Article
from Belfer Center for Science and International Affairs, Harvard Kennedy School

The Role of the Federal Trade Commission in Federal Data Security and Privacy Legislation

Federal Trade Commission building

The Federal Trade Commission (FTC) is the nation’s primary consumer protection body, and while some have called for a new data protection agency, most believe the FTC should be the body responsible for data security and privacy. Indeed, the FTC already enforces some privacy legislation and seeks to expand on its role in data privacy. As federal data and privacy bills are considered, it is therefore critical that we understand the role the FTC might play in overseeing and enforcing such legislation as well as the important role that lawmakers will have in setting parameters for the FTC.

The issues related to rulemaking and enforcement authority are especially important and complex. Unchecked or overly prescriptive authority risks unwieldy regulation that could harm innovation and business, but too little authority risks insufficient protection from privacy harms and overly rigid protections that cannot adapt to rapidly changing technology. We must work to avoid both ends of this spectrum and, instead, strike a balance that ensures that the FTC is appropriately resourced to deliver on the agency’s promise to protect citizens and their data.

As a result of our engagement with stakeholders, we believe the key to striking the right balance lies in “guided FTC rulemaking” in a federal law, echoed by privacy experts and private sector companies alike. With such an approach, Congress would be tasked with establishing clear guardrails and definitions around the type of rulemaking authority the FTC could use, the targeted areas in which that authority could be applied, and the means by which such efforts could be undertaken. Parameters for assessing penalties would also be key in ensuring that the enforcement of violations is carried out in a way that upholds compliance rather than conveying a perception of unguided fining.

This publication—the second in a series of three main articles—explores these issues and provides recommendations for what we consider to be the most reasonable solutions.

CONSIDERATIONS AND OPTIONS

This section addresses the key question and options available to lawmakers in considering the FTC’s role in federal privacy legislation. There are four categories of questions:

  • What type of rulemaking authority should the FTC be given and under which laws should that authority be granted?
  • For which aspects of a data security and privacy law should the FTC be granted targeted rulemaking authority?
  • How will the FTC handle the enforcement of federal privacy legislation (e.g., assessing violations, determining whether a warning is warranted, determining fines) and should the FTC provide regular guidance to companies beyond enforcement?
  • How should these efforts be funded and organized (e.g., budget amount, personnel needed, phased funding, new FTC bureau)?

Below, we explore these considerations and options, bringing together our assessments of four major federal privacy bills (two Democratic, two Republican), interviews with stakeholders, and a review of existing research.

Consideration #1: Current Authorities Under Which the FTC Can Operate

The FTC is the nation’s consumer protection body and it generally operates under the FTC Act and additional rules that it promulgates pursuant to the Magnuson-Moss Warranty Act (MMWA) of 1975. This differs from other federal agencies in that the Administrative Procedures Act (APA) is more commonly the primary rulemaking authority.

Although Section 18 of the FTC Act authorizes the Commission to create rules specifying and governing unfair and deceptive acts or practices (currently the Commission’s key tool for addressing data privacy and security), MMWA rulemaking requires a much more lengthy and cumbersome process (to include publishing an Advanced Notice of Proposed Rulemaking, publishing a Notice of Proposed Rulemaking for public comment, holding informal hearings, publishing the final rule, and—after all of this—any person may seek judicial review within 60 days), which is largely why the authority has rarely been used since its inception in 1975.

The APA is the standard authority granted to most federal agencies to create, amend, or appeal rules. The authority, which is known as “notice and comment,” requires agencies to publish a notice of proposed rulemaking in the federal register and provide ample time for public comment, among other requirements. APA authority must be specifically granted to the FTC by Congress in legislation; currently, the FTC has been directed to use this authority for specific laws, such as the Children’s Online Privacy Protection Act (COPPA) and the Telemarketing and Consumer Fraud and Abuse Prevention Act. According to the U.S. Chamber of Commerce, rules promulgated under APA authority on average took less than a year to adopt versus five years for those under MMWA.

To address the lengthy rulemaking procedures of MMWA, the FTC recently worked to streamline the process; however, it must be noted that, despite the changes (including as the Commissioner’s statement notes: “providing the Commission with greater accountability and control over Section 18 rulemaking, deciding the final list of disputed material facts to be resolved, deciding who will make oral presentations to the Commission and who will cross examine or present rebuttals submissions”), the requirements are still difficult to meet and may not eliminate many of the obstacles that held up previous attempts at rulemaking under the authority. However, the FTC has stated that it intends to use these updated procedures in new rulemakings on privacy issues—an approach encouraged by the Biden Administrationto address privacy and security because Congress has not yet been able to. This has drawn concern with regard to the lack of oversight and the agency’s capacity to enforce such rules.

