Thank you all for joining us today to discuss enforcement of the long forthcoming privacy law that I'm sure is coming any day now. For those who don't know me, my name is Eric Null. I'm Senior Policy Counsel here at New America's Open Technology Institute, where I focus primarily on telecom and consumer privacy issues. And I'm here to introduce today's festivities. So first, we'll have a keynote address from David Medine. David is formerly of the Federal Trade Commission, the Consumer Financial Protection Bureau, and the Privacy and Civil Liberties Oversight Board. So he has quite a lot of experience with enforcement agencies and also standing up new agencies, an issue that often comes up in privacy enforcement discussions. We're thrilled that he's here today to share his wisdom with us. And David has also graciously agreed to have a short Q&A after his remarks. So please be thinking of questions for him as he's speaking. After that, we will just go directly into the panel discussion to talk about the different views on the proper privacy enforcement regime. And there will similarly be time for a Q&A at the end, so please be thinking about questions. And with that, I will turn it over to David.

Good afternoon. Thanks, Eric, and thanks, New America. I have a lot of formers in my government experience, and so I think they each bring to bear a little bit to the question of who should be enforcing the new privacy law that's just around the bend. So I wanted to give a brief history of the Federal Trade Commission's efforts on internet privacy and privacy in general, and then at least make a recommendation for how to proceed in terms of who should enforce a future law. So I want to go back to 1995 when, according to Vice President Gore, we had the information superhighway, which later became the internet.
And Christine Varney joined the FTC as a commissioner and with the help of Bob Pitofsky, who was the chairman and Jodie Bernstein, the head of consumer protection and I, put together a two-day workshop in 1995 on what should we do about this information superhighway. We had talks about governance and advertising, consumer protection, privacy, and after the end of two days, we sat back and said clearly privacy is going to be a very hot issue. And so we decided to focus on it. We actually ran it in part out of the advertising division and in part out of the financial practices division at the FTC, which I headed because we didn't have a privacy staff in those days. So the greatest concern right then was what happens if I put my information out on the information superhighway? Where will it go? Will it be protected? And so we wanted to see how websites were handling people's information. And so back in those days, it was pretty easy, believe it or not, to conduct a survey of all websites on the internet to see which ones had privacy notices. And at the beginning, when we started the process, relatively few sites had privacy notices, some of the major ones at the time, but by and large, sites weren't having privacy notices. And so we encouraged websites to start adopting privacy notices on their websites. At the same time, I chaired a federal advisory committee on access and security, which is to try to get people's views on two issues. Again, should people have access to their information? And we couldn't really get agreement between advocates and industry on access rights at the time. But surprisingly, we reached a very quick consensus on security, which is to not have very prescriptive rules, but instead have a process and a risk assessment. And virtually the entire 50-member advisory committee agreed on the approach to data security.
So as time went on and websites began over the couple of years later, started adopting privacy notices, we said, okay, they have privacy notices, but they aren't very good protections of privacy. And so we started raising the bar and said, okay, it's not enough just to have a privacy policy, you have to have at least a decent privacy policy. And so we adopted a streamlined set of fair information practices of notice, choice, access, and security, and then added enforcement at the end. So notice, choice, access, and security, and started evaluating websites as to whether they addressed those issues and not just had some sort of privacy policy. At the same time, children's privacy became very important because we were finding instances of abuse of children online and also some very strange advertising practices where they had 900 numbers at the time, which charged a lot of money. And some of the kids' shows would put a tone for 900 number on their TV and they tell the little kid, bring your phone to the TV, and the TV would dial the phone, essentially, and run up huge bills for the parents. So children were being clearly taken advantage of. And in something that maybe couldn't happen today, I give you the chronology of how children's privacy was addressed, which is in March of 1998, the FTC issued a report on children's privacy. In July, Senators McCain and Bryan from Nevada introduced the Children's Online Privacy Protection Act. And in October, President Clinton signed the bill. So from March, the start of the FTC report, March till October, we had legislation adopted and passed and enforced. Of course, we would have the same thing today, I'm sure. So in addition to sort of studying whether websites were addressing privacy, we also held a series of public discussions where we had the head of the Direct Marketing Association with the country's biggest spammer on the same panel, because we wanted to create a dialogue.
And there's a New York Times article at the time that I always really appreciated. I'll just read you two or three sentences from the article, which is, "Seldom is a Federal Trade Commission hearing room the venue for a searching discussion of fundamental human rights in the post-industrial age. But in just such a room today, a workshop on privacy concerns raised by the rapid growth of computer databases quickly became an examination of some profound questions about the individual's place in technological society." And so I think the FTC was a wonderful forum to develop ideas. So by 2000, the FTC commissioners felt that websites weren't doing enough to protect privacy. And finally, after years of encouragement and hearings and so forth, came to the conclusion that we need a federal privacy law to protect consumers. This was, I think, around the summer of 2000. In the elections that followed, we went from Bill Clinton to George W. Bush, who appointed a different chairman of the Federal Trade Commission. And the new chairman immediately withdrew the recommendation for privacy legislation. They did instead adopt the Do Not Call list, which Jodie Bernstein and I had sort of did the brain work on in the previous administration. And that had, I think, some success, although certainly some challenges as well. And so I think, again, the privacy issues went from the advertising division and financial practices division to a new division at the FTC dealing with privacy and identity protection. Since then, hundreds of cases have been brought in both privacy and security, using largely the unfair and deceptive trade practice authority of the FTC. So I think the FTC has done a fantastic job, but I want to recommend that instead of giving the FTC new powers under any new federal legislation that a new agency be created. And I want to offer five reasons why I think that's the case.
The first is that while the FTC's primary mission is protecting consumers, a lot of privacy is about values and rights. And I think having a new organization that is committed to that approach as opposed to just a protection approach would be very beneficial. Second is efficiency. I think there are lots of privacy statutes out there, some of which have homes and agencies, some of which don't, but HIPAA, the Driver's Privacy Protection Act, the Video Rental Act, the Gramm-Leach-Bliley Act, both privacy and security rules, all sit in a variety of places. And I think having them brought together under one roof for enforcement purposes and interpretation would be very helpful. There could still be overlapping responsibility with the agencies that currently handle them, but I think having an agency focused on bringing those laws together and having a rational approach to them makes sense. Also, a third reason is internationally, most countries have freestanding data protection agencies, I believe. I haven't surveyed all of them, but I would say certainly from my experience is the vast majority of them do. And I think they've seen the logic of having a freestanding agency. I think they will also interact better with the United States if it has a freestanding agency that's sort of on par with theirs in terms of having chairman of respective agencies and a central focus in the United States government for them to deal with. The fourth reason is the FTC commissioners have a lot on their plate, and I know from having been there for 10 years is dealing with financial issues and privacy issues, but the FTC commissioners are dealing with competition issues. And these days they're taking on the huge challenge of competition in the high-tech community, which itself is probably a full-time job, but they also have a whole array of unfair and deceptive trade practices.
I think having a separate agency would allow the people who ran that agency the ability to focus just on data protection issues and also develop the expertise, the technological marketplace expertise that you really need to intelligently regulate and enforce in this area. I think the Consumer Financial Protection Bureau, where I spent only a few months, is a good example of an agency that has taken authorities from a number of different places and housed them under the same roof and whether, for instance, applies the laws to both banks and non-banks and a whole range of different laws under the same roof. I think one lesson from the CFPB we've seen is that there are some benefits to having a commission structure instead of an individual director structure. The problem with the director structure is with each new president you can have wild swings on how the agency operates, whereas in a commission structure, usually the new president gets one or two appointees and maybe the opportunity to appoint the chairman, but it's a much more gradual process and I think industry and consumers, instead of going back and forth between a strong set of rights, weak set of rights, whatever it happens to be, having a smoother process would be very helpful. I know I was at the FTC when there was a transition from George H.W. Bush to Bill Clinton and it could not have been a smoother transition. The old chairman took the new chairman up to the hill, introduced him, actually stayed on the commission for a while as a commission member to ease the transition. And so I think there are some opportunities in a commission structure to not have wild swings, which I think probably benefits most everybody. 
And then the last one, I guess, is a financial budget issue, which is if you put anything inside of a larger agency that's going to compete for funds, whereas if there was a separate freestanding agency, it could make its own case for its budget and have that be the entire budget that went towards the issue of protecting both data protection and for security issues. And so that's my recommendation is that I, we may hear from others later on, but that, and as much as I respect the FTC enormously, I think that essentially privacy has grown from a small piece of the FTC in the division, advertising and financial practices to a separate division and I think it's ready essentially to graduate into a separate agency. I know the challenges of starting up an agency, having worked at the Privacy and Civil Liberties Oversight Board. I do recommend that if a new agency is created, it sit on the structure of the old agency until it's ready to separate, which was more the CFPB model, CFPB sat on the Treasury systems, payroll, email, website. That's very helpful. Sharon Franklin who's here and I had to start from scratch and that's much more challenging when you have no infrastructure at the same time when you're trying to get your job done. So it certainly eases the transition if you have a base agency to start with. So with that, thank you and happy to answer your questions.

