Comparing the FTC and DPA

The privacy bills that delegate enforcement to the FTC and those that create a new agency are quite different in form, so it is helpful to compare the two options by their likely effectiveness. Taking a holistic view of agency performance, we will assess the options along six metrics: statutory authority, independence, resistance to regulatory capture, effectiveness of enforcement, budget, and feasibility. To make these comparisons, we will largely rely on past agency performance in the case of the FTC, and analogous agencies in the case of the proposed DPA. These analogous agencies are the CFPB and the various European DPAs.

In this section, statutory authority refers to an agency’s ability, as granted by a statute, to enforce a privacy law. This analysis will focus primarily on rulemaking authority. First, we will detail the current limitations of FTC statutory authority. Then, we will explore how new comprehensive federal privacy legislation could expand FTC statutory authority. Finally, we will compare this model of an empowered FTC to a model of a new DPA.

Legislation could empower either the FTC or a new agency to enforce a new statute specifically for data privacy. The relevant comparison is then between a new agency and an FTC empowered with expanded rulemaking authority by a comprehensive privacy law, not the current FTC limited to Section 5 authority. Therefore, it is not accurate to point to “the limitations of its generic statute” as proof that the FTC is not up to the task of regulating the digital economy,¹ because all proposals analyzed in this report that designate the FTC as the agency responsible for enforcement give the agency specific statutory authority in addition to their Section 5 authority. Indeed, Congress has already granted the agency the power to regulate specific domains of privacy, such as children’s online privacy, in addition to and separate from its Section 5 authority.

Currently, the FTC’s general data privacy regulation authority is based in its statutory authority under Section 5 of the FTC Act, which tasks the FTC with regulating “unfair or deceptive acts or practices.”² The FTC has applied its Section 5 consumer protection authority to privacy and security and developed a body of decisions that operate like common law.³ The FTC’s approach primarily relies on corporate self-regulation under the notice and consent model, bringing enforcement actions against companies that have deceptively violated their own privacy policies and public representations made to users about how they protect their privacy and security.⁴ While this strategy has led to a number of enforcement actions over the years,⁵ the notice and consent model relies on a number of faulty assumptions, including the notion that the average user can meaningfully consent to privacy policies.⁶ Section 5 enforcement actions relating to data privacy have largely been based on the deceptiveness standard. Since the 2015 Wyndham case, the FTC also brings actions against firms that unfairly open their users’ data to security risks.⁷

Proponents of FTC enforcement of a future federal privacy law assert that the agency’s history of Section 5 enforcement constitutes a rich body of accumulated common law forged through “complaints, consent decrees, and various reports” that provides a sound and flexible basis to enforce a comprehensive privacy law.⁸ The answer to how the FTC’s privacy enforcement under Section 5 would interact with comprehensive privacy legislation is ambiguous because bills designating the FTC as the enforcing authority have taken divergent approaches. The Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA Act) would prevent the FTC from utilizing its UDAP authority in matters relating to data privacy or security in a manner inconsistent with the act.⁹ Contrastingly, the Consumer Online Privacy Rights Act (COPRA) would treat violations of the act as a UDAP under Section 5.¹⁰

In order to make a fair comparison between an empowered FTC and a DPA, we will review the FTC’s enforcement record of COPPA, the Children’s Online Privacy Protection Act of 1998.¹¹ COPPA is a federal privacy law that gives the FTC APA rulemaking authority to enforce the act.¹² Under COPPA, the FTC has promulgated rules every ten years as mandated by Congress: once in 2000 to implement the 1998 law, and again in 2013 to expand the definition of personally identifiable information (PII) to better reflect the increasing importance of cookies and geolocational data in surveilling young children.¹³ In 2019, the FTC opened a comment period to consider a new set of amendments to the COPPA rules, which may encourage general audience platforms to identify child-directed third-party content and ensure it complies with COPPA.¹⁴

