The FTC is Currently the Primary Privacy Enforcer but its Authority is Limited

At present, the FTC has the broadest federal jurisdiction over protecting consumer privacy. Congress originally created the agency to enforce the antitrust laws through the FTC Act of 1914, but later added consumer protection issues to its portfolio in 1938 when Congress expanded the agency’s authority under Section 5 of the FTC Act to prohibit “unfair or deceptive acts or practices.”¹ Since then, Congress has also given the FTC additional statutory authority to protect privacy through such statutes as the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act (COPPA).

Despite these additional statutes, the FTC’s authority is limited and creates challenges in relying on the agency to protect privacy. Not only does the agency lack a strong record on enforcing privacy, but it also lacks sufficient capacity to do so. Congress could grant the agency more authority and resources to protect privacy, but it is unclear whether it would lead to stronger enforcement.

The FTC has limited privacy authority. It is constrained as an enforcement agency that focuses primarily on interstate commerce and consumers. As Banker argued, “a lot of the criticism that the FTC is receiving about [its enforcement record] is not necessarily fair, because … to date, it has not been given a clear mandate, a clear set of rules to work with, and the resources to go with it, in order to be that strong enforcer [on privacy].”² The FTC’s core Section 5 authority does not define standards for unfairness and deception. Because its privacy enforcement must fit within this authority, the agency’s current jurisdiction does not allow it to sufficiently protect against myriad privacy threats that are not easily characterized as unfair or deceptive practices. Further, not only are there questions about whether FTC enforcement provides strong enough incentives for companies to avoid violating existing laws, there are also questions about the extent to which the FTC’s enforcement actions under Section 5 actually protect consumers if they primarily seek to address companies’ disclosure and notice to consumers. In addition, it is not clear whether the FTC is best equipped to address privacy harms because it lacks capacity, especially on technological expertise. Its authority is further restricted by its limited rulemaking authority under Magnuson-Moss.

First, the FTC’s current approach focuses on privacy harms that can be quantified in terms of economic damage. This approach, as Gellman critiqued, may overlook harms that cannot be quantified in these terms. Privacy, he said, represents soft values with “social, political, and informational consequences”—i.e., it has no clear monetary value. Gellman suggested that the FTC’s structure means that it inherently focuses on economic damages, since the Bureau of Economics is on par with the Bureau of Consumer Protection in terms of hierarchy, and the economic implications of privacy harms are a critical factor in the agency’s decision-making.

Similarly, as an agency created to focus primarily on commerce and consumers,³ the FTC may not be best positioned to tackle the full breadth of privacy issues, especially those that go beyond commerce and affect more than just consumers. After all, privacy intrusions create externalities that implicate individuals who do not use a product or service, in that one consumer’s data may also reveal information about a non-user. While Banker recognized that “consumer protection in and of itself is a value,” Medine suggested that because “privacy is about values and rights … a new organization that is committed to … that approach, as opposed to [the FTC’s] approach, would be very beneficial.”

Second, Section 5—which forms the core of the FTC’s jurisdiction over privacy—does not give the agency sufficient authority to protect privacy. Section 5 empowers the commission to pursue actions against “unfair or deceptive acts or practices.” An act or practice is considered unfair if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”⁴ An act or practice is considered deceptive if it involves a material representation, omission, or practice that is likely to mislead a reasonable consumer.⁵ This enforcement regime, which primarily addresses companies’ notice and disclosure policies, has created incentives for companies to simply avoid promising clear privacy protections so they can avoid the risk that they may be held accountable for violating those promises. Gellman argued, for instance, that cases brought under the agency’s deception authority have resulted in company disclosure through “vaguer and less clear privacy notices” to which companies cannot be held accountable. Instead, the FTC should wield its unfairness authority more: if the goal is to change company practices, as Gellman suggested, “you can do that more through unfairness and set standards for everybody else than you can through [the] deception” authority.

