commenter described the situation, large banks “have effectively abandoned the small business market.”85 Another analysis concluded that small business loans are down about 20 percent since the financial crisis while loans to larger businesses have increased by about four percent over the same period.86 It appears that some of the unmet demand from the reduction in community bank lending is being served by non-bank lenders that charge higher rates than traditional small business bank loans and which, ironically, are much less-regulated that the traditional banks that they have replaced.87

According to Wells Fargo Quarterly survey of small business owners in July 2016, in the 3rd Quarter of 2016, just 36 percent of small business owners surveyed stated that it would be “somewhat easy” or “very easy” to obtain credit if they needed it and 20 percent said that it would be “somewhat difficult” or “very difficult.”88 These low rates of confidence in access to credit have been consistent for several years and differ considerably from the pre-crisis and pre-Dodd-Frank era. For example, during the period from the 1Q2004-4Q2007, an average 51 percent of small business owners said that it was “very easy” or “somewhat easy” to obtain credit if they needed it, and about 12 percent said it would be difficult.89 In addition, among those who said that it was easy to obtain credit in the 2004-07 period, two thirds of those reported it was “very easy” compared to “somewhat easy,” whereas only about half of those who said that it would be easy in the 2015 pool reported that it would be “very easy.”90

D.  Recommendations to Enhance CFPB Enforcement

A consumer financial protection policy that is friendlier toward innovation, consumers, competition and economic growth would be animated by the following policies:

  • Provide systems of democratic accountability and effective oversight of the CFPB’s mission, operations, and budgeting decisions: This would include bringing the structure of the CFPB into alignment with traditional constitutional systems of democratic accountability, such as providing Congress with appropriations authority and formally structuring CFPB as an Executive agency or multi-member independent agency.
  • Promote consumer protection, welfare, choice, innovation, and financial inclusion by providing benefit-cost analysis of proposed regulations and formally charging the CFPB with a dual mission of consumer protection and the promotion of competition in consumer financial products. Legislation and regulation should be particularly focused on promoting financial inclusion for all Americans and the promotion of online lending and banking platforms that can reduce costs and promote innovation and consumer choice.
  • Create a level playing field for all providers of consumer financial products to treat American consumers as responsible adults, to respect consumer sovereignty, and to aid American families to find and select the products that best meet the needs of their families. Current regulatory policies have resuscitated traditional command-and-control paternalistic approaches to consumer financial protection. These policies have raised costs and reduced choices for consumers. A robust modern consumer protection policy should recognize that consumers and the financial services providers that they choose, not Washington bureaucrats, typically know better which products are best suited to meet the needs of their families. Regulatory policy should recognize this truth.
  • Promote economic prosperity and financial stability by relieving the excessive regulatory burden on small banks that has resulted in reduced choice for consumers and reduced access to necessary capital for small businesses.
  • To promote economic prosperity by preserving access to needed credit for small businesses, including those small businesses that rely on personal credit products to start and grow their businesses.

As community banks have been driven out of the market by regulatory costs, small business credit has contracted as well, dampening entrepreneurship and economic growth. As noted by one analysis, large firms have performed well since the financial crisis and subsequent recovery, but small firms have suffered low rates of formation, employment growth, and wage growth.81 Indeed, the number of small firms in the economy actually declined over the period since the crisis, as more small firms disappeared than were created, the first time that this has happened since data became available in the 1970s.82


Both the FTC and the CFPB play important roles in consumer protection policy. Unfortunately, both agencies have tended to overreach in certain areas. The FTC has expanded its authority to prevent deceptive advertising in a manner that threatens to impede consumer access to useful information. The FTC’s use of its Section 5 authority to become the nation’s primary privacy and data security enforcer also has been problematic, as it has done so without any reliance on economic analysis or empirical evidence. As a result, privacy policy has drifted from one originally focused on consumer harm — a focus that facilitated better consumer outcomes — to one increasingly centered on notice and choice and regulation of certain practices — a focus that largely fails to account for the costs of agency intervention and unintended consequences. Similarly, the CFPB has functioned like a command-and-control regulatory agency, with a focus on product bans, substantive regulation, and skepticism of innovation and development of new products and systems of information delivery. This misguided approach, along with other financial regulation such as Dodd-Frank, not only has reduced consumer choice but also negatively impacted competition in the banking sector.