The FTC has brought almost 30 cases under COPPA. In 2019, the commission issued its two largest COPPA fines of $5.7 million and $170 million to ByteDance and YouTube, respectively.¹⁵ While the FTC lauded the outcome of the YouTube settlement,¹⁶ many considered the settlement ineffective. COPPA’s original sponsor, Senator Ed Markey (D-MA), claimed that the settlement lacked a deterrent value and did not provide sufficient structural injunctions because it would not prevent future violations.¹⁷ Advocacy groups have also criticized the FTC’s enforcement of COPPA, arguing that the agency has failed to rigorously enforce the policy.¹⁸

One example of this insufficient enforcement is the FTC’s failure to investigate Facebook for violations of COPPA. In February 2019, over a dozen advocacy organizations filed a complaint against Facebook¹⁹ accusing the company of violating COPPA by knowingly tricking children into making in-game purchases.²⁰ The commission has not followed up on this complaint. In fact, Facebook has never been fined under COPPA, despite multiple high-profile revelations that the company likely violated the law.²¹ At this time, it is unclear whether the FTC would effectively utilize the APA rulemaking authority granted to it by a future federal privacy law.

Generally, proposals for a U.S. DPA are modeled on the CFPB and the European DPAs.²² Therefore, this section’s analysis will make comparisons to the budget and personnel of the CFPB and European authorities when appropriate. The most detailed DPA proposal is the Eshoo-Lofgren proposal. This bill allocates a $550 million yearly budget to the new agency, which would use those funds to hire about 1,600 employees.²³ This budget seems to be proportional to the number of staff being hired. The CFPB, a comparable agency to the Eshoo-Lofgren DPA, had budget for FY 2019 of approximately $510 million and used those funds to employ 1,465 full-time staff.²⁴

The legislative proposals that do not establish a new agency do not increase FTC staff and budget at levels comparable to the DPA proposals. In FY 2019, the most recent year for which budget and full-time employee data is available, the FTC budget amounted to $311 million with 1,101 full-time staff.²⁵ As of 2020, only about 40 of those employees were doing privacy enforcement work.²⁶

Proposals delegating privacy law enforcement to the FTC generally bolster an existing bureau or establish a new bureau within the agency. Senator Wyden’s Mind Your Own Business Act of 2019 would create a new 50-person Bureau of Technology within the FTC and add 125 employees to the Bureau of Consumer Protection—100 of whom would do privacy enforcement work.²⁷ This would bring the total number of FTC employees doing privacy enforcement work up to about 190. While the Wyden bill does not provide figures for how much adding 175 new employees would cost, former FTC Chairman Joseph Simons estimated that a $50 million budget increase from Congress would enable the FTC to hire 160 new staff.²⁸ Under this proposal, the number of employees working on privacy would more than triple. However, it would still only be about one-tenth the size of the Eshoo-Lofgren DPA proposal.

Most pertinent to this analysis is the sheer personnel and budget disparity between a hypothetical DPA and an empowered FTC. As mentioned before, the Eshoo-Lofgren proposal gives the agency a yearly budget of $550 million and about 1,600 full time employees.²⁹ By contrast, the FTC currently has a budget of $311 million and 1,101 employees.³⁰ The Wyden proposal would boost the agency budget by about $55 million and lead to the hiring of 175 additional staff.³¹ In total, that would boost the commission’s budget to about $366 million and bring the number of staff up to 1,276. Those staff would have to add the enforcement of a federal privacy bill to a long list of existing responsibilities, including Section 9 antitrust investigations, merger review, international investigations, Section 5 enforcement, and many more.³² In contrast, the Eshoo-Lofgren DPA would largely be tasked with enforcing the federal privacy law and consulting with users, academia, and small businesses.

A further consideration beyond the structure of the DPA is the risk that a hostile administration or Congress could starve the agency of funds. The CFPB faced this issue under former President Donald Trump’s administration, when Mick Mulvaney became the director of the agency and asked staff to cut the budget by 20 percent.³³ Even in Europe, where DPAs have faced funding challenges, each of the European DPAs has funding and personnel levels dramatically higher than the FTC’s Division of Privacy and Identity Protection.³⁴ However, data privacy has historically been a bipartisan issue and is not likely to be as politically controversial as the CFPB.

Whether Congress decides to empower the FTC or create a new agency as the enforcer of privacy legislation, it will need to appropriate a larger budget and more personnel in order for enforcement to be meaningful.

