Federal Trade Commission officials shared their privacy enforcement plans, including possible fines against company executives, with members of Congress on Wednesday at a hearing on enhancing data security protections.

In the wake of data mishaps at Facebook, Google and other U.S. tech companies last year, legislators have held a series of hearings in D.C. on privacy principles for a possible federal law. Some members of the House Committee on Energy and Commerce Subcommittee on Consumer Protection and Commerce said Wednesday that the FTC's current enforcement system isn't enough to deter big companies from engaging in harmful data privacy practices.

Rep. Kathy Castor, D-Florida, said the agency's $5.7 million fine against Musical.ly, also known as TikTok, over alleged Children's Online Privacy Protection Act violations wasn't large enough, less than 1% of parent company ByteDance's annual revenue.

“No CEO is going to blink an eye at a fine that inconsequential,” Castor said. “Companies will just see small FTC fines as the cost of doing business and will continue to elevate profits over privacy.”

Rep. Michael Burgess, R-Texas, also raised concerns that “for large companies, fines are simply a cost of doing business.” He added a consent decree for “a company the size of Facebook” is inconsequential. Last month, Facebook's quarter earnings report stated the company plans to face a $3 billion to $5 billion FTC penalty over privacy mishaps. Facebook reported more than $55 billion in revenue last year.

FTC commissioner Rohit Chopra acknowledged that fines—even seemingly massive ones—have a smaller effect on big companies. He said the FTC does have the authority to penalize individuals for their companies' privacy law violations and that it's something the agency is “looking into.”

“For some firms, fines are a parking ticket and a cost of doing business,” Chopra said. “And we cannot change behavior unless those penalties are painful, and often that means finding out who at the top called the shots.”

At the International Association of Privacy Professionals Global Summit last week, FTC chairman Joseph Simons, who also testified at Wednesday's hearing, said fining individual executives was “on the [FTC's] radar,” but that he isn't “expecting to do this in every case.”

FTC commissioner Rebecca Slaughter noted Wednesday that ”unlike counterparts in Europe” the U.S. agency can't independently assess fines. Simons has repeatedly said that a federal privacy law would require more resources and enforcement authority for the FTC.

The agency currently has 40 employees focused on privacy, compared to around 140 at the Irish Data Protection Commission, which oversees Facebook, Twitter and other tech companies' compliance with the General Data Protection Regulation, and 500 at the U.K.'s Information Commissioner's Office.

Read More: