Federal privacy legislation would transform US FTC with new Bureau of Privacy

National privacy legislation blessed by a congressional committee last week wouldn’t just change the privacy landscape of the US, it would also transform the primary agency tasked to enforce it: the Federal Trade Commission.

By creating a Bureau of Privacy equivalent in size and influence to other FTC bureaus, the proposed American Data Privacy and Protection Act could quintuple the staff specifically dedicated to digital privacy, and it could pump up the FTC’s budget by $60 million a year or more — assuming Congress appropriates additional financial resources instead of forcing the FTC to cannibalize resources that now go to antitrust enforcement or consumer protection.

That would place the FTC, which now has only about 45 dedicated digital privacy enforcers but draws on a much larger pool of staff to support privacy, more on par with sister national regulators such as Ireland’s Data Protection Commissioner, the UK’s Information Commissioner’s Office, the Office of the Privacy Commissioner of Canada, and France’s National Commission on Informatics and Liberty.

Within the FTC, through the promotion of privacy to a dedicated bureau rather than relegating issues to a division of the Bureau of Consumer Protection, privacy would symbolically and literally get a seat at the table with the FTC’s chair and the other four commissioners, an equal peer to antitrust enforcement and consumer protection.

Building out the new Bureau of Privacy, which under the current text of the ADPPA “shall be of similar structure, size, organization, and authority as the existing bureaus within the Commission related to consumer protection and competition,” would be a huge effort. While hiring 250 or more lawyers, technologists and investigators would likely take several years, the legislation mandates that a Bureau of Privacy be “established, staffed and fully operational” one year after the ADPPA is enacted.

An obvious first step would be to transfer the FTC’s Division of Privacy and Identity Protection (DPIP) from its current home in the Bureau of Consumer Protection to the new bureau, but that would be just a start. While the ADPPA would also mandate creation of a Youth Privacy and Marketing Division within the new FTC privacy bureau, its architects would need to think through a long list of other organizational questions, such as which other divisions should be built into the Bureau’s superstructure, such as enforcement and policy.

Many other organizational decisions would have to be made — some difficult. While much of the new privacy bureau would no doubt be in Washington DC, the FTC could decide to base some staff in its eight regional offices, perhaps in the tech hubs of San Francisco and Seattle.

The new bureau would affect the whole FTC because it would also require more resources in support areas, such as human resources, security and even the press office. Resources such as litigation support and business education might be reassigned from the Bureau of Consumer Protection to the new privacy bureau, shrinking the existing BCP. The FTC declined to comment on the ADPPA legislation.

Just the proposal by Congress of a new internal Bureau of Privacy represents a victory for the FTC, however. Until recently, many FTC critics who knocked the agency for lackluster privacy enforcement were calling for the creation of a sole-purpose US privacy regulator akin to the new California Privacy Protection Agency. That debate, at least for now, is over.

“Having a separate Bureau will give importance and credibility and heft to this mission,” Jessica Rich, a former director of the FTC’s Bureau of Consumer Protection, told MLex. “Also, if the FTC is going to be absorbing lots of new resources which have been slated for privacy, it should have a dedicated place to put those resources and to build the program.”

The Numbers

With the proposed ADPPA legislation approved by a 52-2 vote by the House commerce committee last week, it is perhaps headed to a vote of the full House in September. Passage of the bill this year remains a long shot, but not outside the realm of possibility.

Relative to many other Western democracies, the FTC has significantly fewer resources dedicated to privacy enforcement than its sister national privacy regulators. In a report to Congress in 2020, the FTC compared the 40 to 45 staffers of DPIP to counterparts such as the 180-person staff of the Irish DPC and the 700 staffers who were then at the UK’s ICO.

Canada’s OPC, which regulates a population just over one-tenth the size of the US, now has 207 full time staff.

