Congress wants the FTC to create a bureau dedicated to privacy. And that’s a big deal

Yes, the rumors are true—the United States might actually get a federal privacy law. Introduced in June, the American Data Privacy Protection Act (ADPPA) actually has bipartisan support, though there are a few kinks to work out.

But one section of the bill, which is now eligible for a floor vote in the House, could fundamentally change how consumer privacy is protected and enforced in the US: the proposed creation of a Bureau of Privacy, which would be a part of the Federal Trade Commission, broadening the scope and definition of how the regulator could enforce the law.

“It would dramatically elevate the profile of privacy in this country and the agency internationally,” Daniel Kaufman, a partner at BakerHostetler who previously held several roles at the FTC’s Bureau of Consumer Protection, said during a LinkedIn Live hosted by the International Association of Privacy Professionals (IAPP). “It’s almost limitless in terms of what the FTC can do.”

The BOP

A Bureau of Privacy isn’t entirely a new idea, according to Caitriona Fitzgerald, a deputy director at the Electronic Privacy Information Center (EPIC) and some iteration of it has been proposed before, even going as far back as 1991.

The latest draft of the ADPPA would place this responsibility under the Federal Trade Commission, which currently has a division dedicated to privacy and identity protection.

“It sends a message that the importance of privacy is on par with the importance of competition, economics, and consumer protection,” Fitzgerald told Marketing Brew. That means that for consumers, the BOP would be the dedicated enforcer at the federal level, potentially alongside state attorneys general. Even individual consumers might be granted the right to sue companies for damages stemming from some privacy violations thanks to the ADPPA.

While the final version of the bill is likely to change, the BOP would be responsible for both playing referee and rulemaker, creating more definitive regulations outlined in the bill and enforcing them. So far, that includes:

• Ensuring that targeted advertising doesn’t discriminate against individuals, citing civil rights.
• Establishing rules for and reviewing algorithmic impact assessments that “large data holders” would be required to file.
• Keeping an eye on data minimization, or making sure companies are only collecting the data that is “reasonably necessary and proportionate” for a business to operate, and nothing more.

And like the Wu Tang Clan, the Bureau of Privacy would be for the children, establishing a division within the BOP called the Youth Privacy Marketing Division. That’s especially significant considering the ADPPA currently bans outright targeted advertising to anyone under the age of 17.

Alison Pepper, EVP, government relations and sustainability at the 4A’s, told Marketing Brew over email that the BOP aligns with its work with Privacy for America, a coalition of advertising trade bodies including the ANA and IAB. She said the group has called for “the FTC to be empowered (and funded) to be the primary enforcer of comprehensive privacy legislation.”

She wrote that “the FTC makes sense as the primary regulator for multiple reasons,” one of which is that “the FTC has a long history of specific experience over the years looking at issues at the intersection of advertising and privacy —they wouldn’t be starting from scratch like another agency. With a strong bill and increased funding, the FTC would be the right agency for the job.”

Even so, she said, “the 4A’s support for the FTC being the primary enforcer (and receiving a significant funding increase to do so) was predicated on comprehensive privacy legislation being preemptive of existing or future state privacy laws—and the current iteration of the ADPPA has far too many exemptions precluding true preemption.”

Financial harm ≠ harm

Though it hasn’t passed, the draft of the bill is clear on size—the bureau should be as large as other existing bureaus within the commission. It would need to be staffed. Desks, monitors, and Mr. Coffee machines would need to be ordered. (According to the FTC, it has a little over a thousand full-time employees. And it doesn’t break out by bureau, but we can say it is more than one and less than the total number of FTC FTEs. Good luck, folks!)

That fresh slate presents the FTC with an incredible opportunity, argued Cobun Zweifel-Keegan, a managing director at the IAPP. The bill doesn’t specifically state who the FTC would need to hire, meaning it could look to staff up with “interdisciplinary staff,” specifically experts in “data protection, digital advertising, data analytics, and youth development,” the bill states.

“Any regulator has to think about prosecutorial discretion. There’s always this question of, ‘I have limited resources. How am I going to use them wisely?’” he said.

A bureau would presumably provide more resources, strengthening the agency’s enforcement arm. Under current laws, the FTC can only pursue privacy cases that are “unfair or deceptive acts or practices in or affecting commerce,” as well as enforcing “other federal laws relating to consumers’ privacy and security,” like the Gramm-Leach-Bliley Act and the Children’s Online Privacy Protection Act.

But unlike someone who steals your car or wallet, it can be hard to prove or quantify the significance of privacy and data harms in court, Fitzgerald said.

Proving that Twitter collected and sold personal information to advertisers is pretty black and white, but proving that data was collected unfairly can be more difficult for less transactional crimes—like whether a tech or data company revealed your sexual orientation or gender identity or inadvertently told your parents you’re pregnant, explained Jessica B. Lee, a privacy lawyer and chair of Loeb & Loeb’s privacy, security and data innovations practice. “These are harms that don’t have a dollar sign attached to them, and it’s hard to quantify,” she said.

Alan Chapell, president of Chapell and Associates, agreed.

“In privacy, ‘unfair’ is really, really hard to prove. It’s very subjective. You kind of have to have somebody dead to rights on something that’s really draconian,” he said. “Assuming the company you’re going after has any money at all, they’re probably going to fight you.”

The proposed ADPPA might not make these fights any easier on an individual level, but with new powers, resources, and expertise, the FTC could potentially bring more cases to court.

“I can see [how] having a different bureau that has a specific mandate—to enforce [ADPPA], to create rules around this specific law—is really helpful to the FTC, because it gives them a whole host of additional powers that they do not currently enjoy,” Chapell said.