Enforcement of Privacy Laws

Background

Robust enforcement is critical to effective privacy protection. There are two main forms of enforcement in U.S. privacy laws: government enforcement, typically by an agency of relevant jurisdiction or state attorney general, and private rights of action, the ability for an individual or group of individuals to pursue legal action to enforce their rights.

Government Enforcement of Privacy Laws in the U.S.

In the absence of a comprehensive federal privacy law, the Federal Trade Commission has used its authority under the FTC Act, passed in 1914, to fill some of the gaps left by federal sectoral privacy laws. The FTC Act initially established the agency to enforce a ban on “unfair methods of competition in or affecting commerce.” In 1938, Congress authorized the Commission to enforce a prohibition on unfair and deceptive acts and practices (UDAP), creating the FTC’s dual mission to promote competition and protect consumers. This provision, alongside targeted authorities like the Children’s Online Privacy Protection Act and the Health Breach Notification Rule, forms the legal foundation of the FTC’s power to regulate personal data practices.

EPIC helped establish the FTC’s authority for consumer privacy and has urged the FTC to safeguard American consumers in cases involving Google, Meta, OpenAI, Grindr, Thomson Reuters, and others. But even when the FTC reaches a consent agreement with a privacy-violating company, those orders are often weak and underenforced. Prominent examples include the FTC’s failure to enforce the 2011 consent order against Google and the Commission’s failure to enforce the consent order against Facebook even after repeated violations. Because of the FTC’s failure to act, we face an epidemic of runaway online tracking, sales of personal information by data brokers, and other commercial surveillance harms.

This long-running pattern began to change between 2021 and 2024, as the FTC made increased use of its UDAP authority, cracked down on data brokers, secured stronger remedies to address the misuse of sensitive personal information, and initiated an ambitious rulemaking to rein in commercial surveillance practices. Regulators at the Consumer Financial Protection Bureau and Federal Communications Commission also took increased action during this period, pursuing measures to regulate data brokers and limit the commercial exploitation of location data. Unfortunately, many of those regulatory trends were reversed in 2025 with the change of administration, underscoring the inconsistency and fundamental weakness of privacy enforcement mechanisms at the federal level.

The United States needs a new approach. While the FTC helps to safeguard consumers and promote competition, it is ultimately not a data protection agency. The U.S. needs a federal data protection agency focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges.

The United States Needs a Data Protection Agency

There is an urgent need for leadership from the United States on data protection. Virtually every other advanced economy has recognized the need for an independent agency to address the challenges of the digital age. Current law and regulatory oversight in the United States are woefully inadequate to meet these challenges. The Federal Trade Commission is fundamentally not a privacy or data security agency. The FTC only has authority to bring enforcement actions against unfair and deceptive practices in the marketplace, and it lacks the ability to create prospective rules for data security. The Consumer Financial Protection Bureau similarly lacks data protection authority and only has jurisdiction over financial institutions. Neither of these agencies possesses the resources needed to address privacy and data security.

As technology becomes interwoven into every aspect of our lives, the need for an effective, independent data protection agency has never been greater. An independent agency could more effectively use its resources to police the current widespread exploitation of consumers’ personal information. An independent agency would also be staffed with personnel who possess the requisite technical expertise to regulate the fields of data security, artificial intelligence, online advertising, and more.

Our current privacy laws are woefully out of date and fail to provide the necessary protections for our modern age. We also now face threats from foreign adversaries that target the personal data stored in U.S. companies and U.S. government agencies. The U.S. urgently needs a Data Protection Agency.

Learn more about EPIC’s campaign for a U.S. Data Protection Agency.

Privacy Laws Should Provide for a Private Right of Action

While government enforcement is essential, the scope of data collection online is simply too vast for one entity to regulate. Individuals and groups of individuals who use these online services are in the best position to identify privacy issues and bring actions to vindicate their interests. These cases preserve government resources, and statutory damages ensure that companies will face real consequences if they violate the law.

The inclusion of a private right of action is the most important tool policymakers can give to their constituents to protect their privacy. A private right of action would impose enforceable legal obligations on companies. As EPIC Advisory Board Member Woody Hartzog wrote with regard to a private right of action in the Illinois biometric privacy law:

So far, only private causes of action seem capable of meaningfully deterring companies from engaging in practices with biometrics based on business models that inevitably lead to unacceptable abuses. Regulators are more predictable than plaintiffs and are vulnerable to political pressure. Facebook’s share price actually rose 2 percent after the FTC announced its historic $5 billion fine for the social media company’s privacy lapses in the Cambridge Analytica debacle. Meanwhile, Clearview AI specifically cited BIPA as the reason it is no longer pursuing non-government contracts. On top of that, Clearview AI is being sued by the ACLU for violating BIPA by creating faceprints of people without their consent. […] In general, businesses have opposed private causes of action more than other proposed privacy rules, short of an outright ban.

The ACLU’s suit against facial recognition company Clearview AI settled, with Clearview agreeing not to sell its face surveillance system to any private company in the United States. Private rights of action are extremely effective in ensuring that the rights in privacy laws are meaningful. In contrast, in states where Attorneys General have sole enforcement authority, we have seen little enforcement of (and compliance with) privacy laws.

The statutory damages set in privacy laws are not large in an individual case, but they can provide a powerful incentive in large cases and are necessary to ensure that privacy rights are taken seriously and violations are not tolerated. In the absence of a private right of action, there is a very real risk that companies will not comply with the law because they think it is unlikely that they would get caught or fined. Private enforcement ensures that data collectors have strong financial incentives to meet their data protection obligations. Many privacy laws include a private right of action, and these provisions have historically made it possible to hold companies accountable for their privacy violations.

State Attorneys General and Privacy Enforcement

State Attorneys General have historically played a strong role in privacy enforcement, largely stemming from their consumer protection watchdog role.

In late 2025, EPIC published State Attorneys General & Privacy: Enforcement Trends, 2020-2024, examining State AG enforcement actions across six areas of privacy harms: Unwanted Calls & Texts, Data Breach, Data Privacy, Antitrust, Platform Accountability & Governance, and Algorithms & Automated Systems. EPIC’s report catalogs over 220 cases and settlements, 35 letters, and 20 public investigations from January 2020 through December 2024, providing a detailed look at the breadth and impact of state-level privacy enforcement.

Danielle Citron wrote a seminal article on the role of State Attorneys General in 2017.
