July 19, 2025

Enforcing a New Privacy Law

112319-42-Privacy-Surveillance
Shutterstock

Who should hold companies accountable?

By Becky Chao
Policy Analyst
Open Technology Institute

By Eric Null, J.D.
Senior Policy Counsel
Open Technology Institute

By Claire Park
Research Assistant
Open Technology Institute

Abstract

In the ongoing legislative debate about how to protect individual privacy, Congress must also consider how a new federal privacy law could be enforced. Possibilities for regulating data and privacy practices include creating a new federal agency, expanding the Federal Trade Commission’s current jurisdiction, bolstering the roles of states, and/or empowering individuals with a private right of action to pursue enforcement on their own.

Congress should carefully consider all of these options as it develops federal privacy legislation. The effectiveness of any federal privacy law will depend on enforcement.

This report is the third in a series of reports and events that focuses on important aspects of the privacy debate—covering civil rights aspects of privacy, whether current online business models are conducive to strong privacy protections, enforcement mechanisms, and more.

Executive Summary

Protecting privacy online is fundamental to prevent myriad harms, but current regulation has not sufficiently safeguarded individual privacy to date. As Congress considers enacting federal legislation to protect privacy, it has a variety of options at its disposal for addressing how the new legislation should be enforced.

At present, the Federal Trade Commission (FTC) has the broadest federal jurisdiction over protecting consumer privacy. However, the FTC’s privacy authority is constrained. It does not have the ability to address all privacy concerns, and its scope is limited as an enforcement agency focused primarily on interstate commerce and consumers.

First, the FTC’s current approach focuses on privacy harms that can be quantified in terms of economic damage. Yet privacy encompasses many things that cannot be quantified. Privacy represents soft values with “social, political, and informational consequences”—i.e., it has no clear monetary value. Second, the FTC’s Section 5 authority to take action against “unfair or deceptive acts or practices” does not sufficiently protect privacy. Both causes of action are narrow, and the FTC has rarely invoked its unfairness authority to address privacy abuses. Third, the FTC has limited rulemaking authority under the Magnuson-Moss Warranty-Federal Trade Commission Improvement Act (Magnuson-Moss).

Additionally, the FTC currently lacks the capacity to exercise its jurisdiction over privacy regulations effectively. The FTC has around 40 full-time staff working on privacy issues, which is significantly fewer than many foreign data protection authorities in smaller countries. It is also unclear whether the FTC has the technological expertise it needs to enforce privacy laws.

As an alternative, Congress could consider establishing a new data protection agency, as some experts have argued. Doing so could provide opportunities to create a structure that is better suited to enforcing privacy, including by maintaining some degree of stability or independence across presidential administrations. A new agency dedicated to the cause of privacy enforcement and data protection could also improve relations with authorities abroad. The primary concern with creating a new agency, however, is that it might be logistically difficult and take a long time to set up.

The proper role of states in privacy enforcement is also an important issue for Congress to consider. There are two important questions regarding state authority: whether state attorneys general (AGs) have the authority to enforce a federal privacy law, and whether state legislatures have the freedom to enact their own privacy laws. State enforcement could provide several benefits, including serving as a hedge against regulatory capture and political pressure at the federal level. On the other hand, if states take differing approaches to protecting their constituents’ privacy, they could cause overly burdensome compliance challenges for companies.

Individuals could also enforce their own privacy rights if Congress includes a private right of action in federal privacy legislation. With a private right of action, an individual whose privacy rights are violated could sue the violating company directly rather than rely on a federal or state enforcer. While there is some opposition to a private right of action from industry and lawmakers, private rights of action are an extension of democratic participation, like petitioning government, writing members of Congress, and talking to state legislators. Additionally, individuals have not always been able to rely on the government to protect their rights, particularly their civil rights. A private right of action can therefore empower individuals to pursue enforcement on their own.

Congress should carefully consider all of these options as it works to craft new federal privacy legislation. The effectiveness of any privacy law will depend on how it is enforced.

