As we’ve all been following in the news, the House reconciliation bill to fund “human infrastructure” is still mired in negotiations, ever on the verge of either passing to monumental fanfare, or cratering in failure. Tucked away on page 671 of the 1684-page bill is a short provision that, despite scant attention, has the potential to usher in a new era for the FTC and U.S. privacy – $500 million to fund a brand new FTC privacy bureau, to be spent between 2022 and 2029. Here’s what the provision says:
FEDERAL TRADE COMMISSION FUNDING FOR A PRIVACY BUREAU AND RELATED EXPENSES. In addition to amounts otherwise available, there is appropriated for fiscal year 2022, out of any money in the Treasury not otherwise appropriated, $500,000,000, to remain available until September 30, 2029, to the Federal Trade Commission to create and operate a bureau, including by hiring and retaining technologists, user experience designers, and other experts as the Commission considers appropriate, to accomplish its work related to unfair or deceptive acts or practices relating to privacy, data security, identity theft, data abuses, and related matters.
With all of the talk about trillions here and billions there for infrastructure, $500 million might sound like chump change. But to put it in perspective, the FTC’s current annual budget is about $350 million – covering all of its programs, including its entire antitrust mission and the many components of consumer protection, of which privacy is just one. Further, the FTC currently employs just 61 people to staff its privacy mission, at a cost of about $13 million – less than 1/38th of the proposed new $500 million budget (or about 1/5 on an annual basis, when the amount is spread over its eight-year duration). Indeed, when one of us called for the creation of a new FTC privacy bureau last March, it seemed inconceivable that such a bureau could launch with a half-billion-dollar wind at its sails.
With $500 million, the FTC could employ hundreds of additional staff – including lawyers, investigators, technologists, and other experts – to oversee U.S. privacy. It could bring (and litigate) “big cases” (and smaller ones too), study key industries, conduct consumer surveys, provide more personalized assistance to U.S. consumers, and provide greater leadership and guidance (through public events and user-friendly publications) here and abroad. (And yes, the FTC could also launch rulemakings to expand existing rules, or to launch new ones under its inherent Magnuson-Moss rulemaking authority.) For those who have been calling for a brand new U.S. privacy agency, this new, well-funded privacy bureau could go a long way to satisfying their goals.
Of course, what this legislation would not do is strengthen the FTC’s legal authority by (among other things) enacting a comprehensive federal privacy law, giving the FTC full jurisdiction over common carriers and nonprofits, and authorizing monetary remedies for privacy violations. For years, the FTC and others have argued that these types of legal reforms are necessary to ensure that the agency can be fully effective in protecting consumers’ privacy.
Nevertheless, if the legislation passes, businesses should expect more oversight in the form of investigations, litigation, warning letters, studies, surveys, and rulemakings. Indeed, the FTC has already highlighted some of these goals and aspirations in early October, which we discussed in an October 3 blogpost on the topic. With $500 million, the FTC’s “wish list” list would grow exponentially longer and could include, for example, enforcement “sweeps” to examine companies’ privacy practices, even in the absence of any suspicion of wrongdoing. We are following this issue closely and will post additional details as they unfold.