The path of the common law is one of step-by-step, incremental change.  Taking seriously the idea that the Federal Trade Commission’s privacy enforcement is a variant of common law-style legal development, this Essay applies path dependency theory to better understand the potential as well as the limits of this approach to privacy regulation.  Privacy protection to date has tended to follow an adjudicatory logic, and not a regulatory logic.  On the one hand, this mode of development risks harmful path dependency that, because it must adapt precedent-by-precedent, closes down policy options. For instance, even path-breaking remedies, like algorithmic disgorgement, can in fact embrace continuations of the status quo theory of harm, whether or not that’s the optimal underlying theory.

On the other hand, attention to path dependency helps us to diagnose where the path of privacy enforcement has, or has not, become too entrenched, and in so doing, opens up policy options.  Because a major pitfall of path-dependent routes is the risk of lock-in, path dependency directs attention to the ways in which different sources of the Commission’s regulatory authority may be more or less able to evolve over time, and why.  Notably, a path dependency framing suggests that the FTC’s deception authority, which has historically been more well-developed in the Commission’s enforcement actions, may have made this approach more locked-in than its unfairness authority, which has historically been stymied in part by political forces. 

The counterintuitive upshot is that the careful legal development on which the FTC has built up its legitimacy may lock it into only incremental reform, whereas the politically contingent side of its work may have greater play in the joints for far-reaching interventions.  This insight helps to explain why recent moves to regulate the ethical use of algorithms have drawn on the Commission’s unfairness authority, emphasizes why they were only possible under a new commissioner, and previews potential future barriers to the agency’s enforcement practices.  More broadly, it indicates that the future of privacy enforcement will reflect the institutional dynamics—both legal and political—of the regulatory agency that does the enforcing.  Situating privacy enforcement in these terms empowers us to better appraise where enforcement may be able to come from the FTC, as well as to think carefully about whether, and how, to design other enforcement institutions beyond the FTC.