The Federal Trade Commission (FTC) is the primary privacy regulator in the US, and has issued guidance and a number of reports to help companies comply both with its general privacy requirements, as well as the specific rules that the FTC is charged with implementing, such as COPPA.
Generally, once the FTC is alerted to a privacy violation, it can pursue enforcement against the company, which can lead to an order enjoining the company from continuing the offending practice. In some cases, the company can address the issues before an official investigation is launched. In others, enforcement actions are settled through consent decrees.1
Other regulators include:
- Financial Privacy: The financial privacy statutes and rules are enforced by a combination of the Consumer Financial Protection Bureau, the Federal Trade Commission, and financial regulators such as the Securities and Exchange Commission and the Federal Reserve.
- Healthcare and Medical Privacy: The HIPAA Privacy Rule is overseen by the Office of Civil Rights in the Department of Health and Human Services.2 In addition, health-related information collected and used by entities that are not subject to HIPAA is often subject to higher standards of care under the FTC’s privacy regime.3
- Child and Student Privacy: The FTC is charged with overseeing and enforcing COPPA.4 In addition, the California Consumer Privacy Act establishes a different set of consent requirements for the sale of personal information about a child (defined as a person under 16 years of age).5 For students, the Family Educational Rights and Privacy Act (FERPA) regulates how educational records may be accessed, stored, and shared, and is overseen by the U.S. Department of Education.6
- Communications and Media Privacy: The Federal Communications Commission is charged with implementing the Communications Act’s Section 222 requirements regarding customer proprietary network information (CPNI).
- Digital Marketing Privacy: The FTC is the principal enforcer of the U.S. laws that apply to digital marketing efforts, such as the CAN-SPAM Act. In addition, the FCC has enforcement authority for violation of the TCPA with the FTC.
- State Privacy and Cybersecurity: State attorneys general typically enforce state-level rules and requirements, though that is not always the case. For example, most state data breach laws allow the state’s attorney general to bring actions against a violator under the states’ consumer protection statutes, and in California the state attorney general is the primary enforcer of the CCPA. However, the New York DFS Cybersecurity Rules will be enforced by the Department of Financial Services.
1 FTC, A Brief Overview of the Federal Trade Commission’s Investigative and Law Enforcement Authority (Jul. 2008), available here.
2 45 CFR § 160.306.
3 FTC, Sharing Consumer Health Information? Look to HIPAA and the FTC Act (Oct. 2016), available here.
4 15 USC § 6505(a).
5 Cal. Civ. Code § 1798.
6 20 USC § 1232g.