FTC Privacy Enforcement Actions and Authority
The Federal Trade Commission serves as the primary federal enforcement authority for consumer privacy and data security in the United States, operating under a statutory mandate that predates most modern privacy legislation. This page covers the FTC's enforcement jurisdiction, the legal mechanisms it deploys, the categories of conduct that trigger investigations, and the boundaries that define — and limit — its authority. Understanding this enforcement landscape is essential for organizations operating under US privacy laws and regulations and for professionals navigating the federal privacy framework.
Definition and scope
The FTC's privacy enforcement authority derives primarily from Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45), which prohibits "unfair or deceptive acts or practices in or affecting commerce." The Commission does not administer a single omnibus privacy statute; instead, it exercises sector-general authority over most commercial entities while also enforcing specific statutes — including the Children's Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, and the Fair Credit Reporting Act (FCRA).
The FTC's jurisdiction excludes certain entity categories by statute: common carriers (regulated by the FCC), banks, savings and loan institutions, and federal credit unions fall outside its reach and answer to their prudential regulators instead. Nonprofit organizations are also generally exempt, because the Act reaches only entities organized to carry on business for their own profit or that of their members (15 U.S.C. § 44). For covered entities, which include the vast majority of for-profit companies operating online, the FTC's authority extends to privacy policy compliance, data security adequacy, and the truthfulness of representations made to consumers about data practices.
Civil penalties are available only where a statute or FTC rule provides for them, or where an existing order is violated; a first-time violation of Section 5 alone carries no civil penalty. The inflation-adjusted ceiling for a COPPA Rule violation is $51,744 per violation (16 C.F.R. § 1.98, 2024 adjustment; the figure is revised each January), and each day of a continuing failure to comply with a rule or order counts as a separate violation (15 U.S.C. § 45(m)(1)(C)). The FTC can also seek injunctive relief and, for rule and order violations, consumer redress under Section 19 (15 U.S.C. § 57b). Since AMG Capital Management v. FTC (2021), Section 13(b) no longer supports equitable monetary relief such as disgorgement, so monetary recovery in a pure Section 5 case depends on Section 19 or on a companion rule or order violation.
How it works
FTC enforcement proceeds through a structured sequence that can originate from consumer complaints, Congressional referrals, media reports, or the Commission's own market surveillance.
- Investigation initiation — Staff attorneys open a nonpublic investigation. The FTC issues civil investigative demands (CIDs) to compel document production, written responses, and oral testimony without requiring a court order.
- Staff report and recommendation — Investigators compile findings and present a recommendation to the five-member Commission, which votes on whether to authorize a complaint.
- Consent order negotiation — The majority of FTC privacy actions resolve through negotiated consent orders rather than contested litigation. The respondent neither admits nor denies wrongdoing but agrees to specific compliance obligations, typically including a documented security or privacy program, biennial third-party assessments, and recordkeeping and reporting duties that run for 20 years.
- Administrative complaint or federal court filing — If negotiations fail, the FTC may file an administrative complaint adjudicated before an Administrative Law Judge, or seek injunctive relief and civil penalties directly in federal district court.
- Order monitoring — The Bureau of Consumer Protection's Division of Enforcement monitors compliance with administrative and federal court orders, drawing on the Office of Technology for technical review. Because an order puts the respondent on notice of the prohibited conduct, a later violation exposes it to civil penalties (up to the § 1.98 ceiling per violation, per day of continuing noncompliance) that a first-time Section 5 violation would not carry.
The 2021 amendments to the Safeguards Rule (16 C.F.R. Part 314, most provisions effective June 2023), its 2023 amendment adding a breach-notification duty for non-bank financial institutions (effective May 2024), and the 2022 Advance Notice of Proposed Rulemaking on commercial surveillance and data security signal a shift toward prescriptive rulemaking to supplement case-by-case enforcement.
Common scenarios
FTC privacy enforcement concentrates in identifiable conduct categories:
- Deceptive privacy policies — Representations that personal data would not be shared with third parties, followed by disclosure or sale of that data. Because deception turns on the gap between what was promised and what was done, the privacy policy and in-product disclosures are the primary evidence.
- Unfair collection and sale of sensitive data — The action against data broker Kochava (complaint filed August 2022, amended 2023) illustrates the FTC's pursuit of precise geolocation sales under unfairness doctrine, without any statute specifically restricting geolocation data.
- Inadequate data security — Failure to implement reasonable safeguards resulting in a breach. The FTC's long-running action against LabMD established that unreasonable security can be an unfair practice, but in 2018 the Eleventh Circuit vacated the Commission's order as unenforceable because it demanded "reasonable" security without specifying what that required; later orders therefore enumerate concrete controls.
- COPPA violations — Collection of personal information from children under 13 without verifiable parental consent. The FTC's May 2023 action against Amazon's Alexa service resulted in a $25 million civil penalty under COPPA; a companion Section 5 action against Ring, announced the same day, required $5.8 million in consumer refunds for unfair and deceptive security and access practices (FTC Press Release, May 2023).
- Dark patterns and deceptive consent — Interface designs that obscure consumer choices or manufacture illusory consent, increasingly examined alongside consent management frameworks.
- Health data misuse — Sharing or monetization of sensitive health information without adequate disclosure, a category that intersects with health data privacy beyond HIPAA. For non-HIPAA entities such as health apps, the Health Breach Notification Rule (16 C.F.R. Part 318) adds a notification duty for unauthorized disclosures.
Decision boundaries
The FTC's authority has defined edges that determine whether a matter falls within its jurisdiction or belongs to another regulator.
Unfairness vs. deception — Deception requires a representation, omission, or practice that is likely to mislead a consumer acting reasonably and is material to the consumer's decision (FTC Policy Statement on Deception, 1983). Unfairness requires that the practice causes or is likely to cause substantial consumer injury, is not reasonably avoidable by consumers, and is not outweighed by countervailing benefits to consumers or competition (FTC Policy Statement on Unfairness, 1980, codified at 15 U.S.C. § 45(n)). Unfairness theory is more expansive but requires heavier evidentiary development, particularly on injury.
Sector carve-outs — HIPAA-covered entities and business associates fall under HHS enforcement for HIPAA violations; the FTC may still assert jurisdiction over non-HIPAA data practices of the same entity. The GLBA split is structural rather than data-based: banks, savings institutions, and credit unions are outside FTC jurisdiction entirely and follow their prudential regulators' safeguards guidelines, while non-bank financial institutions (auto dealers, mortgage brokers, payday lenders, and the like) are covered by the FTC's Safeguards Rule.
State AG parallel authority — FTC enforcement does not preempt state attorneys general acting under state privacy laws. The FTC and state regulators have coordinated on enforcement actions, but their legal theories and remedies differ.
No private right of action — Section 5 does not create a private cause of action. Consumers cannot sue under the FTC Act directly; enforcement rests exclusively with the Commission and, in some statutes, state AGs.
References
- Federal Trade Commission Act, 15 U.S.C. § 45
- FTC Civil Penalty Adjustments, 16 C.F.R. § 1.98
- FTC Safeguards Rule, 16 C.F.R. Part 314
- FTC Policy Statement on Unfairness (1980)
- FTC Press Release: Amazon Alexa COPPA settlement and Ring Section 5 settlement (May 31, 2023)
- Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506
- Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. §§ 6801–6827
- FTC Cases and Proceedings (official enforcement actions database)
- FTC Act § 19, 15 U.S.C. § 57b (consumer redress for rule and order violations)
- AMG Capital Management, LLC v. FTC, 593 U.S. 67 (2021)
- FTC Health Breach Notification Rule, 16 C.F.R. Part 318
- FTC Policy Statement on Deception (1983)