Agency independence depends on the extent to which the executive branch can direct the work of the agency.³⁵ While there is no one specific feature of independence common to all independent executive agencies, there are agency design choices that make an agency more independent or less independent.³⁶ A central determinant of agency independence is the extent to which the president can remove the leadership personnel: at will, meaning for any reason, or for cause, meaning only for “inefficiency, neglect of duty, or malfeasance in office.”³⁷

Two Supreme Court cases challenging the independence of the FTC and CFPB have made it clear that there are two constitutionally permissible administrative agency models: either an agency is led by a single director serving at the will and direction of the president or an agency is led by a multi-member body that can only be removed for cause. The 1935 case Humphrey’s Executor v. United States held that the FTC structure was constitutional because “Congress could create expert agencies led by a group of principal officers removable by the President only for good cause.”³⁸ The 2020 case Seila Law v. Consumer Financial Protection Bureau held that the CFPB structure was unconstitutional because an independent administrative agency cannot be led by a single director, therefore any agency with a single director must be removable at will by the president.³⁹

In response to this decision, the CFPB will continue to be led by a single director, but that director will now be removable by the president for any reason, thereby limiting the agency’s independence. By contrast, the FTC is considered an independent administrative agency because it is led by a five-member Commission with statutory removal protections that insulate commissioners from the president’s direction.

All three DPA bills are based on the original leadership model of the CFPB and therefore must be modified to pass constitutional muster. The bill sponsors can decide to strike the for-cause removal requirements: § 301(c)(3) in Eshoo-Lofgren, § 4(c)(3) in Gillibrand, and § 301(c)(3) in Brown. Alternatively, they could revise their bills to adopt a multi-member body similar to the FTC. However, this seems unlikely because DPA advocates seek to differentiate their proposed agencies from the FTC, and a single director model is a significant point of distinction.

There are benefits to both the independence of the FTC and the single-director DPA model. Many federal agencies are led by a single director rather than a commission, including the administrator of the Environmental Protection Agency and the attorney general of the Department of Justice (DOJ). The tradeoff to their relative efficiency is less stability. The 2018 Sourcebook of United States Executive Agencies published by the Administrative Conference of the United States endorses the multi-member commission structure as the most stable. The Conference stated, “Among the most durable agencies,” meaning those least susceptible to elimination by hostile administrations, “are those multi-member bodies located outside the executive departments with features such as party-balancing limitations and fixed terms.”⁴⁰

A single-director DPA model is more likely to experience dramatic swings in policy dependent on the president in office, while the FTC model tends to be more consistent across administrations. The CFPB underwent extreme changes in policy under the Obama and Trump administrations that some attribute to the single-director structure.⁴¹ Some scholars argue, however, that single-director agencies are much more efficient than the alternative and that these ideological swings are simply the result of directors reflecting the partisan inclinations of whichever president they were appointed by.⁴² Moreover, data privacy legislation has more bipartisan support than Dodd-Frank did when it was passed and therefore would likely not be as susceptible to the dramatic partisan shifts as the CFPB.

The FTC’s multi-member structure requires three commissioners to vote for any significant agency action. The agency is often criticized by consumer advocates for failing to act forcefully to curtail industry abuses, and this weakness can at least be partially attributed to its multi-member structure. As Ralph Nader put it in a letter to the commissioners in 2019, “With slight surges over the past fifty years since our FTC report, The Nader Report on the Federal Trade Commission, was published in 1969, followed by some reforms, the FTC remains a largely moribund, sluggish, frightened, alleged watchdog for the American consumer.”⁴³ A single director can act more swiftly and decisively, whereas building consensus is inherently slower and typically requires compromise that tempers the desired outcome of the most progressive commissioner. In fact, this is part of the Supreme Court’s rationale behind the Seila Law decision: an agency led by a single director wields more power than an agency led by a multi-member body and therefore must be more accountable to the president.