Introduction

With increasing public scrutiny of privacy intrusions, legislators must not only grapple with creating new federal legislation to protect privacy, but also consider how such legislation should be enforced. Congress could expand the FTC’s authority or create a new federal agency to regulate privacy. Congress could also empower states to enforce federal rules as well as their own legislation, or empower individuals to play an enforcement role by including a private right of action.

This report builds on an event held by New America’s Open Technology Institute on October 8, 2019 that examined the different ways that Congress could create an enforcement regime as part of new privacy legislation. David Medine, former special counsel at the Consumer Financial Protection Bureau, former associate director for Financial Practices at the Federal Trade Commission, and former Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB), delivered opening remarks. A panel moderated by Dylan Gilbert, policy counsel at Public Knowledge, followed. Panelists included Elizabeth Banker, vice president and associate general counsel at the Internet Association; Blake Bee, program counsel for the National Attorneys General Training & Research Institute Center for Consumer Protection at the National Association of Attorneys General; Bob Gellman, a privacy and information policy consultant; and Yosef Getachew, program director of the Media and Democracy program at Common Cause. The discussion covered the successes and shortcomings of the current privacy enforcement regime, including the FTC’s work thus far on enforcing data protection and privacy, the promise and downfalls of creating a new data protection agency, the role of state enforcement, and the implications for including a private right of action in federal privacy legislation.

The FTC is Currently the Primary Privacy Enforcer but its Authority is Limited

Creative Commons

Overview

At present, the FTC has the broadest federal jurisdiction over protecting consumer privacy. Congress originally created the agency to enforce the antitrust laws through the FTC Act of 1914, but later added consumer protection issues to its portfolio in 1938 when Congress expanded the agency’s authority under Section 5 of the FTC Act to prohibit “unfair or deceptive acts or practices.”[1] Since then, Congress has also given the FTC additional statutory authority to protect privacy through such statutes as the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act (COPPA).

Despite these additional statutes, the FTC’s authority is limited and creates challenges in relying on the agency to protect privacy. Not only does the agency lack a strong record on enforcing privacy, but it also lacks sufficient capacity to do so. Congress could grant the agency more authority and resources to protect privacy, but it is unclear whether it would lead to stronger enforcement.

The FTC’s authority on privacy regulations is limited

The FTC has limited privacy authority. It is constrained as an enforcement agency that focuses primarily on interstate commerce and consumers. As Banker argued, “a lot of the criticism that the FTC is receiving about [its enforcement record] is not necessarily fair, because … to date, it has not been given a clear mandate, a clear set of rules to work with, and the resources to go with it, in order to be that strong enforcer [on privacy].”[2] The FTC’s core Section 5 authority does not define standards for unfairness and deception. Because its privacy enforcement must fit within this authority, the agency’s current jurisdiction does not allow it to sufficiently protect against myriad privacy threats that are not easily characterized as unfair or deceptive practices. Further, not only are there questions about whether FTC enforcement provides strong enough incentives for companies to avoid violating existing laws, there are also questions about the extent to which the FTC’s enforcement actions under Section 5 actually protect consumers if they primarily seek to address companies’ disclosure and notice to consumers. In addition, it is not clear whether the FTC is best equipped to address privacy harms because it lacks capacity, especially on technological expertise. Its authority is further restricted by its limited rulemaking authority under Magnuson-Moss.

First, the FTC’s current approach focuses on privacy harms that can be quantified in terms of economic damage. This approach, as Gellman critiqued, may overlook harms that cannot be quantified in these terms. Privacy, he said, represents soft values with “social, political, and informational consequences”—i.e., it has no clear monetary value. Gellman suggested that the FTC’s structure means that it inherently focuses on economic damages, since the Bureau of Economics is on par with the Bureau of Consumer Protection in terms of hierarchy, and the economic implications of privacy harms are a critical factor in the agency’s decision-making.

Similarly, as an agency created to focus primarily on commerce and consumers,[3] the FTC may not be best positioned to tackle the full breadth of privacy issues, especially those that go beyond commerce and affect more than just consumers. After all, privacy intrusions create externalities that implicate individuals who do not use a product or service, in that one consumer’s data may also reveal information about a non-user. While Banker recognized that “consumer protection in and of itself is a value,” Medine suggested that because “privacy is about values and rights … a new organization that is committed to … that approach, as opposed to [the FTC’s] approach, would be very beneficial.”

