Who Should Enforce Privacy Protections?

The Federal Trade Commission’s (FTC) $5 billion settlement with Facebook over the company’s deceptive privacy practices made a big splash this summer, raising questions about the role the FTC should play in enforcing U.S. privacy laws. While some observers criticized the FTC for not going far enough, others felt the record fine demonstrated the FTC’s willingness to set new precedents for punitive actions—and its unique ability to serve as the cop on the beat.

But that isn’t the end of the conversation.

As Congress drafts legislation to protect individuals’ privacy, it should also consider how it wants those privacy protections enforced. While the FTC has long safeguarded privacy through various federal laws on specific issues, such as children’s privacy and credit information—as well as its Section 5 authority over unfair and deceptive practices—legislators have other avenues for protecting privacy.

Some of these possible enforcement mechanisms were discussed at a recent event hosted by New America’s Open Technology Institute. David Medine, former associate director for financial practices at the FTC, former special counsel at the Consumer Financial Protection Bureau (CFPB), and former Chairman of the Privacy and Civil Liberties Oversight Board, argued in favor of creating a new privacy-focused agency, observing that “privacy has grown from a small piece of the FTC” (where it was originally housed within the advertising and business practices division) to its own separate division. Creating a new agency, he said, would devote resources and funds to the cause without competing with the FTC’s other responsibilities. It could also help combine the administration and enforcement of existing federal privacy laws under one roof.

Similarly, Bob Gellman, a privacy consultant, and Yosef Getachew, director of the media and democracy program at Common Cause, argued that the FTC lacks robust rulemaking authority and that a new agency may be better equipped to adjudicate data-related cases—which can disproportionately harm marginalized communities.

Establishing a separate agency for enforcing privacy, however, can be tricky. Medine and Elizabeth Banker, vice president and associate general counsel for the Internet Association, argued that devoting time and resources to the creation of a new agency might in fact delay enforcement of new privacy protections. The success of a new agency would also depend on a number of uncertain factors, including funding, leadership, and varying staff expertise on privacy and data protection issues. Medine recommended that a new data protection agency follow the CFPB model and be housed within another department until it is ready to become independent.

Still, protecting privacy may be too significant a task for one federal agency to properly address. If that’s the case, Getachew posited, state attorneys general (AGs) could be given authority to enforce the federal privacy law in both federal and state courts. Blake Bee, program counsel at the National Association of Attorneys General, argued that state AGs are more likely to actively enforce privacy laws if they can bring cases in state courts. More generally, Bee said, state AGs can mitigate the impact of regulatory capture and enforce the law when legislators and federal agencies face political pressure—or are influenced by companies and industry members to act counter to the public interest.

Banker pointed out that separate state laws, and varied enforcement of those laws, may make it more difficult for consumers to “keep track of where they are in the U.S, [which companies] they’re dealing with on the other side, and whether that party is subject to the law.” Bee acknowledged this concern but pointed out that “companies and industries do that every day.”

Congress could also add a private right of action to legislation, empowering individuals to bring lawsuits directly against offending companies for privacy violations. Getachew likened a private right of action to other modes of democratic participation, such as voting or calling political representatives. Banker, however, noted that individual and class action lawsuits don’t necessarily clarify the obligations, responsibilities, and consumer protections created by the legislation—nor do they reveal whether a company agreed to settle because of legitimate wrongdoing or litigation costs.

The question of what substantive protections should be included in privacy legislation is only part of the equation. Congress should look carefully at how legislation can be most effectively enforced—which may include opportunities at the federal, state, and individual levels—and pass strong laws to deter continued violations. The future of consumer privacy protections depends on it.