On June 19, 2020, the Federal Trade Commission (FTC) submitted to Congress two reports that Congress requested in connection with the spending bill that funds the FTC. One of these reports (the "Resources Report") describes the resources used and needed by the FTC to protect consumer privacy and security, and the second (the "Authorities Report") describes the FTC's use of its existing authorities to protect consumer privacy and security.
The Resources Report states that while the FTC has used its "existing resources effectively, and [has] brought more cases, and obtained larger fines, than any other privacy enforcement agency in the world," with additional resources, the FTC "could better ensure that American consumers' privacy is adequately protected." The Resources Report describes specific structural changes the FTC would consider if given such resources. If enacted, these changes would significantly increase the agency's enforcement activity in the privacy and data security areas.
According to the Resources Report, the FTC's data privacy and security efforts are largely handled by 40-45 employees in its Division of Privacy and Identity Protection. In comparison, the U.K. Information Commissioner's Office has 700 employees, and the Irish Data Protection Commissioner has about 180 employees. The FTC states in the Resources Report that it should have "a more comparable number of employees [to these agencies]" given it is the federal entity primarily responsible for protecting consumers' privacy and data security.
The Resources Report notes that, even with its comparatively low number of employees, the FTC has utilized its current resources effectively. The FTC has brought over 633 privacy and security related cases, with billions of dollars ordered in monetary relief and civil penalties. However, the FTC states that its efforts could be enhanced by the creation of at least three separate additional units with the following responsibilities:
First, the FTC would create one or more units to expand its ability to launch new investigations. These units would: (1) investigate more online services for Children's Online Privacy Protection Rule (COPPA) violations; (2) investigate new technologies that have the potential to result in substantial consumer harm, such as biometrics and artificial intelligence; (3) devote additional staff to enforcement involving the collection, use, and disclosure of sensitive data; and (4) continue to take on larger, more complex investigations that may lead to litigation.
Second, one or more units would devote additional resources to order enforcement. The FTC would expand the staff that can conduct compliance reviews of existing privacy and data security orders, building upon resources from the existing Enforcement Division.
Third, one or more units would focus on policy, case generation, and targeting. Among other things, this unit would monitor markets for new risks to consumers, review referrals from privacy and security researchers, and serve as a hub for technical and market expertise as needed on cases. With additional resources, the FTC could also conduct extensive industry studies pursuant to its authority under Section 6(b) of the FTC Act, similar to its past studies regarding mobile device manufacturers and the data broker industry.
Commissioner Chopra issued a separate statement accompanying the reports suggesting, among other things, that the FTC use its existing authority and resources more effectively, that the FTC apply the same hard line standards to large firms that it applies to small firms, cooperate more with state attorneys general, and conduct more industry-wide studies. Chairman Simons and Commissioners Phillips and Wilson issued a separate statement countering Commissioner Chopra's arguments but agreeing that "with more authority and more resources, [the FTC] could do more." The dueling separate statements reflect ongoing division among the Commissioners regarding appropriate relief and penalties in privacy and security cases.
The separate Authorities Report outlines the FTC's authority under the FTC Act (specifically focusing on Section 5), discusses the FTC's other work to deter unfair and deceptive conduct in privacy and data security matters, and concludes by discussing challenges to and limitations on its authority, such as F.T.C. v. Credit Bureau Center, LLC, 937 F.3d 764 (7th Cir. 2019) (holding section 13(b) does not authorize restitution).