Hi Dave Pereira from Amlix. Thank you for taking my question. Does regulatory capture concern you and if it does, how would you address it?

I think regulatory capture is probably an issue for every agency. I guess I don't see a big difference in whether it would be a freestanding agency or the FTC, maybe others do. But I think having it be independent, transparent, accountable to overseers but in Congress and the public is the best approach. I mean, I think that's always a risk but I think you can take as many steps as possible to make it transparent unless it's taken.
I mean, obviously industry has a greater chance to come lobby and meet with the commissioners than sometimes the private sector does but having a strong advocacy community I think would be helpful. Hi, I'm Carl Herkenroder with Communications Daily. I'm just curious, do you have any thoughts on the settlements that the FTC achieved with Facebook and Google? Are they protecting consumers? I haven't been studying the details lately. I know the FTC has both gotten praise and condemnation for those settlements. You know, as a staff person it's tough to try to balance, you know, sending the strongest message. You know, there are also litigation risks so it's easy to say we'll take you to court but having a well-funded opponent and not a lot of precedent on some of these issues makes it a challenge so I can't really give an opinion about either of those but I think having obviously clearly effective enforcement is gonna be critical to any agency and its ability to go into court and perhaps one thing in the FTC has a lot of independent litigation authority but if it seeks civil penalties it has to go through the Justice Department, maybe a new agency ought to have complete litigation and authority in terms of pursuing remedies. Paul Nelson from USAID. Just on the enforcement question I'm curious if there are any, do you think the current remedies available are sufficient even if they are housed in a new agency or if you think that there are other tools in the toolkit that you think would be necessary for them to be effective given the topic and given, you know, how ephemeral data is and how difficult it can be to protect it and the interests related to it? If I understand whether the toolkit is effective, the FTC is actually a very broad toolkit so I think if you carry that over to a new agency I think it would be well situated. 
First, the FTC has equitable authority to go into court and get restitution, get undue gains back from companies so I think it has a whole array of equitable issues plus it has the injunctive authority to go into court and get temporary and permanent injunctions and restraining orders against companies and then finally civil penalty authority which we saw certainly in the Facebook case and others is to impose fines or penalties on companies so I think that's an important array of authorities and I'm not sure what else you would add. I think it's important that the new agency have that similar array of authorities.

You outlined a series of advantages to separate agency. What are the risks?

Well, obviously it's a challenge to start up an agency which we can tell you about. It's obviously you have to make sure which people get chosen to lead the agency, whether the agency gets sufficient funding. The FTC I think has a track record that people are comfortable with. This would be a new agency that people would have to get used to and understand its authorities. So again, I think having it at the FTC is not the worst thing in the world but I think again because of the five reasons I stated I think having it focused in a new agency would be most helpful.

Yeah, I mean I think this is an agency, even if they enforce HIPAA you'd have to deal quite a bit with HHS. I think if you enforce Gramm-Leach-Bliley financial privacy they'd have to interact with the banking agencies quite a bit. But I think having just like the CFPB which has a dedicated consumer protection mission in the context of all the banking agencies and the FTC I think having a new privacy agency dedicated to privacy again in a broader context is an important way to focus attention on this issue. Thank you very much.

