When news reports quoted FTC Commissioner Rohit Chopra saying that the US should go beyond GDPR in its privacy laws, I immediately got nervous emails from European and Asian colleagues. Could that really be right? What are the prospects? To be fair, for someone who isn't familiar with how US regulation works, the alarm is understandable. So, without expressing any opinion as to the merits of such a law, I hereby offer our non-US audience my carefully calculated assessment of the prospects of the US going beyond GDPR: Not gonna happen in a million gazillion* years.
First of all, the FTC has five commissioners of roughly equal power, usually split by party 3-2 in favor of the President's party. This guy fills one of the Democratic seats, so he’s outnumbered for the foreseeable future.
Second, the FTC really hasn’t got a lot of power to create a privacy regime on its own. Its power is based on a powerful but general-purpose consumer protection law, which the FTC has used to punish misuses of data after the fact. But it would be hard for the FTC to turn that power into a forward-looking framework. Otherwise, the FTC enforces a smattering of more specific privacy laws governing things like children's online privacy. So even if a majority of commissioners agreed with Chopra, the FTC’s power is limited.
Couldn't Congress do something? Sure. But for the foreseeable future, our government is divided, with one party pushing serious deregulation across the board. Even with a smorgasbord of legislative proposals in the works, it seems that there's no bipartisan appetite for a massive new regulatory framework. Besides, even California wasn’t able to muster the political will to implement a data privacy law even approaching GDPR. (I'm referring to the California Consumer Privacy Act.) If California can’t do it, nobody can.
* One of my colleagues disagreed with my assessment. He thinks this should be "a billion squillion years."