Consideration #2: Areas for Rulemaking

Under the current MMWA rulemaking procedures, the FTC is theoretically free (notwithstanding its resource limitations) to create multiple rules to address “unfair and deceptive practices.” In its Statement on Regulatory Priorities, the Commission indicated that it intends to create, among other areas, rules to curb lax security practices, limit surveillance abuses and ensure that algorithmic decision-making does not result in unlawful discrimination. This has caused some concern among stakeholders across the spectrum. On one end, companies fear unchecked rulemaking and enforcement; on the other, advocates fear the inability to oversee and enforce these rules broadly.

Four of the main legislative proposals—Sen. Maria Cantwell’s (D-Wash.) Consumer Online Privacy Act (COPRA), Sen. Roger Wicker’s (R-Miss.) SAFE Data Act, Sen. Sherrod Brown’s (D-Ohio) DATA 2020 (which would create a Data Accountability and Transparency Agency rather than place principal enforcement and rulemaking authority with the FTC) and Sen. Jerry Moran’s (R-Kan.) Consumer Data Privacy and Security Act (CDPSA)—have collectively identified the following areas for FTC rulemaking:

  • Determining which data elements qualify for enhanced protections under the term “sensitive covered data” (COPRA, SAFE Data Act and CDPSA)
  • Designating approved processes for covered entities to implement to allow individuals to opt out of transfers of covered data (COPRA)
  • Identifying circumstances that would require organizations to obtain individuals’ explicit consent for processing personal data (CDPSA and SAFE Data Act)
  • Setting requirements for covered entities to adequately respond to individuals’ rights requests in a timely fashion, including requests to access, correct and delete personal data (CDPSA)
  • Establishing regulations for biometric data (COPRA)
  • Identifying unlawful, unfair, deceptive or abusive acts or practices in connection with the collection, use or sharing of personal data (under a new data protection agency; DATA 2020)
  • Identifying processes (in consultation with the National Institute of Standards and Technology [NIST]) for receiving and assessing information regarding vulnerabilities to the security of covered data that are reported to the covered entity (SAFE Data Act)

Consideration #3: Enforcement

The FTC’s role in the enforcement of the law and subsequent rules is also important to navigate smoothly. Legislation from both sides of the aisle generally aligns on the scope of FTC enforcement: With the exception of Brown’s DATA 2020 Act (which calls for an entirely new agency), each of the four main bills described above provides that a violation of the privacy law (or a regulation promulgated under the privacy law) “shall be treated as a violation of a rule.” These provisions would allow the agency to seek monetary relief “to redress injury to consumers,” including refunds, damages and “public notification respecting the” underlying violation. Such authority would supplement—not replace—other FTC enforcement mechanisms, including penalty authority.

Here, we present the most controversial and intractable issues of FTC enforcement: the collection of penalties and associated frameworks, the right to cure, the role of state attorneys general and how fines would be used.

  • Collection of penaltiesAs with the other provisions described in this document, the aim of robust enforcement is compliance and protection, not lawsuits and collection of penalties. If left undefined, the parameters of first-time fining authority could be viewed as controversial by businesses, resulting in overly burdensome fines on well-meaning companies on one end and insufficient mechanisms for halting egregious and continuing harms on the other.

Each of the four main bills grants the FTC (or another future data protection agency) the authority to collect civil penalties in violation of the law (or rules promulgated under the law) and to treat violations as unfair and deceptive practices under the FTC Act. Historically, business groups have balked at this, claiming that the FTC has failed to provide specific, detailed guidance on what is deemed “unfair and deceptive.”

The CDPSA is more prescriptive in the authority it would grant the FTC; it limits penalties per violation “up to $42,530 multiplied by the number of individuals affected” and designates a number of considerations for the FTC in determining penalties, such as the degree of harm; intent in committing the violation; size, complexity and resources of a covered entity; reasonable expectations; degree of compliance; self-reporting; and steps taken to address the violation. This is similar to how COPPA determines its penalties but differs from the current enforcement of unfair and deceptive practices for general privacy violations. However, it must be noted that many experts have commented on the difficulty of translating privacy harms into quantitative amounts.

