Enforcing a Federal Privacy Law

California’s landmark privacy law, the California Consumer Privacy Act (CCPA), is set to go into effect on January 1st. As we approach the new year, however, there are still unresolved questions about how the law will be enforced, and Californians for Consumer Privacy has launched a ballot initiative to establish a new agency to enforce the law and protect California residents’ privacy rights.

As Congress considers federal privacy legislation, we must also confront these enforcement questions at the federal level. Unlike the situation in California, no federal proposal has moved beyond the stage of bill introduction at this point. But Congress is nonetheless exploring questions about enforcement now, as members refine their various legislative proposals for new privacy laws.

At this critical juncture, Congress can consider a variety of options for enforcing a new federal privacy law, including equipping the FTC with more authority, establishing a new federal agency to regulate privacy, empowering states, and/or including a private right of action for individuals to hold transgressors accountable. In a report published on Wednesday, OTI details the limits of the FTC’s authority over privacy, and explores the advantages and disadvantages that alternative and/or complementary enforcement mechanisms might present.

The Federal Trade Commission (FTC) is currently the principal entity tasked with protecting consumer privacy at the federal level, but its authority is limited. For instance, it faces growing criticism for not being aggressive enough in utilizing the full extent of its limited authority over privacy issues—including by one of its own commissioners regarding the record $5 billion settlement with Facebook for its deceptive privacy practices in July. Its approach relies primarily on quantifying privacy harms in terms of economic damage, even though privacy encompasses many things that cannot be quantified, such as social and political values, including dignity. Further, the bulk of the FTC’s authority over privacy stems from Section 5 of the FTC Act, which enables the agency to take action against “unfair or deceptive acts or practices.” Both causes of action are narrow, and the FTC has rarely invoked its “unfairness” authority to address privacy abuses. Lastly, the FTC has limited rulemaking authority to pass regulations pertaining to privacy. It is not clear whether granting the FTC more authority and resources would cure these problems.

Many have called attention to the FTC’s resource constraints as well. FTC Chairman Joseph Simons has repeatedly flagged the agency’s need for additional resources to Congress. In a recent hearing on antitrust enforcement, Simons testified, “Although the FTC has so far managed to allocate sufficient resources to fund the experts needed to support our [antitrust] cases, the agency is reaching the point where we will be unable to meet these needs without compromising our ability to fulfill other aspects of the mission”—including its ability to police privacy. The FTC has around 40 full-time staff working on privacy issues, which is significantly fewer than many foreign data protection authorities in smaller countries. It’s also unclear whether the FTC has the technological expertise it needs to enforce privacy laws.

As an alternative, Congress could consider establishing a new data protection agency. As some experts have argued, a new agency dedicated to enforcing privacy could provide for more robust enforcement of a new privacy law and be structured to prevent the inconsistent application of privacy laws from presidential administration to administration. At the same time, creating a new agency could take a long time and might be logistically difficult to set up.

In the absence of a federal privacy law and while Congress considers whether to establish a new data protection agency, many states are taking efforts into their own hands, as we’ve seen with California. As Congress inches closer to passing a comprehensive privacy law, it must consider whether to grant state Attorneys General the authority to enforce a federal privacy law, and whether state legislatures should continue to have the freedom to enact and enforce their own privacy laws. Enforcement by the states could also serve as a check against regulatory capture and any political pressure faced by a federal agency. On the other hand, if states take differing approaches to protecting their constituents’ privacy, it could cause compliance challenges for companies.

Finally, Congress could also include a private right of action in federal privacy legislation, which would allow individuals to enforce their own privacy rights. With a private right of action, an individual whose privacy rights are violated could sue the violating company directly, rather than relying on a federal or state enforcer. While there is some opposition to a private right of action from industry and lawmakers, private rights of action are an extension of democratic participation, like petitioning government, writing members of Congress, and talking to state legislators. A private right of action can therefore empower individuals to pursue enforcement on their own.

Congress should carefully consider all of these options as it works to craft new federal privacy legislation. Whatever privacy law Congress enacts, it’ll only be as effective as its enforcement. People are counting on Congress to ensure that their privacy is protected.