There is general consensus among members of the U.S. Congress, industry, civil society, and the public that the United States needs federal privacy legislation, but there is no consensus on how such legislation would be enforced and by whom.¹ While the seemingly constant barrage of consumer data breaches and pervasive tracking across the internet have numbed the public and led to a sense of “privacy nihilism,” two major scandals in 2017 and 2018 managed to grab the public’s attention and cause Congress to consider policy solutions. Credit bureau Equifax announced in September 2017 that it exposed the personal information of 143 million (later revealed to be 147 million) people.² Then, in March 2018, journalists broke the story that Facebook’s data practices enabled the harvesting of 50 million (later revealed to be 87 million) users’ personal data, which was sold to political analytics firm Cambridge Analytica.³ Congress held a series of hearings on both incidents and introduced various privacy and data security bills, but ultimately did not pass legislation. The Federal Trade Commission (FTC), however, brought enforcement actions in response to both events and reached settlements with the companies.

The FTC worked with the Consumer Financial Protection Bureau (CFPB) and state attorneys general to reach a settlement with Equifax that created a fund to offer affected consumers a cash payment of $125 or free credit monitoring.⁴ However, the fund was capped at $300 million,⁵ and high demand for cash payments led the FTC to encourage consumers to accept the free credit monitoring option.⁶ If every affected person filed a claim, the payout would only be 21 cents. So Equifax added an additional hurdle requiring that people had credit monitoring services before the breach to obtain the cash award.⁷ The demand for cash payments should have come as no surprise, given that the breach affected half the U.S. population and consumers were unlikely to trust the company that breached their personal information to protect them from identity theft.

The FTC also reached consent orders with both Facebook and Cambridge Analytica, levying a record-breaking $5 billion fine against Facebook.⁸ However, senators called the fine a “far cry from the type of monetary figure that would alter the incentives and behavior of Facebook and its peers.”⁹ New America’s Open Technology Institute (OTI) commented that Facebook “was rewarded on the stock market for the settlement, the settlement imposed no meaningful restrictions on Facebook’s data collection and sharing practices, and structural changes require a tenacious overseer to ensure compliance or they may lead to nothing.”¹⁰ Facebook was already under a consent order with the FTC when the Cambridge Analytica event occurred, and yet the third-party assessors responsible for monitoring compliance did not report it. The new consent order contained several changes to Facebook’s privacy practices, but the past failures of the FTC’s compliance system call its efficacy into question.

These two incidents helped Congress recognize that the privacy status quo is not working for consumers—but is it just because the United States lacks adequate privacy laws, or is the FTC also to blame? If Congress passes comprehensive privacy legislation, should the FTC be tasked with enforcing it? Or should Congress create a new agency?

OTI hosted an event and wrote a report in 2019 that explored different mechanisms of enforcement: federal agency (whether FTC or a new agency), state attorneys general and state legislation, and a private right of action empowering individuals to sue.¹¹ This report builds on that work to compare the relative merits of FTC enforcement versus enforcement by a new agency. Data privacy has become an issue of national economic, political, and social significance over the past few decades. The implementation of the European General Data Protection Regulation (GDPR) in 2018,¹² the California Consumer Privacy Act (CCPA) in 2020,¹³ and the passage of the Virginia Consumer Data Protection Act in 2021¹⁴ have heightened political impetus to implement a comprehensive federal privacy law. Moreover, the California Privacy Rights Act,¹⁵ an extensive amendment to CCPA, established a new agency—the California Privacy Protection Agency—to enforce the CCPA/CPRA rather than relying on attorney general enforcement.¹⁶

Discussions regarding enforcement of proposed federal privacy laws prior to late 2019 tended to focus on the question of whether or not enforcement should be shared between the FTC and state attorneys general. A lengthy Congressional Research Service (CRS) report on data privacy laws from March 2019 only addresses the possibility of creating a new agency to enforce federal privacy laws in one footnote.¹⁷ However, growing recognition of the weak enforcement of the GDPR in the first three years of its existence has heightened the importance of enforcement mechanisms in U.S. privacy legislation.¹⁸

This report explores the question of whether comprehensive federal data privacy legislation should be enforced by the FTC or a new agency created by Congress. This report will use the acronym “DPA” to refer to the general concept of a new agency to enforce federal privacy law in the United States. In Europe, this acronym refers to Data Protection Authorities that enforce the GDPR—in this report, those will be referred to as European DPAs.¹⁹ In the U.S. context, the acronym DPA covers the different agency titles—Data Privacy Agency, Digital Privacy Agency, Data Protection Agency, and Data Protection Authority—that appear in various bills and proposals. To avoid confusion, this report will discuss particular DPA proposals in reference to their authorizing legislation.