However, the Commission’s multi-member structure leaves a record of dissent that agencies led by single directors lack. Contentious decisions in the FTC are usually accompanied by at least one dissenting statement because of the multi-member commission structure and party balancing requirements. As time passes and market conditions change, these dissents can be vital in informing legislative and regulatory action. To give a prominent example, in 2007, Pamela Jones Harbour was the only FTC commissioner to dissent from the FTC’s decision to allow Google’s acquisition of DoubleClick.⁴⁴ Harbour emphasized that the decision would not only lead to anticompetitive outcomes but would also degrade the data privacy of Google users.⁴⁵ With Google currently under scrutiny for its acquisition of Fitbit⁴⁶ and facing a DOJ antitrust suit,⁴⁷ Harbour’s dissent has found new relevancy. In 2020, Harbour’s dissent was invoked by academics,⁴⁸ DOJ staff,⁴⁹ and FTC commissioners.⁵⁰

In short, the multi-member commission structure allows the agency and other interested bodies to have a public paper trail for controversial decisions and draw on those documents if circumstances change. However, privacy advocates, academics, and other experts also oppose agency decisions they view as harmful to privacy, serving essentially the same function as commissioner dissents. Therefore, while the dissents of commissioners are valuable, other stakeholders would be able to fulfill that role in an agency under a single director.

If Congress decides to delegate enforcement of new privacy legislation to the FTC, the multi-member body structure would provide continued stability. However, this structure may exacerbate the agency’s record of perceived insufficient enforcement that was the impetus for the sponsors of the three DPA bills to prefer a new agency. The single-director DPA model can provide more agility and nimbleness but will not have independence from the president. Members of Congress will view the tradeoff between efficiency and independence differently, leading them to prefer one leadership structure over the other.

Regulatory capture refers to conditions where an agency is ineffective because it is so heavily influenced by the entities it regulates.⁵¹ If the enforcer of a future comprehensive privacy law is (or becomes) captured by the tech industry, the law will not have the intended result of improving privacy protections. Conventional wisdom holds that agencies with broad mandates are less prone to regulatory capture than sector-specific agencies because they are “more likely to resist pressure from any one interest group.”⁵² This argument assumes that a DPA would be more likely to be captured than the FTC. However, the reality is more complex because a DPA differs from the typical sector-specific regulator.

Sector-specific regulators solely regulate certain industries and develop specialized expertise due to their focus.⁵³ The FCC and CFPB, for example, regulate the telecommunications industry and the consumer finance industry, respectively. The FTC differs from this model. It has a broad mandate to “protect consumers and promote competition” across the economy.⁵⁴ The FCC is often seen as being more susceptible to industry influence than the FTC: a 2015 report from the Edmond J. Safra Center for Ethics found that the FCC suffers from extensive regulatory capture from the telecommunications industry.⁵⁵ However, while the FTC may not be as prone to regulatory capture as other agencies, it is not immune. Capture can occur through personnel changes: 63 percent of top FTC officials “have revolving door conflicts of interest involving work on behalf of the technology sector.”⁵⁶

While the three proposed DPAs all have much narrower mandates than the FTC, they are not typical sector-specific agencies because they are technically industry neutral. The DPAs would have an outsized regulatory impact on companies like Google, Amazon, Facebook, and Apple, but their scope would not be limited to digital platforms. Rather, they would regulate the data practices of companies across various industries. For example, the Eshoo-Lofgren bill defines a covered entity as any non-natural person who “intentionally collects, processes, or maintains personal information; and sends or receives such personal information over the internet or a similar communications network.”⁵⁷ These three DPAs differ from Digital Platform Agency proposals that define jurisdiction based on the type of entity, defining “digital platform” as the covered sector.⁵⁸ While the focus of the DPAs would likely be on digital platforms initially, as different sectors of the economy rely more on data-intensive practices, this focus could shift and expand over time to other sectors. Therefore, a DPA should not be assumed to fall prey to the same level of regulatory capture that sector-specific regulators often experience.

Effectiveness of enforcement is the capacity of a regulatory agency to enforce the statutes and regulations it is responsible for in a manner that deters future violations. While it is difficult to assess the enforcement effectiveness of a hypothetical empowered FTC and a DPA, we can look to analogous cases to bolster our analysis.

