Lesson 03 of 25
Who Enforces U.S. Privacy Law: FTC, AGs, Regulators & Private Suits
5 min read · CIPP/US
The FTC is the closest thing to a national privacy regulator. Master Section 5's deceptive-versus-unfair tests, the role of state attorneys general and sector regulators, and which laws let consumers sue you directly.
The FTC: the closest thing to a national privacy regulator
- FTC Act Section 5 — unfair OR deceptive practices
- No omnibus law, so Section 5 fills the gaps
- Reaches privacy promises and data-security failures
- Remedy: consent decrees, not usually fines first time
Because there's no omnibus statute, the Federal Trade Commission has become the closest thing the U.S. has to a national privacy regulator, and the exam tests its powers heavily.
The authority is Section 5 of the FTC Act, 15 U.S.C. § 45, which bans unfair or deceptive acts or practices in commerce. That's two separate hooks. The FTC uses Section 5 to reach companies that break their own privacy promises and companies whose data security is so poor it harms consumers, even where no sectoral statute applies.
Its usual first remedy isn't a fine; it's a consent decree, a settlement that binds the company, often for twenty years, with required programs and outside assessments. Those decrees have effectively written privacy standards for the whole market.
Deceptive vs. unfair — know the two tests
- Deceptive: a material representation/omission likely to mislead a reasonable consumer
- Unfair: substantial injury, not reasonably avoidable, not outweighed by benefits
- Broken privacy promise → deceptive
- Bad security with no promise → often unfair
You must keep the two Section 5 tests apart, because the exam will make you pick. A practice is deceptive when there's a representation or omission that is material and likely to mislead a consumer acting reasonably. So if a company's privacy policy says "we never share your data" and then it sells that data, that broken promise is deception.
A practice is unfair when it causes or is likely to cause substantial consumer injury that consumers can't reasonably avoid and that isn't outweighed by benefits to consumers or competition. Unfairness is the FTC's tool when a company made no specific promise but its conduct, often weak security exposing sensitive data, still harms people. Broken promise, think deceptive. No promise but real harm, think unfair.
State attorneys general and UDAP laws
- Every state has its own unfair/deceptive practices law
- State AGs enforce privacy, breach, and sectoral rules
- Many state privacy laws give the AG sole enforcement
- Multistate AG actions are common after big breaches
Enforcement isn't only federal. Every state has its own unfair-and-deceptive-practices statute, often called a UDAP or "little FTC Act," and state attorneys general use them aggressively on privacy and data-security matters. State AGs also enforce breach-notification laws and, importantly, most of the new state comprehensive privacy laws name the attorney general as the enforcer, frequently as the only enforcer, with no private lawsuit allowed.
After a major breach, you'll often see a coalition of state AGs bring a joint action and a multimillion-dollar settlement. When an exam scenario asks who can act, remember the state AG is almost always on the list, even when no federal agency is.
Sector regulators and private rights of action
- HHS Office for Civil Rights — HIPAA
- CFPB and banking regulators — financial privacy
- FCC — telecom, CPNI, TCPA rules
- Private suits where a statute allows (FCRA, TCPA, VPPA, BIPA)
Beyond the FTC and the states, specific sectors have their own cops. The Department of Health and Human Services, through its Office for Civil Rights, enforces HIPAA. The Consumer Financial Protection Bureau and the banking regulators police financial-privacy rules.
The FCC oversees telecommunications privacy, including customer proprietary network information (CPNI) and parts of the robocall regime. And some statutes hand enforcement straight to individuals through a private right of action, meaning a consumer can sue directly, sometimes for fixed statutory damages. Watch for the Fair Credit Reporting Act, the Telephone Consumer Protection Act, the Video Privacy Protection Act, and Illinois's biometric law (BIPA), all of which let private plaintiffs sue, which is why they drive so much litigation.
How an FTC matter actually unfolds
- Investigation, often via a civil investigative demand
- Complaint alleging deceptive and/or unfair conduct
- Settlement: a consent order with a mandated program
- Later violation → civil penalties per breach of the order
It helps to see how a typical FTC privacy matter unfolds, because the exam tests the sequence, not just the labels. It usually starts with an investigation, often opened with a civil investigative demand that compels the company to produce documents and data. If the FTC finds a problem, it issues a complaint alleging that the conduct was deceptive, unfair, or both.
Most matters then settle, and the settlement is a consent order: the company doesn't admit wrongdoing but agrees to fix the specific failures, build a comprehensive privacy or security program, and submit to independent assessments for many years. The real penalties come on the back end: if the company later violates that order, the FTC can seek civil penalties for each violation. So the agency's leverage is cumulative: the first matter installs the obligations, and the second one, if there is one, brings the fines.
Exam reasoning: who can enforce this?
- Map each law to its enforcer(s)
- No sectoral statute? FTC Section 5 + state AG fill in
- Private right of action = individual plaintiffs + class actions
- Distractor: assuming the FTC can fine on a first offense
Turn this into a reasoning move. For any scenario, ask who can enforce. Match the law to its regulator: HIPAA to HHS, financial rules to the CFPB and bank examiners, telecom to the FCC.
If no sectoral statute fits, the FTC under Section 5 and the state attorney general are your default fillers. And always check whether the statute allows a private right of action, because that changes who shows up: not just a regulator but individual plaintiffs and class actions. A classic distractor implies the FTC will simply fine a first-time offender; usually its opening move is a consent decree, with civil penalties coming if the company later violates that order.
Recap: FTC deception versus unfairness, state AGs and UDAP laws, sector regulators, and private suits. Now go test yourself.
Sources
- FTC Act Section 5 (15 U.S.C. § 45 — unfair or deceptive acts or practices)
- FTC enforcement and consent-decree practice
- State unfair-and-deceptive-practices (UDAP) statutes
- Consumer Financial Protection Bureau authority (Dodd-Frank Act)
- IAPP CIPP/US Body of Knowledge, Domain I.B (Enforcement)
Test your knowledge
A few CIPP/US questions on this material.
Q1. Which requirement does the CAN-SPAM Act impose on senders of commercial email?
Q2. The Wiretap Act (Title I of ECPA) generally governs the interception of electronic communications. Which is true under the federal one-party consent rule?
Q3. Under the Stored Communications Act framework, what does the government generally need to compel a provider to disclose the CONTENT of stored electronic communications (per current DOJ practice following Warshak)?
Q4. An employer wants to monitor employees' use of company email and internet. Which approach best reduces legal risk in the U.S. workplace privacy context?