Revamped FTC or New Agency

To provide context into our analysis of whether data privacy should be regulated by the FTC or a new agency, we will first detail the current shortcomings of FTC regulation of data privacy along with proposals to address these limitations in authority and resources. Next, we will explain why a growing number of lawmakers and members of civil society are calling for the establishment of a new agency that would be narrowly focused on enforcing federal privacy law. Finally, we will briefly outline the three bills put forward by lawmakers.

Federal privacy law in the United States consists of many distinct statutes that regulate data practices in different industries rather than a comprehensive or “omnibus” approach. While Congress has delegated enforcement authority for several specific privacy statutes to the FTC, that has never included general privacy authority. Under this sectoral approach to privacy, the enforcement of privacy statutes is delegated to different federal agencies based on subject matter. For example, the Health Insurance Portability and Accountability Act (HIPAA) is enforced by the U.S. Department of Health and Human Services,¹ the Family Educational Rights and Privacy Act is enforced by the U.S. Department of Education,² and the Telephone Consumer Protection Act is enforced by the Federal Communications Commission (FCC).³

Congress has assigned the FTC enforcement responsibility for the Children's Online Privacy Protection Act (COPPA),⁴ the Fair Credit Reporting Act,⁵ the Fair and Accurate Credit Transactions Act,⁶ the Gramm-Leach-Bliley Act,⁷ the Identity Theft Assumption and Deterrence Act,⁸ the Telemarketing and Consumer Fraud and Abuse Prevention Act,⁹ and the Controlling the Assault of Non-Solicited Pornography and Marketing Act.¹⁰ These statutes comprise only a small fraction of the 82 statutes enforced by the FTC.¹¹

The FTC is an enforcement agency with the dual mission to protect consumers and promote competition in the American economy.¹² The agency has three bureaus: the Bureau of Competition, the Bureau of Consumer Protection, and the Bureau of Economics.¹³ The Division of Privacy and Identity Protection is one of eight divisions within the Bureau of Consumer Protection.¹⁴ Despite privacy comprising such a small component of the FTC’s organizational structure, the agency has been treated as the de facto privacy authority in the United States.

The Federal Trade Commission Act of 1914 gave the FTC authority to stop “unfair or deceptive acts or practices in or affecting commerce” (UDAP),¹⁵ and the commission applies this authority to privacy and data security where a sector-specific privacy statute is inapplicable. The FTC applies UDAP authority to questions of data privacy not covered by specific statute because the United States does not have a designated general privacy authority.¹⁶ What constitutes an “unfair or deceptive” activity with regard to data processing has been decided on a case-by-case basis over many years in a process that scholars have labelled a “Common Law of Privacy.”¹⁷ With a privacy law in place, a regulator would be able to refer to a set of codified data privacy standards rather than rely primarily on a common law approach.

It is the norm among industrialized countries to have independent regulators for privacy and data protection and omnibus—rather than sectoral—privacy laws. The United States is the only country in the Organisation for Economic Co-operation and Development (OECD) without a DPA.¹⁸ The Global Privacy Assembly began in 1979 and convenes 130 privacy and data protection authorities from around the world.¹⁹ The FTC represents the United States at these convenings, even though the United States is one of the few countries without a dedicated privacy agency.²⁰ European countries have had DPAs since a 1995 EU directive.²¹

The FTC fulfills some of the roles that foreign privacy authorities do, including collaborating with European DPAs on enforcement matters.²² However, the FTC cannot be considered America’s privacy regulator because there are several other U.S. agencies that enforce various privacy statutes. In the absence of comprehensive privacy legislation, the United States does not have an omnibus privacy law to enforce.²³ The FTC’s existing role as the closest approximation to a U.S. privacy regulator has led many lawmakers drafting federal comprehensive privacy legislation to propose delegating enforcement authority to the FTC.²⁴ Competing proposals to delegate enforcement of privacy legislation to a new DPA have challenged the assumption that the FTC should enforce an omnibus privacy law. This report seeks to evaluate the strengths and weaknesses of different enforcement agency approaches.

Stakeholders that advocate for FTC enforcement agree that the agency would need additional authority and resources if Congress decides to delegate enforcement authority of new privacy legislation to the FTC.²⁵ Broadly speaking, these concerns stem from constraints on the agency’s rulemaking authority and resources along with a perception that the FTC has too many competing priorities within its broad mandate to focus sufficiently on regulating data privacy.²⁶ After a brief discussion of these concerns, we will outline the various solutions to these shortcomings proposed by lawmakers and members of civil society.