Although each of these regulatory shortcomings have different roots, and suggest discrete solutions, they all could be ameliorated by greater attention to the costs and benefits of market intervention. Limiting regulation — especially with respect to information flows and financial markets — to shown instances of market failures will inure to the benefit of consumers in the form of greater choice, lower prices, and increased innovation.


1 LabMD, Inc. v. FTC, 678 F. App’x 816 (11th Cir. 2016).

2 FTC v. D-Link Sys., Inc., No. 3:17-cv-00039-JD, 2017 WL 4150873 (N.D. Cal. Sept. 19, 2017).

3 Press Release, U.S. Consumer Fin. Prot. Bureau, CFPB Releases Report Showcasing 2012 Highlights (July 30, 2012), [hereinafter CFPB 2012 Highlights].

4 George J. Stigler, The Economics of Information, 64 J. Pol. Econ. 213, 220 (1961).

5 The FTC at 100: Views from the Academic Experts: Hearing Before the Subcomm. on Com., Mfg., and Trade of the H. Comm. on Energy and Com., 113th Cong. (2014) (statement of J. Howard Beales, III, Professor of Strategic Management and Public Policy at George Washington School of Business), (internal citations omitted). The FTC itself has summarized the empirical evidence regarding the impact of advertising on prices. See In re Polygram Holding, Inc., 136 F.T.C. 310, 356 n.52 (2003).

6 Robert Pitofsky, Beyond Nader: Consumer Protection and the Regulation of Advertising, 90 Harv. L. Rev. 661, 671 (1977).

7 Regarding televised messages, see Jacob Jacoby et al., Miscomprehension of Televised Communications 64 (1980). Regarding print communications, see Jacob Jacoby & Wayne D. Hoyer, The Comprehension and Miscomprehension of Print Communications (1987). Both studies compare advertisements with excerpts of editorial content designed to be roughly equal in length, and find no significant differences in the extent of miscomprehension.

8 U.S. Fed. Trade Comm’n, FTC Policy Statement on Deception (1983), appended to Cliffdale Assoc., Inc., 103 F.T.C. 110, 174 (1984), [hereinafter Policy Statement on Deception].

9 Id.

10 Id. n.20 (emphasis added).

11 Pitofsky, supra note 6, at 678.

12 In re Pfizer, Inc., 81 F.T.C. 23, 27-28 (1972).

13 See POM Wonderful, LLC v. FTC, 777 F.3d 478, 504-05 (D.C. Cir. 2015), cert. denied.

14 See id. at 501, 504-05. The POM Court found the requirement of a second test inconsistent with the First Amendment.

15 15 U.S.C. § 53(b)(2).

16 See, e.g., Stipulated Final Judgment, FTC v. Sketchers U.S.A., Inc., No. 1:12-cv-01214 (N.D. Ohio May 16, 2012) (finding that Sketchers deceived consumers by claiming “Shape-up” shoes would help customers lose weight).

17 15 U.S.C. § 45(a)(1).

18 Press Release, Internet Ass’n, New Report Calculates the Size of the Internet Economy (Dec. 10, 2015),

19 See Omri Ben-Shahar & Carl Schnieder, More Than You Wanted to Know: The Failure of Mandated Disclosure (2014); Omri Ben-Shahar & Adam S. Chilton, Simplification of Privacy Disclosures: An Experimental Test (University of Chicago Coase-Sandor Institute for Law & Econ. Research Paper No. 737, Apr. 2016),

20 See J. Howard Beales, III & Timothy J. Muris, Choice or Consequence: Protecting Privacy in Commercial Information, 75 U. Chi. L. Rev. 109, 113 (2008) (“[T]he absence of a privacy problem when consumers understand and have a choice about the information collection or use does not imply that a privacy problem exists whenever consumers are ignorant of the information use or lack a choice about it.”). See also Complaint at 8-9, FTC v. Vizio, Inc., No. 2:17-cv-00758 (D.N.J. Feb. 6, 2017). This principle is illustrated in the FTC’s recent settlement with Vizio, Inc. involving tracking of consumer television viewing and sharing of de-identified data with third-party analytic and advertising firms. The Commission unfairness claim based on an allegation that this tracking was done “through a medium that consumers would not expect . . . without consumers’ consent.” Id. But lack of consent or being outside of the scope of consumer expectations does not convert Vizio’s surveillance into privacy harm; the sole issue is whether Vizio’s collection and use harmed consumers.

