Introduction

With increasing public scrutiny of privacy intrusions, legislators must not only grapple with creating new federal legislation to protect privacy, but also consider how such legislation should be enforced. Congress could expand the FTC’s authority or create a new federal agency to regulate privacy. Congress could also empower states to enforce federal rules as well as their own legislation, or empower individuals to play an enforcement role by including a private right of action.

This report builds on an event held by New America’s Open Technology Institute on October 8, 2019 that examined the different ways that Congress could create an enforcement regime as part of new privacy legislation. David Medine, former special counsel at the Consumer Financial Protection Bureau, former associate director for Financial Practices at the Federal Trade Commission, and former Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB), delivered opening remarks. A panel moderated by Dylan Gilbert, policy counsel at Public Knowledge, followed. Panelists included Elizabeth Banker, vice president and associate general counsel at the Internet Association; Blake Bee, program counsel for the National Attorneys General Training & Research Institute Center for Consumer Protection at the National Association of Attorneys General; Bob Gellman, a privacy and information policy consultant; and Yosef Getachew, program director of the Media and Democracy program at Common Cause. The discussion covered the successes and shortcomings of the current privacy enforcement regime, including the FTC’s work thus far on enforcing data protection and privacy, the promise and downfalls of creating a new data protection agency, the role of state enforcement, and the implications for including a private right of action in federal privacy legislation.