A number of lawmakers, members of civil society, and privacy experts have called for the creation of a dedicated regulatory body to enforce federal privacy law. In 2019, Representatives Anna Eshoo (D-CA) and Zoe Lofgren (D-CA) introduced the Online Privacy Act of 2019, which would create a DPA.²⁰ In 2020, senators also introduced two additional federal privacy bills that would establish DPAs: Senator Sherrod Brown’s (D-OH) Data Accountability and Transparency Act,²¹ and Senator Kirsten Gillibrand’s (D-NY) Data Protection Act.²² This report will compare these three bills to one another and to FTC enforcement. We will also draw comparisons between the DPA proposals and two relatively new federal agencies: the CFPB and the Privacy and Civil Liberties Oversight Board (PCLOB). This report will not cover proposals like the Digital Platform Agency proposed by former FCC Chairman Tom Wheeler²³ and Public Knowledge’s Harold Feld,²⁴ which are sector-specific agencies that would have jurisdiction much broader than privacy.

Comprehensive privacy legislation will only have a substantive effect on business practices if there is a federal agency with the will, ability, and resources to enforce the law rigorously. We do not conclude that a new agency or an enhanced FTC is inherently a better enforcement agency. Rather, we argue that Congress should assess the effectiveness of proposals for either type of enforcement model using key metrics: authority, independence, resistance to regulatory capture, effectiveness of enforcement, budget, and feasibility.

This report first explains the differences between proposals that empower the FTC and proposals that create a DPA to enforce privacy legislation. It then explains the similarities and differences between the DPAs proposed by the Eshoo-Lofgren, Gillibrand, and Brown bills. The final section of the report defines each metric, explains why it is important for Congress to consider, and evaluates how an empowered FTC and DPA would compare along the metrics.

Editorial disclosure: This report discusses policies by Facebook and Google, both of which are funders of work at New America but did not contribute funds directly to the research or writing of this piece. New America is guided by the principles of full transparency, independence, and accessibility in all its activities and partnerships. New America does not engage in research or educational activities directed or influenced in any way by financial supporters. View our full list of donors at www.newamerica.org/our-funding.

To provide context into our analysis of whether data privacy should be regulated by the FTC or a new agency, we will first detail the current shortcomings of FTC regulation of data privacy along with proposals to address these limitations in authority and resources. Next, we will explain why a growing number of lawmakers and members of civil society are calling for the establishment of a new agency that would be narrowly focused on enforcing federal privacy law. Finally, we will briefly outline the three bills put forward by lawmakers.

Federal privacy law in the United States consists of many distinct statutes that regulate data practices in different industries rather than a comprehensive or “omnibus” approach. While Congress has delegated enforcement authority for several specific privacy statutes to the FTC, that has never included general privacy authority. Under this sectoral approach to privacy, the enforcement of privacy statutes is delegated to different federal agencies based on subject matter. For example, the Health Insurance Portability and Accountability Act (HIPAA) is enforced by the U.S. Department of Health and Human Services,²⁵ the Family Educational Rights and Privacy Act is enforced by the U.S. Department of Education,²⁶ and the Telephone Consumer Protection Act is enforced by the Federal Communications Commission (FCC).²⁷

Congress has assigned the FTC enforcement responsibility for the Children's Online Privacy Protection Act (COPPA),²⁸ the Fair Credit Reporting Act,²⁹ the Fair and Accurate Credit Transactions Act,³⁰ the Gramm-Leach-Bliley Act,³¹ the Identity Theft Assumption and Deterrence Act,³² the Telemarketing and Consumer Fraud and Abuse Prevention Act,³³ and the Controlling the Assault of Non-Solicited Pornography and Marketing Act.³⁴ These statutes comprise only a small fraction of the 82 statutes enforced by the FTC.³⁵

The FTC is an enforcement agency with the dual mission to protect consumers and promote competition in the American economy.³⁶ The agency has three bureaus: the Bureau of Competition, the Bureau of Consumer Protection, and the Bureau of Economics.³⁷ The Division of Privacy and Identity Protection is one of eight divisions within the Bureau of Consumer Protection.³⁸ Despite privacy comprising such a small component of the FTC’s organizational structure, the agency has been treated as the de facto privacy authority in the United States.

The Federal Trade Commission Act of 1914 gave the FTC authority to stop “unfair or deceptive acts or practices in or affecting commerce” (UDAP),³⁹ and the commission applies this authority to privacy and data security where a sector-specific privacy statute is inapplicable. The FTC applies UDAP authority to questions of data privacy not covered by specific statute because the United States does not have a designated general privacy authority.⁴⁰ What constitutes an “unfair or deceptive” activity with regard to data processing has been decided on a case-by-case basis over many years in a process that scholars have labelled a “Common Law of Privacy.”⁴¹ With a privacy law in place, a regulator would be able to refer to a set of codified data privacy standards rather than rely primarily on a common law approach.

