There is no meaningful data privacy law at the federal level, and experts and officials say that has left the government and the FTC will little power to take action.
The $5 billion settlement between Facebook and the Federal Trade Commission announced Wednesday has drawn scorn as a "sweetheart deal" for the tech company, but defenders of the agreement had a ready answer: pass a law.
For months, there has been growing bipartisan rancor directed at tech companies and an emerging appetite from regulators to examine Silicon Valley's influence. But there is no meaningful data privacy law at the federal level, and experts and officials say that has left the government and the FTC will little power to take action.
There were calls for new legislation after the FTC's announcement on Wednesday, but up to now, partisan politics, big-money lobbying and Washington's slow machinery have kept a federal law off the books.
"Without a robust, comprehensive federal privacy law covering data collectors and consumers, bad actors will be able to continue to abuse data in the online marketplace," Sen. Roger Wicker, R-Miss., chairman of the Senate Commerce Committee, said in a statement.
Sen. Ron Wyden, D-Ore., who has been working on a draft of a privacy law, said in a statement: "Americans will see our privacy violated again and again until Congress passes strong privacy laws that gives the FTC the resources and authority it needs to hold large corporations — and the executives at the top — accountable for protecting our most personal data."
Above the law
Europe and a growing number of U.S. states have laws that protect people's digital data — from email addresses and browsing history to biometric data and location information. But Congress hasn't passed such a law, despite years of debate.
Instead, the FTC relies on pre-internet laws that prohibit companies from misrepresenting themselves to consumers or using "unfair or deceptive" business practices.
If the U.S. had a law dedicated to data protection, the FTC could have taken a much more aggressive stance against Facebook, according to current and former FTC officials, lawmakers and others with expertise in data privacy issues.
"Under existing law, the FTC doesn't have a lot of power to change [Facebook's] practices," said Justin Brookman, formerly policy director for the FTC's Office of Technology Research and Investigation.
"I think that the biggest takeaway from this is the FTC needs new authority," he said. "They need an actual privacy law to enforce, as opposed to a mere prohibition on lying."
FTC Chairman Joe Simons alluded to the commission's limitations even while defending the settlement, arguing it was a "real-world choice" and noting that a court battle could have taken years.
Many FTC commissioners have called for federal legislation over the years, and Commissioner Christine Wilson, part of the FTC's three-member Republican majority, renewed that call on Wednesday.
"Carefully crafted comprehensive federal privacy legislation will set expectations for businesses and it will empower consumers to make informed choices about when and how to share their data," Wilson said at a news conference.
A series of tough questions faces Congress when it comes to data privacy regulations: What restrictions should there be on the collection, use and retention of data? Who will have the ability to sue companies for violations? Should people have the right of "portability" to move their data from one company to another?
None of those questions has proven particularly difficult in terms of partisanship, but House and Senate committees that have been working on data privacy legislation have been sluggish.
Still, there is some guarded optimism that legislation could pass.
"I'm not going to predict that a law will pass, but the chances are greater than at any other time that I've seen, just because there's bipartisan support," said Maureen Ohlhausen, a former FTC commissioner. "The attention to privacy and data security is really intense right now."
Congress has little more than five months to pass a law before a tough new state privacy law takes effect Jan. 1 in California, forcing companies to reveal what data they collect and giving users the right to delete that data and prevent its sale.
Congress may have more breathing room if enforcement of the California law is delayed, which may happen depending on when the state's attorney general finalizes regulatory details of how his office will enforce the law. The law allows a delay of up to July 1, 2020.