Thank you. What's that? We have assigned seating. We do, assigned seating. Okay, all set.

All right, well hello everybody. My name is Dylan Gilbert.
I am Policy Counsel at Public Knowledge where I work on our consumer slash user privacy issues. Thank you Eric and thank you OTI for holding this event for this important conversation on a topic that at first blush seems like it might be non-controversial but as we've seen already through some of the questions that have been floated up when it comes to enforcement some of the most contentious issues in the privacy debate actually are found under the umbrella of the enforcement topic. So we've got a lot of interesting things to talk about. Before we get going I wanted to have the panelists introduce themselves so we'll start here with Bob.

Hi, I'm Bob Gellman. I've been in the privacy business if you will for more than 40 years, 17 of those years I spent on Capitol Hill as a House staffer and for the past 20 years or so I've been a privacy consultant.

Hello, I'm Elizabeth Banker. I'm with the Internet Association where I'm Associate General Counsel and I work on privacy and intermediary liability issues.

Hi everyone, my name is Yosef Getachew. I am the Director of the Media and Democracy Program at Common Cause. Common Cause is a pro-democracy reform organization focused on holding power accountable and infusing our democracy values and our policymaking. We think privacy is both a democracy issue and a civil right.

And I'm Blake Bee. I am Program Counsel at the National Association of Attorneys General Center for Consumer Protection. Prior to joining NAAG I worked as an Assistant Attorney General for Mississippi Attorney General Jim Hood in his Consumer Protection Division and his Executive Office.

Great, thanks. So when we talk about enforcement, generally I kind of view it as being like a three level type of conversation. We've got the topic of enforcement at the federal level. This is gonna be a federal privacy bill that potentially will come as Eric mentioned at some point or at least some early iterations of that.
We also have the potential for state level enforcement of the federal bill and then individual enforcement through a private right of action. So I'd like to kind of take the conversation down that path starting at the federal level, the agency level and then moving down to state level and then to the private right of action at the end. So I think the first place to start is saying, okay, so what agency at the federal level or agencies should be in charge of enforcing a comprehensive federal privacy law? And we'll have Elizabeth kick us off on that. Thanks, Dylan. So I think in talking about enforcement, it's important to start by articulating the goals of enforcement. And I think what Internet Associations, members of companies could see as the goals is to reach a high level of compliance with the rights and protections for consumers in the law. With that, the things that help achieve that goal are things like having a lot of clarity about what the rules are, having an agency that is consistent in its enforcement, having an agency that does a good job of advising both businesses and consumers about what their obligations, expectations and rights may be. And so I think with those things in mind, we do think that a strong federal regulator is the best option and that the FTC is well-placed to do that. Certainly take David's experience into account and his expertise is far greater than mine, but I would note that the FTC has done certain things particularly well and hearing him talk about the history of privacy in the FTC really brought home to me one of those things is its ability to look ahead and be proactive. And I think that is definitely a characteristic we would wanna see in a federal regulator. 
I would note other things that the FTC has done particularly well are putting together messages and materials to help small businesses figure out how to comply with cybersecurity requirements, providing tools to consumers to understand what the rights are in given certain situations. And certainly in the enforcement perspective, just looking at enforcement of specific rules against particular companies or other entities, I think what we see there is the FTC can indeed be a strong enforcer, but I think a lot of the criticism that the FTC is receiving about how it does that is not necessarily fair because at right now to date it has not been given a clear mandate, a clear set of rules to work with and the resources to go with it in order to be that strong enforcer. And so as we talk about federal legislation, one of the things that we'd really like to see and hopefully we can talk about today are what additional powers, what additional expertise, what additional resources would the FTC need? And maybe it's not the FTC or it's an outgrowth of the FTC. I think that's less important than really understanding what it would take to be a successful federal regulator. But right now I think what we see is an environment where consumers really need to understand what the rights are and they need to have those rights protected. And so having a long delay that might be created by trying to stand up a new entity would not necessarily fit that goal. So I'll just add to that by saying that I think with the FTC we have seen multiple models of consumer protection laws where the FTC has enforced with really important contributions from state attorneys general. And so I think those types of additional support on enforcement can be very useful. Does anybody wanna respond to that? Yeah, I can just jump in. This might be a point I make throughout the discussion today but really the issue for me and for I think many folks is that privacy is too big for one entity to handle on its own. 
Even now the way our framework is set up is sector specific where you have the FTC as a general privacy agency but then you have the Department of Health and Human Services regulating HIPAA, you have Department of Education doing FERPA, you have other agencies like the FCC doing telecom privacy. And so the question is whether you set up a new agency or you have the FTC become the main agency with more powers and more authority, you have to figure out how do you incorporate all this expertise among other agencies and how do you set it up where you have a situation where you are getting the input from all the stakeholders in place because really privacy is too big and even if you do have the FTC as the main agency they're still gonna rely on the expertise of the FCC or HHS in certain situations whether it's through memorandum of understanding or through other frameworks. So I wanna get back to this issue of authority and resources that you mentioned and we also had a question from the audience about well was the FTC doing enough right now to have enough resources? What do you think? Do you think the FTC is doing enough right now? What additional resources does it need whether that's legal regulatory authority or if it's just sort of staffing or expertise? What are some of the ways that assuming that it is the FTC right now that would be the regulator? So I think that we hear comparisons every once in a while between how the FTC is staffed for privacy versus European counterparts such as the Irish Data Protection Authority and I think those disparities are quite noticeable. 40 people versus 800. So certainly having the right number of people is important. I think having the technical expertise is also critically important. So I think additional resources to help in that area is important. 
But then I would say I think having a more useful and clear set of rules to be enforced are the things that would ultimately allow the FTC to move a little bit quicker in enforcement actions and get to results more quickly.

