For all the debate over the last year on how to craft a new privacy law, there’s one point nearly everyone agrees on: We need a stronger cop on the beat. Consumers deserve a data regulator with the proper authority, resources, and staff. Such oversight has probably never been more necessary, given the vital role consumer data now plays in driving our economy.
Some have suggested stronger data oversight should come from an entirely new agency created by Congress. While we share that dedication to better enforcement, the reality is that there’s no need to build something from scratch. More effective would be to create a new, data-focused arm of the existing Federal Trade Commission and to give it adequate tools to both monitor the marketplace and protect consumers.
The FTC is the right choice for this role because it’s long been the agency at the forefront of the federal government’s approach to privacy. Indeed, the Commission has led this charge for the last half century, protecting consumers through law enforcement actions, policy efforts, and consumer education. Its track record, especially over the last 15 years, shows there’s no reason to shift that responsibility elsewhere. Even as it’s been bound by insufficient resources and limited authority from old statutes, the agency has pursued cases and secured consent decrees against virtually every big name in the technology industry, including Facebook, Google, Apple, Twitter, Snapchat, and Uber.
Some might argue that the agency’s actions haven’t gone far enough. If so, that’s a reflection of insufficient authority and resources – not a lack of interest from the Commission. Luckily, this is exactly what a privacy law would rectify. Our framework for legislation, for example, would clearly define and prohibit practices that put personal data at risk or undermine accountability. The FTC’s authority would be expanded to nonprofits and common carriers for purposes of the new law and the agency would be granted rulemaking authority to address certain new data practices that put consumer data at risk. It would dramatically increase the amount of funding and staff available to the agency, thereby improving its real-world ability to enforce privacy law nationwide. Perhaps even more importantly, our approach would give the Commission new authority to seek fines against a company for first-time violations. This power, which the FTC currently lacks, would greatly assist it in more forcefully responding to the privacy transgressions that are repeatedly making headlines.
Fortunately, the FTC’s leadership is clearly eager to take on this mantle – and that organizational energy is important. When Chairman Joe Simons spoke at the annual Consumer Electronics Show in Las Vegas earlier this month, he said it would be a “huge mistake” to create a new data protection commission, calling his agency “the most active privacy enforcer on the planet – and we’re doing that with a 100-year-old statute.” This isn’t a situation where an agency’s leadership or staff is at odds with the law or regulations they’re asked to uphold. Rather, a data protection bureau at the FTC – one that has sufficient tools and authority to go after bad actors – would simply give the agency a more effective way of doing the work it’s already endeavoring to do.
We all want a privacy regulator that knows what it’s doing and has the means to enforce new legislation. By giving the FTC enhanced civil penalty authority, more staff and resources, and an expanded power to conduct rulemakings, Congress can transform an established and effective authority into a robust 21st-century guardian of American privacy.