If Congress wants the FTC to be tougher on tech, it needs to pass a privacy law

On Wednesday, the Federal Trade Commission settled an investigation into the Google-owned video platform YouTube, resulting in the largest fine ever weighed on a tech company for violating children’s privacy law. But the $170 million in penalties and new restrictions over children’s data, critics argue, do little to incentivize the company to change its behavior.

Over the past few months, the FTC has settled a handful of prominent cases in which companies like Facebook, Equifax, and YouTube have mishandled the data of their customers and users. But in each of these cases, consumer advocacy groups and politicians have cried out, asking for the only agency with the authority to protect user privacy, the FTC, to be tougher on these companies.

“The FTC pulled the curtain back on this practice, but it did not go far enough to put in place critical new rules for accountability,” Sen. Ed Markey (D-MA), who authored the law that Google allegedly violated, said in a statement. “The FTC let Google off the hook with a drop-in-the-bucket fine and a set of new requirements that fall well short of what is needed to turn YouTube into a safe and healthy place for kids.”

“We are very disappointed that the Commission failed to penalize Google sufficiently for its ongoing violations of COPPA and failed to hold Google executives personally responsible for the roles they played,” the Center for Digital Democracy’s executive director Jeff Chester said. “A paltry financial penalty . . . sends a signal that if you are a politically powerful corporation, you do not have to fear any serious financial consequences when you break the law.”

The Republican commissioners, like Chairman Joe Simons, touted the historic nature of the settlement in an attempt to counter much of the criticism — and they’re not entirely wrong. Yes, it is the largest monetary penalty ever imposed as a result of Children’s Online Privacy Protection Act (COPPA) violations, but what the agency received in relief this week is miles away from the statutory maximum. For violating COPPA, companies can be fine $42,530 per violation, and those fines can be handed out on a per-child and per-day basis.

Democratic Commissioner Rohit Chopra called attention to this in his dissenting statement on Wednesday, writing that the agency should have issued a penalty in the billions just to cover the revenue Google made in ill-gotten gains from this behavior over the years. “The terms of the settlement were not even significant enough to make Google issue a warning to its investors,” Chopra wrote. “Google earned – and will continue to earn – enormous sums by illegally tracking kids in many ways.”

But in order to receive a larger payout and more significant structural changes from Google, the FTC would have had to take it to court. That kind of case could last years, and the commissioners wouldn’t have any certainty on the amount of relief they would receive in the end. The FTC is a small organization compared to Google. Taking the company to court would trouble the FTC far more than it would Google, a company with billions of dollars in profit and full-time legal staff.

Without a federal law that outlines how the FTC should police privacy, the agency is effectively making up the rules as it goes along with its own prior consent decrees and decisions as their baseline for enforcement. In Google’s case, there was a law, COPPA, but it has never been challenged in court. There’s no precedent. So commissioners felt better using their prior COPPA settlements, like the one with TikTok, to guide a deal.

For months, FTC officials, including Simons, have been begging Congress for the ability to act in response to initial offenses. In a statement following the agency’s settlement announcement with Facebook in July, Simons said, “I renew my call for Congress to enact federal data security legislation that gives the FTC authority to seek civil penalties for first-time violations.” He continued, “Fortunately, other agencies were able to fill in the gap—this time. But under different circumstances, future breaches might not always be subject to civil penalties, which sends absolutely the wrong signal regarding deterrence.”

A clear privacy law like COPPA is something agency officials have been begging lawmakers to write for years. Currently, the FTC generally can’t issue fines or penalties for first-time privacy offenses since there is no federal privacy law. Under COPPA, the FTC can issue these fines for a company’s first offense of the law because once it was approved, it empowered them with the authority to do so, but only when children’s privacy is being mishandled.

The Senate Commerce Committee has been working on a privacy bill for months. Last we heard from the chairman, Sen. Roger Wicker (R-MS), legislation was expected to be introduced by Labor Day, but that holiday has come to pass. The House Energy and Commerce Committee is also expected to draft a bill, but little has come of its discussions so far.

There are a handful of other privacy measures that have already been introduced, but they’ve found little momentum. But until Congress does something, there will be little consequences for Big Tech when it violates the privacy of its users.

YouTube’s fine for allegedly breaking the law may only add up to a few days in profit, but the structural changes implemented by the FTC will hurt the most. Now, YouTube is prohibited from serving children targeted ads, which is the most lucrative form of advertising for them on videos that receive tens of millions of views.