Yeah, I think the key ingredient that's missing is rulemaking authority, particularly for areas of concern when it comes to data processing, data practices that harm several different types of communities, whether you're marginalized, whether you're a general consumer. We've seen the Section 5 unfair, deceptive acts and practices really extend to as much as it can, but without clear rules, without strong rules, it's hard to really go further than that. So that's the big thing that's missing.

So I wanna get to David's comment about privacy values and rights, which I think is an interesting point and sort of talking about sort of the culture, the way things are done at the FTC and when we talk about privacy as a right that is to be enforced, do you think that the FTC is equipped to enforce privacy rights and values? And if not, how do we equip the agency to do that?

So I guess I'll jump in on this. I can't speak to the culture of the FTC, but I can say that I do think that consumer protection in and of itself is a value and that the role that the FTC has and the way that it acts consistently with that role, I think shows that they can deal with values. And so I think whether it's privacy or consumer protection more broadly, I don't know that it's necessarily something that requires a new agency. I mean, I think that part of the process of coming up with a federal law, it will be sort of setting how we see this privacy right playing out in the context of commercial use of personal information, non-commercial use of personal information and all the different contexts where that's important.
And so I think that some of that work will be done by Congress, but I think that the FTC does have and has done a good job of keeping the consumer and what's best for the consumer kind of central to their focus. So let's talk about APA rule making that you mentioned, Yosef. So this was a topic that a couple of years ago seemed to be off the table as far as whether the FTC should have APA rule making authority to enforce a federal privacy law. Now it seems to be a little bit that we've shifted more towards what would the scope of that rule making look like. So I'd be curious to know what your thoughts are all of you on assuming that it's the FTC that's enforcing and that it has given APA rule making authority to sort of enforce the provisions in the federal bill. What should that look like? What are some of the rights that APA rule making should be tied to? Like for example, determining the contours of a deletion, right? Or is it just a broad across the board type of rule making? What do you think is the best way to operationalize that? Well, I think a lot of that depends on what your privacy law looks like and how it's divided up. Who it covers, who it doesn't cover, what you deal with, what you do with the problem of existing privacy rules and existing agencies. And until you know that, you can't figure out exactly what whatever agency you're talking about, FTC or someone else, how it will approach the problem. Typically what happens if you're trying to do anything of a broad nature, the first thing that happens is what will happen on the Hill, this what happened at the agency, all the affected industries come in and say, yeah, we love it all, we wanna be exempt. That's the first approach and that will happen on the Hill. And then you have to see how the law gets shaped and are we talking about online? Are we talking about offline? Are we talking about state and local governments? Are we talking about, how do you divide up the online world? 
They're not, everyone in the online space is not the same. And so do you have five different rules for online, 10, whatever, I don't know how you do that. And that's why you need more direction from a statute. Yeah, I agree with Bob. A lot of it depends on what the legislation looks like since a lot of the bills out there have a set of provisions that just kick it to the FTC to say, all right, create rules around all of this. But I think when you're talking about rulemaking authority, you wanna have a broad scope for an agency to enact rules encompassing a lot of different areas when it comes to privacy. So that could be transparency provisions. So consumers have easy understandable notices what data is being collected, use restrictions on what data can and cannot be collected, particularly around sensitive data. I think the big point is making sure that rulemaking authority is constantly used or adopted when we're seeing new harms arise as opposed to a piece of legislation that might limit an agency to just a few set of provisions. Can I make a further point? If you look at the European approach to privacy, Europe has a very high level, the directive and the GDPR, high level standards. There are a lot of details in there, but basically the standards are very high level. That's not the American approach. That doesn't mean it doesn't have to be, but the American approach is to write a law and then to write rules that go on forever. The lawyers come forward and ask all kinds of questions about what the law means and you get rules to try and answer them and all they do is create more questions. And so an agency, if you wrote a very broad-based privacy law and whatever agency has to implement that, could write 10, 20, 30,000 pages of rules. It could take decades to do. It's a real challenge. Can I just add on? 
I do have a fear about that and I think the European model is interesting and it may be that in this particular case, I think as we talk about federal legislation right now, what's clearly called for is something that's going to be very broad. It's going to cross a bunch of different sectors. It will be offline and online. Like the GDPR, it could be both business uses and nonprofits and even individuals in some cases, perhaps with exceptions. So in order to accommodate all of those different potential use cases, having rules that are incredibly detailed and prescriptive will make it very difficult for that type of law to either be written or to be implemented through regulation. And so I think we need to think about taking a different approach at this stage. Do you have something in the same way? No, but we'll never get to that. So okay, we'll keep on this topic. Let's bring in the idea of potentially having a new regulator. Bob, do you think that if we weren't gonna go the FTC route, what would perhaps be the best approach to having a new regulator? Do you agree with David? I do, but I wanna talk a little bit. David made a positive case for a new regulator, not the FTC. And Elizabeth made a positive case for the FTC. And I wanna say a few words about the FTC of a negative persuasion. I've been in the privacy agency space since the mid-80s when I wrote a privacy bill that got introduced for a number of Congresses, never saw any action. In 1993, I don't wanna say I've been around a long time, I wrote a large article of what is now the early history of the idea of a privacy agency and what was going on in government. It was called fragmented, incomplete, and discontinuous as a description of what had gone on to that point. And I look back at the article in preparation for today and there was hardly any mention in there of the FTC. 
The FTC wasn't, I'm not saying that the FTC wasn't involved in privacy at all, but in terms of broad-based looking at privacy regulation, no one saw the FTC up to that point as a solution. And I think the FTC's principal role was as regulator of the FCRA, the Fair Credit Reporting Act. And I think the FTC's job in doing that was mixed. I think the FTC came to prominence in some ways as a US privacy regulator as a result of the interest in privacy in the EU. If you go back to the Reagan administration, the Reagan administration and the American business community was trying to fend off the privacy activities in Europe. And the argument was that the American approach to privacy, whatever it was, was just as good as the European approach, but it was a little bit different. And I think that what was missing there in that argument was there really wasn't any clear enforcement that was a parallel to the DPAs, the Data Protection Agencies in Europe. And so the FTC got promoted as a privacy regulator. And back in the day, 20-some years ago, I used to appear at panels like this and I used to say that if I had a dollar for every time an American businessman or the US government official went to Europe and talked about how great the FTC was, I could take everyone in this room out to lunch. But if I had a dollar for every case that the FTC actually brought, I couldn't buy myself lunch. And that's not true today, there have been more cases. I think many of the cases that the FTC brought are meaningless. Almost all of the cases are cases brought under the deception authority rather than the unfairness authority. And I don't think we learn anything at all from deception cases, one's just the same as the other, except that the lawyers learn to write vaguer and less clear privacy notices so that they can't be held accountable for them. 
