Published by The Lawfare Institute
in Cooperation With
Editor’s Note: This article originally appeared on TechTank.
The Federal Trade Commission is a small but resilient federal agency with an outsized influence on the commercial marketplace. It fights fraud and deception, protects consumer privacy, and promotes competition using both law enforcement and an array of policy tools (workshops, reports, education, etc.) that amplify its reach and impact.
However, as it begins its 108th year, the FTC faces some significant challenges. Its legal authority to return money wrongfully taken from consumers is under threat. It is strapped for resources. And it badly needs a stronger federal law to protect the privacy of the American public. Fixing these problems will require action from Congress, hopefully in 2021. But even without Congressional action, there are structural and policy steps the FTC can undertake to increase its reach and effectiveness. Here are five ideas:
Establish a New "Bureau of Data Protection"
The FTC has two primary bureaus, the Bureau of Consumer Protection (BCP) and the Bureau of Competition (BC), reflecting the agency’s dual mission to protect consumers and promote competition. (The FTC’s third bureau, the Bureau of Economics, provides economic analysis to support the two missions.) Within BCP, a division of just 40 to 50 staff is responsible for most of the FTC’s privacy and security work, including its law enforcement actions, regulations, public workshops, reports, and policy guidance. Although both bureaus handle issues related to the collection and use of consumer data (and the market power derived from that data), they mostly do so separately.
This structure is no longer workable for the FTC or the American public. Today, consumer data is one of the key drivers of the marketplace, variously described as its “lifeblood,” “oil,” “currency,” “DNA,” or “frontier”—pick your metaphor. Companies collect data at every turn, and data breaches and abuses are rampant. Tech platforms have used our data to amass enormous and excessive market power, leading to widespread calls that they be reined in or broken up. In addition, privacy and competition issues are converging, as illustrated by repeated investigations of tech platforms by both bureaus.
For these reasons, it’s time for the FTC to create a new Bureau of Data Protection by moving staff from BCP and BC to the new bureau and giving it a unified data protection focus. The FTC could do this without legislation, so long as it obtained approval of its Congressional Appropriations Committees.
The new bureau would be responsible for privacy and security enforcement and related policy initiatives. It also would handle issues at the intersection of competition and privacy, such as mergers involving large amounts of consumer data, or practices like blocking “third party” cookies that appear to place privacy and competition in conflict. Significantly, the new bureau would not just protect “privacy,” but would also address broader data protection concerns, including anticompetitive data practices and the use of data for fraud, racial profiling, and discrimination. While increased legal authority and resources (including more technologists) will be needed to fully realize the potential of the new bureau, there are good reasons to create this bureau now.
First, it would elevate the FTC’s data protection mission, and create a dedicated office that more closely resembles data protection agencies across the world, such as the EU’s Data Protection Authorities. Second, it would ensure early and direct input from both privacy and competition staff on all data protection matters—something that does not naturally occur under the FTC’s current structure. Third, it would be a logical home for coordinated investigations of the tech platforms and—if Congress would grant it—stronger oversight over these entities akin to the supervisory authority the banking agencies and the Consumer Financial Protection Bureau exercise over financial entities. Fourth, with the two FTC missions now working in tandem, the new bureau could provide greater transparency to the public about the relationship between competition and privacy, an ongoing source of confusion. Finally, the new bureau could frame and plan its new mission, recommend ways to build and strengthen it, and make clear to stakeholders here and abroad that the FTC envisions a bold future for data protection.
Clarify Role and Priorities for the Bureau of Economics
The FTC’s Bureau of Economics (BE) supports the agency’s dual missions by performing economic analysis to build the FTC’s cases, and evaluating the impact of the FTC’s actions. It is staffed with approximately 100 economists and research assistants divided between the two missions. For years, however, it has struggled to define its role and manage its resources effectively.
Certainly, BE has done invaluable work analyzing the economic impact of regulations, developing the detailed analysis needed for antitrust enforcement, calculating injury and penalties, analyzing ad substantiation, and studying issues like credit report accuracy and patent abuse. But during my 26 years at the FTC, it spent far too much time trying to opine on every matter in the agency, including the Bureau of Consumer Protection’s many routine fraud cases, and cases following established precedent. A 2015 Inspector General report found that BE was the only FTC bureau with no strategic plan or process to evaluate its performance; that individual economists, more than agency needs, drove its research agenda; and that better coordination and planning were needed to ensure that BE could provide the economic support requested by the other bureaus. That same year, an article by a longtime BE deputy director described an organization that had struggled for decades to define its role at the agency.
