FTC Outlines Potential Changes to Enhance Privacy and Security Enforcement Efforts If Given More Resources

Wilson Sonsini Goodrich & Rosati

Wilson Sonsini Goodrich & Rosati

On June 19, 2020, the Federal Trade Commission (FTC) submitted to Congress two reports that Congress requested in connection with the spending bill that funds the FTC. One of these reports (the "Resources Report") describes the resources used and needed by the FTC to protect consumer privacy and security, and the second (the "Authorities Report") describes the FTC's use of its existing authorities to protect consumer privacy and security.

The Resources Report states that while the FTC has used its "existing resources effectively, and [has] brought more cases, and obtained larger fines, than any other privacy enforcement agency in the world," with additional resources, the FTC "could better ensure that American consumers' privacy is adequately protected." The Resources Report describes specific structural changes the FTC would consider if given such resources. If enacted, these changes would significantly increase the agency's enforcement activity in the privacy and data security areas.

According to the Resources Report, the FTC's data privacy and security efforts are largely handled by 40-45 employees in its Division of Privacy and Identity Protection. In comparison, the U.K. Information Commissioner's Office has 700 employees, and the Irish Data Protection Commissioner has about 180 employees. The FTC states in the Resources Report that it should have "a more comparable number of employees [to these agencies]" given it is the federal entity primarily responsible for protecting consumers' privacy and data security.

The Resources Report notes that, even with its comparatively low number of employees, the FTC has utilized its current resources effectively. The FTC has brought over 633 privacy and security related cases, with billions of dollars ordered in monetary relief and civil penalties. However, the FTC states that its efforts could be enhanced by the creation of at least three separate additional units with the following responsibilities:

First, the FTC would create one or more units to expand its ability to launch new investigations. These units would: (1) investigate more online services for Children's Online Privacy Protection Rule (COPPA) violations; (2) investigate new technologies that have the potential to result in substantial consumer harm, such as biometrics and artificial intelligence; (3) devote additional staff to enforcement involving the collection, use, and disclosure of sensitive data; and (4) continue to take on larger, more complex investigations that may lead to litigation.

Second, one or more units would devote additional resources to order enforcement. The FTC would expand the staff that can conduct compliance reviews of existing privacy and data security orders, building upon resources from the existing Enforcement Division.

Third, one or more units would focus on policy, case generation, and targeting. Among other things, this unit would monitor markets for new risks to consumers, review referrals from privacy and security researchers, and serve as a hub for technical and market expertise as needed on cases. With additional resources, the FTC could also conduct extensive industry studies pursuant to its authority under Section 6(b) of the FTC Act, similar to its past studies regarding mobile device manufacturers and the data broker industry.

Commissioner Chopra issued a separate statement accompanying the reports suggesting, among other things, that the FTC use its existing authority and resources more effectively, that the FTC apply the same hard line standards to large firms that it applies to small firms, cooperate more with state attorneys general, and conduct more industry-wide studies. Chairman Simons and Commissioners Phillips and Wilson issued a separate statement countering Commissioner Chopra's arguments but agreeing that "with more authority and more resources, [the FTC] could do more." The dueling separate statements reflect ongoing division among the Commissioners regarding appropriate relief and penalties in privacy and security cases.

The separate Authorities Report outlines the FTC's authority under the FTC Act (specifically focusing on Section 5), discusses the FTC's other work to deter unfair and deceptive conduct in privacy and data security matters, and concludes by discussing challenges to and limitations on its authority, such as F.T.C. v. Credit Bureau Center, LLC, 937 F.3d 764 (7th Cir. 2019) (holding section 13(b) does not authorize restitution).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising

Written by:

Wilson Sonsini Goodrich & Rosati

Wilson Sonsini Goodrich & Rosati on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.