Second, Section 5—which forms the core of the FTC’s jurisdiction over privacy—does not give the agency sufficient authority to protect privacy. Section 5 empowers the commission to pursue actions against “unfair or deceptive acts or practices.” An act or practice is considered unfair if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”[4] An act or practice is considered deceptive if it involves a material representation, omission, or practice that is likely to mislead a reasonable consumer.[5] This enforcement regime, which primarily addresses companies’ notice and disclosure policies, has created incentives for companies to simply avoid promising clear privacy protections so they can avoid the risk that they may be held accountable for violating those promises. Gellman argued, for instance, that cases brought under the agency’s deception authority have resulted in company disclosure through “vaguer and less clear privacy notices” to which companies cannot be held accountable. Instead, the FTC should wield its unfairness authority more: if the goal is to change company practices, as Gellman suggested, “you can do that more through unfairness and set standards for everybody else than you can through [the] deception” authority.

However, the FTC’s existing unfairness authority as currently utilized also fails to ensure strong privacy protections. Getachew noted that “one of the challenges of the unfairness standard is that it’s not only [asking] is something unfair, but is that practice outweighed by any benefits that a consumer might receive? Are there any economic advantages to that practice? And is that better than anything that could be considered unfair?” Thus, even if a practice could be considered unfair, if the FTC finds that the practice potentially benefits some consumers in some way, the balancing test may prevent the agency from taking action.

Third, the FTC has limited rulemaking authority under the Magnuson-Moss Act. The Act requires the FTC to show “substantial evidence in the rulemaking record” that a practice is prevalent or widespread before it can be declared an unfair and deceptive act or practice.[6] Since Magnuson-Moss was enacted in 1975, the FTC has rarely issued regulations under its rulemaking authority. As Getachew explained, “the key ingredient [the FTC is] missing is rulemaking authority, particularly for areas of concern [like] data processing [and] data practices that harm [members of marginalized communities or general consumers]. We’ve seen the Section 5 unfair and deceptive [authority] extend to as much as it can, but without clear rules, without strong rules, it’s hard to really go further than that.”

To facilitate more effective enforcement of privacy regulations, Congress could grant the FTC more authority, such as general rulemaking authority under the Administrative Procedure Act. FTC Chairman Joseph Simons, however, has asked Congress not to give the agency broad rulemaking authority, and instead has advocated for targeted rulemaking authority.[7] While federal privacy legislation will ultimately determine what the FTC’s rulemaking authority looks like, Getachew explained that,

you want to have a broad scope for an agency to enact rules encompassing a lot of different areas when it comes to privacy. So that could be transparency provisions, so consumers have easy, understandable notices on what … data is being collected. [Or] use restrictions on what data can and cannot be collected, particularly around sensitive data. I think the big point is making sure that rulemaking authority is constantly used or adopted when we’re seeing new harms arise, as opposed to a piece of legislation that might limit an agency to just a few set of provisions.

If Congress is not willing to go so far, it could at least grant targeted rulemaking authority over particular aspects of a privacy law or specific, complex provisions. This approach could allow more technical or specific aspects of a law to be decided through a rulemaking process at an agency, such as the FTC, instead of by Congress.

The FTC lacks capacity to effectively enforce privacy laws

The FTC currently lacks capacity to exercise its jurisdiction over privacy regulations effectively. First, the FTC lacks the staffing resources it needs to carry out its privacy work. The FTC has around 40 full-time staff working on privacy issues, which is significantly fewer than many foreign data protection authorities in smaller countries.[8] For instance, the U.K. Information Commissioners’ Office employs over 500 people to regulate data privacy,[9] and the Irish Data Protection Commissioner employs about 130 people to enforce the General Data Protection Regulation.[10] The agency charged with enforcing privacy in the United States should be properly staffed to ensure that when companies violate privacy rules, they are directly held accountable. As FTC Chairman Joseph Simons wrote to Rep. Frank Pallone Jr. (D-N.J.), the agency has “brought on average about twenty privacy and data security cases per year over the past five years … With more staff we would be able to bring more cases under our existing authority; providing us with additional authority would notably improve our ability to bring significantly more privacy and data security cases.”[11] With only 40 full-time staff dedicated to the issue, the FTC simply cannot be aggressive in protecting privacy across the country.

