The U.S. Federal Trade Commission (FTC) has understandably been the focus of much attention in the data privacy world. The FTC is considered by many to be the primary U.S. data privacy regulator, and this blog has gone so far as calling the FTC the U.S.’s de facto data protection authority (DPA). We respectfully disagree. The FTC is facing unprecedented challenges, while state attorneys general (AGs), who have similar—and in some instances greater—authority, are taking more and more steps to protect the privacy of their citizens.

Although the FTC has used its authority under Section 5 of the FTC Act to regulate data privacy, it is facing a number of hurdles that could curtail such use, including:

  • Challenges from litigants: The FTC now is facing not one, but two high-profile challenges to its authority to regulate data privacy and cybersecurity. In addition to the Wyndham case, LabMD also is fighting the FTC’s allegations that the company failed to protect consumer data, claiming, like Wyndham, that the FTC lacks authority under Section 5 of the FTC Act to bring a data security enforcement action on unfairness grounds. If successful, the FTC’s authority to regulate consumer data privacy could be radically restricted.

  • Congressional skepticism: Last week, all four sitting FTC commissioners testified in their first-ever joint appearance in Congress before the House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade. The commissioners called for federal privacy legislation while facing inquiries from lawmakers who questioned the FTC’s budget and scope of its regulatory actions.

  • Dissension in its own ranks: Last week’s hearing highlighted another issue nagging the FTC—the scope of its “unfairness” authority. Although the FTC Act provides the FTC with the authority to prevent unfair acts affecting commerce, Commissioner Joshua Wright has suggested that the FTC has not sufficiently outlined its interpretation of “unfair,” a criticism echoing the challenges made by Wyndham and LabMD.
AGs, on the other hand, do not face these same barriers.

Most AGs have authority to protect privacy under their state unfair and deceptive trade practice statutes (UDAP statutes, often referred to as “mini-FTC Acts”). Notably, these statutes do not contain the same limitations on recovery of civil penalties as the FTC Act does (under Section 5, the FTC cannot recover penalties for violations of the act itself, but only for violations of a rule or final order issued by the FTC). AGs also draw on a wide range of other state data privacy laws and regulations (including a host of new California laws, Massachusetts data privacy regulations, Nevada’s PCI compliance law, etc.).

AGs also have concurrent authority with the FTC or other federal regulators under various federal laws, such as the Children’s Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA) and others. AGs are demonstrating that they are not hesitant to use their authority to enforce the privacy rights of their states’ citizens. For example:

These are by no means the only examples of AGs exercising their authority to police data privacy, but they more than amply show that the FTC has some stiff competition for the title of U.S. DPA. The FTC is certainly a significant concern, but companies that are cavalier with their customers’ privacy ignore AGs at their peril. Thus, rather than having one de facto DPA in the FTC, the U.S. actually has 50+ such DPAs.