Speaking at a conference in Atlanta on Feb. 2, Ohlhausen drew a distinction between a "notice-and-choice approach" to privacy protection and a "harms-based approach," an approach one privacy advocate called "outrageous."
The difference? The "notice-and-choice" approach, generally favored by the Obama FTC, basically gives consumers the choice to "opt out" of sharing certain types of information. The "harms-based" approach, on the other hand, seeks to protect consumers only from privacy breaches that are harmful.
As Ohlhausen sees it, consumers are not harmed when their movements on the web are tracked by marketing research companies and used to target advertising and conduct research into consumer behavior.
"The overwhelming majority of consumer benefits emerge from a free and honest market," she said. "Our job, then, is to address unfair and deceptive practices that harm the market process and harm consumers. And we must do so in a way that avoids hindering market-generated consumer benefits."
But Sophia Cope, staff attorney for the Electronic Frontier Foundation, calls the harm-based approach outrageous and says it is "exactly what companies have been hoping for."
"It removes consumer choice and control over their privacy," Cope said in an email to ConsumerAffairs. "Now bureaucrats get to decide that certain data practices are not harmful, even if they include collecting highly sensitive information about people and what they do online, engaging in non-stop online surveillance, monetizing that information for commercial gain, and sharing that information with numerous unknown parties. Consumers deserve better from the FTC."
Should consumers be told?
The harms-based approach is clearly a switch from the philosophy represented by a recent FTC staff report that warned of the privacy risks presented by "cross-device tracking" of consumers -- the practice of tracking consumer actions on desktop devices, on their smartphones, and at ATMs, retail point-of-sale terminals, and elsewhere.
The FTC report recommends that, at the very least, companies that engage in cross-device tracking have an obligation to tell consumers they're doing it and to offer them a chance to opt out. Those who track such sensitive data as health and financial information should be required to seek permission in advance, the report recommends.
While Ohlhausen did not refer to that report specifically, she made it clear that chasing theoretically harmful actions wouldn't be her top priority, saying that the agency's limited resources should be devoted to stopping practices that are clearly harmful.
"The agency should focus on cases with objective, concrete harms such as monetary injury and unwarranted health and safety risks. The agency should not focus on speculative injury, or on subjective types of harm," she said.
Before prosecuting a company, she said, the commission should ask itself: "How were consumers harmed? And how does this action address that harm?
"This focus on consumer harm is part of our statutory mandate, but it is also good policy. Asking and answering these two questions will focus our limited resources where they can do the most good," she said.
Citing instances of "concrete" consumer harm, she pointed to the Ashley Madison and Eli Lilly cases. In the Ashley Madison case, there was evidence that several consumers committed suicide after their identities were reveled in a hack of the adultery-dating site. The Eli Lilly case involved the exposure of sensitive medical information.
Ohlhausen said the FTC has in the past "ventured onto less sure ground, and into areas where consumer injury is not as well understood." She said one of her major priorities will be "to deepen the FTC's understanding of the economics of privacy."