Although the CDPSA is more specific in outlining how the FTC may seek penalties, it does not determine where penalties would go or how they would be used. The other main bills identify the creation of a victims’ relief fund, which the Commission could draw from to issue payments to victims of harmful data practices. Some have stated that the funds should be deposited into the general U.S. Treasury and be usable by the federal government for general public good. Others have suggested that the funds not only go toward victims’ relief but also toward helping small and medium businesses bolster their data privacy and security compliance. We present the following options:

    • Penalties obtained by the FTC and the attorney general could be deposited into a Data Privacy and Security Victims’ Relief Fund which would provide redress, payments or compensation, or other monetary relief to individuals.
    • Funds could also be used “for the purpose of consumer or business education relating to data privacy and security or for the purpose of engaging in technological research that the Commission considers necessary to enforce.”
    • Funds could also be used to help with data privacy and security compliance for small- and medium-sized businesses, especially in the early years of the law, and could be shared with the Cybersecurity and Infrastructure Security Agency (CISA) to assist with their outreach and services.
  • Right to cureAdvocates decry the right to cure as a “first bite at the apple,” arguing that entities don’t get multiple chances to correct a crime in other cases. Other stakeholders disagree, asserting that—with a new federal privacy law—there will surely be confusion in interpretation and practice, especially among small entities that don’t have the resources for a full-scale privacy effort. The use of a warning letter for small- and medium-sized covered entities identifying the violation and outlining the steps that must be taken to remediate it has been put forth as a potential solution. While this may appear similar to a right to cure, the emphasis would be placed more on the path toward understanding and compliance than penalty; however, after some time, if the covered entity has not addressed its violating practices, the FTC could then look to initiate action.
  • Safe harbor guidanceThis type of provision is currently in use with COPPA and would allow “industry groups or others [entities] to submit for Commission approval self-regulatory guidelines that implement the protections of the Commission’s final Rule.” In receiving approval, an entity would be considered “in compliance” unless that approval was revoked for a violation or a change in the entity’s practices. Critics of COPPA safe harbor have stated that self-regulation has not worked well in the past because of the lack of oversight. Regardless, if the FTC were to have more capacity and resources, it would be better equipped to issue guidance and best practices on a regular basis, thus helping covered entities achieve compliance rather than solely taking them to court.
  • Role of state attorneys generalThe final question is that of the role of state attorneys general with regard to the FTC and whether the attorneys general could seek separate action against a covered entity for the same violation. Advocates assert that both should be allowed to do so, as the state may have a separate complaint against the entity. Not surprisingly, industry disagrees, citing concerns about multiple lawsuits that would place a heavy burden on companies. Of course, there is an argument for states’ rights in this discussion—one that many are hesitant to disregard entirely. As such, bills on both sides of the aisle allow state attorneys general to bring a suit on behalf of a state’s constituents.

Consideration #4: Capacity

Most stakeholders agree that the FTC is not appropriately resourced (in either staff or budget) to regulate or enforce privacy. The Commission’s current annual budget is approximately $351 million, but in its privacy mission, it employs 61 people at $13 million. For context, the United Kingdom’s Information Commissioner’s Office has a budget of approximately $90 million with 822 permanent staff, and Ireland’s Data Protection Commission has a budget of approximately $18 million with 138 permanent staff. Both countries have more data privacy officers than the United States but have significantly fewer citizens to protect. The U.S.’s capacity to address data security and privacy is out of sync with the degree of potential harms and threats.

In a letter written to Representative Frank Pallone (D-N.J.) in 2019, then-FTC Commissioner Joe Simons laid out what he could do with additional funding: With $50 million of funding per year, the FTC could hire and retain 160 more staff members; with $75 million, the FTC could hire and retain 260 more staff members; and with $100 million, the FTC could hire and retain 360 more staff members. Those staff members would join the 40 current (at that time) staff members ​​in the Division of Privacy and Identity Protection, expanding the Commission’s capacity to bring approximately 20 cases per year to 180 cases per year and enabling the agency to enforce not only any future federal data privacy and security law but also COPPA and the Fair Credit Reporting Act. Simons also estimated that he would need an additional 10 to 15 technologists to join the 5 on staff at that time and cited the need for additional infrastructure, such as office space.

Although the major federal bills (with the exception of DATA 2020, which argues for the creation of a new data protection agency) designate the FTC as the enforcement body and note that the FTC is currently under-resourced, they differ on the approaches they recommend to bolster those resources. The CDSPA grants the FTC the ability to grow to 440 personnel but doesn’t authorize specific funding to get there (though it does note the need for additional experts like technologists). The CDPA also directs the FTC in its regulation and enforcement authority but designates no specifics for its growth in funding or personnel. COPRA directs the creation of a new FTC bureau but leaves out specifics on budgetary and personnel needs. Of note, the Build Back Better (BBB) infrastructure bill also proposed $500 million over seven years for the development and growth of a new FTC bureau to enhance its ability to work on data privacy and security matters.

