This note provides an economic approach to consumer privacy and data security based on the extensive economic literature on how information flows, and is used, in the marketplace. We apply that approach to consumer protection in privacy and data security, as a step toward the ultimate goal of facilitating well-grounded cost-benefit analysis of future policy and law enforcement action in this area. Over the past two decades, the FTC has led the governmental effort to protect the integrity of consumer privacy choices in the market. This note attempts to describe the economic basis for that work in one coherent piece. Given the scope of the topic, this note is only a first step in providing clarity on the economic perspective on consumer protection in this area. We hope the note will improve future actions in privacy and data security. As a matter of scope, we do not discuss the potential implications of privacy and data security for antitrust or competition. Nor do we discuss data access and data use beyond domestic commerce. We also do not claim to provide the economics of privacy and data security. Other authors have provided the basic research and surveys that this work builds on. Other perspectives might usefully focus on how property rights in information influence the creation and flow of information through the market, or how structuring privacy as a human right would change markets and influence social welfare. Such other perspectives might also facilitate cost-benefit analyses of privacy and data security policy and enforcement. In comparison, we articulate privacy and data security issues primarily in information economic terms. In particular, we highlight the distinction between process and outcome: while an individual’s privacy outcome is the realized restriction on the flow and use of information, the process that leads to that outcome depends on many parties. The decisions that each of those parties make about how that information flows, and the control that each party exercises over the flow of the individual’s information, all contribute to the privacy outcome. The distinction between process and outcome is important. This is in part because while consumers may prefer more or less privacy – the outcome – given a particular situation, they all want themselves, and by extension the sellers they interact with, to have a certain amount of control over the flow. In line with other areas of market intervention, a focus on the process ensures that consumers and sellers have the tools to exercise appropriate control on the process. In turn, this should help bolster a healthy market to facilitate and honor their choice of privacy. This approach is in contrast to a more paternalistic approach that attempts to determine consumer preferences on privacy outcomes and directly impose that determination on the market. Next, we articulate how consumer-to-seller information flows are more complicated in practice than the typical seller-to-consumer information flows that typically concern the FTC in other areas, such as advertising enforcement. In particular, information flows generated by a transaction can persist over time and create effects outside of that initial transaction. These persistent effects often complicate market incentives. Because the persistence of information can cause commitment problems, and tends to exacerbate information asymmetry and externality, it is more starkly important for policy makers to foster a healthy information environment about privacy outcomes and processes, to encourage industry to develop standards and mechanisms that support a healthy information market, and to police that market if necessary. In this document, we identify some market mechanisms that have arisen to address potential market failures, and when interventions in consumer protection are most likely justified. In light of these potential market failures, we then list potential policy tools and discuss their pros and cons.