Data Protection

Enforcement of Privacy Laws

There are two main forms of enforcement in U.S. privacy laws: government enforcement, typically by an agency of relevant jurisdiction or State Attorneys General, and private right of action, the ability for an individual or group of individuals to pursue legal action to enforce their rights.

Government Enforcement of Privacy Laws in the U.S.

In the absence of a comprehensive federal privacy law, the FTC has used its authority under the FTC Act, passed in 1914, to fill some of the gaps left by federal sectoral privacy laws. The FTC Act established the agency to enforce a ban on “unfair methods of competition in or affecting commerce.” In 1938, Congress authorized it to enforce a prohibition on unfair and deceptive acts and practices (UDAP), creating the FTC’s dual mission to promote competition and protect consumers. This UDAP authority is rooted in and commonly applied to false advertising.

EPIC helped establish the FTC’s authority for consumer privacy and has urged the FTC to safeguard American consumers in cases involving Microsoft, Google, Facebook, Uber, Samsung and others. From 2009 to 2019, the FTC filed 101 internet privacy enforcement actions (source: Gov’t Accountability Office). Almost all ended in settlements. However, even when the FTC reaches a consent agreement with a privacy-violating company, the Commission rarely enforces the Consent Order terms. Two prominent examples are the FTC’s failure to enforce the consent order against Google even after the FTC chair warned that Google’s consolidation of Internet services would be bad for consumers, and the agency’s failure to enforce the consent order against Facebook even after repeated violations, including the transfer of user data to Cambridge Analytica, were widely known. Over the last decade, because of the FTC’s failure to act, the problem has grown dramatically from cookie tracking to ubiquitous, cross-device mass surveillance of individuals and communities.

The United States needs a new approach. While the FTC helps to safeguard consumers and promote competition, it is not a data protection agency.

The US needs a federal data protection agency focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges.

The United States Needs a Data Protection Agency

The United States is one of the few democracies in the world that does not have a federal data protection agency, even though the original proposal for such an institution emerged from the U.S. in the 1970s. The United States was once a global leader on privacy. The Fair Credit Reporting Act, passed in 1970, was viewed at the time as the first modern privacy law—a response to the growing automation of personal data in the United States.

But today, Europe has surpassed the United States in protecting consumer data. The General Data Protection Regulation strengthens the fundamental rights of individuals and puts consumers back in control of their personal data. It gives European data subjects rights to breach notification (the controller must notify the supervisory authority within 72 hours of becoming aware of a breach, and affected individuals without undue delay when the breach poses a high risk to them), a right of access (to learn whether personal data concerning them is being processed, where and for what purpose), a right to erasure, commonly called the right to be forgotten (to have the data controller erase their personal data), and a right to data portability (to receive the personal data concerning them and to transmit that data to another controller). No comprehensive federal law gives American data subjects these rights. American companies are required to provide these protections to Europeans but not to Americans, creating a digital lower class. U.S. companies are leaders in technology, and the U.S. government should be a leader in technology policy.

There is an urgent need for leadership from the United States on data protection. Virtually every other advanced economy has recognized the need for an independent agency to address the challenges of the digital age. Current law and regulatory oversight in the United States are woefully inadequate to meet the challenges. The Federal Trade Commission is fundamentally not a data protection agency. The FTC’s general authority is limited to bringing enforcement actions against unfair and deceptive practices in the marketplace, and its general rulemaking power, subject to the cumbersome Magnuson-Moss procedures, has rarely been used to create prospective rules for data security. The Consumer Financial Protection Bureau similarly lacks general data protection authority and only has jurisdiction over financial institutions. Neither of these agencies possesses the resources needed to address data security.

As the data breach epidemic reaches unprecedented levels, the need for an effective, independent data protection agency has never been greater. An independent agency can more effectively utilize its resources to police the current widespread exploitation of consumers’ personal information. An independent agency would also be staffed with personnel who possess the requisite expertise to regulate the field of data security.

Our current privacy laws are woefully out of date and fail to provide the necessary protections for our modern age. We also now face threats from foreign adversaries that target the personal data stored in U.S. companies and U.S. government agencies. The U.S. urgently needs a Data Protection Agency.

Learn more about EPIC’s campaign for a U.S. Data Protection Agency.

Privacy Laws Should Provide for a Private Right of Action

The inclusion of a private right of action with statutory damages is a crucial tool to supplement government enforcement, particularly for marginalized communities. If a company violates federal privacy law, individuals and groups of individuals, or their agents, should be able to pursue a private right of action that provides meaningful redress without having to show additional harm beyond the violation itself. State Attorneys General should also be given enforcement authority in privacy laws.

State Attorneys General and Privacy Enforcement

State Attorneys General have historically played a strong role in privacy enforcement, largely stemming from their consumer protection watchdog role. Danielle Citron wrote a seminal article on the role of State Attorneys General in 2017. 

Recent Documents on Enforcement of Privacy Laws

  • Testimony

    Hearing on “Big Data: Privacy Risks and Needed Reforms in the Public and Private Sectors”

    EPIC's testimony regarding privacy risks in the public and private sector and what a privacy law should look like.

  • Publications

    How the FTC Can Mandate Data Minimization Through a Section 5 Unfairness Rulemaking

    This paper argues that the Federal Trade Commission (FTC) should use its Section 5 unfairness authority to establish a Data Minimization Rule to prohibit all secondary data uses with limited exceptions, ensuring that people can safely use apps and online services without having to take additional action.

  • APA Comments

    In the Matter of Support King, LLC

    EPIC has filed comments with the FTC asking the agency to finalize a proposed Consent Order that would permanently ban SpyFone from the surveillance business and require the stalkerware company to delete the personal data that it stole.

  • Publications

    What the FTC Could Be Doing (But Isn’t) To Protect Privacy

    EPIC's report "What the FTC Could Be Doing (But Isn't) to Protect Privacy" highlights numerous statutory authorities that the Federal Trade Commission has failed to use to safeguard privacy. EPIC identifies untapped or underused powers in the FTC's toolbox and explains how the FTC should deploy them to protect the public from abusive data practices.

  • Amicus Briefs

    Cothron v. White Castle

    US Court of Appeals for the Seventh Circuit

    Whether a person can sue only for the first time their data is collected or disclosed without consent in violation of the Illinois Biometric Information Privacy Act ("BIPA").

  • Amicus Briefs

    Lindenbaum v. Realgy, LLC

    US Court of Appeals for the Sixth Circuit

    Whether the Supreme Court’s decision to invalidate and sever the government-debt exception from the Telephone Consumer Protection Act’s robocall ban requires courts to grant retroactive immunity to robocallers for illegal calls made during the five years between the exception’s enactment and the Court’s decision to sever it.

  • Amicus Briefs

    Attorney General v. Facebook

    Massachusetts Supreme Judicial Court

    Whether the Attorney General can obtain from Facebook factual information derived from the company's investigation of third parties that improperly accessed user data.