It is the norm among industrialized countries to have independent regulators for privacy and data protection and omnibus—rather than sectoral—privacy laws. The United States is the only country in the Organisation for Economic Co-operation and Development (OECD) without a DPA.⁴² The Global Privacy Assembly began in 1979 and convenes 130 privacy and data protection authorities from around the world.⁴³ The FTC represents the United States at these convenings, even though the United States is one of the few countries without a dedicated privacy agency.⁴⁴ European countries have had DPAs since a 1995 EU directive.⁴⁵

The FTC fulfills some of the roles that foreign privacy authorities do, including collaborating with European DPAs on enforcement matters.⁴⁶ However, the FTC cannot be considered America’s privacy regulator because there are several other U.S. agencies that enforce various privacy statutes. In the absence of comprehensive privacy legislation, the United States does not have an omnibus privacy law to enforce.⁴⁷ The FTC’s existing role as the closest approximation to a U.S. privacy regulator has led many lawmakers drafting federal comprehensive privacy legislation to propose delegating enforcement authority to the FTC.⁴⁸ Competing proposals to delegate enforcement of privacy legislation to a new DPA have challenged the assumption that the FTC should enforce an omnibus privacy law. This report seeks to evaluate the strengths and weaknesses of different enforcement agency approaches.

Stakeholders that advocate for FTC enforcement agree that the agency would need additional authority and resources if Congress decides to delegate enforcement authority of new privacy legislation to the FTC.⁴⁹ Broadly speaking, these concerns stem from constraints on the agency’s rulemaking authority and resources along with a perception that the FTC has too many competing priorities within its broad mandate to focus sufficiently on regulating data privacy.⁵⁰ After a brief discussion of these concerns, we will outline the various solutions to these shortcomings proposed by lawmakers and members of civil society.

Privacy advocates argue that current restraints on FTC rulemaking would limit effective enforcement of a future comprehensive privacy law unless Congress explicitly takes steps to address these obstacles. Rulemaking is the process by which government agencies draft and implement regulations in order to fulfill their mandate and implement laws passed by Congress.⁵¹ Normally, agencies engage in rulemaking in accordance with the standards set forth by the Administrative Procedures Act (APA).⁵² However, with a few exceptions, the FTC must adhere to stricter standards for rulemaking under the Magnuson-Moss Warranty Act.⁵³

Congress passed Magnuson-Moss specifically to make rulemaking more burdensome for the agency after a series of FTC rules in the 1970s were perceived by some to be an overextension of the commission’s mandate, particularly the attempted ban on advertising directed at children.⁵⁴ The Magnuson-Moss procedures include about 20 additional procedures and analysis requirements not found in the APA.⁵⁵

FTC rulemaking under this stricter standard takes, on average, six-times longer than rulemaking done under the APA standard.⁵⁶ Under APA procedures, the FTC was able to issue rules in 2.94 years on average. Since Magnuson-Moss was passed, it takes the agency 5.57 years on average.⁵⁷ Congress has granted APA rulemaking powers to the FTC pursuant to the enforcement of certain statutes, but the commission lacks the ability to utilize the APA standard when dealing with matters of consumer protection that fall outside of these statutes. That is why the FTC is in the peculiar position of being able to utilize APA rulemaking to oversee the privacy of individuals below the age of 13 under COPPA but cannot do the same for adults.⁵⁸ Congress allowed the FTC to use APA rulemaking 12 times between 1993 and 2009, and the agency was able to issue rules in 287.25 days on average under this typical rulemaking process.⁵⁹

In a future privacy law, this limitation could easily be addressed by specifying that FTC rulemaking pursuant to the new law would be done under APA rather than Magnuson-Moss standards. FTC Commissioner Christine S. Wilson has advocated for the inclusion of such a provision in any future privacy legislation.⁶⁰ Proposed privacy bills from both Republicans and Democrats—such as Senator Roger Wicker’s (R-MS) proposal⁶¹ and Senator Maria Cantwell’s (D-WA) proposal⁶²—would provide the FTC at least some form of APA rulemaking powers to enforce a new privacy law.

The FTC’s small size and limited resources have also contributed to the agency’s weak privacy enforcement record. As of April 2019, the agency had only about 40 full-time employees overseeing data privacy.⁶³ That’s only about one-third the size of the Irish Data Protection Commission, the lead European authority responsible for supervising Google and Facebook, which is responsible for bringing more cases than any other European DPA. The FTC’s budget and personnel will be discussed in more depth later in the report.

If Congress passes privacy legislation that assigns enforcement authority to the FTC, it could increase the agency’s budget to hire more staff and create a fourth bureau in addition to the agency’s Bureau of Competition, Bureau of Consumer Protection, and Bureau of Economics.⁶⁴ Proponents of creating a Bureau of Technology within the FTC, such as former Commissioner Terrell McSweeny, argue that organizing the work the commission does on technology within its own bureau will enable the FTC to better attract the personnel needed to enforce relevant data privacy laws.⁶⁵ Senator Ron Wyden’s (D-OR) Mind Your Own Business Act of 2019 would add 125 new staff to existing bureaus and 50 staff to a new Bureau of Technology.⁶⁶ The FTC could also create a new bureau without legislation if it obtained approval from the Congressional Appropriations Committees.⁶⁷

Members of Congress have introduced three bills that would establish a new agency to enforce comprehensive federal privacy legislation. These proposals reflect a concern that simply allocating more resources to the FTC or expanding its rulemaking power would not necessarily equip the agency to sufficiently protect user privacy rights. Some argue that the FTC lacks the “digital DNA” to regulate the distinctive digital economy.⁶⁸ Others point to the FTC’s lackluster track record on regulating digital platforms as reason to create a new agency.⁶⁹

DPA proposals call for the creation of a dedicated agency to enforce federal data privacy law. Much of DPA discourse draws from foreign data privacy enforcement models. The Eshoo-Lofgren DPA, in many ways, draws from the EU’s GDPR. In addition to including many of the GDPR’s privacy rights, the Eshoo-Lofgren DPA proposal—and, indeed, most DPA proposals—are modeled after the EU’s Data Protection Authorities, the entities tasked with enforcing the GDPR.⁷⁰ Under the European model, the DPA investigates breaches of privacy laws and, if applicable, levies fines.⁷¹ In addition to this investigative and punitive function, the DPA consults with industry and civil society to promote compliance and refine the enforcement of federal privacy law.⁷²

We will close the background section of the report by delineating the key differences between the Eshoo-Lofgren, Gillibrand, and Brown DPA bills so as to ground our subsequent analysis of the strengths and weaknesses of FTC versus DPA enforcement.

*These bills were introduced before Seila Law v. Consumer Financial Protection Bureau held this leadership structure unconstitutional.

These three bills use an agency structure led by a single director with a five-year term who can only be removed for cause. This directorship structure is identical to the CFPB, the financial regulator established by the Dodd-Frank Act in the wake of the 2008 financial crisis.⁷³ However, in June 2020, the Supreme Court ruled in Seila Law v. Consumer Financial Protection Bureau that the CFPB leadership structure is unconstitutional: a single director must be removable at will rather than only for cause.⁷⁴ In contrast to the single-director model, the FTC is headed by a five-person commission where no more than three members can be from the same party.⁷⁵ The significance of Seila Law v. Consumer Financial Protection Bureau will be discussed in more depth in the “Independence” section below.

The three bills propose DPAs with differing levels of power. The Eshoo-Lofgren DPA has the narrowest mandate, while the Brown DPA has the broadest. The primary function of the Eshoo-Lofgren DPA is to enforce comprehensive privacy law. In practice, this would mean applying fines to entities that process data in such a way that is prohibited by their bill. The Brown DPA would broadly also fine violators of the bill’s framework, and would directly supervise large data processing entities.

In the following section, we will compare the Digital Privacy Agency model as outlined in the Eshoo-Lofgren privacy proposal with FTC enforcement of a comprehensive privacy law along six relevant metrics.

The privacy bills that delegate enforcement to the FTC and those that create a new agency are quite different in form, so it is helpful to compare the two options by their likely effectiveness. Taking a holistic view of agency performance, we will assess the options along six metrics: statutory authority, independence, resistance to regulatory capture, effectiveness of enforcement, budget, and feasibility. To make these comparisons, we will largely rely on past agency performance in the case of the FTC, and analogous agencies in the case of the proposed DPA. These analogous agencies are the CFPB and the various European DPAs.

In this section, statutory authority refers to an agency’s ability, as granted by a statute, to enforce a privacy law. This analysis will focus primarily on rulemaking authority. First, we will detail the current limitations of FTC statutory authority. Then, we will explore how new comprehensive federal privacy legislation could expand FTC statutory authority. Finally, we will compare this model of an empowered FTC to a model of a new DPA.

Legislation could empower either the FTC or a new agency to enforce a new statute specifically for data privacy. The relevant comparison is then between a new agency and an FTC empowered with expanded rulemaking authority by a comprehensive privacy law, not the current FTC limited to Section 5 authority. Therefore, it is not accurate to point to “the limitations of its generic statute” as proof that the FTC is not up to the task of regulating the digital economy,⁷⁶ because all proposals analyzed in this report that designate the FTC as the agency responsible for enforcement give the agency specific statutory authority in addition to their Section 5 authority. Indeed, Congress has already granted the agency the power to regulate specific domains of privacy, such as children’s online privacy, in addition to and separate from its Section 5 authority.

Currently, the FTC’s general data privacy regulation authority is based in its statutory authority under Section 5 of the FTC Act, which tasks the FTC with regulating “unfair or deceptive acts or practices.”⁷⁷ The FTC has applied its Section 5 consumer protection authority to privacy and security and developed a body of decisions that operate like common law.⁷⁸ The FTC’s approach primarily relies on corporate self-regulation under the notice and consent model, bringing enforcement actions against companies that have deceptively violated their own privacy policies and public representations made to users about how they protect their privacy and security.⁷⁹ While this strategy has led to a number of enforcement actions over the years,⁸⁰ the notice and consent model relies on a number of faulty assumptions, including the notion that the average user can meaningfully consent to privacy policies.⁸¹ Section 5 enforcement actions relating to data privacy have largely been based on the deceptiveness standard. Since the 2015 Wyndham case, the FTC also brings actions against firms that unfairly open their users’ data to security risks.⁸²

Proponents of FTC enforcement of a future federal privacy law assert that the agency’s history of Section 5 enforcement constitutes a rich body of accumulated common law forged through “complaints, consent decrees, and various reports” that provides a sound and flexible basis to enforce a comprehensive privacy law.⁸³ The answer to how the FTC’s privacy enforcement under Section 5 would interact with comprehensive privacy legislation is ambiguous because bills designating the FTC as the enforcing authority have taken divergent approaches. The Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA Act) would prevent the FTC from utilizing its UDAP authority in matters relating to data privacy or security in a manner inconsistent with the act.⁸⁴ Contrastingly, the Consumer Online Privacy Rights Act (COPRA) would treat violations of the act as a UDAP under Section 5.⁸⁵

In order to make a fair comparison between an empowered FTC and a DPA, we will review the FTC’s enforcement record of COPPA, the Children’s Online Privacy Protection Act of 1998.⁸⁶ COPPA is a federal privacy law that gives the FTC APA rulemaking authority to enforce the act.⁸⁷ Under COPPA, the FTC has promulgated rules every ten years as mandated by Congress: once in 2000 to implement the 1998 law, and again in 2013 to expand the definition of personally identifiable information (PII) to better reflect the increasing importance of cookies and geolocational data in surveilling young children.⁸⁸ In 2019, the FTC opened a comment period to consider a new set of amendments to the COPPA rules, which may encourage general audience platforms to identify child-directed third-party content and ensure it complies with COPPA.⁸⁹

The FTC has brought almost 30 cases under COPPA. In 2019, the commission issued its two largest COPPA fines of $5.7 million and $170 million to ByteDance and YouTube, respectively.⁹⁰ While the FTC lauded the outcome of the YouTube settlement,⁹¹ many considered the settlement ineffective. COPPA’s original sponsor, Senator Ed Markey (D-MA), claimed that the settlement lacked a deterrent value and did not provide sufficient structural injunctions because it would not prevent future violations.⁹² Advocacy groups have also criticized the FTC’s enforcement of COPPA, arguing that the agency has failed to rigorously enforce the policy.⁹³

One example of this insufficient enforcement is the FTC’s failure to investigate Facebook for violations of COPPA. In February 2019, over a dozen advocacy organizations filed a complaint against Facebook⁹⁴ accusing the company of violating COPPA by knowingly tricking children into making in-game purchases.⁹⁵ The commission has not followed up on this complaint. In fact, Facebook has never been fined under COPPA, despite multiple high-profile revelations that the company likely violated the law.⁹⁶ At this time, it is unclear whether the FTC would effectively utilize the APA rulemaking authority granted to it by a future federal privacy law.

Generally, proposals for a U.S. DPA are modeled on the CFPB and the European DPAs.⁹⁷ Therefore, this section’s analysis will make comparisons to the budget and personnel of the CFPB and European authorities when appropriate. The most detailed DPA proposal is the Eshoo-Lofgren proposal. This bill allocates a $550 million yearly budget to the new agency, which would use those funds to hire about 1,600 employees.⁹⁸ This budget seems to be proportional to the number of staff being hired. The CFPB, a comparable agency to the Eshoo-Lofgren DPA, had budget for FY 2019 of approximately $510 million and used those funds to employ 1,465 full-time staff.⁹⁹

The legislative proposals that do not establish a new agency do not increase FTC staff and budget at levels comparable to the DPA proposals. In FY 2019, the most recent year for which budget and full-time employee data is available, the FTC budget amounted to $311 million with 1,101 full-time staff.¹⁰⁰ As of 2020, only about 40 of those employees were doing privacy enforcement work.¹⁰¹

Proposals delegating privacy law enforcement to the FTC generally bolster an existing bureau or establish a new bureau within the agency. Senator Wyden’s Mind Your Own Business Act of 2019 would create a new 50-person Bureau of Technology within the FTC and add 125 employees to the Bureau of Consumer Protection—100 of whom would do privacy enforcement work.¹⁰² This would bring the total number of FTC employees doing privacy enforcement work up to about 190. While the Wyden bill does not provide figures for how much adding 175 new employees would cost, former FTC Chairman Joseph Simons estimated that a $50 million budget increase from Congress would enable the FTC to hire 160 new staff.¹⁰³ Under this proposal, the number of employees working on privacy would more than triple. However, it would still only be about one-tenth the size of the Eshoo-Lofgren DPA proposal.

Most pertinent to this analysis is the sheer personnel and budget disparity between a hypothetical DPA and an empowered FTC. As mentioned before, the Eshoo-Lofgren proposal gives the agency a yearly budget of $550 million and about 1,600 full time employees.¹⁰⁴ By contrast, the FTC currently has a budget of $311 million and 1,101 employees.¹⁰⁵ The Wyden proposal would boost the agency budget by about $55 million and lead to the hiring of 175 additional staff.¹⁰⁶ In total, that would boost the commission’s budget to about $366 million and bring the number of staff up to 1,276. Those staff would have to add the enforcement of a federal privacy bill to a long list of existing responsibilities, including Section 9 antitrust investigations, merger review, international investigations, Section 5 enforcement, and many more.¹⁰⁷ In contrast, the Eshoo-Lofgren DPA would largely be tasked with enforcing the federal privacy law and consulting with users, academia, and small businesses.

A further consideration beyond the structure of the DPA is the risk that a hostile administration or Congress could starve the agency of funds. The CFPB faced this issue under former President Donald Trump’s administration, when Mick Mulvaney became the director of the agency and asked staff to cut the budget by 20 percent.¹⁰⁸ Even in Europe, where DPAs have faced funding challenges, each of the European DPAs has funding and personnel levels dramatically higher than the FTC’s Division of Privacy and Identity Protection.¹⁰⁹ However, data privacy has historically been a bipartisan issue and is not likely to be as politically controversial as the CFPB.

Whether Congress decides to empower the FTC or create a new agency as the enforcer of privacy legislation, it will need to appropriate a larger budget and more personnel in order for enforcement to be meaningful.

Agency independence depends on the extent to which the executive branch can direct the work of the agency.¹¹⁰ While there is no one specific feature of independence common to all independent executive agencies, there are agency design choices that make an agency more independent or less independent.¹¹¹ A central determinant of agency independence is the extent to which the president can remove the leadership personnel: at will, meaning for any reason, or for cause, meaning only for “inefficiency, neglect of duty, or malfeasance in office.”¹¹²

Two Supreme Court cases challenging the independence of the FTC and CFPB have made it clear that there are two constitutionally permissible administrative agency models: either an agency is led by a single director serving at the will and direction of the president or an agency is led by a multi-member body that can only be removed for cause. The 1935 case Humphrey’s Executor v. United States held that the FTC structure was constitutional because “Congress could create expert agencies led by a group of principal officers removable by the President only for good cause.”¹¹³ The 2020 case Seila Law v. Consumer Financial Protection Bureau held that the CFPB structure was unconstitutional because an independent administrative agency cannot be led by a single director, therefore any agency with a single director must be removable at will by the president.¹¹⁴

In response to this decision, the CFPB will continue to be led by a single director, but that director will now be removable by the president for any reason, thereby limiting the agency’s independence. By contrast, the FTC is considered an independent administrative agency because it is led by a five-member Commission with statutory removal protections that insulate commissioners from the president’s direction.

All three DPA bills are based on the original leadership model of the CFPB and therefore must be modified to pass constitutional muster. The bill sponsors can decide to strike the for-cause removal requirements: § 301(c)(3) in Eshoo-Lofgren, § 4(c)(3) in Gillibrand, and § 301(c)(3) in Brown. Alternatively, they could revise their bills to adopt a multi-member body similar to the FTC. However, this seems unlikely because DPA advocates seek to differentiate their proposed agencies from the FTC, and a single director model is a significant point of distinction.

There are benefits to both the independence of the FTC and the single-director DPA model. Many federal agencies are led by a single director rather than a commission, including the administrator of the Environmental Protection Agency and the attorney general of the Department of Justice (DOJ). The tradeoff to their relative efficiency is less stability. The 2018 Sourcebook of United States Executive Agencies published by the Administrative Conference of the United States endorses the multi-member commission structure as the most stable. The Conference stated, “Among the most durable agencies,” meaning those least susceptible to elimination by hostile administrations, “are those multi-member bodies located outside the executive departments with features such as party-balancing limitations and fixed terms.”¹¹⁵

A single-director DPA model is more likely to experience dramatic swings in policy dependent on the president in office, while the FTC model tends to be more consistent across administrations. The CFPB underwent extreme changes in policy under the Obama and Trump administrations that some attribute to the single-director structure.¹¹⁶ Some scholars argue, however, that single-director agencies are much more efficient than the alternative and that these ideological swings are simply the result of directors reflecting the partisan inclinations of whichever president they were appointed by.¹¹⁷ Moreover, data privacy legislation has more bipartisan support than Dodd-Frank did when it was passed and therefore would likely not be as susceptible to the dramatic partisan shifts as the CFPB.