21 See generally Jin-Hyuk Kim & Liad Wagman, Screening Incentives and Privacy Protection in Financial Markets: A Theoretical and Empirical Analysis, 46 RAND J. Econ. 1 (2015) (presenting empirical evidence that an opt-in requirement for selling consumers’ financial information reduces the marketability of these data, and hence firms’ incentives to assure its accuracy, leading to higher foreclosure rates); Amalia R. Miller & Catherine E. Tucker, Can Health Care Information Technology Save Babies?, 119 J. Pol. Econ. 289 (2011) (finding that increased consent requirements for sharing health care data reduces incentives to adopt health information technology, leading to worse health outcomes); Avi Goldfarb & Catherine E. Tucker, Privacy Regulation and Online Advertising, 57 Mgmt. Sci. 57 (2011) (finding that the EU Privacy Directive decreased advertising effectiveness in the EU by 65 percent on average compared to the rest of the world).

22 See id. The FTC also needs to recognize that who is collecting the data matters: faceless servers scanning emails to target ads should not be treated the same as an actual person engaging in unwanted observation. See also Benjamin Wittes & Jodie C. Liu, The Privacy Paradox: The Privacy Benefits of Privacy Threats, Ctr. for Tech. Innovation at Brookings (May 2015),

23 See LabMD, Inc. v. FTC, 678 F. App’x 816, 818 (11th Cir. 2016).

24 Id. at 818-19, 822. Had the FTC brought the case against LabMD shortly after the breach, it is possible that it could have presented evidence of probabilities of future harm from the compromised data (based on prior breaches) to make a case that substantial consumer injury was likely to occur. With several years elapsed, however, we can know whether the predicted harm actually occurred. The case is currently on appeal to the Eleventh Circuit. The court, in granting LabMD’s motion to stay the order pending appeal, expressed skepticism at the FTC’s approach.

25 Complaint ¶ 15, FTC v. D-Link Corp., No. 3:17-cv-00039-JD (N.D. Cal. Mar. 20, 2017).

26 Id. at 6.

27 FTC v. D-Link Sys., Inc., No. 3:17-cv-00039-JD, 2017 WL 4150873, at *5 (N.D. Cal. Sept. 19, 2017).

28 LabMD, Inc., 678 F. App’x at 821. The opinion continues, “[w]e do not believe an interpretation that does this is reasonable.” Id.

29 These reports are, fundamentally, staff’s distillation of expert panels — mostly comprising a combination of industry representatives, privacy advocates, and academics — discussing a variety of issues related to privacy policy.

30 See, e.g., Dana Rosenfeld & Alysa Hutnik, FTC Releases Best Practices for Protecting Consumer Privacy, Kelley Drye & Warren (Apr. 2, 2012),; The Privacy and Data Security Group, Internet of Things: Federal Agencies Offer Privacy and Data Security Best Practices, Ballard Spahr LLP (Jan. 29, 2015),

31 See, e.g., Complaint, In re HTC Am. Inc., No. C-4406 (June 25, 2013),

32 See, e.g., U.S. Fed. Trade Comm’n Staff Rep., Internet of Things: Privacy & Security in a Connected World, at 44 (2015), [hereinafter IOT Report] (“If a company decides that a particular data use is beneficial and consumers disagree with that decision, this may erode consumer trust.”); U.S. Fed. Trade Comm’n Rep., Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, at 8 (2012), (“[A]lthough it recognizes that imposing new privacy protections will not be costless, the Commission believes doing so not only will help consumers but also will benefit businesses by building consumer trust in the marketplace.”).

33 See J. Howard Beales, III & Timothy J. Muris, FTC Consumer Protection at 100: 1970s Redux of Protecting Markets to Protect Consumers?, 83 Geo. Wash. L. Rev. 2157, 2218-19 (2015) (discussing the large gap between stated and revealed preference for locally grown produce and organic foods).

