The Commission's remedial authority to deter unfair and deceptive conduct in privacy and data security matters
Like most people in most situations, online consumers are not perfectly rational regarding their privacy choices. One central deviation from rationality is Non-Belief in the Law of Large Numbers (NBLLN). This leads consumers to make suboptimal choices in decisions that involve aggregating different pieces of information about them. In short, people are bad at estimating how these pieces of information are combined. They suffer from a form of information overload and end up with biased beliefs. A particularly severe context for this is ISP tracking. Consumers are unable to accurately estimate how much ISPs can learn about them based on their data. This fact provides both a foundation for regulatory intervention and suggestions for the form that these interventions should take. This fact is relevant not only for ISP tracking but for any policy that wishes to address consumer privacy in a behavioral world. While it is particularly important in the ISP context, the implications of NBLLN for consumer privacy are relevant for all companies working with behavioral profiling. Forbidding the practice or forcing an opt-in consent will miss the mark, just as simply applying contract law principles is unlikely to be effective. Instead, a better way forward is through direct privacy regulations that enhance understanding. This approach would increase consumer welfare while maintaining profitable and legitimate business strategies. Please see attached files.