https://www.nytimes.com/2019/08/12/opinion/ftc-privacy-congress.html

Aug 12, 2019

Give the F.T.C. Some Teeth to Guard Our Privacy

The agency lacks the legal authority and resources to be a fully effective watchdog. Congress should fix this.

By Jessica Rich

You might think that after the Federal Trade Commission levied a $5 billion fine against Facebook for privacy violations relating to Cambridge Analytica, the agency has great power to protect our privacy on the internet.

But in fact the F.T.C. lacks both the legal authority and resources to be fully effective in this area. The reason? Congress has repeatedly declined to enact a broad-based federal privacy and data security law setting strong privacy standards, codifying penalties for wrongdoers and allocating the staff and funds necessary to enforce the law nationwide.

It's not as if no one has thought about this issue. Since the late 1990s, consumer advocates, industry leaders and the F.T.C., among others, have at various times urged Congress to pass such a law, but to no avail. With a few exceptions, the F.T.C.'s legal authority over privacy is the same as it was before the internet was invented.

I'm all too familiar with this problem. I served as the F.T.C.'s top career privacy staff member for almost 15 years, and its director of the Bureau of Consumer Protection from 2013 to 2017. During that time, I was one of the people who repeatedly represented the F.T.C. before Congress on privacy issues.

We reviewed multiple draft privacy bills, testified on some of them, and responded to countless inquiries from individual members of Congress and their staffs. There was lots of activity, but Congress never acted.

There are many reasons for congressional inaction. Privacy cuts across multiple congressional committees, which makes it logistically difficult to draft and enact a privacy law. Most businesses, until recently, vigorously fought off new legal requirements, even while complaining that the current rules governing privacy aren't clear. Consumer advocates haven't always been as effective as they could be, adopting out-of-reach positions and declining to budge. And the F.T.C.'s requests for more authority have varied with each new administration, and have at times been overly cautious.

Recent events, including the Facebook debacle, passage of demanding privacy laws in Europe and California, and growing concern among the public, have altered these dynamics, giving hope to privacy proponents that we have finally reached the moment when a federal privacy law could pass.

But, despite these signs, congressional efforts appear to have stalled. Further, some of the focus has shifted to concerns about the alleged political bias of social media platforms, an entirely separate matter that has little to do with consumer privacy.

The F.T.C. has nevertheless built a strong privacy program based largely on the Federal Trade Commission Act, which was passed more than 100 years ago, long before personal computers, the internet, social media or mobile phones were invented. This general-purpose law is supplemented by a few sector-specific privacy laws, like the Children's Online Protection Act, which give the F.T.C. stronger authority to act in specific areas of the marketplace.

The F.T.C. Act gives the agency a lot to work with. The agency can investigate fraud, deception and clearly harmful practices by a wide array of companies. It can bring enforcement actions stopping such conduct and getting back money that consumers have lost. It can study trends in the marketplace and issue studies. And it can use the bully pulpit to call out troubling practices and educate the public, just as any government agency can.

Using this authority, the F.T.C. has challenged the privacy practices of some of the biggest companies (and prominent users of consumer data) in the world, including Facebook, Google, Twitter, Equifax, Microsoft, Uber, Wyndham and many others.

But the F.T.C. Act is not enough to protect privacy. Each action against these tech companies, for example, required painstaking investigation before the agency could obtain even the most basic privacy relief for consumers. Some also prompted controversy and litigation over the parameters of the F.T.C.'s privacy authority. At times, facing the reality of the limits on its powers, the agency has had to pull its punches.

Under the F.T.C. Act, the agency can't set normative privacy standards that all companies must follow, such as requiring them to post a privacy policy, limit the consumer data they collect and retain, refrain from certain uses of that data or give consumers choices about how their data is used. Sure, the agency might be able to get this type of relief against a particular company following proof of specific and harmful misconduct, but it can't set these standards on an industry-wide basis.

Also, the F.T.C. can't generally impose penalties on privacy wrongdoers, unless they're already under an order for previous wrongdoing -- as in the case of Facebook. Yes, it can get back money that consumers have lost, or order companies to "disgorge" their profits from illegal activities. But all of this can be very difficult to calculate in privacy, and even more difficult to prove in court, as many plaintiffs have learned in privacy class actions and similar litigation. That's why the ability to obtain penalties is so important.

The F.T.C. has limited jurisdiction over key industry sectors, like telecommunications companies, and no jurisdiction over banks or nonprofit entities. And absent clearer authority to order conduct relief and obtain penalties for privacy violations, the F.T.C. constantly faces obstacles in court, leading it to rely, more often than many would like, on the greater certainty of negotiated settlements. A strong privacy mandate from Congress could set clear limits on how consumer data can be used, and give the F.T.C. greater power to enforce these limits in litigation.

Finally, in addition to these many legal constraints, the F.T.C. is woefully understaffed in privacy, with some 40 full-time staff members (as of the spring) dedicated to protecting the privacy of more than 320 million Americans. This compares to hundreds of staff members in Britain, and almost 150 each in Ireland and Canada -- all countries with far smaller populations than the United States.

To adequately police privacy in this country, the F.T.C. needs more lawyers, more investigators, more technologists and state-of-the-art tech tools. Otherwise, it will continue to operate on a shoestring, forgoing certain investigations and understaffing others.

It's time for Congress to give the F.T.C. the increased authority and resources it has needed for the last 25 years. Let's not let the perfect be the enemy of the good as we debate, intellectualize, testify, criticize -- and continue to leave the F.T.C. holding the bag.

I'm not saying it's simple, but establishing basic privacy norms that all companies must follow, coupled with civil penalties for first-time violations and about 100 new staff members, would be a huge step in the right direction.

Jessica Rich, a former director of the Federal Trade Commission's Bureau of Consumer Protection and a manager of its privacy program, is consulting for Privacy for America, a coalition that supports enactment of a federal consumer privacy law.