I think that a lot of cases at the FTC by numbers were under the Privacy Shield or Safe Harbor against American companies that claimed to be in them. And those cases were fine. They did absolutely nothing for American consumers. They diverted resources that the FTC could have used to protect American consumers. And the whole purpose of those cases was so that the American business community could stand up and say, see, we're enforcing this. There were absolutely no consequences to companies that claimed to be in the Safe Harbor or Privacy Shield and weren't, they just were given a slap on the wrist and told to do better. So it was all sort of a paper exercise. In 2013, I took a look at the FTC's privacy cases and I looked at OCR, the Office of Civil Rights, which enforces HIPAA, which was a relatively new law. It came in around 2000, give or take. And they had been enforcing the law for, so I looked at 10 years' worth of records. And on the numbers of cases that were brought, OCR brought about 2,000 cases a year in the health community. How many cases did the FTC bring a year? 20. That's two orders of magnitude difference. And there's some reason, I'm not gonna make the argument here, there's some reason to suggest that those cases actually overstate the importance and the numbers of the FTC cases. OCR had a much narrower jurisdiction than the FTC did. So I don't think that there's much of a track record of the FTC after all of these years. And ultimately, the FTC never really recovered its mojo after Magnuson-Moss some years ago and basically took away the agency's rulemaking authority. And I think that the people at the FTC, there are a lot of nice, bright, competent people there trying to do the right thing, but the agency is institutionally incapable of doing what needs to be done. It's basically scared to death of using the power that it has. 
And why do you think that a few years ago, the telecom industry wanted to move its privacy regulation from the FCC to the FTC? Have you ever heard of anyone that wanted to move from a stronger regulator, to a stronger regulator from a weaker one? It's the other way around. They wanted to go to the FTC because they knew the FTC would not be a strong regulator. One more argument I wanna make. This is sort of inside baseball in a lot of ways. One of the reasons I wanna get away from the FTC is the FTC has a Bureau of Economics. It doesn't get as much attention necessarily in this context as other bureaus, but basically the Bureau of Economics has the heart of Scrooge. It's a bunch of narrow-minded economists who have no understanding of the soft values that privacy represents, the social, political, informational consequences. If you wanna know more about it, I'm not gonna talk about it further. I suggest you read Chris Hoofnagle's book on the FTC, where he's got a discussion of this. I want a privacy agency that's not stuck with the FTC's Bureau of Economics. So Bob not pulling any punches there when anybody liked that? Anybody like to respond to any of that? Well, yeah, I think a lot of what Bob discussed goes to the current constraints of the FTC under its Section 5 authority, under its various bureaus that it has, under its resources that it has. For an agency that oversees privacy, it has about 40 staff that's looking into these issues, which is nowhere near adequate for the amount of privacy issues. And again, what I said earlier, privacy is too big for one agency to handle. And so I think a lot of the concerns Bob raised could be addressed by giving the agency more resources, giving it rulemaking authority, giving it more oversight over the concerns that we all have. But on the flip side, without endorsing a new agency, I think part of the challenge is that the mission of the FTC is consumer protection, but it's also competition. 
And there are competing priorities and a lot of different issues within consumer protection. It's not just privacy. And so if we want to move towards an agency whose sole mission is to protect our privacy and to look at privacy as a social good, as a democracy issue, that might be something another agency might be better suited to do, or it's using a bill to potentially, without being too controversial, kind of reframe the FTC's mandate or mission to look at issues beyond competition and consumer protection. So Bob, do you think that if the FTC was given the APA rulemaking, it was given a clear mandate from Congress as to what it can, it should, and should not do with enforcing privacy, and it was given more resources? Would that still be inadequate in your view? I think I would prefer otherwise, but I'm sure under those circumstances, it's got the potential to do a better job. No question about that. So if we do a new regulator, do you think that it should be modeled after CFPB? Do you have any thoughts on what would be the correct model? Well, my original proposal back from the 80s for a privacy agency was just basically for a non-regulatory agency. All you had to do was have a press secretary that could point the finger at whoever was doing something obnoxious in the privacy space. And in the 80s, that was probably enough. And over the years, over the decades since, I've sort of wavered on that idea. There's been a lot of developments in privacy to say the least and a lot more public interest. I'm not sure that I have the answer, but I think that if I were rewriting my bill, I think I might do a fill-in-the-blanks agency. We have a bunch of privacy regulators already and trying to take power away from anyone who has power is about the hardest thing there is to do in Washington. And I don't think that will work. And it's got a lot of parliamentary problems as well. 
One of the difficulties in this whole space is any comprehensive privacy law that addresses existing privacy laws will get referred to about six or eight committees on the Hill and will be absolutely dead as a doornail unless it's the number one priority of the Speaker of the House. That's the only way you can get a bill through the House that crosses all of those parliamentary lines. My idea of a fill-in-the-blanks agency would work with the existing regulatory agencies. I don't know that it would have to be regulatory. There's a lot to be accomplished by passing into law a set of high-level principles and I would propose fair information practices as the principles and just tell everybody, go forth and do the right thing and comply with fair information practices. No regulations, figure it out for yourself. And I would give the agency a lot of soft powers to try and help people do that and to work with other agencies, federal and state in order to accomplish that goal. It's sort of a half-baked idea. I don't have all the details but there are a lot of soft powers you can give an agency and you can always give it regulatory powers later on if you find out that a soft approach doesn't work. So other panelists, why not do a new agency? Well, I mean, as I said earlier, I think that there's a lot of effort that is required to create a new agency. I think obviously we at IA have an interest in seeing federal legislation soon. We think there would be a benefit for consumers and for businesses to avoid having a patchwork, which I'm sure is something we'll talk about a little bit later. But looking at what type of new agency it would be, I think it'll make the legislative process harder and then kind of while David suggested, I think a good way to kind of ease some of the pain of creating some new entity. 