Privacy advocates argue that current restraints on FTC rulemaking would limit effective enforcement of a future comprehensive privacy law unless Congress explicitly takes steps to address these obstacles. Rulemaking is the process by which government agencies draft and implement regulations in order to fulfill their mandate and implement laws passed by Congress.²⁷ Normally, agencies engage in rulemaking in accordance with the standards set forth by the Administrative Procedures Act (APA).²⁸ However, with a few exceptions, the FTC must adhere to stricter standards for rulemaking under the Magnuson-Moss Warranty Act.²⁹

Congress passed Magnuson-Moss specifically to make rulemaking more burdensome for the agency after a series of FTC rules in the 1970s were perceived by some to be an overextension of the commission’s mandate, particularly the attempted ban on advertising directed at children.³⁰ The Magnuson-Moss procedures include about 20 additional procedures and analysis requirements not found in the APA.³¹

FTC rulemaking under this stricter standard takes, on average, six-times longer than rulemaking done under the APA standard.³² Under APA procedures, the FTC was able to issue rules in 2.94 years on average. Since Magnuson-Moss was passed, it takes the agency 5.57 years on average.³³ Congress has granted APA rulemaking powers to the FTC pursuant to the enforcement of certain statutes, but the commission lacks the ability to utilize the APA standard when dealing with matters of consumer protection that fall outside of these statutes. That is why the FTC is in the peculiar position of being able to utilize APA rulemaking to oversee the privacy of individuals below the age of 13 under COPPA but cannot do the same for adults.³⁴ Congress allowed the FTC to use APA rulemaking 12 times between 1993 and 2009, and the agency was able to issue rules in 287.25 days on average under this typical rulemaking process.³⁵

In a future privacy law, this limitation could easily be addressed by specifying that FTC rulemaking pursuant to the new law would be done under APA rather than Magnuson-Moss standards. FTC Commissioner Christine S. Wilson has advocated for the inclusion of such a provision in any future privacy legislation.³⁶ Proposed privacy bills from both Republicans and Democrats—such as Senator Roger Wicker’s (R-MS) proposal³⁷ and Senator Maria Cantwell’s (D-WA) proposal³⁸—would provide the FTC at least some form of APA rulemaking powers to enforce a new privacy law.

The FTC’s small size and limited resources have also contributed to the agency’s weak privacy enforcement record. As of April 2019, the agency had only about 40 full-time employees overseeing data privacy.³⁹ That’s only about one-third the size of the Irish Data Protection Commission, the lead European authority responsible for supervising Google and Facebook, which is responsible for bringing more cases than any other European DPA. The FTC’s budget and personnel will be discussed in more depth later in the report.

If Congress passes privacy legislation that assigns enforcement authority to the FTC, it could increase the agency’s budget to hire more staff and create a fourth bureau in addition to the agency’s Bureau of Competition, Bureau of Consumer Protection, and Bureau of Economics.⁴⁰ Proponents of creating a Bureau of Technology within the FTC, such as former Commissioner Terrell McSweeny, argue that organizing the work the commission does on technology within its own bureau will enable the FTC to better attract the personnel needed to enforce relevant data privacy laws.⁴¹ Senator Ron Wyden’s (D-OR) Mind Your Own Business Act of 2019 would add 125 new staff to existing bureaus and 50 staff to a new Bureau of Technology.⁴² The FTC could also create a new bureau without legislation if it obtained approval from the Congressional Appropriations Committees.⁴³

Members of Congress have introduced three bills that would establish a new agency to enforce comprehensive federal privacy legislation. These proposals reflect a concern that simply allocating more resources to the FTC or expanding its rulemaking power would not necessarily equip the agency to sufficiently protect user privacy rights. Some argue that the FTC lacks the “digital DNA” to regulate the distinctive digital economy.⁴⁴ Others point to the FTC’s lackluster track record on regulating digital platforms as reason to create a new agency.⁴⁵

DPA proposals call for the creation of a dedicated agency to enforce federal data privacy law. Much of DPA discourse draws from foreign data privacy enforcement models. The Eshoo-Lofgren DPA, in many ways, draws from the EU’s GDPR. In addition to including many of the GDPR’s privacy rights, the Eshoo-Lofgren DPA proposal—and, indeed, most DPA proposals—are modeled after the EU’s Data Protection Authorities, the entities tasked with enforcing the GDPR.⁴⁶ Under the European model, the DPA investigates breaches of privacy laws and, if applicable, levies fines.⁴⁷ In addition to this investigative and punitive function, the DPA consults with industry and civil society to promote compliance and refine the enforcement of federal privacy law.⁴⁸