Privacy advocates want it. Tech companies want it. Lawmakers are considering it. But if federal privacy legislation does come to be, who should enforce it?

There are essentially three options here, and they are not all mutually exclusive: the U.S. Federal Trade Commission, which has some experience enforcing privacy; state attorneys general, who are already becoming increasingly active in the area; and some sort of new federal data protection agency.

The FTC wants the job, as Chairman Joseph Simons made abundantly clear in a testimony to the Senate Committee on Commerce, Science, and Transportation Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security a few months back. (The agency declined to provide fresh comment on pending legislation.)

"The commission urges Congress to consider enacting privacy legislation that would be enforced by the FTC," Simons said. "The Commission and its staff are prepared to share our expertise and assist with formulating appropriate legislation, as we did with the Children’s Online Privacy Protection Act, CAN-SPAM, and the Gramm-Leach-Bliley Act."

The agency has an annual budget of more than $300 million and employs more than 1,100 staffers. It has, over the years, handled five dozen privacy cases. That's a far cry from the caseload it might expect if the U.S. gets anything analogous to the EU General Data Protection Regulation, but some of those cases have involved big names like Google, Facebook and Uber.

On the other hand, the FTC lacks the ability to levy civil penalties, as well as authority over nonprofits and common carriers, as Simons griped to the subcommittee. And civil society groups are not particularly impressed with its track record on the privacy front.

For that reason, dozens of privacy advocacy groups in November issued a series of principles for new federal legislation that would involve a new EU-style data protection agency.

"We think that the FTC has historically failed to address data protection and regardless of what might be in any new legislation, it's so encumbered historically by a significant number of internal conflicts that it simply cannot so the job," said Jeff Chester, the executive director of the Center for Digital Democracy. "The Federal Trade Commission has been engaged in serious self-restraint over the decades when it comes to regulating the most powerful digital media companies. … All the advantages that the U.S. digital marketing industry has developed over the last 10 years that eviscerate privacy have been made possible by the failure of the FTC to act."

Chester added, "Practically, our call for a new agency might translate into greater authority for the FTC that could help assist it in tackling the market. But we've called for a new agency and we are really pushing heavily in Congress to get a law enacted that reflects the framework that is intrinsic to the GDPR."

That would not, however, mean all the enforcement power accretes to the new agency. Chester argued that, for example, when cases involve granular, geolocation-based personalization or where the data practices of a mom-and-pop store are in question, it makes sense for the states to play an important role. "There's no way that one agency, even an emboldened and better funded FTC, can really deal with what's going on," he said. "You need a privacy multiplier to protect the public, and that should be the states."

Of course, it's state activity in the privacy arena — in particular, the California Consumer Privacy Act — that helped lead big tech to decide last year that a federal law might not be such a bad idea after all.

"There has been a considerable push by industry groups for a federal privacy law that would create a nationwide standard, including recent comments submitted by the Association of National Advertisers with the Federal Trade Commission advocating for the FTC’s support of a federal law," said Scott Pink, special counsel at O'Melveny's Silicon Valley office. "While there are several federal privacy bills pending before Congress, it is difficult to predict whether and what type of law would pass a divided Congress at this point. However, the likelihood of federal legislation would go up if we continue to see major privacy violations in the headlines or major compliance issues with the California law, as each could prompt federal action."

Activists such as Chester say companies are after something that avoids a fragmented regulatory landscape while also being less strict than the Californian law (which will be enforced by the Californian state attorney general).

"The fact that killing state regulation is at the top of the industry death-wish list is reason enough for us to fight against the push for pre-emption with all our political strength," Chester said. "We'd like to see a strong federal baseline, but the states are given a free hand to enact stronger policies."

Pink said that, if a federal law is passed that pre-empts conflicting state laws, the primary enforcement should be at the federal level — by the FTC, because of its "long history of guidance and enforcement in the area of privacy" — for consistency's sake. However, he added, "I could also see a role for enforcement by state attorneys general, similar to how the CAN-SPAM Act is currently enforced."

And while Washington deliberates on the need for a federal law, California is keeping busy. Earlier this month, Attorney General Xavier Becerra introduced a new bill to strengthen the state's data breach notification framework. "AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection," he said.

That does not sound like someone who would happily be pre-empted by weak federal legislation.

photo credit: wuestenigel Handcuffs and money via photopin (license)