As the office mentioned in its report, the FTC is already in charge of internet privacy-related cases. But because its power is pretty limited, it's only been able to close 101 cases over the past decade, and almost all of them ended in settlements. A set of GDPR-like rules would give the agency more power, such as the right to slap penalties when appropriate.
GAO's report heavily cited Facebook's Cambridge Analytica scandal as a prime example of why a federal-level internet privacy law is necessary. It also named a handful of other privacy concerns that became a lot more prominent over the past few years based on the agency's research. One of those is the rise in popularity of Internet of Things devices, thereby increasing the opportunities for security and privacy breaches. Another cause for concern is that automakers don't always clarify their data-sharing practices, which could become a huge issue for the increasing number of connected cars.
GAO also pointed out that there are no overarching laws in place to govern companies' collection and sale of personal information. Finally, it mentioned one of its old reports, which determined that people generally have no idea how their location data is shared and used by third parties. If you'll recall, a Motherboard report recently learned that some major US carriers are selling real-time location data to other companies, making it easy for bounty hunters and just about anyone to find whoever they want to track. Putting rules in place to address these two latter issues could squash that practice.
The agency wrote as a conclusion:
"Recent developments regarding Internet privacy suggest that this is an appropriate time for Congress to consider comprehensive Internet privacy legislation... Comprehensive legislation addressing Internet privacy that establishes specific standards and includes APA notice-and-comment rulemaking and first-time violation civil penalty authorities could help enhance the federal government's ability to protect consumer privacy, provide more certainty in the marketplace as companies innovate and develop new products using consumer data, and provide better assurance to consumers that their privacy will be protected."
According to ZDNet, the House Energy and Commerce Committee has scheduled a hearing for February 26th to discuss these findings. During that session, it'll also explore the possibility of conjuring up GDPR-like laws in the US.