Second, it is unclear whether the FTC has the technological expertise it needs to enforce privacy laws. Not only has the office of the chief technologist been vacant since May 2018,[12] but as of April 2019, the agency also only employs around five technologists on staff, with only around three technologists working on privacy and security research and casework.[13] FTC Chairman Simons has asked Congress for additional resources to hire an estimated ten to fifteen technologists to support ongoing work in these areas,[14] and former Commissioner Terrell McSweeny has called for the creation of a freestanding Bureau of Technology to bolster the agency’s technological expertise.[15] Without a robust understanding of technology—including online advertising methods, algorithmic tools, and machine learning—the FTC will be hampered in its ability to protect privacy.

Congress Could Design a New Data Protection Agency that Addresses Many of the Shortfalls of the FTC’s Authority

FTC Headquarters / Photo by Postdif, Wikimedia Commons

The FTC’s bounded mandates and capacity, as well as its limited rulemaking authority and mixed record on enforcing privacy, raise questions as to whether the agency would provide robust privacy enforcement even if granted additional authority and resources. As an alternative, several panelists proposed that Congress could consider establishing a new data protection agency.

Setting up a new agency would also provide opportunities to create a structure that is better suited to enforcing privacy, including by maintaining some degree of stability or independence across presidential administrations. Medine advocated for establishing a new agency as a commission because if the new agency were headed by an individual director instead, there could be “wild swings on how the agency operates” with each new president, “whereas in a commission structure, usually the new president gets one or two appointees, and maybe the opportunity to appoint the chairman, but it’s a much more gradual process.”[16] For instance, the FTC’s commission structure allows the possibility for an outgoing Chairman to stay on as a Commissioner after a presidential transition, which, Medine suggested, can lead to a smoother transition.

A new agency could also more easily procure resources for enforcing privacy. Medine noted that if the issue of privacy and data protection stayed within a larger agency with jurisdiction over other issues, it would compete for limited funds against these issues and departments within that agency. On the other hand, “if there [were] a separate freestanding agency, it could make its own case for its budget, and have that be the entire budget that went towards the issue of protecting both data protection and for security issues,” Medine said.

The primary concern with creating a new agency, as Medine and Banker emphasized, is that it might be logistically difficult and take a long time to set up. Banker recalled the time and effort it took to set up the Department of Homeland Security. “There was really a pretty long period of time before it started functioning the way you would expect an agency to function,” she cautioned, adding that there were many disparate pieces that had to be brought together to create a new department. Though Congress passed the Homeland Security Act in 2002, there were several modifications over the next seven years, with multiple reorganizations and reviews of its mission and basic policies, operations, and infrastructure.[17] Medine recommended that if a new agency were to be created, it should “sit on the structure of the old agency until it’s ready to separate.” He said this structure was particularly helpful in the case of the Consumer Financial Protection Bureau, which benefited from the existing infrastructure—such as payroll, email, and website systems—within the Treasury Department, where it was housed initially before spinning off into a separate agency. He compared this example to his experience as the first Chairman of the PCLOB, which had been challenging to stand up because it was established as a completely independent agency.

With regard to the substance of a new agency’s authority, Gellman suggested that the agency be given mostly soft power, which would enable it to create rules and regulations necessary to fulfill its mission to protect privacy. A set of high-level principles, like the Fair Information Practice Principles, could guide the authority.[18] If this flexible approach does not work, Gellman added, the agency could be given stronger rulemaking and enforcement authority.

Finally, a new agency dedicated to the cause of privacy enforcement and data protection could also improve relations with authorities abroad “in terms of having [an equivalent] chairman … and a central focus in the United States government for them to deal with,” as Medine suggested at the event. Currently, the FTC serves only part of the role of protecting privacy, and no single federal law comprehensively regulates the collection and use of personal data. Further, the United States is one of the few countries around the world—and the only country among its Organisation for Economic Co-operation and Development peers—that lacks a federal agency explicitly dedicated to data protection.[19] Creating a new agency explicitly dedicated to privacy and data protection could therefore streamline interactions with international counterparts, as such an agency may be better suited to interact with other international data protection authorities.

