
Introduction

There is general consensus among members of the U.S. Congress, industry, civil society, and the public that the United States needs federal privacy legislation, but there is no consensus on how such legislation would be enforced and by whom.1 While the seemingly constant barrage of consumer data breaches and pervasive tracking across the internet have numbed the public and led to a sense of “privacy nihilism,” two major scandals in 2017 and 2018 managed to grab the public’s attention and cause Congress to consider policy solutions. Credit bureau Equifax announced in September 2017 that it exposed the personal information of 143 million (later revealed to be 147 million) people.2 Then, in March 2018, journalists broke the story that Facebook’s data practices enabled the harvesting of 50 million (later revealed to be 87 million) users’ personal data, which was sold to political analytics firm Cambridge Analytica.3 Congress held a series of hearings on both incidents and introduced various privacy and data security bills, but ultimately did not pass legislation. The Federal Trade Commission (FTC), however, brought enforcement actions in response to both events and reached settlements with the companies.

The FTC worked with the Consumer Financial Protection Bureau (CFPB) and state attorneys general to reach a settlement with Equifax that created a fund to offer affected consumers either a cash payment of up to $125 or free credit monitoring.4 However, the fund was capped at $300 million,5 and only a small portion of it was set aside for the cash alternative. High demand for cash payments led the FTC to encourage consumers to accept the free credit monitoring option instead.6 Had every affected person filed a claim, the cash payout would have been only about 21 cents each. The settlement administrator then added a further hurdle, requiring claimants to certify that they already had credit monitoring in place in order to receive the cash award.7 The demand for cash payments should have come as no surprise, given that the breach affected roughly half the U.S. population and consumers were unlikely to trust the company that breached their personal information to protect them from identity theft.

The FTC also reached consent orders with both Facebook and Cambridge Analytica, levying a record-breaking $5 billion penalty against Facebook.8 However, senators called the penalty a “far cry from the type of monetary figure that would alter the incentives and behavior of Facebook and its peers.”9 New America’s Open Technology Institute (OTI) commented that Facebook “was rewarded on the stock market for the settlement, the settlement imposed no meaningful restrictions on Facebook’s data collection and sharing practices, and structural changes require a tenacious overseer to ensure compliance or they may lead to nothing.”10 Facebook was already under a 2012 FTC consent order when the Cambridge Analytica data harvesting occurred, yet the third-party assessors responsible for monitoring compliance with that order did not report it. The new consent order requires several changes to Facebook’s privacy practices, but the past failure of the FTC’s assessor-based compliance system calls its efficacy into question.

These two incidents helped Congress recognize that the privacy status quo is not working for consumers—but is it just because the United States lacks adequate privacy laws, or is the FTC also to blame? If Congress passes comprehensive privacy legislation, should the FTC be tasked with enforcing it? Or should Congress create a new agency?

OTI hosted an event and wrote a report in 2019 that explored different mechanisms of enforcement: federal agency (whether FTC or a new agency), state attorneys general and state legislation, and a private right of action empowering individuals to sue.11 This report builds on that work to compare the relative merits of FTC enforcement versus enforcement by a new agency. Data privacy has become an issue of national economic, political, and social significance over the past few decades. The implementation of the European General Data Protection Regulation (GDPR) in 2018,12 the California Consumer Privacy Act (CCPA) in 2020,13 and the passage of the Virginia Consumer Data Protection Act in 202114 have heightened political impetus to implement a comprehensive federal privacy law. Moreover, the California Privacy Rights Act,15 an extensive amendment to CCPA, established a new agency—the California Privacy Protection Agency—to enforce the CCPA/CPRA rather than relying on attorney general enforcement.16

Discussions regarding enforcement of proposed federal privacy laws prior to late 2019 tended to focus on whether enforcement should be shared between the FTC and state attorneys general. A lengthy Congressional Research Service (CRS) report on data privacy laws from March 2019 addresses the possibility of creating a new agency to enforce federal privacy law in only one footnote.17 However, growing recognition of the weak enforcement of the GDPR in the first three years of its existence has heightened the importance of enforcement mechanisms in U.S. privacy legislation.18

This report explores the question of whether comprehensive federal data privacy legislation should be enforced by the FTC or a new agency created by Congress. This report will use the acronym “DPA” to refer to the general concept of a new agency to enforce federal privacy law in the United States. In Europe, this acronym refers to Data Protection Authorities that enforce the GDPR—in this report, those will be referred to as European DPAs.19 In the U.S. context, the acronym DPA covers the different agency titles—Data Privacy Agency, Digital Privacy Agency, Data Protection Agency, and Data Protection Authority—that appear in various bills and proposals. To avoid confusion, this report will discuss particular DPA proposals in reference to their authorizing legislation.

