A Closer Look at the Eshoo-Lofgren, Gillibrand, and Brown DPA Proposals

We will close the background section of the report by delineating the key differences between the Eshoo-Lofgren, Gillibrand, and Brown DPA bills so as to ground our subsequent analysis of the strengths and weaknesses of FTC versus DPA enforcement.

*These bills were introduced before Seila Law v. Consumer Financial Protection Bureau held this leadership structure unconstitutional.

These three bills use an agency structure led by a single director with a five-year term who can only be removed for cause. This directorship structure is identical to the CFPB, the financial regulator established by the Dodd-Frank Act in the wake of the 2008 financial crisis.¹ However, in June 2020, the Supreme Court ruled in Seila Law v. Consumer Financial Protection Bureau that the CFPB leadership structure is unconstitutional: a single director must be removable at will rather than only for cause.² In contrast to the single-director model, the FTC is headed by a five-person commission where no more than three members can be from the same party.³ The significance of Seila Law v. Consumer Financial Protection Bureau will be discussed in more depth in the “Independence” section below.

The three bills propose DPAs with differing levels of power. The Eshoo-Lofgren DPA has the narrowest mandate, while the Brown DPA has the broadest. The primary function of the Eshoo-Lofgren DPA is to enforce comprehensive privacy law. In practice, this would mean applying fines to entities that process data in such a way that is prohibited by their bill. The Brown DPA would broadly also fine violators of the bill’s framework, and would directly supervise large data processing entities.

In the following section, we will compare the Digital Privacy Agency model as outlined in the Eshoo-Lofgren privacy proposal with FTC enforcement of a comprehensive privacy law along six relevant metrics.