States Could Play a Vital Role in Enforcement

Currently, there is no comprehensive federal privacy law in the United States. To fill that void, states are actively proposing and enacting privacy laws. California recently passed the California Consumer Privacy Act,[20] Vermont passed a data broker registry bill,[21] and Illinois has long had a biometric privacy law.[22]

This situation raises two important questions regarding state authority: whether state AGs can enforce a federal privacy law, and whether state legislatures have the freedom to enact their own privacy laws. A federal privacy law could change the state-federal dynamic by either strengthening or curtailing states’ enforcement power. Congress could, for instance, allow states to build on a federal law or preempt states from taking any action on privacy at the state level. Congress could also refuse to allow states to enforce a federal privacy law, scaling back on the number of privacy enforcers. Alternatively, Congress could empower state AGs to enforce a privacy law (along with whatever state privacy laws exist). The options in-between are many. Where on this spectrum Congress should land is a subject of much debate.

State enforcement provides several benefits. As Bee of the National Association of Attorneys General noted, states are “a hedge against industry capture, they’re a hedge against political pressure that could be applied to any federal agency. Since our members are diverse, our members are multi-party, they have the ability to step in if one industry has taken a policy position or political position one way or the other.” In addition, because of the variety in leadership among state governments, states can adopt different approaches that can complement one another. State enforcement could also help provide a more thorough enforcement regime than a single agency, which could be too partisan in its enforcement and/or lack sufficient resources. Further, states can take action that affects local constituents that a federal agency may overlook. As Getachew argued, “states are seeing that some of these practices [that violate people’s privacy] are being abused in their communities and they want to do something about it, which is not being addressed at the federal level.” Essentially, more privacy enforcement—particularly at the state level—would better protect consumer privacy overall, because “privacy is too big for one agency to handle,” as Getachew said.

On the other hand, states acting on their own by passing legislation and enforcing their own laws or a federal privacy law could create various problems. From a company perspective, having to address different laws in different states could cause burdensome compliance challenges. At the very least, it could raise compliance costs, which companies could then pass onto advertisers or consumers. States may also interpret particular aspects of a federal law differently, creating inconsistencies throughout the country in how the law is interpreted and enforced. However, as Bee pointed out, “companies and industries [navigate multiple state laws] every single day. If you’re going to do business in a state, you’re agreeing to abide by all of their laws.” He later stated that the Uniform Law Commission is working on model legislation,[23]which may help create uniformity among state privacy laws.

Nonetheless, Banker argued that consumers could be confused if Congress allowed states to act on their own, because consumers would not know when certain companies are bound by a particular state’s laws:

as you travel around and stay in different hotels and buy from different vendors, or you find some unique supplier of something you want in a far-off state, that seller may not have sufficient contacts with California to be subject to [California] law, and the California law has carve-outs [such as for small businesses]. So do consumers need to know what the size of the business is that they’re dealing with, to understand whether they have rights to access and deletion?

These issues could be alleviated by a single, federal privacy law. If the substantive privacy protections at the federal level are strong, consumers and civil society may be more amenable to preemption, though there are no such protections yet. Ultimately, whether Congress should preempt state laws and whether it should give state attorneys general enforcement authority will depend on its answers to many of these competing concerns and questions.

If states end up playing an active role in the enforcement of a federal privacy law, Bee argued that giving states the ability to bring lawsuits in state court, rather than in federal court exclusively, could encourage state enforcement. State AGs regularly bring challenges in their own state courts, and they may be more familiar with the operations of their state courts than with federal courts. The ramifications of this policy choice are demonstrated by the enforcement of the Children’s Online Privacy Protection Act (COPPA); states have been reticent to bring COPPA enforcement cases because the law requires states to bring cases in federal court, not state courts. State court enforcement authority would help improve state privacy enforcement.