However, the FTC’s existing unfairness authority as currently utilized also fails to ensure strong privacy protections. Getachew noted that “one of the challenges of the unfairness standard is that it's not only [asking] is something unfair, but is that practice outweighed by any benefits that a consumer might receive? Are there any economic advantages to that practice? And is that better than anything that could be considered unfair?” Thus, even if a practice could be considered unfair, if the FTC finds that the practice potentially benefits some consumers in some way, the balancing test may prevent the agency from taking action.

Third, the FTC has limited rulemaking authority under the Magnuson-Moss Act. The Act requires the FTC to show “substantial evidence in the rulemaking record” that a practice is prevalent or widespread before it can be declared an unfair and deceptive act or practice.⁶ Since Magnuson-Moss was enacted in 1975, the FTC has rarely issued regulations under its rulemaking authority. As Getachew explained, “the key ingredient [the FTC is] missing is rulemaking authority, particularly for areas of concern [like] data processing [and] data practices that harm [members of marginalized communities or general consumers]. We’ve seen the Section 5 unfair and deceptive [authority] extend to as much as it can, but without clear rules, without strong rules, it’s hard to really go further than that.”

To facilitate more effective enforcement of privacy regulations, Congress could grant the FTC more authority, such as general rulemaking authority under the Administrative Procedure Act. FTC Chairman Joseph Simons, however, has asked Congress not to give the agency broad rulemaking authority, and instead has advocated for targeted rulemaking authority.⁷ While federal privacy legislation will ultimately determine what the FTC’s rulemaking authority looks like, Getachew explained that,

you want to have a broad scope for an agency to enact rules encompassing a lot of different areas when it comes to privacy. So that could be transparency provisions, so consumers have easy, understandable notices on what … data is being collected. [Or] use restrictions on what data can and cannot be collected, particularly around sensitive data. I think the big point is making sure that rulemaking authority is constantly used or adopted when we're seeing new harms arise, as opposed to a piece of legislation that might limit an agency to just a few set of provisions.

If Congress is not willing to go so far, it could at least grant targeted rulemaking authority over particular aspects of a privacy law or specific, complex provisions. This approach could allow more technical or specific aspects of a law to be decided through a rulemaking process at an agency, such as the FTC, instead of by Congress.

The FTC currently lacks capacity to exercise its jurisdiction over privacy regulations effectively. First, the FTC lacks the staffing resources it needs to carry out its privacy work. The FTC has around 40 full-time staff working on privacy issues, which is significantly fewer than many foreign data protection authorities in smaller countries.⁸ For instance, the U.K. Information Commissioners’ Office employs over 500 people to regulate data privacy,⁹ and the Irish Data Protection Commissioner employs about 130 people to enforce the General Data Protection Regulation.¹⁰ The agency charged with enforcing privacy in the United States should be properly staffed to ensure that when companies violate privacy rules, they are directly held accountable. As FTC Chairman Joseph Simons wrote to Rep. Frank Pallone Jr. (D-N.J.), the agency has “brought on average about twenty privacy and data security cases per year over the past five years … With more staff we would be able to bring more cases under our existing authority; providing us with additional authority would notably improve our ability to bring significantly more privacy and data security cases.”¹¹ With only 40 full-time staff dedicated to the issue, the FTC simply cannot be aggressive in protecting privacy across the country.

Second, it is unclear whether the FTC has the technological expertise it needs to enforce privacy laws. Not only has the office of the chief technologist been vacant since May 2018,¹² but as of April 2019, the agency also only employs around five technologists on staff, with only around three technologists working on privacy and security research and casework.¹³ FTC Chairman Simons has asked Congress for additional resources to hire an estimated ten to fifteen technologists to support ongoing work in these areas,¹⁴ and former Commissioner Terrell McSweeny has called for the creation of a freestanding Bureau of Technology to bolster the agency’s technological expertise.¹⁵ Without a robust understanding of technology—including online advertising methods, algorithmic tools, and machine learning—the FTC will be hampered in its ability to protect privacy.