It’s possible that some of these problems have improved since I left the FTC in 2017. However, with the recent change in FTC leadership, now is a good time to evaluate whether BE is providing the economic support the agency needs most. In particular, BE could use its in-house expertise to alleviate the enormous cost of expert witnesses that is crushing the agency. It also could do empirical analysis to evaluate what practices cause the greatest harm, warranting particular attention, and how the FTC’s efforts have impacted consumers and businesses. In addition, BE could conduct much-needed research (see below) to determine whether the FTC is reaching and protecting underserved communities.
Reinvigorate and Expand the FTC's Every Community Program
Fraud can have a disproportionate effect on certain communities, such as seniors, veterans, African Americans, and Latinos. As a result, during my tenure at the FTC, we created and scaled up an ambitious project called Every Community, the goal of which was to ensure that the agency was reaching and protecting the diverse communities victimized by fraud.
The project included consumer surveys, outreach to community organizations, and data analysis by BE. Among BE’s findings was that Black and Latino communities experienced fraud at higher rates than white communities but reported fraud to the FTC at lower rates—in other words, they were underreporting fraud, highlighting a key challenge for the FTC in reaching and protecting these communities. In making its findings, BE staff had to perform a detailed analysis of fraud and census data, since the FTC’s complaint database contained very limited demographic data.
The FTC should expand this program, especially in light of the recent Executive Order on racial equity and underserved communities, Acting Chairwoman Rebecca Slaughter’s commitment to these issues, and the enhanced data protection mission proposed above. As part of this expanded program, the FTC should collect more demographic data (with appropriate safeguards) to enable the type of analysis discussed above, and task BE with additional studies of the FTC’s reach and impact on different communities. The FTC also should consider hiring experts on racial equity and inclusion to assist with this important work.
Issue a Commission Policy Statement on Consumer Harm
For years, there has been ongoing debate and confusion about what constitutes consumer harm for purposes of FTC law enforcement and policy. One reason is that the agency’s most definitive discussion of the issue, the Unfairness Policy Statement, was written in 1980—decades before the modern internet was invented, before everyone had a mobile device recording their every move, and before the tech platforms, social networks, and algorithmic decision-making dominated our lives.
The FTC’s unfairness statement has proved to be surprisingly durable, but its discussion of consumer harm is woefully outdated. Notably, it focuses mostly on economic harm and doesn’t discuss the many other forms of injury enabled by modern technology, particularly in the area of privacy and data security. Indeed, over the last two decades, the FTC has taken action against a wide range of harms that are non-economic in nature—including spying through rent-to-own computers and smart TVs, surreptitious use of consumer data by a vendor, the posting of women’s nude photos without their permission, “material retroactive changes” to privacy policies without consent, and the failure to provide reasonable security for genetic information, prescriptions, sexual profiles, and other sensitive data. While the FTC has discussed these types of harms in informal staff reports and comments, it has not summarized or enshrined them in an official, Commission-level policy statement.
A new policy statement on consumer harm would update old thinking, educate the public, and lay the foundation for stronger FTC enforcement and policy efforts. It also could explain when the FTC must prove harm as an element of the law versus when it considers harm as a matter of prosecutorial discretion. With so much precedent under the FTC’s belt, now is a good time to undertake this effort.
Convene a Public Workshop on Privacy "Third Rails"
Without a strong federal privacy law, the FTC will continue to be hampered in its efforts to protect the privacy of American consumers. As the agency has made clear time and again, the laws it now enforces contain many gaps in protection and does not allow the FTC to seek civil penalties for violations in most instances. Meanwhile, Congress has debated whether to pass a federal privacy law for over 20 years, but keeps getting stuck on the same issues—in particular, whether the federal law should preempt state privacy laws and whether to authorize private rights of action. Many stakeholders view these issues in “yes” or “no” terms, and have not sufficiently explored potential middle grounds, such as those suggested on this blog last year.
To facilitate progress on these issues, the FTC should host a public workshop to explore and highlight such middle grounds. In order to ensure a productive discussion, the workshop should focus on potential solutions, not on restating arguments “for” or “against” preemption and private rights of action. It also should feature speakers with diverse perspectives. Given the FTC’s privacy expertise and experience holding public workshops, it would be a natural convenor for such a discussion.
As the FTC starts a new year alongside a new administration, its commissioners are already identifying ways to reform and strengthen the agency. I hope they will add these five ideas to the list.