Published by The Lawfare Institute
in Cooperation With
Divisions over private right of action and federal preemption have long gridlocked efforts to enact federal consumer privacy legislation. Cameron Kerry and John Morris have outlined nuanced proposals for resolving both issues here on Lawfare (private right of action and preemption) and in their longer Brookings Institution report with Caitlin Chin and Nicol Turner Lee.
But fine-tuning these contested issues may not be enough to break the gridlock or to produce a competent system for enforcing any federal consumer privacy law. In a paper we are making public today, we go beyond private right of action and preemption to consider enforcement frameworks outside the privacy field. The paper is based on workshops we convened in late 2020 with experts from financial services regulation, environmental law, labor law, intellectual property and other fields. We find that, to a remarkable degree, the realization of public policy goals often depends on enforcement mechanisms and remedies that have not yet received much attention in the privacy debate. These tools applied in other arenas may offer ideas for assembling an effective web of enforcement for a federal privacy law.
In the U.S., the dominant model of federal regulation is based on supervision, not on investigation and complaint. Under the supervision model, government overseers have routine access to information about the activities of regulated entities, and those monitors can take a variety of actions short of investigation, complaint and litigation that change practices of a business.
Most large federal regulators have authority for some combination of both supervision and investigations but, for many large agencies, supervision is the primary form of enforcement. The Federal Trade Commission, the likely locus of privacy enforcement powers under any new federal law, is an outlier in this regard. The agency was designed to rely primarily on investigations led by lawyers. Over time, the FTC has developed more supervision-like activities, and many major tech companies are already under supervision for past privacy or data security failings. But so far, the FTC’s use of its supervision powers generally comes only after investigation and complaint. Also, where the FTC does put companies under ongoing supervision, there are concerns that the third-party assessments the agency relies on to track compliance are not rigorous. One path to effective privacy enforcement may be to shift FTC emphasis to supervision.
In our paper, we rely heavily on the research of Boston University law professor Rory Van Loo. Among his many insights: The supervision model may be well matched with the rise of privacy compliance departments inside corporations. Also, most federal monitoring agencies have at their disposal a graduated continuum of enforcement options, and at many agencies, the options most frequently exercised are those outside the court system. Federal regulators can recall toys and automobiles. Monitors at the Federal Energy Regulatory Commission can issue public noncompliance notices. The Food and Drug Administration’s inspections group issues thousands of warning letters every year. Compliance varies across time and agencies, but there are indications that companies in diverse industries cooperate when informally advised to take a course of action. A similar mix of enforcement options may work well in the privacy context.
Our paper also draws on lessons from environmental law, relying on the work of Ohio State University law professor Dennis Hirsch. Environmental law has adopted innovative ways of dealing with small, collective and intangible harms. As a baseline, there are statutory requirements, such as emission limits, that the government enforces. By focusing on whether a regulated company exceeded an objective standard, the government does not have to demonstrate the causality and harm required of traditional tort plaintiffs. Another interesting approach in environmental statutes is the concept of natural resource damages to account for degradation of common resources. This allows for the measurement of collective and intangible harms, something that would be an important feature in the privacy context because many privacy interferences have subtle but population-wide effects.
Another powerful enforcement innovation in environmental law is the citizen suit, found in almost every federal environmental protection law. These provisions authorize any affected individual to sue any person (including any government agency) alleged to be in violation of a standard or to sue the Environmental Protection Agency itself for failure to perform any duty that is not discretionary. Typically in these proceedings, attorneys fees can be awarded to successful plaintiffs.
Many regulatory systems also rely on private-sector enforcers, such as certification bodies, self-regulatory organizations, accountants, lawyers and other “gatekeepers.” In recent years, the use of gatekeepers across many sectors has expanded and, moreover, has changed in that the large corporations have themselves been enlisted as gatekeepers, regulating the conduct of their third-party service providers. As Van Loo has written, “[P]olicymakers have begun relying on third-party enforcement by the real gatekeepers of the economy: the firms who control access to core product markets.” Already we see the power of gatekeepers in the privacy context, as browser makers require express, just-in-time consent for disclosure of location information and Apple moves to bar from its store apps that do not comply with its tracking transparency rules. Policymakers may want to look for ways to further leverage the power of browsers, operating systems and other technical intermediaries.
We discuss much more in our paper, including the emergence of injunctive-only relief (plus attorneys’ fees) in a few recent privacy and data security cases.
Finally, two overarching points emerge from our research: Remedies provided for in statutes should be tied to policy goals, and a regime pursuing even a single clearly defined goal may require multiple enforcement mechanisms. In many realms, policy enforcement is not just about compensating individuals for the harms they have suffered but also aims for deterrence. Considering remedies through a deterrence theory framework reveals just how complex and interdependent the necessary remedies might be. Before developing a system of remedies, therefore, policymakers should define their goals. In the privacy field, it is not at all clear that has been done yet.