Data Security Law Blog

GAO Backs “Comprehensive” Privacy Legislation

A recent report by the Government Accountability Office (GAO) is recommending that Congress adopt comprehensive federal data privacy legislation. The GAO’s proposal is, in part, meant to address limitations of the current privacy regulatory landscape, which is mostly piecemeal, industry-specific regulation at both the federal and state levels. The GAO’s 56-page report follows more than a year of interviews with officials from various federal agencies that have taken active roles in data security issues, including the Federal Trade Commission (FTC), Federal Communications Commission, and the Consumer Financial Protection Bureau, as well as stakeholders from industry and academia.

Following those interviews, the GAO concluded that “[c]omprehensive Internet privacy legislation that establishes specific standards and includes traditional notice-and-comment rulemaking and broader civil penalty authority could enhance the federal government’s ability to protect consumer privacy.”

In calling for a new, comprehensive statutory framework, the GAO noted that, although the FTC has regulated online privacy by invoking its “unfair and deceptive practices” authority under Section 5 of the Federal Trade Commission Act, this authority is limited in several ways. For example, the FTC generally cannot impose civil money penalties. Moreover, the agency completely lacks jurisdiction over certain entities (e.g., banks), and is also prohibited from filing enforcement actions under certain circumstances such as against a “common carrier” (e.g., airlines). And the extent of the FTC’s authority over entities that are regulated by other agencies, namely internet service providers, has shifted over time due to actions by the executive and legislative branches. Other agencies fill some of these gaps, but are likewise constrained by similar limits on their enforcement authority.

Many stakeholders agreed that a uniform federal privacy statute could “enhance Internet privacy oversight by, for example, clearly articulating to consumers, industry, and privacy enforcers what behaviors are prohibited.” Developing a new, ubiquitous privacy regime would also open the door to broader consideration of the more vexing privacy issues, such as balancing industry’s business objective of collecting consumer data with the consumer’s desire to better understand and limit how that information is used.

We expect that Congress will begin considering new privacy legislation in the coming months. We’ll be following any legislative developments in this space.