Those are imperfect comparisons because the missions of those agencies vary to some degree from the FTC, which has about 1,100 full time staff, with 612 full-time-equivalent employees dedicated to consumer protection and 528 dedicated to competition in a $351 million spending plan for the 2021 fiscal year, according to the FTC’s 2022 fiscal year budget request.

Part of the issue is that the 45-employee number undercounts the full effort going toward privacy at the FTC. “The number of 40 to 45 people devoted to privacy isn’t right,” Andrew Smith, the director of the BCP during much of the Trump Administration, told MLex.

“That doesn’t count the people in the regions; it doesn’t count the front office, human resources, international, administration of claims” or BCP’s Enforcement Division or Division of Marketing Practices, which also have responsibility for enforcement of privacy requirements, Smith said. He said a better estimate would be 150 full-time staff, or about 14 percent of the agency’s roughly 1,100 staffers, working on privacy issues.

Assuming Congress does allocate new funds for an FTC Bureau of Privacy of equivalent “structure, size, organization, and authority” as the bureaus of competition and consumer protection, the FTC budget would grow substantially, said Daniel Kaufman, longtime FTC veteran who is a former acting chief of the Bureau of Consumer Protection.

Not everyone works for those two bureaus at the FTC, which also has a much smaller Bureau of Economics and other support and organizational staff. But within a range of 350 to 450 people working for each of the current primary bureaus, the FTC could be looking at hiring well over 200 new people, Kaufman said.

Given that the FTC’s proposed 2022 budget requests 110 new staff at a yearly cost of $18.5 million, and factoring the cost of office space, support staff and employee onboarding for twice that number of new employees, the FTC budget increase could easily reach the range of $50 million to $60 million, Kaufman said.

“To be clear, these are rough back-of-the-envelope calculations, but I think we are talking mid-eight figures,” he said. “And this makes some logical sense since the FTC has about 1,100 FTEs now with a budget of roughly $350 million.”

Culture shift

A separate privacy bureau might change the way the FTC sees itself, and how its European counterparts see the FTC.

The clean slate of creating a new privacy bureau from scratch would offer the FTC a chance to depart from orthodoxy in deciding the staffing mix for the new bureau, on decisions such as the proportion of lawyers to technologists. Rather than putting a lawyer at the helm, the new bureau could follow the lead of the California agency and hire a technologist — Ashkan Soltani, a former FTC chief technologist, is executive director of the California enforcer.

Smith said he’s not convinced there’s a need for a new privacy bureau, but creating one won’t necessarily change the relationship between the five commissioners and privacy.

“Privacy takes up a lot of the oxygen anyway right now at the FTC and the commissioners are very focused on it,” he said, adding the change could come at the expense of the profile of the Bureau of Consumer Protection.

“We had a saying in consumer protection: ‘Commissioners arrive as antitrust lawyers and leave as privacy lawyers,’” Smith said. “I think privacy is a very deep and abiding interest to all of the commission, and when you take that out of the Bureau of Consumer Protection it’s going to mean that people are at least a little bit less attentive to the Bureau of Consumer Protection.”

Others, such as Maneesha Mithal, the most recent chief of DPIP, say a dedicated privacy bureau would bolster the privacy leadership of the FTC and the US.

With a separate privacy bureau, “there would be a little more equivalence to places like the [UK] ICO and the Canadian privacy commissioner,” Mithal said. “It would give the FTC a little more gravitas to have a bigger unit working on privacy, in terms of its ability to influence international agencies on privacy.”

Even privacy advocates who favored a stand-alone enforcer, such as the Electronic Privacy Information Center, say they will accept the concept of an internal FTC privacy bureau if it means getting a deal on a good federal law.

“We believe it is more important at this time to get strong, comprehensive federal privacy protections in place and ADPPA would do that while creating a new privacy bureau at the FTC,” EPIC president Alan Butler told MLex. “That would be a major step forward, though not as far as we think Congress needs to go. Congress also needs to ensure that the FTC has the resources it needs to carry out the rulemaking and enforcement work under the ADPPA.”