FTC Privacy Enforcement Actions and Authority
The Federal Trade Commission serves as the primary federal enforcement authority for consumer privacy and data security in the United States, operating under a statutory framework that spans deceptive practices, unfair business conduct, and sector-specific privacy rules. This page describes the scope of FTC enforcement jurisdiction, the procedural mechanisms through which enforcement actions proceed, the categories of conduct that trigger regulatory scrutiny, and the boundaries that distinguish FTC authority from overlapping federal and state regimes. Practitioners navigating privacy compliance and service categories will encounter FTC enforcement as a foundational regulatory layer.
Definition and scope
The FTC's privacy enforcement authority derives principally from Section 5 of the FTC Act (15 U.S.C. § 45), which prohibits "unfair or deceptive acts or practices in or affecting commerce." The Commission does not administer a single comprehensive federal privacy statute; instead, it applies Section 5 broadly to privacy and data security failures that constitute either deception (misrepresentations to consumers) or unfairness (practices causing substantial injury not offset by countervailing benefits).
Sector-specific statutes expand and particularize this jurisdiction:
- COPPA (15 U.S.C. §§ 6501–6506): The Children's Online Privacy Protection Act grants the FTC rulemaking and enforcement authority over operators collecting personal data from children under 13.
- GLBA (15 U.S.C. § 6801 et seq.): The Gramm-Leach-Bliley Act covers financial institutions and requires the FTC to enforce the Safeguards Rule and Privacy Rule for non-bank financial entities.
- FCRA (15 U.S.C. § 1681 et seq.): The Fair Credit Reporting Act gives the FTC shared enforcement authority with the CFPB over consumer reporting practices.
- Health Breach Notification Rule (16 C.F.R. Part 318): Requires non-HIPAA health apps and vendors to notify consumers and the FTC of unauthorized disclosures.
Notably, the FTC lacks jurisdiction over common carriers, non-profits, and most financial institutions already under prudential banking regulators — a structural boundary discussed further in the Decision Boundaries section below.
How it works
FTC enforcement proceeds through two primary procedural tracks:
- Administrative proceedings: The Commission issues an administrative complaint against a respondent. An Administrative Law Judge hears the matter, issues an initial decision, and the Commission may review and modify that decision. Outcomes include cease-and-desist orders, mandated compliance programs, and civil penalties for subsequent violations of the order.
- Federal court actions: The FTC may file suit directly in federal district court, particularly under COPPA and GLBA violations or where injunctive relief or civil penalties are sought at the outset.
Enforcement actions typically move through the following phases:
- Investigation initiation — triggered by consumer complaints, referrals from state attorneys general, or staff monitoring of public disclosures and media reports.
- Civil investigative demand (CID) — the FTC issues compulsory document and information requests.
- Consent negotiation or litigation decision — the majority of cases resolve through consent orders without formal adjudication.
- Consent order or judgment — binding terms imposed, including operational requirements and monitoring periods that commonly span 20 years.
- Order compliance monitoring — the FTC's Division of Privacy and Identity Protection tracks compliance; violations of existing orders can trigger civil penalties up to $51,744 per violation per day (FTC Penalty Adjustments, 2023).
Common scenarios
The FTC's enforcement record identifies several recurring fact patterns that draw regulatory action:
Deceptive privacy policy representations — An organization publishes a privacy policy stating that data is not shared with third parties while simultaneously selling or transferring that data. The gap between stated practice and actual conduct constitutes a deceptive act under Section 5. The FTC v. Facebook settlement (2019, $5 billion civil penalty) is the largest consumer privacy penalty in U.S. history and illustrates the scale of liability for platform-level deception.
Inadequate data security — Under the unfairness prong, failure to implement reasonable security measures — even absent an express security promise — constitutes an unfair practice if the resulting harm is substantial and not reasonably avoidable. The FTC's LabMD litigation and subsequent orders against companies including Zoom, Twitter, and Drizly established that weak authentication, unnecessary data retention, and insecure data transfers are actionable.
COPPA violations — Operators of child-directed platforms that fail to obtain verifiable parental consent before collecting personal data face civil penalties. The FTC and DOJ secured a $170 million civil penalty against Google/YouTube in 2019 (FTC press release) — the largest COPPA penalty on record at the time.
Health data misuse — Following the FTC's 2023 policy statement on health breach notifications, non-HIPAA health applications that share sensitive health data with advertisers without consumer authorization face enforcement under both Section 5 and the Health Breach Notification Rule.
Organizations seeking to understand where these scenarios intersect with privacy service categories can cross-reference enforcement precedent with applicable compliance frameworks.
Decision boundaries
The FTC's authority is bounded by jurisdictional, structural, and doctrinal limits that define where its reach ends and other regulatory regimes begin.
FTC vs. FCC: Common carriers regulated under the Communications Act fall outside FTC jurisdiction. Internet service providers reclassified as common carriers under Title II of the Communications Act are subject to FCC privacy rules, not FTC enforcement — a distinction with practical significance for broadband providers.
FTC vs. HHS OCR: Covered entities and business associates under HIPAA answer to HHS Office for Civil Rights, not the FTC, for protected health information. The FTC's Health Breach Notification Rule applies specifically to the gap population: health apps and vendors not covered by HIPAA.
FTC vs. CFPB: The Consumer Financial Protection Bureau holds primary enforcement authority over most FCRA matters for large financial institutions. The FTC retains FCRA enforcement authority over non-bank creditors, debt collectors, and consumer reporting agencies not under CFPB supervision.
Section 5 unfairness vs. deception: These are distinct legal theories. Deception requires a material misrepresentation or omission likely to mislead a reasonable consumer. Unfairness requires proof that an act causes or is likely to cause substantial injury that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits — a higher and more contextual standard codified in the FTC Act at 15 U.S.C. § 45(n).
Rulemaking authority post-AMG Capital: The Supreme Court's 2021 ruling in AMG Capital Management, LLC v. FTC, 593 U.S. 67 (2021), held that the FTC cannot use Section 13(b) to obtain equitable monetary relief in federal court. The Commission has responded by expanding use of its Section 19 rulemaking-based penalty authority and by promulgating trade regulation rules — including updates to the COPPA Rule and proposed changes to the Safeguards Rule — that create penalty authority for first-time violations. This doctrinal shift materially alters the enforcement calculus for companies navigating privacy compliance frameworks.
The provider network scope and purpose reflects this regulatory environment, organizing privacy service providers and professional categories in alignment with the FTC's sector-specific enforcement framework.