A Billion Dollar FTC?

The House Energy and Commerce Committee, as part of the reconciliation process, last week proposed a massive change to the Federal Trade Commission (FTC) by approving the creation of a vast new FTC bureau dedicated to privacy, data security, and identity theft regulation.  The Committee also authorized one billion dollars, in addition to existing funding, to support the activities of this new bureau.

These are truly unprecedented actions.  Since the creation of the FTC one hundred seven years ago, there has never been a proposed expansion of manpower or funding that approaches this magnitude. This initiative has been taken without any specific hearings on this proposal or any effort to identify with any specificity how this extraordinary infusion of funding and other resources will be utilized.  The proposal also completely fails to do anything to affect the growing number of inconsistent privacy laws in the states that increasingly threaten to impose major costs, disruption, and confusion on the internet marketplace.

Let me be clear: ANA and many other associations and companies are strong supporters of the creation of a new FTC Privacy Bureau and further funding and staff to support this effort.  This support, however, is predicated on the development of a national privacy law that spells out in detail the appropriate use of data and their concomitant privacy protections.  It also assures that the FTC will be the key privacy regulator by requiring the preemption of inconsistent privacy laws.  We also support providing the FTC with renewed restitution and disgorgement authority under section 13(b), which the U.S. Supreme Court struck down, but only if it is directed to bad actors who intended to violate the FTC Act or should have known their actions were in violation of this authority.  For companies that may have inadvertently stepped over the line, the FTC should continue its long-standing practice of imposing consent decrees before demanding  financial penalties.

ANA believes the detailed draft bill put forward by Privacy for America (P4A) is an excellent foundation for a new FTC Bureau of Privacy and Data Security. It clearly delineates specific per se privacy and data violations.  Spelling out these standards very clearly is essential to make consumers aware of their protections and rights and puts businesses on notice about the guidelines and guardrails controlling their privacy-related actions.  Along with these per se rules, P4A’s bill appropriately vests the FTC with new authority to amend (pursuant to a cost/benefit analysis assessment) the law’s prohibited practices and accountability requirements, as needed; to bring civil actions to address unreasonable data practices; and to establish a new bureau focused on privacy issues operating under new specific requirements that is reasonably staffed to carry out its mission.  And the P4A bill would preempt inconsistent state laws. 

That’s the way to do this: set out strong, clear and reasonable privacy requirements, while beefing up the FTC’s enforcement resources.  Unfortunately, the House Committee’s proposal addresses resources but doesn’t specify guidelines or standards.   Consequently, the FTC’s enormous new bureau would undoubtedly go through a period of trying to identify its precise mission, be incentivized to justify its existence, and could produce an onslaught of perhaps well-intended but ineffective privacy constraints.   Businesses and consumers in the meantime would be left to wonder exactly what privacy rules and protections exist and how they might be interpreted and enforced.

Given the narrow margin of Committee approval of the House bill (31-27), it’s not certain that this proposal will survive through House and Senate deliberations.   But it is clear that the House Committee chose to bestow a lot of money on the FTC, resulting in a dramatic rearrangement of the FTC’s priorities and mission.  Rather than just throwing a bucket full of dollars at the agency’s data efforts without any direction, consumers and businesses would be far better served by a national law like that proposed by P4A to clearly delineate privacy rules of the road, preempt inconsistent state laws, and reasonably augment the FTC’s enforcement authority and resources.  A new FTC privacy bureau shouldn’t be launched without simultaneously passing a meaningful national privacy law.  It’s past time for Congress to take that action, affording America’s taxpayers the best bang for the buck when it comes to privacy and data security.