The FTC’s multi-member structure requires three commissioners to vote for any significant agency action. The agency is often criticized by consumer advocates for failing to act forcefully to curtail industry abuses, and this weakness can at least be partially attributed to its multi-member structure. As Ralph Nader put it in a letter to the commissioners in 2019, “With slight surges over the past fifty years since our FTC report, The Nader Report on the Federal Trade Commission, was published in 1969, followed by some reforms, the FTC remains a largely moribund, sluggish, frightened, alleged watchdog for the American consumer.”¹¹⁸ A single director can act more swiftly and decisively, whereas building consensus is inherently slower and typically requires compromise that tempers the desired outcome of the most progressive commissioner. In fact, this is part of the Supreme Court’s rationale behind the Seila Law decision: an agency led by a single director wields more power than an agency led by a multi-member body and therefore must be more accountable to the president.

However, the Commission’s multi-member structure leaves a record of dissent that agencies led by single directors lack. Contentious decisions in the FTC are usually accompanied by at least one dissenting statement because of the multi-member commission structure and party balancing requirements. As time passes and market conditions change, these dissents can be vital in informing legislative and regulatory action. To give a prominent example, in 2007, Pamela Jones Harbour was the only FTC commissioner to dissent from the FTC’s decision to allow Google’s acquisition of DoubleClick.¹¹⁹ Harbour emphasized that the decision would not only lead to anticompetitive outcomes but would also degrade the data privacy of Google users.¹²⁰ With Google currently under scrutiny for its acquisition of Fitbit¹²¹ and facing a DOJ antitrust suit,¹²² Harbour’s dissent has found new relevancy. In 2020, Harbour’s dissent was invoked by academics,¹²³ DOJ staff,¹²⁴ and FTC commissioners.¹²⁵

In short, the multi-member commission structure allows the agency and other interested bodies to have a public paper trail for controversial decisions and draw on those documents if circumstances change. However, privacy advocates, academics, and other experts also oppose agency decisions they view as harmful to privacy, serving essentially the same function as commissioner dissents. Therefore, while the dissents of commissioners are valuable, other stakeholders would be able to fulfill that role in an agency under a single director.

If Congress decides to delegate enforcement of new privacy legislation to the FTC, the multi-member body structure would provide continued stability. However, this structure may exacerbate the agency’s record of perceived insufficient enforcement that was the impetus for the sponsors of the three DPA bills to prefer a new agency. The single-director DPA model can provide more agility and nimbleness but will not have independence from the president. Members of Congress will view the tradeoff between efficiency and independence differently, leading them to prefer one leadership structure over the other.

Regulatory capture refers to conditions where an agency is ineffective because it is so heavily influenced by the entities it regulates.¹²⁶ If the enforcer of a future comprehensive privacy law is (or becomes) captured by the tech industry, the law will not have the intended result of improving privacy protections. Conventional wisdom holds that agencies with broad mandates are less prone to regulatory capture than sector-specific agencies because they are “more likely to resist pressure from any one interest group.”¹²⁷ This argument assumes that a DPA would be more likely to be captured than the FTC. However, the reality is more complex because a DPA differs from the typical sector-specific regulator.

Sector-specific regulators solely regulate certain industries and develop specialized expertise due to their focus.¹²⁸ The FCC and CFPB, for example, regulate the telecommunications industry and the consumer finance industry, respectively. The FTC differs from this model. It has a broad mandate to “protect consumers and promote competition” across the economy.¹²⁹ The FCC is often seen as being more susceptible to industry influence than the FTC: a 2015 report from the Edmond J. Safra Center for Ethics found that the FCC suffers from extensive regulatory capture from the telecommunications industry.¹³⁰ However, while the FTC may not be as prone to regulatory capture as other agencies, it is not immune. Capture can occur through personnel changes: 63 percent of top FTC officials “have revolving door conflicts of interest involving work on behalf of the technology sector.”¹³¹

While the three proposed DPAs all have much narrower mandates than the FTC, they are not typical sector-specific agencies because they are technically industry neutral. The DPAs would have an outsized regulatory impact on companies like Google, Amazon, Facebook, and Apple, but their scope would not be limited to digital platforms. Rather, they would regulate the data practices of companies across various industries. For example, the Eshoo-Lofgren bill defines a covered entity as any non-natural person who “intentionally collects, processes, or maintains personal information; and sends or receives such personal information over the internet or a similar communications network.”¹³² These three DPAs differ from Digital Platform Agency proposals that define jurisdiction based on the type of entity, defining “digital platform” as the covered sector.¹³³ While the focus of the DPAs would likely be on digital platforms initially, as different sectors of the economy rely more on data-intensive practices, this focus could shift and expand over time to other sectors. Therefore, a DPA should not be assumed to fall prey to the same level of regulatory capture that sector-specific regulators often experience.

Effectiveness of enforcement is the capacity of a regulatory agency to enforce the statutes and regulations it is responsible for in a manner that deters future violations. While it is difficult to assess the enforcement effectiveness of a hypothetical empowered FTC and a DPA, we can look to analogous cases to bolster our analysis.

