The Federal Trade Commission says it would consider creating three new units to pursue privacy enforcement investigations if Congress would increase its full-time employee headcount. But there is significant disagreement among FTC commissioners about how any additional resources should be deployed.
In a report for Congress published June 19, the FTC said with more resources it could create a unit to focus on new investigations into violations of the Children’s Online Privacy Protection Act (COPPA). The unit would also investigate potential violations with new technologies like the “Internet of Things, facial recognition, biometrics, and artificial intelligence, as well as stalking apps, revenge pornography, and other technologies that have the potential to result in substantial consumer harm,” the report said.
Another unit would monitor existing enforcement actions, while a third would focus on policy, case generation, and targeting.
While FTC leadership agrees more resources are necessary to expand privacy investigations, Commissioner Rohit Chopra argued in a June 17 statement that the FTC should start enforcing laws already on the books and drafting regulations on issues it has already been authorized to address. He points to energy privacy rules enacted under President George W. Bush that the FTC has yet to enforce and rules for defining practices considered unfair or deceptive.
“Contrary to what many believe, the FTC has several relevant rulemaking authorities when it comes to data protection, but simply chooses not to use them,” Chopra wrote. “Rules do not need to create any new requirements for market participants. In fact, they can simply codify existing legal precedents and enforcement policy to give even more clarity on what the law requires.”
Chopra reiterated a criticism of current FTC enforcement practices that he claims punish smaller firms more harshly than larger ones. And he listed a number of new initiatives the FTC should pursue, including investigating firms more comprehensively for data protection violations. He also advocates for monitoring the monitors and cites PwC’s lax enforcement of the FTC’s 2012 settlement with Facebook as a prime example.
Chopra’s fellow commissioners were not in agreement with many of these suggestions. Chairman Joe Simons and Commissioners Noah Joshua Phillips and Christine S. Wilson wrote in a joint statement assessing these and other suggestions by Chopra to expand FTC privacy investigations: “We do not share his enthusiasm for such an across-the-board increase in regulation.” The commissioners said doing so would amount to “pulling resources away from other priorities.”
The FTC report makes its case for more resources by comparing its full-time headcount to two European data privacy authorities.
The FTC’s privacy enforcement actions are built on the work 40-45 employees in the Division of Privacy and Identity Protection, as well as the privacy-related work of other units within the FTC’s Bureau of Consumer Protection. Chopra estimated the total at 52 employees.
“Despite the relatively small number of employees dedicated to privacy enforcement, we have used our existing resources effectively, and we have brought more cases, and obtained larger fines, than any other privacy enforcement agency in the world,” the FTC said. The agency highlighted the $5 billion privacy enforcement order brought against Facebook in 2019 and the $575-700 million data breach settlement reached with Equifax, also in 2019.
The FTC noted the U.K. Information Commissioner’s office has about 700 employees, and the Irish Data Protection Commissioner has about 180 employees.
“Although these entities have different mandates, as the federal entity primarily responsible for protecting consumers’ privacy and data security in the United States, the FTC should have a more comparable number of employees or access to additional outside resources (such as experts),” the report said.