Consumer Protection In The Digital Age

Ashima Obhan

24 Aug 2020 4:54 AM GMT

  • WhatsApp Privacy Policy Dilemma

    We, and every generation before us, have always put great import in the promise of an unquantifiable yet unanimously glorious future. The right to access the internet is now at par with other fundamental rights across the globe, but just as the internet is steadily becoming our most bankable future, the issue of access has shifted from the internet to information, ubiquitous yet closely held. The new bastions of power are the ones with information, or rather, data, as a staggering amount of data is created each day and businesses have come to realise the vast potential of harnessing this data for their purposes. The twin technologies of Artificial Intelligence (AI) and the Internet of Things (IoT), when used successfully, can enable companies to tap huge amounts of consumer data or 'big data', both offline as well as online. AI and IoT has already been deployed in both traditional as well as online markets to achieve highly precise outcomes.

    The use of AI and IoT is primarily concerned with predicting consumer behaviour and preferences, thus ultimately helping businesses gain a competitive advantage[1]. Data mined in this manner is mainly used for (i) targeted advertising, (ii) dynamic pricing, and (iii) personalised pricing. Targeted advertising is a form of online advertising based on information collected about the consumer, including their browser history[2], whereas dynamic pricing is a pricing strategy contingent on cumulative factors such as the time of day, demand of the product, etc. Personalised pricing, however, is customised in accordance with the individual consumer's personal attributes such as affluence, credit score, etc. Researchers have observed that the extent to which personalised practices have been implemented in online markets is difficult to ascertain and the frequency of the same remains largely mired in mystery. One of the most famous examples of dynamic pricing is the Uber 'surge-pricing' system. Uber elaborates on its policy of dynamic pricing on its the website itself and clarifies that any difference in price experienced by a user is attributable to aggregate parameters including time and distance of the route, rider-to-driver demand, traffic density, etc. While, prima facie these practices seem to steer clear of any personalised pricing biases, a more intrusive look reveals that the business models followed by Uber and Lyft are inching ever closer personalised pricing, a practice which is much more difficult to justify in the legal context.

    A complex cross-section of laws governs and regulates consumer protection in the digital realm in different jurisdictions, with the obvious suspects being unfair trade practices and data protection, among others. Below we take a look at the legal matrix surrounding digital consumers in the United States and the European Union, before moving to the extant Indian scenario in regard to the same:

    In the United States, the Federal Trade Commission ("FTC") is the department that has been tasked with "Protecting America's Consumers", as it proclaims itself. The Federal Trade Commission Act ("FTCA") defines an act or practice as unfair "if it causes or is likely to cause substantial injury to consumers; cannot be reasonably avoided by consumers; and is not outweighed by countervailing benefits to consumers or to competitors. Amongst the three criteria above, the FTC states that unjustified injury is the primary focus of the FTCA[3]. The FTC does not seem favour an approach which hinges on increased regulations on the flow of information, tying it in with reduced incentives to innovation[4]. Therefore, it becomes clear that the FTCA and interpretations thereunder betray a certain reluctance to penalise businesses and an injured consumer has a relatively high threshold to meet before it is successful in establishing its case, a conclusion noted by the Organisation for Economic Cooperation and Development (OECD) also[5]. In addition to the FTC, another line of statute, which is generally deployed to protect the civil rights of the populace, may be triggered in cases of violation of consumer rights. For instance, courts in California, while confirming that discrimination based on neutral economic factors in pursuit of legitimate businesses would not be a violation of the California Unruh Civil Rights Act ("Unruh Act"), intentional discrimination practiced by businesses could attract a potential ban under the Unruh Act[6]. Based on the above, a strong argument can be out forth by companies practicing dynamic pricing about the mutually beneficial nature of the pricing model, with no indication of discrimination on one's personal characteristics. Personalised pricing would however not be as lucky under the Unruh Act.

    In comparison to the United States, the European Union (EU) is more stringent in ensuring as well as enforcing consumer welfare. There are several key pieces of legislation governing the same in the EU, including the Unfair Commercial Practices Directive ("UCPD"), the General Data Protection Regulation ("GDPR") as well as the ePrivacy Directive ("EPD"). The UCPD is applicable to all business-to-consumer relationships and Article 5 of the same bars unfair commercial practices. The UCPD prohibits a material distortion of the economic behaviour of consumers[7], and further explicitly lays down that deception with regard to price or the manner in which price is calculated will be a misleading action for the purposes of the UCPD[8]. In lieu of the above, it is not very difficult to envisage that certain personalisation practices and algorithmic pricing methods adopted by businesses could trigger an offence under the UCPD. In relation to transparency, the GDPR, which has harmonised the collection and storage of data across the EU member states, stipulates that 'any processing of personal data should be lawful and fair'[9]. The GDPR is designed to ensure that the data subject is at all times apprised of the data that is being collected and has been collected about it by entities. All such data has to be collected for lawful purposes for a fixed duration, thus adding another layer of regulation to data silos where data is stored indefinitely by businesses involved in processing 'big data'. The EPD supplements the GDPR and is known as the 'cookie law' since it seeks to regulate the caches created online by websites.

    In India, the narrative surrounding digital consumer protection is not as nuanced currently. The Indian consumer is not yet fully conscious of the manner in which prices are tweaked to maximise profits of the businesses, sometimes to the detriment of the consumer. The primary law for consumer redressal in India is the Consumer Protection Act, which was revised in 2019. The Consumer Protection Act, 2019, while laying down the definition of 'unfair trade practices', has included within its ambit, 'materially misleading the public concerning the price at which a product or like products or goods or services, have been or are, ordinarily sold or provided'[10]. With respect to data protection, only the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("SPDI Rules") deal with the processing and storage of sensitive personal data in a limited sense. However, the rules are nowhere nearly comprehensive enough to deal with the twin technologies of AI and IoT. That, in part, will be rectified when the Personal Data Protection Bill, 2019 ("PDP") becomes law as it addresses consent, the purpose of processing data, and establishes the necessary safeguards for storage of data.

    As the Indian consumer gains more awareness about the practice of dynamic and personalised pricing, it is but natural that the self-preservation instincts related with heightened knowledge will also kick in. A requirement of compensation for non-compliance could be a beneficial way of ensuring that businesses adhere to fair trade practices and reimburse the consumers for any price differences caused by their actions. Additionally, while the PDP covers privacy by design, we would do well to incorporate the approach embodied by the EU of "placing the individual more firmly at the heart of technological development"[11].

    Ashima Obhan is a Partner and Nishtha Jaisingh is an Associate at Obhan and Associates.

    [1] Page 60, 'Consumer market study on online market segmentation through personalised pricing/offers in the European Union' (2018) European Commission <>

    [2] Page 46, ibid

    [4] ibid

    [5] Page 33, 'Personalised Pricing in the Digital Era: Background Note by the Secretariat' OECD (28 November 2018) <>

    [6]Alan Friel, Hannah Bloink 'Take Care in Using Consumer Data to Drive Dynamic Pricing of E-Commerce' JDSupra (06 May 2015) <>

    [7] Article 5(2)(b) of the 'Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market' <>

    [8]Article 6(1)(d) of the 'Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market' <>

    [9] Recital 39 of the 'Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data' < 91

    [11]Page 97, 'Consumer market study on online market segmentation through personalised pricing/offers in the European Union' (2018) European Commission <>

    Next Story