Government watchdog finds weak enforcement of US privacy regulations

Nearly all of the 101 data privacy violations investigated in the last 10 years ended in settlement agreements, with no penalties.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

The GAO recommends Congress pass legislation with penalties for companies that violate your privacy.

Data privacy has gotten out of the government's control, according to a report released Wednesday.

The Government Accountability Office report recommends the passage of a federal internet privacy law with real consequences for companies that violate it.

The report found that over the last 10 years, most of the Federal Trade Commission's actions against data privacy abuses didn't include fines because the agency doesn't have the authority to impose fines for those specific violations.

In the past, the FTC has fined companies like Google and Vizio for tracking your data. But the GAO found that of the 101 data privacy violations the FTC investigated since 2009, nearly all of them ended with settlement agreements without fines.

The report is the result of a 2017 request by Rep. Frank Pallone, a Democrat from New Jersey who is now chairman of the House Energy and Commerce Committee.

"Since I requested this report, the need for comprehensive data privacy and security legislation at the federal level has only become more apparent," Pallone said in a statement. "From the Cambridge Analytica scandal to the unauthorized disclosures of real-time location data, consumers' privacy is being violated online and offline in alarming and dangerous ways."

Privacy concerns seemed to reach a boiling point last year, following a flurry of breaches and data abuses from household tech names like Facebook and from phone companies that enable location tracking. The European Union's General Data Protection Regulation kicked in last May, but the US has no equivalent data law.

Lawmakers have pushed for federal regulation of data privacy, such as the Data Care Act, introduced by 15 senators in December. In November, Sen. Ron Wyden, a Democrat from Oregon, introduced the Consumer Data Protection Act, which would jail CEOs for lying about data protection.

Some tech giants have echoed the demands. Apple CEO Tim Cook has called for a US data privacy law, while companies like Google and Amazon look to shape such legislation.

The GAO interviewed Apple, Google and Facebook for the report, as well as internet service providers like Verizon and Comcast. The report found that most of the companies prefer the current model of regulation on data privacy -- the one that prevents the FTC from fining them unless they have agreed to a consent decree for a previous violation.

At a congressional hearing in November, the FTC told lawmakers that under the current structure, the agency doesn't have the resources to protect consumers from data abuse.  

Consumer advocacy groups and former FTC and FCC commissioners told the GAO that there should be civil penalties for first-time violations. Some are calling for a new agency specifically for overseeing data privacy.

With the report, Pallone announced a Feb. 26 hearing on data privacy.

"Congress needs to act, and this hearing is an important first step," Rep. Jan Schakowsky, a Democrat from Illinois and chairwoman of the Consumer Protection and Commerce Subcommittee, said in a statement.  
