Enforcement of Privacy Laws
Background
There are two main forms of enforcement in U.S. privacy laws: government enforcement, typically by an agency of relevant jurisdiction or State Attorneys General, and private right of action, the ability for an individual or group of individuals to pursue legal action to enforce their rights.
Documents
Government Enforcement of Privacy Laws in the U.S.
In the absence of a comprehensive federal privacy law, the FTC has used its authority under the FTC Act, passed in 1914, to fill some of the gaps left by federal sectoral privacy laws. The FTC Act established the agency to enforce a ban on “unfair methods of competition in or affecting commerce.” In 1938, Congress authorized it to enforce a prohibition on unfair and deceptive acts and practices (UDAP), creating the FTC’s dual mission to promote competition and protect consumers. This UDAP authority is rooted in and commonly applied to false advertising.
EPIC helped establish the FTC’s authority for consumer privacy and has urged the FTC to safeguard American consumers in cases involving Microsoft, Google, Facebook, Uber, Samsung and others. From 2009 to 2019, the FTC filed 101 internet privacy enforcement actions (source: Gov’t Accountability Office). Almost all ended in settlements. However, even when the FTC reaches a consent agreement with a privacy-violating company, the Commission rarely enforces the Consent Order terms. Two prominent examples are the FTC’s failure to enforce the consent order against Google even after the FTC chair warned that Google’s consolidation of Internet services would be bad for consumers, and the agency’s failure to enforce the consent order against Facebook even after repeated violations, including the transfer of user data to Cambridge Analytica, were widely known. Over the last decade, because of the FTC’s failure to act, the problem has grown dramatically from cookie tracking to ubiquitous, cross-device mass surveillance of individuals and communities.
The United States needs a new approach. While the FTC helps to safeguard consumers and promote competition, it is not a data protection agency.
The US needs a federal data protection agency focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges.
The United States Needs a Data Protection Agency
The United States is one of the few democracies in the world that does not have a federal data protection agency, even though the original proposal for such an institution emerged from the U.S. in the 1970s. The United States was once a global leader on privacy. The Fair Credit Reporting Act, passed in 1970, was viewed at the time as the first modern privacy law—a response to the growing automation of personal data in the United States.
But today, Europe has surpassed the United States in protecting consumer data. The General Data Protection Regulation strengthens the fundamental rights of individuals and puts consumers back in control of their personal data. It gives European data subjects the right to breach notification (within 72 hours of breach), the right to access (whether or not personal data concerning them is being processed, where and for what purpose), the right to be forgotten (to have the data controller erase his/her personal data), and the right to data portability (the right for a data subject to receive the personal data concerning them and to transmit that data to another controller). American data subjects have none of these rights. American companies will be required to provide these protections to Europeans but not to Americans, creating a digital lower class. U.S. companies are leaders in technology, and the U.S. government should be a leader in technology policy.
There is an urgent need for leadership from the United States on data protection. Virtually every other advanced economy has recognized the need for an independent agency to address the challenges of the digital age. Current law and regulatory oversight in the United States are woefully inadequate to meet the challenges. The Federal Trade Commission is fundamentally not a data security agency. The FTC only has authority to bring enforcement actions against unfair and deceptive practices in the marketplace, and it lacks the ability to create prospective rules for data security. The Consumer Financial Protection Bureau similarly lacks data protection authority and only has jurisdiction over financial institutions. Neither of these agencies possesses the resources needed to address data security.
As the data breach epidemic reaches unprecedented levels, the need for an effective, independent data protection agency has never been greater. An independent agency can more effectively utilize its resources to police the current widespread exploitation of consumers’ personal information. An independent agency would also be staffed with personnel who possess the requisite expertise to regulate the field of data security.
Our current privacy laws are woefully out of date and fail to provide the necessary protections for our modern age. We also now face threats from foreign adversaries that target the personal data stored in U.S. companies and U.S. government agencies. The U.S. urgently needs a Data Protection Agency.
Learn more about EPIC’s campaign for a U.S. Data Protection Agency.
Privacy Laws Should Provide for a Private Right of Action
The inclusion of a private right of action with statutory damages is a crucial tool to supplement government enforcement, particularly for marginalized communities. If a company violates federal privacy law, individuals and groups of individuals, or their agents, should be able to pursue a private right of action that provides meaningful redress without a showing of additional harm. State Attorneys General should also be given enforcement authority in privacy laws.
State Attorneys General and Privacy Enforcement
State Attorneys General have historically played a strong role in privacy enforcement, largely stemming from their consumer protection watchdog role. Danielle Citron wrote a seminal article on the role of State Attorneys General in 2017.
Recent Documents on Enforcement of Privacy Laws
- Complaints
  In re OpenAI
- Testimony
  Hearing on “Federal Trade Commission Practices: A Discussion on Past Versus Present”
  September 19, 2024
- Amicus Briefs
  Calhoun, et al. v. Google
  US Court of Appeals for the Ninth Circuit
  EPIC’s brief supports the Plaintiffs’ arguments that a jury could find that a reasonable user understood Google’s specific heightened privacy promises contained in the Chrome Privacy Notice to mean that Google would not collect the information it expressly promised not to and therefore that Google did not establish the affirmative defense of consent.
- Comments
  Disrupting Data Abuse: Protecting Consumers from Commercial Surveillance in the Online Ecosystem
  Federal Trade Commission Proposed Trade Regulation Rule on Commercial Surveillance & Data Security
Top Updates
EPIC Statement on Recent Attacks Against the CFPB
November 27, 2024
Resources
- Data Protection Law
  Congressional Research Service | 2019
- Senator Gillibrand: Pass the Data Protection Act
  Data for Progress Blog | 2021
- Gillibrand Introduces New And Improved Consumer Watchdog Agency To Give Americans Control Over Their Data
  Senator Kirsten Gillibrand | 2021
- What the FTC Could Be Doing (But Isn't) To Protect Privacy
  EPIC | 2021
- Brown Releases New Proposal That Would Protect Consumers’ Privacy from Bad Actors
  Senator Sherrod Brown | 2020
- Confronting A Data Privacy Crisis, Gillibrand Announces Landmark Legislation To Create A Data Protection Agency
  Senator Kirsten Gillibrand | 2020
- Eshoo & Lofgren Introduce the Online Privacy Act
  Reps. Anna Eshoo and Zoe Lofgren | 2019
- The Privacy Policymaking of State Attorneys General
  Danielle Keats Citron | 2017
- The FTC and the New Common Law of Privacy
  Daniel Solove and Woodrow Hartzog | 2013