Facebook has defended its new in-store tracking partnership with Datalogix, which gives Facebook access to our offline shopping habits via our rewards cards, by explaining that it doesn't violate any Federal Trade Commission regulations. Facebook says it will anonymize the data and is only interested in showing advertisers how their ads are converting to new sales. But it led us to ask what exactly the FTC does protect in the data collection department. According to the social network, the hard-to-find opt-out link, which is located all the way over on the Datalogix website, clears the company of any privacy violations that might get the federal consumer protection agency involved. Considering how unclear that process is, we wondered how easy it is for a company like Facebook to gain access to our on- and offline buying habits. To get that answer we spoke with Ryan Calo, an affiliate scholar for the Center for Internet and Society and assistant law professor at the University of Washington, who clued us in on what the FTC can and can't do about Facebook's new tracking program.

What kind of law does the FTC have in place to protect us from online data collection?

None. Zero. Zip. "There is no overarching law in the U.S. that says you have to do XYZ as a privacy matter," Calo told The Atlantic Wire. 

Wait, so that means the FTC has no power over any of this?

Not at all. Section 5 of the FTC Act contains enforcement powers that let the agency go after "unfair and deceptive practices." Calo says, "The FTC has run with that. They have decided they are going to be the policemen for online privacy," demonstrating growing involvement over the last 10 years. Example: Earlier this year the FTC handed a $22.5 million fine to Google for its iPhone tracking scandal.

What might make something worthy of FTC intervention?

There are two ways to get the FTC involved, says Calo: "You are really, really big. Or do something really really bad." Facebook falls under the really, really big category, meaning it has a consent agreement with the FTC to behave in a certain way that makes the FTC happy. Something "really, really bad" would be if Facebook were not to let users opt out. Or, if the social network said that they were letting people opt out, but automatically opted them back in after a certain period of time. 

Does Facebook's new offline data-collection scheme violate this consent agreement?

Not necessarily. "The FTC could go back and look to see whether this partnership is consistent with the consent decree," says Calo. The agreement has two broad requirements: that Facebook gives notice to the consumer and that it also provides a choice to opt out of the service. 

As Facebook said, it has an opt-out button. So is everything okay, then?

Like we said, that opt-out option isn't easy to find, nor is it on the Facebook website. A user has to follow a bunch of links on Facebook that eventually lead to a page on the Datalogix site. "This is not best practices, that is very clear," said Calo after seeing the location. So, that might be an issue with which the FTC could disagree, though Calo says it is likely Facebook went to the agency before announcing this initiative to ask how to best do it, so as to not violate their agreement. 

Are we stuck with this?

Not necessarily. With enough pressure from press or consumers, the FTC might consider looking into it on its own. Or the response could lead to a class action, like the recent (just settled) case against using people's faces next to sponsored stories. But both of those things depend on how much "harm" this program looks like it could inflict on the average consumer.

This is all anonymous. What kind of harm could it do?

There are two types of potential harm Calo sees. "Just the realization that you are being followed on- and offline in a continuous way, will just be subjectively harmful," he told us. "It's just uncomfortable. There are plenty of places where the law recognizes discomfort—it is a harm in its own right," he said. He also suggests there are ways this partnership could have "material adverse objective harm" that we can't anticipate now—even in an anonymous ad-tracking situation. For example, say you and your boyfriend use the same browser and all of a sudden ads for engagement rings pop up because of some Internetting done by your boyfriend: Surprise ruined; harm done. 

How likely is this to end up in a class action lawsuit?

Not very. "I'm not seeing an obvious legal hook," said Calo.