As proponents of a DPA have noted, the FTC has not effectively followed through with its own enforcement actions.⁵⁹ The effectiveness of enforcement is difficult to define and measure because it is affected by many different variables. Even if the FTC were to receive additional funding and personnel, the commission's mandate is so broad that there is a significant risk that it would not be able to regulate data privacy as effectively as a new agency with a single mission. Congress has already tasked the FTC with the enforcement of more than 70 laws, eight of which can be categorized as privacy and data security laws.⁶⁰ The FTC would need to make an effort to prioritize privacy over other consumer protection issues, otherwise privacy legislation could just become another statute to add to the agency’s list. Moreover, Congress has constrained FTC authority multiple times in history, and it is possible that the commission's authority could be constrained again in the future.⁶¹

Perhaps the best example to illustrate the FTC's inadequate enforcement is the agency's lackluster response to Facebook's breach of its 2011 consent decree with the FTC. While the FTC has been lauded for fining Facebook a historic $5 billion in 2019 for violating the decree, there is ample evidence that the commission could have punished the company for violations much sooner, possibly preventing the Cambridge Analytica scandal.⁶² The 2019 fine only represented a month of Facebook's revenue and the company’s stock rose in the aftermath of the announcement.⁶³ That the Cambridge Analytica scandal occurred while Facebook was under an FTC consent decree throws further doubt on the commission’s ability to effectively enforce data privacy regulations and ultimately protect internet users in a timely way.

As discussed in the budget and personnel section, the Eshoo-Lofgren DPA would have a staff of about 1,600. Due to the sector specific focus of this DPA, it could focus on hiring staff with deep knowledge and expertise in the digital economy and data privacy. The staff and budget size would give the DPA the expertise, personnel, and resources to effectively respond to consumer complaints regarding tech companies, actively enforce the laws it would be tasked with, and consult with relevant stakeholders (such as civil society, industry, or users) regarding the best allocation of its resources.

Feasibility in this section means the logistical ease of operations. It is relatively more feasible for Congress to empower the FTC with additional funding and rulemaking authority to enforce a federal privacy law than it is to have Congress create a new agency for this purpose.

On a basic level, empowering the FTC is more feasible than standing up a new agency because of path dependency. The FTC would be better positioned than other existing agencies to become the U.S.’s official data privacy agency because it already enforces some sectoral privacy statutes and brings enforcement actions under its general consumer protection authority, and regularly hosts bilateral discussions on data privacy and security with data protection authorities from around the world.⁶⁴ While the FTC has not always effectively utilized its authority, the FTC’s accumulated experience places it in a position to become the enforcer of a comprehensive privacy legislation more quickly than a DPA.

If Congress did establish a DPA through legislation, it would need to overcome substantial barriers to stand up a new independent agency. The case of the PCLOB—the Privacy and Civil Liberties Oversight Board—is instructive. Congress established the PCLOB as an independent agency in 2007 to review counterterrorism activities to ensure that they include adequate safeguards for privacy and civil liberties.⁶⁵ However, the agency did not actually come into existence until 2012 when the Senate confirmed its first four board members.⁶⁶ This five-year period delayed the agency’s ability to fulfill its mission and serve the public.

After authorization of the entity and confirmation of leadership, a new independent agency will face basic hurdles to set up agency infrastructure and operations that can be mitigated through agency design. A new agency needs office space; internet, email, and phone service; and a complete complement of staff including not only subject matter experts but also everything from human resources to internal information technology specialists. At a prior OTI panel, David Medine, who served as the first chairman of the PCLOB and also previously served as special counsel at the CFPB, argued that a new agency should “sit on the structure of the old agency until it’s ready to separate.”⁶⁷ Medine noted that unlike with the PCLOB, the CFPB staff benefited from being able to use Treasury Department payroll, email, and website infrastructure before the agency was ready to stand on its own. The Brown DPA is the only DPA proposal to use this model of operating on the Federal Reserve System infrastructure.⁶⁸ Therefore, while it is more feasible for an existing agency to begin its enforcement duties, a DPA could avoid initial operational problems that other new agencies have faced if it utilized an existing agency’s infrastructure.