GAO Urges Congress to Start Moving on a Privacy Law


Researchers recommended lawmakers give regulators more power to write rules and punish the companies that break them.

The Government Accountability Office on Wednesday came out in support of a national data privacy statute and encouraged lawmakers to give regulators more power to punish companies for their digital misdeeds.

“Congress should consider developing comprehensive legislation on Internet privacy that would enhance consumer protections and provide flexibility to address a rapidly evolving Internet environment,” the congressional watchdog said Wednesday in an uncharacteristically decisive report. Citing the Cambridge Analytica scandal and the broad privacy provisions recently enacted in Europe, officials said it’s high time Congress boost regulators’ consumer protection abilities.

The sweeping report is based on interviews with tech companies, industry groups, consumer advocates, academics and former leaders of the Federal Trade Commission and Federal Communications Commission, as well as a review of 101 FTC enforcement actions related to online privacy.

While researchers didn’t specify which agency should take the reins on privacy issues, the experts they interviewed largely saw FTC as the logical choice. That said, experts were split on how the commission should go about enforcing those rules.

Though FTC is already responsible for policing internet service and content providers today, its authority is largely limited.

The agency can punish companies for practices it deems “unfair and deceptive,” but it can’t issue regulations that clearly define those boundaries. Industry groups argued such regulations could limit innovation and that companies are already deterred from misbehaving by the threat of punishment. But other interviewees, including eight of the nine former FTC and FCC commissioners who participated in the report, said the lack of rulemaking authority limits the agency’s ability to proactively prevent firms from harming consumers.

Furthermore, the commission can’t hit first-time offenders with financial penalties, which could dissuade companies from consistently following the rules, experts said. And even when it can fine rulebreakers, they added, the payments “are not large enough to act as a deterrent and ... companies may consider them to be a cost of doing business.”

A comprehensive privacy law that sets clear standards for company behavior and gives more power to the agency charged with enforcing those standards “could enhance the federal government’s ability to protect consumer privacy,” GAO wrote.

The report comes as lawmakers and tech industry advocates are increasingly weighing in on what a federal privacy law should look like.

Sens. Ron Wyden, D-Ore., Marco Rubio, R-Fla., Amy Klobuchar, D-Minn., Brian Schatz, D-Hawaii, and others have introduced internet privacy proposals in recent months, and on Wednesday, the U.S. Chamber of Commerce released draft legislation that would increase consumers’ control over their data but leave the FTC’s current authorities unchanged.