Thursday, February 27, 2020

FTC Annual Report Offers a Contrasting Perspective to Calls for a New Privacy Agency

On more than one occasion I have written pieces for the Free State Foundation arguing that online privacy oversight should take place exclusively at the federal level. More specifically, at the FTC, the expert agency with substantial institutional knowledge regarding, and experience with, this topic.

Members of both the House and the Senate, meanwhile, have drafted legislation that would transfer FTC authority to an entirely new agency. Two Representatives from Silicon Valley, Zoe Lofgren (D) and Anna Eshoo (D), introduced the Online Privacy Act in November 2019. As I described at the time, that bill would create specific consumer privacy rights (including the authority to access, correct, delete, and transfer personal data) and empower new bureaucracy, the independent Digital Privacy Agency, to enforce its provisions.

More recently, on February 13, 2020, Senator Kristen Gillibrand (D-NY) unveiled the Data Protection Act. The Data Protection Act would establish, and transfer authority previously held by the FTC to, the Data Protection Agency. Specifically, this new independent agency would "have all powers and duties under the Federal privacy laws to prescribe rules, issue guidelines, or to conduct studies or issue reports mandated by such laws, that were vested in the [FTC]…."


The FTC released a report on February 25, 2020, that serves as reminder of the important role that it plays. The Privacy & Data Security Update: 2019 offers an overview of the agency's enforcement efforts over the course of last year. A few highlights:
  • A $5.7 million settlement with Musical.ly – now known as TikTok – regarding charges that it collected children's personal data in violation of the Children's Online Privacy Protection Act (COPPA);
  • A $170 million penalty for YouTube and Google as a result of alleged violations of COPPA;
  • A settlement with Equifax, totaling as high as $700 million, in response to a data breach affecting nearly 150 million people; and
  • 13 enforcement actions against companies for allegedly making false promises relating to the EU-U.S. Privacy Shield framework.