For a few weeks now, rumors have circled Washington that the U.S. Federal Trade Commission is negotiating a potentially record-breaking fine of Facebook for alleged privacy violations. Media reports have placed a potential fine in the $3 billion to $5 billion mark, and just this week, new reports state negotiations also include a slew of new privacy positions as part of the FTC settlement. 

With that as a backdrop, FTC Chairman Joe Simons joined IAPP Chief Knowledge Officer Omer Tene for an in-depth conversation here at the Global Privacy Summit in Washington to discuss FTC enforcement priorities. The immediate takeaway? Though not specifically commenting on any one case or company, Simons suggested record fines are on their way. 

Not surprisingly, Simons also advocated for the agency to get civil penalties "right out of the box. We're not in a position to get monetary relief for the first violation, only after the first consent order." He'd like to see that change.

Simons also commented extensively on the California Consumer Privacy Act and, subsequently, a potential U.S. federal privacy law. "The CCPA is in flux right now," he said, "so it's hard to get a gauge of what it's going to look like when it goes into effect." That said, Simons noted the CCPA "has galvanized the U.S. Congress to start thinking really hard about federal privacy legislation. We've encouraged them to do that." 

The crux of any conversation about a federal bill these days is preemption. Simons suggested that before the CCPA, talk of preemption was essentially a non-starter because proposed federal laws had been so watered down. That meant enthusiasm for preemption was low. Now the Hill is thinking more substantively about it. 

Simons said, however, that there could be a tradeoff: a federal bill with preemption that would allow state attorneys general to enforce the federal law. He also said that he has a sense preemption would be narrow and not include the FTC Act or privacy torts. 

And what if the impossible happened and the U.S. Congress passed a federal privacy law? Would the FTC be able to enforce it? Simons said the agency would certainly need to hire extra staff in its enforcement division and extra technologists. "It would take a while," he said. 

He was less enthusiastic about gaining rulemaking authority, however, saying it's incredibly cumbersome. "We can only pass rules under the authority we have, and we don't have much authority ... Even if we passed a rule that was GDPR-like, it would get overturned in court." 

Simons said this is an area that should be decided by the democratic process. "It's important that Congress decide these issues on cultural tradeoffs. These should be decided by elected officials." Otherwise, trying to make new privacy rules could tarnish what has traditionally been a bipartisan agency. "Putting rulemaking in our lap could damage the agency."