On May 21, 2019, representatives of the Federal Trade Commission (FTC) and the Office of DC Attorney General (AG) Karl Racine visited Reed Smith to discuss data privacy trends to watch at the federal and state level. In an IAPP KnowledgeNet presentation moderated by Reed Smith partner Divonne Smoyer, Maneesha Mithal (associate director of the FTC’s Division of Privacy and Identity Protection, Bureau of Consumer Protection) and Ben Wiseman (director of AG Racine’s Office of Consumer Protection) discussed their expectations for a federal privacy law, expanding state authority in the privacy arena, and privacy resources, among other things, in a wide-ranging conversation.

Ms. Mithal explained that a federal data privacy law is necessary and believed that the FTC is the natural enforcer of such law. According to Ms. Mithal, the FTC would benefit from a variety of enforcement tools in a federal privacy law, including: 1) civil penalties for first-time violators to aid deterrence; 2) Administrative Procedure Act rulemaking authority to address changes in technology and business models, similar to the authority present in the Children’s Online Privacy Protection Act (COPPA); and 3) broadened jurisdiction over non-profits and common carriers.  Ms. Mithal also welcomed the involvement of state AGs as enforcers of a federal privacy law.

Mr. Wiseman noted that the states, as “laboratories of democracy,” have developed perspective and expertise from their data breach laws and enforcement actions. This expertise has led the states to conclude that consumer transparency and control, and a mechanism to hold companies accountable if they misuse consumer data, are baselines for consumer data privacy laws.  It also has led to a common position among many state AGs, including the DC AG, opposing any federal law that pre-empts their ability to protect their own consumers.

Both panellists spoke of the heightened public interest in privacy protections after the passage of the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR).  Neither Ms. Mithal nor Mr. Wiseman thought that the CCPA or the GDPR were perfect laws. By contrast, Mr. Wiseman spoke highly of Vermont’s recent data broker law, both because it helped consumers understand how their data was being used and because the state did a good job collaborating with stakeholders in crafting the legislation.

The panellists also recognized that a balance must be struck between privacy and innovation, especially the need to ensure that small businesses are able to innovate. According to Mr. Wiseman, this is why some state AGs are promoting a federal privacy law that will provide small businesses with one standard, making compliance less costly. Similarly, Ms. Mithal emphasized the FTC’s focus on promoting innovation and choice in the marketplace. To that end, she indicated that new data protection laws should perhaps contain thresholds for compliance, including thresholds based on the amount of data handled by businesses and the sensitivity of that data.

Finally, acknowledging the continued focus of regulatory and enforcement agencies on privacy concerns, Ms. Mithal suggested that additional resources are necessary, especially when the FTC’s resources are compared with those of similar agencies in the EU tasked with enforcing the GDPR. These resources would both allow the FTC to enforce any new laws on the horizon and enable it to engage in additional investigations and enforcement actions under existing laws, like COPPA, the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act.

Although a federal privacy law remains elusive, companies should be mindful that they are already subject to data privacy oversight.  AGs have focused their efforts on protecting consumers through existing consumer protection laws and the FTC will continue to use the privacy enforcement tools in its toolbox. Further, discussions like these between the FTC and AGs will continue: The FTC’s Hearings on Competition and Consumer Protection in the 21st Century are nearly complete, with the final hearing, a Roundtable with the State Attorneys General currently scheduled for June 12, 2019.  Regulators are watching and are ready, willing and able to hold businesses accountable for privacy violations, even without a federal privacy law.  Companies should continue to be aware and prepared.