I remember well before DHS existed and what was required to bring together all those disparate pieces to create a new department and maybe this wouldn't have to be such a big lift but there was really a pretty long period of time before it started functioning the way you would expect an agency to function and I think that we just have to be realistic about timing and what's needed now and that doesn't necessarily mean we should compromise now but I think if we can achieve a lot of our goals working with the FTC, I still think that that would be the best route forward. Well, speaking of timing, we have a lot of things to talk about. So let's talk about the state level enforcement now and Blake, what are your thoughts on the states? Should they play a role here or not? Absolutely they should and I know I'm the last to speak but I was thinking about these comments and first of all, I've got to give you the lawyer disclaimer, my opinions are my own since I'm the one up here representing 56 elected and appointed public officials. I'm speaking for myself, not them or NAAG. When we're talking about strengthening a federal law, creating a new federal law, the state AGs are automatically going to have their antenna poked up about preemption and removing their authority to protect their consumers, protect their citizens in their own states and I can tell you my members care very much about their ability to protect their consumers. So they do not want to be preempted, they do not want to lose the authority to look after their citizens and when we're talking about a federal law, it shouldn't be less strict than an existing state law because as the panel's discussed, sometimes the FTC or any federal agency doesn't have enough resources to enforce the federal law and in that instance, the state AGs can and have stepped in to look after the rights of their citizens and bring to account some of these companies who are doing wrong. 
So, Yosef mentioned that the privacy space is too big for any one agency to handle and if that's the case, that's all the more reason you need the state AGs as a backstop because they can hedge against, they're a hedge against industry capture, they're a hedge against political pressure that could be applied to any federal agency. Since our members are diverse, our members are multi-partied, they have the ability to step in if one industry, excuse me, one agency has taken a policy position or a political position one way or the other. So that would be my thoughts on how we navigate this challenge because I read a Reuters story last week and it doesn't look like there's gonna be a federal bill by January 2020. So I think companies are gonna have to adapt to the existing state laws that are there and we'll get to see how kind of the privacy functions move forward and certainly understand and the states understand that having to deal with a patchwork can be difficult but companies and industries do that every single day. If you're going to do business in a state, you're agreeing to abide by all of their laws. So it's important that our state AGs remain involved and have the ability to protect their consumers. Thoughts, reactions? Well, I said earlier, definitely, I think there is a role for state AGs. I think we're in a really unique time though because we have something in California with the CCPA that will be going into effect but it really was and in many ways still is the only kind of state level comprehensive privacy law. Much like we have a sectoral approach at the federal level across states, we have a lot of very issue specific privacy laws. So whether it's biometrics, data brokers, ISPs, facial recognition, we have these specific issues which I think just adds to the complexity of this idea of a patchwork. 
And I think one thing we're particularly concerned about is it becomes impossible at a certain point for a consumer to I think keep track of where they are in the United States, who they're dealing with on the other side and whether or not that party is going to be subject to the law where they live. And so as you travel around and stay in different hotels and buy from different vendors or you find some unique supplier of something you want in a far off state, that seller may not have sufficient contacts with California to be subject to the law there. And the California law has carve-outs. So do consumers need to know what the size of the businesses that they're dealing with to understand whether they have rights to access and deletion? So those are kinds of the things. It's not just the company's ability to comply. I mean, I think we've seen with like security breach notification laws that it is possible to comply. But for a number of reasons, I think that that is not what is best for consumers or for the business environment. So I kind of see a couple of different threads here. One is just the sort of this ability of state AGs to sort of enforce a comprehensive federal privacy law. And then that's the sort of interplay with preemption. So let's go to the former really quickly. Is there anybody that doesn't think state AGs should be enforcing the federal privacy law? Okay, yeah. So then Yosef, what do you have thoughts on the preemption issue? Sure, I mean, so I think states given Common Cause and the number of state chapters we have, we strongly believe that states are the laboratories of democracy. They have time and time again experimented with laws and provisions that they think are in the best interest of protecting their residents, their communities. And so we typically see preemption as something that's potentially harmful. We'd like to see a federal bill that's more of a floor than a ceiling given that phrase as you use repeatedly. 
But to your point, that states have done a number of different types of privacy bills, whether it's facial recognition or biometrics or anything else related to privacy. I think that goes to the complexity of the issue, but also the fact that states are seeing that some of these practices are being harmed or are being abused in their communities and they want to do something about it, which is not being addressed at the federal level. Now with this idea of consumers not necessarily knowing where to go or what's the best provision, I think at the end of the day, they want privacy protections and they want a framework that they know they're going to have their data protected. And so what we've seen in terms of other frameworks is that when one state, maybe it's California right now, passes the strongest privacy bill among other states, that kind of forces companies to comply with that and they apply that in other states. And so I don't think it's gonna be a situation where if you're living in one state that doesn't have a California-style bill, you may not necessarily get similar protections because yeah, companies don't want to comply with different types of provisions, so they'll just apply the strongest and apply that amongst as many states as possible. So I think we should probably just trying to figure out time here. We're gonna leave 15 minutes for questions. I would like to move on to the main event, which is the private right of action. The most contentious topic within the enforcement conversation, I would argue. And so the first question is the basic question, should consumers and users be able to enforce a federal bill individually and or as a class through a private right of action? And so, Yosef, why don't you kick off the conversation there? Sure, short answer is yes. Okay. So really, when you get back to how our democracy is shaped, how our democracy is structured, it's really heavily reliant on individual participation. 