A Private Right of Action is Key to Ensuring that Consumers Have Their Own Avenue for Redress

Creative Commons

In addition to deciding what agency or agencies may enforce a new privacy law, Congress should consider whether the law should incorporate a private right of action. With a private right of action, an individual whose privacy rights are violated could sue the violating company directly.

Currently, federal law does not provide a private right of action that would enable individuals to sue companies directly for privacy intrusions, but several state privacy laws include private rights of action. Illinois’s biometric privacy law allows users whose biometric data is illegally collected or handled to sue the companies responsible.[24] The California Consumer Protection Act allows users to sue a company for statutory damages if their personal information is involved in a data breach as a result of the company’s negligence.[25] Without a private right of action, individuals have to rely on federal or state enforcers, like the FTC, to protect their privacy. While there is some opposition to a private right of action from companies and policymakers, it would offer several benefits.

First, private rights of action are an extension of democratic participation, like petitioning government, writing members of Congress, and talking to state legislators, as Getachew argued. The ability for a person to bring a lawsuit against another party that has done them wrong is also how our judicial system generally works. For example, under tort law, individuals can sue others for causing harm, such as assault, battery, or trespassing. In the same way, individuals who experience privacy harm should be able to hold the perpetrator accountable in court.

Second, individuals have not always been able to rely on the government to protect their rights, particularly their civil rights.[26] If a single federal agency is responsible for privacy enforcement, some individual harms likely would not be addressed. This lapse could result from lack of agency capacity and resources, and potentially for illegitimate reasons, like agency capture as well. Such under-enforcement could encourage companies to engage in privacy-harming practices if they believe that enforcement would be unlikely. A private right of action is critical for aggrieved individuals who would then be able to intervene and pursue enforcement on their own, without relying on the federal enforcer.

A private right of action can be designed to reduce the likelihood of frivolous lawsuits and therefore reduce potential problems for law-abiding companies. Gellman argued that “people on all sides of these issues have to begin to look at ways of finding accommodation, finding middle ground, putting some kind of agreeable limits, be they … putting a cap on damages [or] setting procedural requirements before you can file a class action lawsuit.” Gellman suggested that one potential procedural requirement could be having to get your “ticket punched” by some authorizing agency before you can file a class action lawsuit. Such a requirement would allow the agency to control which individual cases move forward, and could potentially weed out malicious or frivolous cases. The private right could be limited to specific issues, or have intent requirements.

Getachew made clear, however, that the private right of action cannot have a forced arbitration clause attached. Forced arbitration clauses are “anti-consumer [and] anti-democratic,” and they

allow industry to potentially control how a case is decided. … At the same time, with a forced arbitration framework, you don’t have a situation where you can have a legal precedent for whatever the harm is being litigated against. It’s just within that arbitration context, and so it may not be able to empower a class or a community of individuals [that experience] the same harm. And really, it’s just not cost-effective for an individual to go through [arbitration] as opposed to going through the private right of action route.

Many argue it would be unfair to give individuals a private right of action, but then force them to go through binding arbitration instead of being heard by a court of law.

Similarly, Banker argued that class action settlements could also be unfair: “There are [class action] settlements where you don’t necessarily know what the terms of the agreement were, whether the company … settle[d] because of the cost of the litigation, or because there actually was wrongdoing, and it doesn’t necessarily create rules that other people can … follow.” Banker argued that agency enforcement is preferable to an individual private right of action because then cases are settled by consent decree: “We get to see the complaint, we get to see a consent order,” and other businesses can learn from those cases.

In the end, Getachew argued that a private right of action should be “one tool in the toolkit to protect consumers and to really make sure that if the agency isn’t acting as a cop on the beat, there’s another framework in place to” protect privacy. But getting there may require a compromise.

Conclusion

As part of comprehensive privacy legislation, Congress will have to decide on an enforcement regime. Should Congress create a new agency or expand the FTC’s jurisdiction? What role should states and individuals play in privacy enforcement?

There are significant benefits to the possibility of creating a new federal agency with express rulemaking and regulatory authority for privacy and data protection, although this must be done carefully to ensure the agency can overcome the challenges of being a new entity. There are also strong arguments in favor of continuing to permit states to pass their own laws and to allow state attorneys general to enforce a new federal law. Additionally, creating a private right of action could ensure that individual consumers are able to stand up for themselves in court.