RECOMMENDATIONS

After assessing the many considerations and options for the role of the FTC above, below we list our recommendations and rationales. Of note, we do not recommend safe harbor provisions or the right to cure. Our goal is to strike a balance between ensuring safety for the consumer; preserving the ability to innovate and deliver services to businesses; and protecting our national security. We acknowledge that we cannot satisfy every stakeholder’s wish, but we have taken key interests into account and offer below what we believe to be the most prudent courses of action.

Recommendation #1: AuthorityA federal privacy bill should grant the FTC targeted rulemaking authority under Section 5, Administrative Procedure Act.

A bill should grant authority under Section 5 of the Administrative Procedure Act. Targeted rulemaking under the APA allows Congress to provide necessary oversight while not slowing the process—thus allowing the FTC to be agile and responsive to changing technological conditions and privacy harms. We recommend the following additional considerations:

  • As a prerequisite to rulemaking, the FTC must demonstrate any harm brought about by new technology and business models.
  • The law should specify ample time for stakeholders to comment (no less than 90 days).

Recommendation #2: Targeted Rulemaking Areas—Rules must be made clear with limited interpretation left to organizations. 

It is impossible to enumerate all the areas for which the FTC should create rules without having a bill—or a crystal ball—to consult. But the point of rulemaking is to ensure that the law can keep up with evolving technology, business models and the harms that develop with them. Therefore, targeted rulemaking means that the FTC should be allowed to update regulatory provisions as defined by Congress that it has deemed inadequate to address the new harms brought about by technological change, but the agency must clearly demonstrate the need to do so through its rulemaking procedures. As such, a federal privacy law must determine the standard for proof of harm. Furthermore, to ensure the best enforcement of data security, the FTC should be directed to work in coordination and consultation with the relevant security agencies (e.g., CISA, NIST, Office of the National Cyber Director).

Recommendation #3: Enforcement—The aim of a federal law should be for broad compliance and increased consumer data security and privacy, not to collect fines.

To move toward improvements and ensure a balanced bill, Congress should designate the FTC as the primary federal enforcer and allow state attorneys general to bring suit on behalf of that state’s constituents—but not in parallel. Congress should also grant the FTC and state attorneys general the authority to collect civil penalties for violations of a data privacy and security law and rules promulgated as part of that law. However, the following conditions should be met:

  • Congress should give covered entities two years to comply with the basic provisions laid out in legislation once the law is signed before the FTC is authorized to enforce it.
  • Clear penalty criteria and explanatory framework should be developed based on the type of covered entity, the intent and actions to correct, and the measure of harm as defined by Congress (such as how Sen. Moran’s CDPSA bill does).

As a matter of practice to ensure broad compliance, the FTC should use warning and remediation letters and should issue and update best-practice guidance regularly. Specific recommended tactics include:

  • Warning letters describing violations and steps for remediation should be issued to covered entities when needed.
  • Congress should require the FTC to release regular and specific guidance around the law and subsequent rules to help covered entities understand and comply, especially small and medium businesses and nonprofits with limited means.
  • Fines should go into a victims’ relief fund mirroring COPRA and CDPA and a data privacy and security fund (a split that Congress should determine).

Recommendation #4: Capacity—The FTC needs staffing and budget increases to be fully effective. 

Continuing with the status quo will result in little-to-no increase in resources for the FTC to carry out its duties, especially if federal privacy legislation is passed. Failure to provide more resources to the FTC would hamstring its ability to protect consumers by limiting its capacity to investigate suspected or alleged violations and enforce rules.

Therefore, Congress should allocate an additional $500 million for a new FTC Bureau of Data Security and Privacy, allowing it to grow to 360 personnel over the next five years, which is in line with former FTC Commissioner Joe Simons’ recommendations. We also recommend an additional $100 million for capital infrastructure and technology upgrades. It’s worth noting the need to focus on hiring diverse staff to address the varied nature of privacy threats and harms. Therefore, we recommend that bills require the hiring of technologists, privacy experts and other experts from varying fields to appropriately identify harms and ways to combat them. Although different stakeholders are advocating for both lower and higher resource and staff allotments for FTC privacy functions, our recommendation reflects the middle ground in the debate.

About this series: This is part of a series considering the major stumbling blocks of federal data security and data privacy efforts. It draws upon existing research and interview data to identify the most salient issues within data security and data privacy and recommend the most appropriate courses of action in an effort to find compromise on federal legislation.

Recommended citation

Zabierek, Lauren, Tatyana Bolton, Brandon Pugh, Sofia Lesmes and Cory Simpson. “The Role of the Federal Trade Commission in Federal Data Security and Privacy Legislation.” Belfer Center for Science and International Affairs, Harvard Kennedy School, June 14, 2022