New Government Accountability Office Recommendations May Expand FTC Powers

This post is authored by Matthew Bonner, a third-year student at Drexel University’s Thomas R. Kline School of Law. Mr. Bonner is a legal intern with the XPAN Law Group.

Unlike the European Union, the United States still lacks an adequate federal framework to protect data users’ privacy rights. The GDPR provides landmark privacy rights for data subjects. It also imposes fines for violations that can total up to 20,000,000 EUR. Currently, the Federal Trade Commission (“FTC”) serves as the primary federal agency tasked with enforcing data privacy rights. In recent years this agency has pursued action against tech giants such as Snapchat, Facebook, and Myspace. The FTC derives much of its enforcement power from Section 5 of the Federal Trade Commission Act.

Section 5 grants the FTC the authority to prohibit “unfair or deceptive acts or practices in or affecting Commerce.” FTC Act, 15 U.S.C. §45. The FTC must complete multiple steps in order to impose any liability upon entities that violate Section 5 of the FTC Act. First, the FTC must issue an order for a company to cease and desist the deceptive or unfair practices, but the Act does not allow fines to be issued with this order. 15 U.S.C. §45(b). Second, the company may appeal this order within sixty (60) days in the court of appeals where the alleged actions occurred. 15 U.S.C. §45(c). Third, the order becomes final after the petition period expires, or if the court rejects the petition. 15 U.S.C. §45(g). Finally, only after a cease and desist order becomes final may the FTC impose penalties of up to $10,000 per violation. 15 U.S.C. §45(l). Ultimately, the Commission has the power under 15 U.S.C. §45(b) to modify, alter or set aside its order. The Act further narrows the FTC’s enforcement power because violations only occur if the entity committed an unfair or deceptive trade practice with “actual knowledge or knowledge fairly implied on the basis of objective circumstances. . .” 15 U.S.C. §45(m)(1)(A). Finally, because Section 5 only governs “unfair or deceptive acts or practices in or affecting commerce,” no baseline privacy standard exists. 15 U.S.C. §45(a)(1). This allows companies to craft lax privacy standards that will be found legal as long as they never deceive their customers. Id.

The current issues plaguing the FTC have not gone unnoticed. In January 2019, the Government Accountability Office (“GAO”) recommended that Congress implement sweeping changes to the FTC Act which would greatly strengthen the FTC’s ability to enforce data privacy standards. GAO serves as an influential nonpartisan agency which advises Congress on how to maximize the efficiency of spending tax dollars. Historically, GAO has effectively spurred change within federal agencies, and between 1983 and 2008 it enjoyed an 81% implementation rate of its recommendations. Federal agencies implement recommendations regarding information security at an even higher rate: 94%. Id.

The GAO report noted on pages 20-21 that between 2008 and 2018, the FTC only initiated 101 actions against companies for violations of the FTC Act, and of these actions only two resulted in civil penalties due to violations of the order.

Most importantly, the content of the 56-page report proposes radical changes affecting data privacy which seem to recommend a data privacy regulation similar to the GDPR. For example, GAO recommended three major changes on page 2: (1) the creation of a federal statute regarding Internet privacy which would clearly state “prohibited behavior;” (2) the granting of rulemaking authority to consumer protection agencies; and (3) enabling the FTC to impose fines against first-time offenders of relevant privacy laws. On page 38, GAO tasked Congress with considering what agency should enforce data privacy law, what authority such an agency should have, and finally how to balance industry needs against consumer data privacy. GAO will meet with the House Energy and Commerce Committee on February 26, 2019 to discuss the findings of the report. Although the recommendations of GAO are nonbinding, this hearing may finally influence Congress to draft legislation which more clearly defines data privacy rights in the United States. Greater flexibility to impose high fines would likely help deter companies from mishandling consumers’ data. Also, the added power of rulemaking authority means more institutional competence in the context of data privacy laws. Finally, heightened clarity in American data privacy standards would enable effective enforcement, and likely increase consumer protection.



Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic data discovery, you should consult a licensed attorney in your jurisdiction.