Despite an ever-deepening crisis of exploitative personal data practices, the United States remains one of the few developed countries in the world with no national data protection agency. To date, Congress has failed to heed calls to establish such an agency—or indeed to enact comprehensive data protection legislation at all.
In the absence of a U.S. data protection agency, the task of regulating and safeguarding data privacy has been spread across various state and federal entities. For general online privacy enforcement, the regulatory responsibility has fallen chiefly to the Federal Trade Commission. The FTC’s mandate includes the power to prohibit unfair and deceptive trade practices, including the unfair and deceptive collection, use, or transfer of personal data. The Commission is also responsible for combatting unfair methods of competition and has specific authority to enforce and issue rules under several targeted privacy laws.
Beginning in the mid-1990s, the FTC took an active interest in the emerging issue of online privacy and held a series of workshops that led, in part, to the passage of the Children’s Online Privacy Protection Act (“COPPA”), the issuance of reports critical of the data practices of early internet companies, and demand for additional regulatory authorities. Unfortunately, the FTC’s early internet privacy proceedings also led to a reframing of privacy law in the United States as being a matter of “notice and choice” and deference to industry-backed “self-regulation.”
Nevertheless, the Commission began in the 2000s to expand the scope of its privacy investigations and eventually formed a Division of Privacy and Identity Protection within the Bureau of Consumer Protection. Since then, the FTC has led significant investigations into privacy violations by both small entities and some of the largest technology companies in the world. But many of these cases did not lead to substantial changes in business practices or monetary penalties, and the agency’s dreams of industry self-regulation have gone largely unfulfilled.
Defenders of the FTC’s lack of effective privacy enforcement have argued that the agency does not have sufficient regulatory or penalty authorities to address the privacy threats posed by modern internet services. And it is true that there are significant limitations in the patchwork of data protection authorities at the FTC’s disposal. For example, the procedures by which the FTC can define unfair and deceptive practices are unnecessarily onerous, and the Commission is limited in its ability to penalize first-time data protection offenders. For these (and many other) reasons, Congress must move quickly to establish a strong, independent, and adequately funded data protection agency.
But the FTC’s failure to rein in the widespread misuse of personal data is not just a function of its limited statutory powers. Too often, the FTC has neglected to use the authority Congress has already given it. The Commission’s repeated failure to take meaningful enforcement action and to block harmful mergers has allowed abusive data practices by Facebook, Google, and other industry giants to flourish. Some statutory authorities, including the FTC’s power to promulgate trade rules, have simply never been used to advance the Commission’s data protection mission.
The purpose of this report is to highlight some of the unused and underused authorities in the FTC’s toolkit. Until Congress acts to create a modern data protection agency in the United States, it is critical that the Commission deploy every available tool to safeguard privacy rights and stem the tide of exploitative data practices. This report is meant as a starting point for the FTC to make the most of the data protection authority it already has.