Enforcement of Privacy Laws
There are two main forms of enforcement in U.S. privacy laws: government enforcement, typically by an agency of relevant jurisdiction or State Attorneys General, and private right of action, the ability for an individual or group of individuals to pursue legal action to enforce their rights.
Government Enforcement of Privacy Laws in the U.S.
In the absence of a comprehensive federal privacy law, the FTC has used its authority under the FTC Act, passed in 1914, to fill some of the gaps left by federal sectoral privacy laws. The FTC Act established the agency to enforce a ban on “unfair methods of competition in or affecting commerce.” In 1938, Congress authorized it to enforce a prohibition on unfair and deceptive acts and practices (UDAP), creating the FTC’s dual mission to promote competition and protect consumers. This UDAP authority is rooted in and commonly applied to false advertising.
EPIC helped establish the FTC’s authority for consumer privacy and has urged the FTC to safeguard American consumers in cases involving Microsoft, Google, Facebook, Uber, Samsung and others. From 2009 to 2019, the FTC filed 101 internet privacy enforcement actions (source: Gov’t Accountability Office.) Almost all ended in settlements. However, even when the FTC reaches a consent agreement with a privacy-violating company, the Commission rarely enforces the Consent Order terms. Two prominent examples are the FTC failure to enforce the consent order against Google even after the FTC chair warned that Google’s consolidation of Internet services would be bad for consumers, and the agency’s failure to enforce the consent order against Facebook even after repeated violations, including the transfer of user data to Cambridge Analytica, were widely known. Over the last decade, because of the FTC’s failure to act, the problem has grown dramatically from cookie tracking to ubiquitous, cross-device mass surveillance of individuals and communities.
The United States needs a new approach. While the FTC helps to safeguard consumers and promote competition, it is not a data protection agency.
The US needs a federal data protection agency focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges.
The United States Needs a Data Protection Agency
The United States is one of the few democracies in the world that does not have a federal data protection agency, even though the original proposal for such an institution emerged from the U.S. in the 1970s. The United States was once a global leader on privacy. The Fair Credit Reporting Act, passed in 1970, was viewed at the time as the first modern privacy law—a response to the growing automation of personal data in the United States.
But today, Europe has surpassed the United States in protecting consumer data. The General Data Protection Regulation, which took effect last year, strengthens the fundamental rights of individuals and puts consumers back in control of their personal data. It gives European data subjects rights to breach notification (within 72 hours of breach), right to access (whether or not personal data concerning them is being processed, where and for what purpose), right to be forgotten (to have the data controller erase his/her personal data, and data portability (the right for a data subject to receive the personal data concerning them and to transmit that data to another controller). American data subjects have none of these rights. American companies will be required to provide these protections to Europeans but not to Americans, creating a digital lower class. U.S. companies are leaders in technology, and the U.S. government should be a leader in technology policy.
There is an urgent need for leadership from the United States on data protection. Virtually every other advanced economy has recognized the need for an independent agency to address the challenges of the digital age. Current law and regulatory oversight in the United States is woefully inadequate to meet the challenges. The Federal Trade Commission is fundamentally not a data security agency. The FTC only has authority to bring enforcement actions against unfair and deceptive practices in the marketplace, and it lacks the ability to create prospective rules for data security. The Consumer Financial Protection Bureau similarly lacks data protection authority and only has jurisdiction over financial institutions. Neither of these agencies possess the resources needed to address data security.
As the data breach epidemic reaches unprecedented levels, the need for an effective, independent data protection agency has never been greater. An independent agency can more effectively utilize its resources to police the current widespread exploitation of consumers’ personal information. An independent agency would also be staffed with personnel who possess the requisite expertise to regulate the field of data security.
Our current privacy laws are woefully out of date and fail to provide the necessary protections for our modern age. We also now face threats from foreign adversaries that target the personal data stored in U.S. companies and U.S. government agencies. The U.S. urgently needs a Data Protection Agency.
Privacy Laws Should Provide for a Private Right of Action
The inclusion of a private right of action with statutory damages is a crucial tool to supplement government enforcement, particularly for marginalized communities. If a company violates federal privacy law, individuals and groups of individuals, or their agents, should be able to pursue a private right of action that provides meaningful redress without a showing of additional harm. State Attorneys General should also be given enforcement authority in privacy laws.
State Attorneys General and Privacy Enforcement
State Attorneys General have historically played a strong role in privacy enforcement, largely stemming from their consumer protection watchdog role. Danielle Citron wrote a seminal article on the role of State Attorneys General in 2017.
Recent Documents on Enforcement of Privacy Laws
EPIC has filed comments with the FTC asking the agency to finalize a proposed Consent Order that would permanently ban SpyFone from the surveillance business and require the stalkerware company to delete the personal data that it stole.
EPIC's report "What the FTC Could Be Doing (But Isn't) to Protect Privacy" highlights numerous statutory authorities that the Federal Trade Commission has failed to use to safeguard privacy. EPIC identifies untapped or underused powers in the FTC's toolbox and explains how the FTC should deploy them to protect the public from abusive data practices.
US Court of Appeals for the Seventh Circuit
Whether a person can sue only for the first time their data is collected or disclosed without consent in violation of the Illinois Biometric Information Privacy Act ("BIPA").
US Court of Appeals for the Sixth Circuit
Whether the Supreme Court's decision to invalidate and sever the government debt exception from the Telephone Consumer Protection Act's robocall ban requires courts grant retroactive immunity to robocallers for illegal calls made for the five years between the exception's enactment and the Court's decision to sever.
Massachusetts Supreme Judicial Court
Whether the Attorney General can obtain from Facebook factual information derived from the company's investigation of third parties that improperly accessed user data.
Concerning Zoom's ability to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user.
Data Protection Law
Congressional Research Service | 2019
Senator Gillibrand: Pass the Data Protection Act
Data for Progress Blog | 2021
Gillibrand Introduces New And Improved Consumer Watchdog Agency To Give Americans Control Over Their Data
Senator Kirstin Gillibrand | 2021
What the FTC Could Be Doing (But Isn't) To Protect Privacy
EPIC | 2021
Brown Releases New Proposal That Would Protect Consumers’ Privacy from Bad Actors
Senator Sherrod Brown | 2020
Confronting A Data Privacy Crisis, Gillibrand Announces Landmark Legislation To Create A Data Protection Agency
Senator Kirstin Gillibrand | 2020
Eshoo & Lofgren Introduce the Online Privacy Act
Reps. Anna Eshoo and Zoe Lofgren | 2019
Danielle Keats Citron | 2017
The FTC and the New Common Law of Privacy
Daniel Solove and Woodrow Hartzog | 2013