As proponents of a DPA have noted, the FTC has not effectively followed through with its own enforcement actions.¹³⁴ The effectiveness of enforcement is difficult to define and measure because it is affected by many different variables. Even if the FTC were to receive additional funding and personnel, the commission's mandate is so broad that there is a significant risk that it would not be able to regulate data privacy as effectively as a new agency with a single mission. Congress has already tasked the FTC with the enforcement of more than 70 laws, eight of which can be categorized as privacy and data security laws.¹³⁵ The FTC would need to make an effort to prioritize privacy over other consumer protection issues, otherwise privacy legislation could just become another statute to add to the agency’s list. Moreover, Congress has constrained FTC authority multiple times in history, and it is possible that the commission's authority could be constrained again in the future.¹³⁶

Perhaps the best example to illustrate the FTC's inadequate enforcement is the agency's lackluster response to Facebook's breach of its 2011 consent decree with the FTC. While the FTC has been lauded for fining Facebook a historic $5 billion in 2019 for violating the decree, there is ample evidence that the commission could have punished the company for violations much sooner, possibly preventing the Cambridge Analytica scandal.¹³⁷ The 2019 fine only represented a month of Facebook's revenue and the company’s stock rose in the aftermath of the announcement.¹³⁸ That the Cambridge Analytica scandal occurred while Facebook was under an FTC consent decree throws further doubt on the commission’s ability to effectively enforce data privacy regulations and ultimately protect internet users in a timely way.

As discussed in the budget and personnel section, the Eshoo-Lofgren DPA would have a staff of about 1,600. Due to the sector specific focus of this DPA, it could focus on hiring staff with deep knowledge and expertise in the digital economy and data privacy. The staff and budget size would give the DPA the expertise, personnel, and resources to effectively respond to consumer complaints regarding tech companies, actively enforce the laws it would be tasked with, and consult with relevant stakeholders (such as civil society, industry, or users) regarding the best allocation of its resources.

Feasibility in this section means the logistical ease of operations. It is relatively more feasible for Congress to empower the FTC with additional funding and rulemaking authority to enforce a federal privacy law than it is to have Congress create a new agency for this purpose.

On a basic level, empowering the FTC is more feasible than standing up a new agency because of path dependency. The FTC would be better positioned than other existing agencies to become the U.S.’s official data privacy agency because it already enforces some sectoral privacy statutes and brings enforcement actions under its general consumer protection authority, and regularly hosts bilateral discussions on data privacy and security with data protection authorities from around the world.¹³⁹ While the FTC has not always effectively utilized its authority, the FTC’s accumulated experience places it in a position to become the enforcer of a comprehensive privacy legislation more quickly than a DPA.

If Congress did establish a DPA through legislation, it would need to overcome substantial barriers to stand up a new independent agency. The case of the PCLOB—the Privacy and Civil Liberties Oversight Board—is instructive. Congress established the PCLOB as an independent agency in 2007 to review counterterrorism activities to ensure that they include adequate safeguards for privacy and civil liberties.¹⁴⁰ However, the agency did not actually come into existence until 2012 when the Senate confirmed its first four board members.¹⁴¹ This five-year period delayed the agency’s ability to fulfill its mission and serve the public.

After authorization of the entity and confirmation of leadership, a new independent agency will face basic hurdles to set up agency infrastructure and operations that can be mitigated through agency design. A new agency needs office space; internet, email, and phone service; and a complete complement of staff including not only subject matter experts but also everything from human resources to internal information technology specialists. At a prior OTI panel, David Medine, who served as the first chairman of the PCLOB and also previously served as special counsel at the CFPB, argued that a new agency should “sit on the structure of the old agency until it’s ready to separate.”¹⁴² Medine noted that unlike with the PCLOB, the CFPB staff benefited from being able to use Treasury Department payroll, email, and website infrastructure before the agency was ready to stand on its own. The Brown DPA is the only DPA proposal to use this model of operating on the Federal Reserve System infrastructure.¹⁴³ Therefore, while it is more feasible for an existing agency to begin its enforcement duties, a DPA could avoid initial operational problems that other new agencies have faced if it utilized an existing agency’s infrastructure.

In this report, we have endeavored to use six metrics—authority, independence, resistance to regulatory capture, effectiveness of enforcement, budget, and feasibility—to assess proposals for an expanded FTC or a new DPA to enforce a new federal privacy law. As these proposals are refined and new ones are introduced, we should continue to use these criteria to measure the strengths and weaknesses of each option. Neither the FTC nor a new DPA is inherently a better option across all of the metrics we have identified. Moreover, members of Congress can take steps to design solutions to optimize a proposal’s performance on each of these standards.

Given the importance of digital privacy to civil rights,¹⁴⁴ commerce,¹⁴⁵ and self-determination,¹⁴⁶ the question of which agency will enforce a national privacy regime cannot and should not be taken lightly. As Congress considers the various comprehensive privacy bills, members should consider the different factors that affect optimal agency design for the enforcement of a federal privacy law.