Individuals participating in our political and government institutions, being able to petition the government, being able to write their member of Congress, being able to talk to their state legislators, that's kind of how our democracy works. And a private right of action is kind of the extension or kind of part of that democratic participation where you can have individuals empowered to protect their own privacy rights. So we think this is really important for a couple of reasons. One, as I mentioned again, privacy is too big for one agency to handle. So part of that means that individuals should have the ability to sue companies if they think their privacy is being violated. And in certain situations, it could be a situation where an agency isn't fully handling one issue where there's a clear harm. We've talked about regulatory capture. So in a lot of situations, if an agency is captured by a certain industry, they may not be as willing to enforce against that agency. Congress also plays a role in this situation where if Congress doesn't necessarily want an agency to go after a certain situation, they may withhold funds, they may not necessarily empower that agency to really protect consumers in a particular way. And so this is why a private right of action is particularly important in situations like this. And in the civil rights context, we've seen that not in many cases, individuals haven't always been able to rely on the government or government institutions to protect their civil rights, which is why in a lot of civil rights provisions, there is a private right of action to make sure that individuals are empowered. And kind of the flip side of a private right of action, there are provisions in certain bills, which we think are really dangerous where they allow for forced arbitration. And it really is an anti-consumer, anti-democratic way to go about privacy protections. 
We think with a forced arbitration framework, you have situations where that really allows industry to potentially control how a case is decided without much empowerment from the individual. At the same time, with a forced arbitration framework, you don't have a situation where you can have a legal precedent for whatever the harm is being litigated against. It's just within that arbitration context. And so it may not be able to empower a class or a community of individuals allowing for the same harm. And really it's just not cost effective for an individual to go through all of that as opposed to going through the private right of action route. Any thoughts on the private right? Well, I'm largely in agreement with what we just heard. I think that privacy is a really complicated subject, multifaceted, we need all the kinds of enforcement that we can get. Even the scummiest class action lawsuits that come along either in privacy or in other fields are sometimes the only protection that consumers get. And even if consumers don't get any direct relief out of it, it provides some degree of enforcement. It provides a reason why companies should do the right thing just to avoid being the subject of lawsuits. On the other hand, in an ideal world, I would have a full private right of action. It's not going to happen. It's too controversial. It's like preemption. And you can't look at these issues as black and white, all or nothing. There are a lot of ways to divide up the preemption pie. There are a lot of ways to divide up the private right of action pie. And I think what has to happen is the people at all sides of these issues have to begin to look at ways of finding accommodation, finding middle grounds, putting some kind of agreeable limits, be they it could be putting a cap on damages, it could be setting procedural requirements before you can file a class action lawsuit. One of the thoughts for my fill-in-the-blank agency is it might be a kind of clearinghouse. 
You might have to go there to get your ticket punched before you can file a class action lawsuit in court. I'm not sure how that would work. It's just an idea at this point. But the point is there are plenty of compromise positions available on all of these issues and what has to come out of the political process is an examination of all of those and finding a way to put all the pieces together in a way that'll get a majority vote. Anyone? I agree with many of your comments and I think what we're really missing right now is a privacy bill to have that, to be the context for that conversation. But maybe going to a few of the points that have been raised, I think state AG enforcement can achieve a lot of the goals that have just been mentioned for having a private right of action. And I think there are just a few problems with using litigation as a solution and you also have mentioned precedent. With the FTC and their enforcement actions, even when it's settled via consent decree, we get to see a complaint. We get to see a consent order. And I think that provides certainly learnings for businesses that care and are looking at how the FTC is interpreting the law and how they're applying it in given cases. What we see happen a lot in class action lawsuits in particular are that there are settlements where you don't necessarily know what the terms of the agreement were, whether the company that agreed to settle did it because of the cost of the litigation or because there actually was wrongdoing and it doesn't necessarily create rules that other people can look to and follow. And then to one of Bob's points, I think we all wish we were in a world where if you were following the law, you would not be sued. But I think that the fact of the matter is that that's not the world we live in. 
And so certainly, I think we have to be realistic about that when we talk about a private right of action and what form it would take and whether or not it would be the right type of remedy. I just go back to kind of my starting point. You talk about enforcement, you've got to talk about the goals of enforcement. Definitely see the goal of enforcement as bringing up the level of compliance with whatever obligations and responsibilities and consumer protections Congress seeks to put in place. And I don't know that private litigation's as well positioned to do that. Anybody have thoughts on the goals of enforcement and any disagreement on that? Yeah, I think we could have a conversation around what a private right of action looks like in terms of what provisions are included, what's considered substantive, non-substantive. I don't buy into the argument that a private right of action in and of itself isn't useful for consumers. It's one tool in the toolkit to protect consumers and to really make sure that if the agency isn't acting as a cop on the beat, there's another framework in place to get there. And so I think shifting the conversation from what does a private right of action look like as opposed to just it can't work is something we have to get into sooner rather than later. And then it's really going into the substance of a bill to make sure if we have all the substantive protections in place, then we can kind of decide how a private right of action can look. So let's open it up for questions. Hopefully we've got some questions from the audience now. We have microphones moving around. My question's for Blake. I'm wondering since state agencies have had the ability to enforce COPPA for like many years and there have been like very few enforcement actions around children's privacy. 
I guess I'm wondering if you could speak to why that is and why you think or if you think a federal privacy law would be different and if states would be more focused on bringing those actions, thanks. That's a good question. And COPPA is interesting. There have been a couple of cases out of Texas and other states where they have, the state has gone into federal court to enforce COPPA and federal law. I think when crafting a federal law the legislators need to be very careful about how they want to include AG enforcement. If they want to include it as you can go into federal court and take action, what we've seen is state AGs have been, at least in the COPPA space have not been as eager to run into federal court. However, if you look at other federal laws that allow the states to enforce it in state court, such as Dodd-Frank, you see a lot more activity. Hi, David Brody from the Lawyers' Committee for Civil Rights Under Law. I also have a question for Blake. State AGs play an important role in enforcing civil rights protections. And a lot of state laws might go beyond federal law. So today in the Supreme Court there's a case about whether Title VII protects LGBTQ individuals. Well, there's state laws that make that a lot more explicit, for example. When we're thinking about privacy and the use of personal information, we're oftentimes concerned with the use of that information in discriminatory ways. Can you talk a little bit about the role of state's attorneys general in this space, protecting civil rights online and protecting against discriminatory uses of data and how you think that fits into a balance with a federal law in these sorts of floor-not-ceiling preemption debates? That's a good question. I can mainly speak to that in a policy context. 