34 See George Akerlof, Michael Spence, or Joseph Stiglitz for seminal contributions to the economics of information. See, e.g., George Akerlof, The Market for “Lemons”: Quality Uncertainty and the Market Mechanism, 84 Q.J. Econ. 488 (1970); Michael Spence, Job Market Signaling, 87 Q.J. Econ. 355 (1973); Joseph E. Stiglitz & Michael Spence, Equilibrium in Competitive Insurance Markets: An Essay on the Economics of Imperfect Information, 90 Q.J. Econ. 629 (1976). Drawing on this work, the Journal of Legal Studies published a symposium edition in 1980 that explored the economics of privacy, including contributions from such luminaries as Posner, Stigler, Hirshleifer, and Becker. See generally Symposium, The Law and Economics of Privacy, 9 J. Legal Stud. 621 (1980). For a review of this literature and more modern contributions to the economics of privacy, see Alessandro Acquisti et al., The Economics of Privacy, 52 J. Econ. Lit. 442 (2016).

35 Stats, Facebook, (last visited Oct. 26, 2017).

36 Sarah Frier, Snapchat Passes Twitter in Daily Usage, Bloomberg News (June 2, 2016),

37 Stephen McInerney, Can You Diagnose Me Now? A Proposal to Modify the FDA’s Regulation of Smartphone Mobile Health Applications with A Pre-Market Notification and Application Database Program, 48 U. Mich. J.L. Reform 1073, 1080 (2015) (by 2015, an estimated 500 million people worldwide will use a mobile health app); Andrew Meola, Wearables and Mobile Health App Usage has Surged by 50% Since 2014, Bus. Insider (Mar. 7, 2016), (health tracker use increased from 16 percent in 2014 to 33 percent in 2015). See also Susannah Fox, The Self-Tracking Data Explosion, Pew Res. Ctr. (June 4, 2013),

38 See Krystina Gustafson, Half of America Could Have Amazon Prime by the End of the Year, CNBC (Sept. 26, 2016),

39 See, e.g., James C. Cooper, Anonymity, Autonomy, and the Collection of Personal Data: Measuring the Privacy Impact Google’s 2012 Privacy Policy Change (George Mason Law & Econ. Research Paper No. 17-06, Jan. 2017), (finding a small and transient reduction in sensitive Google search after Google’s 2012 privacy policy change); Lior Strahilevitz & Matthew B. Kugler, Is Privacy Policy Language Irrelevant to Consumers?, 45 J. Leg. Stud. (forthcoming 2017), (among a panel of Gmail users who find privacy concerns with Gmail scanning, 65% of consumers would not pay anything to avoid scanning). For a full review of this literature see Acquisti et al., supra note 34.

40 The FTC also has used its deception authority to challenge disclosures that, while present, were deemed to be inadequate, or to find implied promises in user interfaces beyond privacy policies. See, e.g., Decision and Order at 2-3, In re SnapChat Inc., No. C-4501 (Dec. 23, 2014); Decision and Order at 3-4, In re Sears Holdings Mgmt. Co., No. C-4264 (Aug. 31, 2009). See also Woodrow Hartzog & Daniel J. Solove, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014).

41 See Policy Statement on Deception, supra note 8, at 5.

42 Id.

43 See, e.g., Ben-Shahar & Chilton, supra note 19.

44 The inability to capture the full informational benefits from litigation is precisely why it is individually rational for firms to settle privacy and data security charges with the FTC, rather than test these theories in court.

45 See, e.g., Press Release, U.S. Fed. Trade Comm’n, Uber Settles FTC Allegations that It Made Deceptive Privacy and Data Security Claims (Aug. 15, 2017),; Press Release, U.S. Fed. Trade Comm’n, Apple Inc. Will Provide Full Consumer Refunds of at least $32.5 Million to Settle FTC Complaint It Charged for Kids’ In-App Purchases without Parental Consent (Jan. 15, 2014),; Press Release, U.S. Fed. Trade Comm’n, Facebook Settles FTC Charges that It Deceived Consumers by Failing to Keep Privacy Promises (Nov. 29, 2011),; Complaint, In re Google Inc., No. C-4336 (Oct. 13, 2011),

46 See Beales & Muris, supra note 33, at 2212 (“Many cases challenge the failure to take exceedingly cheap security precautions that would significantly reduce risk, such as using ‘a commonly known default user id and password’ or the failure to use ‘readily available security measures to limit wireless access.’” (internal citations omitted)).