Congress should carefully consider all of these options as it works to craft new federal privacy legislation. The impact of any new rules will depend on the effectiveness of their enforcement, and individuals are counting on Congress to ensure that their privacy is protected.

Notes

  1. Wheeler-Lea Act of 1938, ch. 49, sec. 3, § 5(a), 52 Stat. 111, 111–12.
  2. All quotes from panel unless otherwise noted. Elizabeth Banker, Blake Bee, Bob Gellman, Yosef Getachew, Dylan Gilbert, David Medine, “Enforcing a New Privacy Law,” (Panel, Washington, DC, October 8, 2019), New America.
  3. About the FTC,” Federal Trade Commission.
  4. 15 U.S.C. Sec. 45(n).
  5. FTC Policy Statement on Deception,” Federal Trade Commission, October 14, 1983, FTC.
  6. 15 U.S.C. § 57a(b)-(c); (e).
  7. John Hendel and Cristiano Lima, “FTC chairman tells Congress: Don’t give me too much power.” Politico, May 8, 2019.
  8. Letter from Hon. Joseph J. Simons, Chairman, Federal Trade Commission, to Rep. Frank Pallone, Jr., Chairman, House Committee on Energy and Commerce (Apr. 1, 2019).
  9. “History of the ICO,” Information Commissioner’s Office.
  10. Peter Hamilton, “Data commissioner to look for more staff and funding,” The Irish Times, March 7, 2019 and Elaine Edwards, “Data Protection Commission welcomes extra €3.5m in budget,” The Irish Times, October 9, 2018.
  11. Letter from Hon. Joseph J. Simons, Chairman, Federal Trade Commission, to Rep. Frank Pallone, Jr., Chairman, House Committee on Energy and Commerce (Apr. 1, 2019).
  12. FTC Chief Technologists,” Federal Trade Commission.
  13. Letter from Hon. Joseph J. Simons, Chairman, Federal Trade Commission, to Rep. Frank Pallone, Jr., Chairman, House Committee on Energy and Commerce (Apr. 1, 2019).
  14. Letter from Hon. Joseph J. Simons, Chairman, Federal Trade Commission, to Rep. Frank Pallone, Jr., Chairman, House Committee on Energy and Commerce (Apr. 1, 2019).
  15. Leah Nylen, “’Technology is changing our mission,’ FTC’s McSweeny says,” LexisNexis, April 27, 2018.
  16. The question of whether the director appointment provision of the Consumer Financial Protection Act interferes with the president’s exercise of executive power is currently the focus of a supreme court case. Seila Law LLC, Petitioner, v. Consumer Financial Protection Bureau, No. 19-7. 1-21 (2019).
  17. Creation of the Department of Homeland Security,” Department of Homeland Security, last modified September 24, 2015.
  18. See, “Fair Information Practice Principles,” International Association of Privacy Professionals.
  19. The U.S. Urgently Needs a Data Protection Agency,” epic.org.
  20. State of California Legislature, Senate, California Consumer Privacy Act of 2018, SB-1121, September 24, 2018.
  21. Guidance on Vermont’s Act 171 of 2018 Data Broker Regulation,” Vermont Office of the Attorney General, December 11, 2018.
  22. Biometric Information Privacy Act, Illinois General Assembly.
  23. Collection and Use of Personally Identifiable Data Committee, Uniform Law Commission.
  24. Jennifer Mesko and Emily Knight, “Illinois Supreme Court Rules in Biometric Information Privacy Act Case,” American Bar Association, February 12, 2019.
  25. Patterson Belknap Webb & Tyler LLP, “A Closer Look at the CCPA’s Private Right of Action and Statutory Damages,” JD Supra, August 24, 2019.
  26. Becky Chao, Eric Null, Brandi Collins-Dexter, Claire Park, “Centering Civil Rights in the Privacy Debate,” Open Technology Institute, New America, August 14, 2019.

Originally published by New America, 11.20.2019, under the terms of a Creative Commons Attribution 4.0 International license.