A number of lawmakers, members of civil society, and privacy experts have called for the creation of a dedicated regulatory body to enforce federal privacy law. In 2019, Representatives Anna Eshoo (D-CA) and Zoe Lofgren (D-CA) introduced the Online Privacy Act of 2019, which would create a DPA.20 In 2020, senators introduced two additional federal privacy bills that would establish DPAs: Senator Sherrod Brown’s (D-OH) Data Accountability and Transparency Act21 and Senator Kirsten Gillibrand’s (D-NY) Data Protection Act.22 This report compares these three bills to one another and to FTC enforcement. We also draw comparisons between the DPA proposals and two relatively new federal agencies: the CFPB and the Privacy and Civil Liberties Oversight Board (PCLOB). This report does not cover proposals such as the Digital Platform Agency proposed by former FCC Chairman Tom Wheeler23 and Public Knowledge’s Harold Feld,24 which are sector-specific agencies whose jurisdiction would extend well beyond privacy.

Comprehensive privacy legislation will only have a substantive effect on business practices if there is a federal agency with the will, ability, and resources to enforce the law rigorously. We do not conclude that a new agency or an enhanced FTC is inherently a better enforcement agency. Rather, we argue that Congress should assess the effectiveness of proposals for either type of enforcement model using key metrics: authority, independence, resistance to regulatory capture, effectiveness of enforcement, budget, and feasibility.

This report first explains the differences between proposals that empower the FTC and proposals that create a DPA to enforce privacy legislation. It then explains the similarities and differences between the DPAs proposed by the Eshoo-Lofgren, Gillibrand, and Brown bills. The final section of the report defines each metric, explains why it is important for Congress to consider, and evaluates how an empowered FTC and DPA would compare along the metrics.

Editorial disclosure: This report discusses policies by Facebook and Google, both of which are funders of work at New America but did not contribute funds directly to the research or writing of this piece. New America is guided by the principles of full transparency, independence, and accessibility in all its activities and partnerships. New America does not engage in research or educational activities directed or influenced in any way by financial supporters. View our full list of donors at www.newamerica.org/our-funding.

Citations
  1. Sam Sabin, “States Are Moving on Privacy Bills. Over 4 in 5 Voters Want Congress to Prioritize Protection of Online Data,” Morning Consult, April 27, 2021.
  2. “Equifax Announces Cybersecurity Incident Involving Consumer Information,” Equifax, September 7, 2017.
  3. Carole Cadwalladr and Emma Graham-Harrison, “Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach,” Guardian, March 17, 2018.
  4. “Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach,” Federal Trade Commission, July 22, 2019.
  5. Alfred Ng and Steven Musil, “Equifax data breach may affect nearly half the US population,” CNET, September 7, 2017.
  6. Robert Schoshinski, “Equifax data breach: Pick free credit monitoring,” Federal Trade Commission, July 31, 2019.
  7. Charlie Warzel, “Equifax Doesn’t Want You to Get Your $125. Here’s What You Can Do,” New York Times, September 16, 2019.
  8. “FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook,” Federal Trade Commission, July 24, 2019; “FTC Grants Final Approval to Settlement with Former Cambridge Analytica CEO, App Developer over Allegations they Deceived Consumers over Collection of Facebook Data,” Federal Trade Commission, December 18, 2019.
  9. “Senators Markey, Blumenthal, and Hawley Demand Answers from FTC over Reported Facebook Settlement,” press release, July 16, 2019.
  10. “FTC Announces Historic, Yet Insufficient, Settlement with Facebook for Privacy Violations,” press release, Open Technology Institute, July 24, 2019.
  11. Becky Chao, Eric Null, and Claire Park, “Enforcing a New Privacy Law: Who Should Hold Companies Accountable?,” Open Technology Institute, November 20, 2019.
  12. “General Data Protection Regulation: GDPR,” Intersoft Consulting, June 3, 2017.
  13. “California Consumer Privacy Act (CCPA),” Office of the Attorney General of California (Xavier Becerra), August 14, 2020.
  14. Rebecca Klar, “Virginia governor signs comprehensive data privacy law,” The Hill, March 2, 2021.
  15. “The California Privacy Rights Act of 2020,” IAPP, February 5, 2021.
  16. “California Officials Announce California Privacy Protection Agency Board Appointments,” Office of Governor Gavin Newsom, March 17, 2021.
  17. “Data Protection Law: An Overview,” Congressional Research Service, March 25, 2019.
  18. “GDPR: Three years in, and its future and success are still up in the air,” Access Now, May 25, 2021.
  19. “What are Data Protection Authorities (DPAs)?,” European Commission, June 22, 2018.
  20. “H.R.4978 – Online Privacy Act of 2019,” Congress.gov, December 18, 2019.
  21. “Data Accountability and Transparency Act of 2020,” discussion draft, United States Senate Committee on Banking, Housing, and Urban Affairs, June 18, 2020, www.banking.senate.gov/imo/media/doc/Brown%20-%20DATA%202020%20Discussion%20Draft.pdf
  22. “S.3300 – Data Protection Act of 2020,” Congress.gov, February 13, 2020.
  23. Tom Wheeler, Phil Verveer, and Gene Kimmelman, “New Digital Realities; New Oversight Solutions,” Shorenstein Center on Media, Politics and Public Policy, August 20, 2020.
  24. Harold Feld, “The Case for the Digital Platform Act: Market Structure and Regulation of Digital Platforms,” Roosevelt Institute and Public Knowledge, May 8, 2019.