47 Because defaults are sticky, an opt-in requirement will greatly hinder the ability of merging firms to combine data sets.

48 See U.S. Fed. Trade Comm’n (@FTC), Twitter (Mar. 30, 2011, 9:46 AM),

49 See Letter from Jessica L. Rich, Dir. U.S. Fed. Trade Comm’n Bur. of Consumer Protection, to Erin Egan, Chief Privacy Officer, Facebook, & Anne Hoge, General Counsel, WhatsApp Inc. (Apr. 10, 2014), This requirement has become relevant again as WhatsApp altered its privacy policy in August 2016 to allow opt-out sharing of data with Facebook. See Shruri Dhapola, WhatsApp’s Privacy Policy: Might be no Way to Keep Info Out of Facebook, The Indian Express (Aug. 29, 2016),

50 Jamie Hine, Mergers and Privacy Promises, U.S. Fed. Trade Comm’n Bus. Blog (Mar. 25, 2015), Further, given that these orders typically last 20 years, and place limitations on data collection and use beyond what Section 5 requires, they are likely to reduce the effectiveness of the firm under order as a competitor.

51 See Beales & Muris, supra note 33, at 2213-14.

52 See, e.g., U.S. Dep’t of Justice & Fed. Trade Comm’n, Horizontal Merger Guidelines (2010),; U.S. Dep’t of Justice & Fed. Trade Comm’n, Commentary on the Horizontal Merger Guidelines (2006),

53 See U.S. Fed. Trade Comm’n, Start With Security: A Guide for Business (2015),

54 Acting FTC Chairman Ohlhausen appears to be making some promising moves in this direction. See Press Release, U.S. Fed. Trade Comm’n, Process Reform Initiatives Already Underway at the Federal Trade Commission (Apr. 17, 2017),; Maureen Ohlhausen, Acting Chairman, U.S. Fed. Trade Comm’n, Opening Keynote at the ABA 2017 Consumer Protection Conference (Feb. 2, 2017),

55 See, e.g., IOT Report, supra note 32, at 14-16; U.S. Fed. Trade Comm’n rep., Big Data: A Tool for Inclusion or Exclusion?, at 8-9 (2016),; U.S. Fed. Trade Comm’n, Data Brokers: A Call for Transparency and Accountability, at v-vii (2014),

56 See, e.g., Equal Credit Opportunity Act, 15 U.S.C. § 1691; Fair Housing Act, 42 U.S.C. § 3601; Genetic Information Nondiscrimination Act, 42 U.S.C. § 2000e.

57 See James C. Cooper, Privacy and Antitrust: Underpants Gnomes, The First Amendment, and Subjectivity, 20 Geo. Mason L. Rev. 1129 (2013).

58 This section draws from, among other sources, Todd J. Zywicki, The Consumer Financial Protection Bureau and the Return of Paternalistic Command-and-Control Regulation, 16 Engage 55 (July 2015).

59 Elizabeth Warren, Unsafe at Any Rate, 5 Democracy J. (Summer 2007),

60 Oren Bar-Gill & Elizabeth Warren, Making Credit Safer, 157 U. Pa. L. Rev. 101 (2008).

61 See CFPB 2012 Highlights, supra note 3.

62 See Jason Scott Johnston & Todd J. Zywicki, The Consumer Financial Protection Bureau’s Arbitration Study: A Summary and Critique (George Mason Law & Econ. Research Paper No. 15-25, 2015),

63 U.S. Consumer Fin. Prot. Bureau, Ability-to-Repay and Qualified Mortgage Rule (2014),

64 See Peter J. Wallison, Hidden in Plain Sight: What Really Caused the World’s Worst Financial Crisis – and Why it Could Happen Again (2015); The Dodd-Frank Act Five Years Later: Are We More Stable?: Hearing Before the Com. On Fin. Serv., 114th Cong. (2015), at 13 n.16 (Statement of Mark A. Calabria, Ph.D. Director, Financial Regulation Studies, Cato Institute), (“The presence of a DTI in excess of 41 percent increases the probability of default by 0.25, 0.08, and 0.59 for fixed rate, long-term ARM and Hybrid ARM, respectively. Accordingly [sic] to GAO’s analysis, reducing the prevalence of mortgages with a DTI in excess of 41 will have barely notice [sic] effects (although statistically significant in all cases.”).

