Government agencies such as the National Institute for Standards and Technology and industry groups such as the Internet Association have embraced privacy as a matter of risk management. This is certainly the right way to go.\u00a0 But, to make it work as part of a new national privacy law, companies need a good understanding of what risks they will be required to mitigate.\nDuring her tenure as chair of the Federal Trade Commission (FTC), Maureen Ohlhausen identified several types of consumer informational injuries that she extracted from examining cases brought under the FTC\u2019s authority to prohibit unfair or deceptive acts or practice.\u00a0 This broad, but determinate notion of informational injury provides a good guide for identifying privacy risks in a new national privacy law.\nInformational injuries include deception, financial injury, health and safety injuries, unwanted intrusion, and reputational injuries\nDeception occurs when a company misleads consumers with a materially false claim or omission about a product or service.\u00a0 This injury arises from some, but not necessarily all, failures to notify consumers. The lack of full disclosure constitutes a legal injury when reasonable consumers might have chosen differently if they had fuller information.\nConsumers are harmed financially when fraudsters use consumer data to steal money or commit identity theft.\u00a0 Misuse of data can cost consumers loss of time and earnings when they have to report fraud and identity theft and take steps to protect themselves from further losses.\u00a0\nInjuries to health and safety arise in privacy and data breach cases. For instance, the unauthorized disclosure of personal information can expose people to harassment and surveillance from stalkers and abusive spouses. Revenge porn sites often expose their victims to threats and other harassment.\nThe prevention of unwarranted intrusion into people\u2019s private lives was one of the motivations for the FTC\u2019s Do Not Call rule, which allowed consumers to opt out of intrusive marketing calls.\u00a0 Similar intrusions can take place through the installation of spyware on computers that enable the recording of users engaged in private activities.\nThe same abusive conduct that can give rise to these informational injuries can also cause reputational damage. An early FTC online privacy case involved a pharmaceutical company that harmed the reputation of its customers by disclosing online a list of patients using Prozac. The reputational damage from unauthorized disclosure of a person\u2019s psychological or medical condition or social activities could lead to job loss.\nPrivacy risks go beyond economic losses\nMany who embrace the notion that privacy rules should protect consumers against harm also want to restrict the notion of harm to economic or tangible harm.\u00a0 But that is far too narrow.\u00a0\nFormer FTC chair Tim Muris, one of the leading proponents of treating privacy as harm-prevention, said at a recent FTC workshop that people have more in their utility functions than money.\u00a0 David Vladeck, former head of the FTC\u2019s consumer protection bureau, agreed that the fallout from misuse of consumer information extends beyond economic loss.\u00a0 Both urged the current FTC to issue guidance clarifying that the FTC\u2019s notion of consumer injury for privacy purposes is broader than economic loss and should be understood to include other harms like the invasion of privacy tort.\u00a0\nTo be clear, it is a different question whether the FTC should impose civil fines for privacy violations that do not involve economic loses, an authority they currently do not have.\u00a0 Such damages might best be left to privacy tort suits where extensive case law has defined connections between privacy intrusions and financial penalties.\nClarification of privacy risks is needed as part of new national privacy laws\nOf course, a new national privacy law should cover notice, control, access, correction, deletion, and portability.\u00a0 But It should also recognize this larger and more adequate notion of consumer injury by treating unreasonable uses of information as unfair or deceptive practices subject to prohibition by the FTC.\u00a0\nThis would establish privacy as consumer protection right \u2013 the right to be protected from harm generated by the collection, dissemination, or use of personal information.\u00a0 It would be a useful counterpoint to the idea, embodied in the European General Data Protection Regulation and the California Consumer Privacy Act, that privacy should be entirely or primarily about protecting the judgment of individuals on how their information should be collected and used. The consumer protection approach to privacy would rely, to some degree, on individual control, but would also protect consumers from harm when information practices are so complex and omnipresent that no amount of alertness can make consumers safe.\nBut this new law has to cabin the notion of consumer injury in the ways that Commission Ohlhausen identified. Businesses and consumers need to know where the lines are, what can be done, and what cannot.\u00a0 This calls for the specification in the law of practices that are to be proscribed and, equally important, practices that are reasonable for companies to engage in and for consumers to expect.\nThere\u2019s a tension between privacy as a matter of protecting the \u201creasonable expectations\u201d that people have in particular contexts and privacy as matter of protecting people against consumer harm. They don\u2019t always come to the same thing.\u00a0 For instance, a practice such as being tracked by your smart TV might be totally unexpected but have no real harm associated with it.\nThe law needs to address this tension in some way. One way forward is to treat what people might normally expect in context as something to be taken into account when determining if a practice is reasonable. The basic standard is harm, but when a practice is at extreme variance from ordinary expectations, that might in some circumstances make it unreasonable. The particular facts and circumstances can help the FTC to decide in specific cases.\nThe challenges in putting together a new privacy law are many.\u00a0 But the time for industry, advocates, and scholars to engage is now.