David Vladeck on FTC Enforcement, Federal Privacy Legislation, and Lessons from the Titanic

Interview with Professor David Vladeck, former Director of the FTC Bureau of Consumer Protection: “There are things the FTC can do, but the FTC can’t do everything that needs to be done.”

In late 2022, the Federal Trade Commission (FTC) closed its first round of comments on its landmark Commercial Surveillance and Data Security rulemaking proceeding. Submissions from numerous civil rights, consumer protection, and privacy and technology policy organizations (compiled here, including a letter by the Center) extensively detailed all manner of privacy and civil rights violations and abusive commercial data practices for the FTC to address. According to Georgetown Law’s Professor David Vladeck, the sheer number of matters on the table means the Commission will “have to be selective … I would pick 1–2 issues out of the 95 and use them as test cases.”

Having served as the Director of the FTC’s Bureau of Consumer Protection from 2009 through 2012, Professor Vladeck — who is also the founding Faculty Director of the Center on Privacy & Technology and the Director of the Civil Litigation Clinic — kindly sat down for an interview to discuss the current state of enforcement when it comes to protecting privacy from the exploitative data practices of technology and other companies. Our discussion explored the possibilities and limitations of regulation, litigation, and legislation. In particular, we focused on the FTC’s ability to pursue effective enforcement against violative commercial data practices in the wake of two decisions from the Supreme Court of the United States (SCOTUS) in recent years: AMG Capital Management LLC v. FTC (“AMG”) and TransUnion v. Ramirez (“TransUnion”).

Specifically, AMG significantly curtailed the ability of the FTC to obtain redress for consumers even where companies are confirmed to have broken the law. TransUnion also set a concerning precedent, though it was a narrower decision that barred liquidated damages for consumer privacy violations under the Fair Credit Reporting Act, where no “concrete injury” was considered to have occurred. The latter is what Vladeck pointed to when asked, given his extensive experience in both litigation and FTC regulation, what his dream case today would be: “If I were the FTC, I would have brought a case against TransUnion and tried to get huge civil penalties. … The day the Supreme Court announced this decision in TransUnion, I would have opened an investigation.”

In a paper published after SCOTUS heard oral arguments of AMG but before issuing its decision, Vladeck situated such cases within the sobering broader context of the erosion of equitable remedies in U.S. common law:

In a series of opinions written by Justice Scalia, the Court slowly eroded its longstanding view that equity was a flexible doctrine adaptable to evolving norms, ensuring that courts could effectively remedy wrongdoing. […] Put more bluntly, the only equitable remedies that are still available to federal courts are remedies that could be imposed if, but only if, an English Chancery court could have imposed them in the mid-eighteenth century. No longer can equity be used to provide remedies to newly emerging challenges. Equity is now stuck in time.

According to Vladeck, such erosion predominantly occurred within the sphere of private litigation in federal courts, but has now begun impacting government agencies’ enforcement actions against private businesses. For example, AMG barred the FTC from being able to order monetary equitable remedies — such as restitution and disgorgement of profits — under section 13(b) of the FTC Act, a key enforcement measure the Commission has relied on for decades to protect consumers. This means that the Commission can no longer use these tools to retrieve for consumers their money from a company that wrongfully profited from illegal activity, if that company was not already under a pre-existing FTC order for earlier violations (and setting aside the possibility of first-time civil penalties, which are only available where they have been authorized by a specific statute or FTC regulations).

In a darkly bemusing twist, Vladeck offered some “good news”: the state of digital privacy today is such that nearly every single major technology company is already under an FTC order — thus somewhat blunting the impact of AMG. This still leaves people vulnerable, however, if those companies engage in future violative data practices that do not fall under existing orders, or in the case of current or future technology companies that infringe privacy rights but have yet to be investigated and issued an order. It may not be as clear in these latter cases whether, as Vladeck asked about Facebook five years ago, the company is truly clueless, or just outright venal.

What all of this really runs up against is, sadly, “There are things the FTC can do, but the FTC can’t do everything that needs to be done.” This is despite the fact that “Congress said, and this is clear in the legislative history, we can’t foresee all of the scams and all of the ways businesses will cheat consumers, so we’re going to have a very broad remit [for the FTC].” Vladeck notes as well the perennial problem of protective regulation failing to keep pace with technological capacity: “The number of lifeboats on the Titanic was based on ships much smaller than the Titanic. So when the Titanic sank, it was in complete compliance with the regulations that were in effect [with regard to this requirement], even though there were fewer than half the lifeboat seats needed for passengers.”

In that case, what about litigation? Although there are some possibilities, such as an ongoing children’s privacy lawsuit against Google and YouTube, litigation has limitations as well, being “based on just a few statutes and mostly common law.”

What Vladeck believes is ultimately necessary is for Congress to pass legislation. To the extent any bill places additional responsibilities on the FTC, however, such as the much-heralded American Data Privacy and Protection Act introduced in 2022, he stresses that the bill must come with additional resources for the FTC to be able to fulfill them. Otherwise, the message sent is: “Yeah FTC, you figure all this out, but you’re still an under-resourced tiny agency that’s one-fifth the size of the SEC [Securities and Exchange Commission] and half the size of the FCC [Federal Communications Commission].”

Taking in the absence of strong regulations, lack of legislation, and insufficient litigation, Vladeck pursued an additional strategy as soon as he finished his tenure running the FTC’s Bureau of Consumer Protection: creating an organization that would contribute to building a strong, cohesive civil society movement with a critical mass to advocate for privacy rights. With the support of Dean William Treanor; initial funding from the Ford Foundation; and a highly-recommended founding director in the then-Chief Counsel to the Senate Judiciary Subcommittee on Privacy, Technology and the Law, named Alvaro Bedoya — the Center on Privacy & Technology was formed.

Reflecting on the years since then, Vladeck shared, “I’ve been so proud of what the Center has done, but I’ve tried my best to stay on the sidelines. […] Part of what I wanted to see, and I’m so thankful that this has happened, is a generation of privacy advocates coming out of the Center. This is a place where you can do great work on issues that are really important, with the freedom to say, ‘This is wrong and we need to fix it.’ It’s worked out better than I ever anticipated.”