65 See Todd J. Zywicki, Geoffrey A. Manne & Julian Morris, Price Controls on Payment Card Interchange Fees: The U.S. Experience (George Mason Law & Econ. Research Paper No. 14-18, 2014),

66 For a summary of the evidence, see Thomas A. Durkin, Gregory Elliehausen & Todd J. Zywicki, An Assessment of Behavioral Law and Economics Contentions and What We Know Empirically About Credit Card Use by Consumers, 22 Sup. Ct. Econ. Rev. 1 (2014).

67 This section draws from Todd Zywicki’s April 2016 written testimony before the U.S. Senate Committee on Banking, Housing, and Urban Affairs. Assessing the Effects of Consumer Finance Regulations, Hearing before the U.S. Senate Committee on Banking, Housing, and Urban Affairs, 114 Cong., S. Hrg. 114-318 (2016) (Statement of Todd Zywicki),

68 Rick Rouan, Dimon Says Dodd-Frank Puts ‘Bigger Moat’ around JPMorgan Chase, Colum. Bus. First (Feb. 5, 2013),

69 Timothy P. Carney, Goldman and JPMorgan sit safely behind the walls of Dodd-Frank, Wash. Examiner (Feb. 12, 2015),

70 Hester Peirce, Ian Robinson & Thomas Stratmann, How Are Small Banks Fairing Under Dodd-Frank? (Mercatus Ctr. Working Paper No. 14-05, Feb. 2014),

71 Id.

72 James DiSalvo & Ryan Johnston, How Dodd-Frank Affects Small Bank Costs, U.S. Fed. Res. Bank of Phila. Res. Dep’t Banking Trends 14, 16 (1Q 2016),

73 See Statistics on Depository Institutions, U.S. Fed. Deposit Ins. Corp., (last visited Oct. 27, 2017). Loans in default are defined as nonaccrual loans or loans past due thirty or more days. These data include one to four family residential properties.

74 See Diana Olick, How Dodd-Frank Changed Housing, for Good and Bad, CNBC (July 16, 2015),

75 To be clear, this is not to imply that just because non-bank lenders are more lightly regulated and supervised, one should infer that they are engaging in malfeasance. But for the architects of Dodd-Frank it is hard to see how this would be considered a desirable effect of the law and regulation. See Capital Flows, Dodd-Frank’s Costs Will Be Paid For By Low-Income Bank Customers, Forbes (Sept. 26, 2013),

76 Marshall Lux & Robert Greene, The State and Fate of Community Banking (M-RCBG Associate Working Paper No. 37, Feb. 2015),

77 See Peirce, supra note 70.

78 Id. at 47.

79 Goldman Sachs, The Two-Speed Economy, at 11 (Apr. 2015),; Lux & Greene, supra note 76, at 2 (noting that community banks provide 77 percent of agricultural and over half of small business loans).

80 Goldman Sachs, Who Pays for Bank Regulation?, at 2-3 (June 2014),

81 Goldman Sachs, The Two-Speed Economy, supra note 79, at 2.

82 Id.

83 Goldman Sachs, Who Pays for Bank Regulation?, supra note 80.

84 Ruth Simon, Big Banks Cut Back on Loans to Small Business, Wall St. J. (Nov. 26, 2015),

85 Id.

86 See Karen Gordon Mills & Brayden McCarthy, The State of Small Business Lending: Credit Access During the Recovery and How Technology May Change the Game, at 4 (Harvard Bus. Sch. Working Paper 15-004, July 22, 2014),

87 Id.

88 Gallup & Wells Fargo, Q3 2016 Small Business Survey Results, at 24 (responses to Question 11) (2016),

89 Id. at 24-25.

90 Id.

Skip to content