So yeah, if you have a state law, no matter if it's about civil rights or another issue, and it is stronger than a federal law, and if a federal law comes along and preempts the state from acting in that space, you have lost greater protections for your citizens in that instance. So again, that can go from any type of law, whether it's LGBTQ protection or other vulnerable populations. States have that ability to pass a very strong law and take up the space that the federal government is not. And yeah, if a federal law comes down and preempts the states from occupying that space, those protections can be gone. You guys talked about how you were hoping that strong regulations in California would eventually be spread to the other states. But the GDPR and the European Union, I wanted you guys to talk about how you think that international data privacy laws will affect companies like Google. Well, I think that they already have. I think that some of the US multinational companies are aware of the need to comply with privacy laws all around the world. I mean, there are at least 134 countries that have national privacy laws. The only country of any significance that doesn't have one is guess who? It's us. So companies that are good actors are paying attention to that. I also think that there will be significant enforcement against some of these American multinational companies, in particular in Europe and possibly elsewhere. And I think one of the things that's happened here that may provide an incentive is the Facebook case at the FTC. Fine levels now are in the billions of dollars, and Europe has plenty of authority to impose significant fines. And $5 billion more or less for the US Treasury doesn't make much of a difference, but you can imagine some smaller countries in Europe or maybe elsewhere around the world may see privacy as a profit center as a way of balancing their budget and generating revenue because there are plenty of violations of laws. 
So I think all of this stuff that we're talking about in the US about different levels of laws and conformity as being a goal that I think a lot of people would like, although we wanna know whether the conformity is at this level or at this level, I think a lot of international laws have already done that. The EU has clearly been the opinion leader around the world and most laws around the world look like EU laws to some extent. The degree of enforcement remains to be seen, but I think that there is and has been and will continue to be a lot of influence from the EU either directly on companies that are regulated or even on companies that are less regulated by them because it makes sense to have one privacy rule if you can do it. And to, if I could just touch on that, on the question or the issue of uniformity since we know we're not gonna have a federal bill this year, the Uniform Law Commission as I'm understanding it is creating a model bill that can be filed in state legislatures and remember state legislatures convene most of them beginning January one. So I think you will see states attempt to occupy this space and try to create some uniformity. Maybe that's through this model bill that's gonna be put out there by the Uniform Law Commission or a potential federal bill that is introduced and then the states could take that and use that in their legislatures as a model. So I think you'll see the states acting in this space with a good deal of force come January, at least in the introduction and drafting legislation whether it gets passed, that's another issue. I wanted to piggyback a little bit on the comment that David made about aligning with international enforcement as sort of one of your five reasons for creating, excuse me, for creating a new agency, a new data protection authority in the United States. And I was wondering if any of you all had any thoughts or responses on that? 
Whether can we equip the FTC, can we get the FTC in a place where it can align with international enforcement or is that just a reason why we need a different authority? Well, the FTC has been involved with the DPAs in Europe for some years. I don't know whether, is it recognized still as the equivalent of a DPA or is it some ambiguous? Yeah, anyway, it's not, it doesn't have the authority that the DPAs have. On the other hand, a lot of the DPAs have authority that they don't exercise. So I think that there is some degree of flying in formation internationally but the FTC can only do what it's capable of doing either under its legislative authority or what it's actually willing to do with the authority that it has. So there's good and bad there. Other questions? Hey, so my question's kind of about when you talked about the FTC bringing a bunch of cases mostly under deception and not under unfairness. I mean, I know in New York, the Attorney General has brought a few cases under deception as well where they're like, oh, you didn't disclose your privacy policies, that's a deceptive act and you said that was kind of useless, the fact that they used deception and not unfairness. I was wondering if you could talk a little more about that and what you think the distinction is and how it would have been better if they used unfairness or an example of that. Well, all the deception cases are, I'm not saying that they're useless, mind you, but all the, and at some degree, I'll take enforcement of any type wherever I can get it. But the deception cases are typically, you said one thing and you did another. I'm gonna give you an example of a case. I wasn't really involved in this, but a privacy advocacy group filed a complaint. This was years ago. The goal was to try and get the FTC to use its unfairness authority. And so the complaint that was filed said, this company offered an opt out and it said to its users, if you wanna opt out, you have to opt out via snail mail. 
Well, that particular single standard is unfair. Nobody opts out by snail mail for an internet activity. And the complaint was filed that this was unfair. This was a really narrow single bullet right in the center of the target. How could anyone say this wasn't unfair? What did the FTC do with it? They looked at the company. They read through its privacy policy. They found something that was deceptive and they brought a deception case against it and they ignored the complaint. It's too easy to do that. And the agency doesn't have, the goal of that privacy advocacy group was to go through and pick very narrow, specific activities that companies were engaged in and give the FTC the opportunity effectively to write rules through cases. And by saying opting out via snail mail on an internet activity is unfair. And you can go through other specific kinds of activities and find that they're unfair. Well, the agency isn't willing to do that. And so they say, well, your privacy policy is deceptive because you said one thing and did another. We just don't learn anything from it. Maybe we get a better written privacy policy but that doesn't really help very much because nobody reads privacy policies. We already know that. Whether you change company practices is the issue and that's the goal and you can do that more through unfairness and set standards for everybody else than you can through deception. Yeah, just to quickly add on, I think one of the challenges with the unfairness standard is that it's not only something unfair but is that practice outweighed by any benefits that a consumer might receive? Are there any economic advantages to that practice? And is that better than anything that could be considered unfair? And this goes to kind of the heart of whether we need the FTC or another agency when its mission, as of now, is to look at issues through this UDAP lens which isn't necessarily going to be always pro-consumer. 
And so that can be a question of changing the mandate or a new agency. Good questions. So I think of that. Well, please join me in thanking our panel.