Federal Regulatory Authorities (FTC, FCC, DoC, HHS)
Federal regulatory authorities play a crucial role in shaping and enforcing privacy laws in the United States. The four key agencies are:

**Federal Trade Commission (FTC):** The FTC is the primary federal agency responsible for consumer privacy protection. Under Section 5 of the FTC Act, it has authority to take action against unfair or deceptive trade practices, including violations of privacy promises made by companies. The FTC enforces various privacy laws such as the Children's Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), and the Gramm-Leach-Bliley Act (GLBA). It also issues guidelines, conducts investigations, and brings enforcement actions against organizations that fail to protect consumer data adequately.

**Federal Communications Commission (FCC):** The FCC regulates privacy in the telecommunications sector. It oversees compliance with laws like the Telephone Consumer Protection Act (TCPA) and the CAN-SPAM Act. The FCC enforces rules around telemarketing, robocalls, and the privacy of customer proprietary network information (CPNI). It plays a significant role in protecting consumer communications data.

**Department of Commerce (DoC):** The DoC, primarily through the National Institute of Standards and Technology (NIST) and the International Trade Administration, promotes privacy frameworks and standards. It administered the EU-U.S. Privacy Shield framework and now manages the EU-U.S. Data Privacy Framework, facilitating transatlantic data transfers. The DoC also develops voluntary privacy guidelines and best practices for businesses.

**Department of Health and Human Services (HHS):** HHS, through its Office for Civil Rights (OCR), enforces the Health Insurance Portability and Accountability Act (HIPAA). It oversees the privacy and security of protected health information (PHI), conducts audits, investigates complaints, and imposes penalties on covered entities and business associates that violate HIPAA rules.

Together, these agencies form a sectoral regulatory framework that addresses privacy across different industries and contexts in the United States.
Federal Regulatory Authorities (FTC, FCC, DoC, HHS) – A Comprehensive Guide for CIPP/US Exam Preparation
Why Federal Regulatory Authorities Matter
Understanding federal regulatory authorities is essential for anyone pursuing the CIPP/US certification because the United States does not have a single, comprehensive data protection authority. Instead, privacy regulation is enforced by a patchwork of sector-specific federal agencies. Each agency has distinct jurisdiction, enforcement powers, and areas of focus. Knowing which agency does what — and the boundaries of their authority — is critical for answering exam questions correctly and for practicing privacy law in the real world.
In the absence of an omnibus federal privacy law, these regulatory bodies serve as the primary guardians of consumer privacy, each operating within its own statutory mandate. Their actions — enforcement cases, rulemaking, and guidance documents — effectively shape the privacy landscape in the United States.
What Are the Key Federal Regulatory Authorities?
The CIPP/US exam focuses on four primary federal regulatory authorities when it comes to privacy:
1. Federal Trade Commission (FTC)
2. Federal Communications Commission (FCC)
3. Department of Commerce (DoC)
4. Department of Health and Human Services (HHS)
Each plays a unique and complementary role in the U.S. privacy ecosystem.
1. The Federal Trade Commission (FTC)
Overview:
The FTC is widely considered the de facto federal privacy regulator in the United States. It is an independent agency established in 1914, primarily tasked with protecting consumers and promoting competition.
Primary Authority:
The FTC derives its privacy enforcement power mainly from Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce.
Key Concepts:
- Deception: A representation, omission, or practice that is likely to mislead consumers acting reasonably under the circumstances, where that representation, omission, or practice is material to the consumer's decision. For example, if a company's privacy policy says it does not share data with third parties but the company actually does, this constitutes deception.
- Unfairness: A practice is unfair if it causes or is likely to cause substantial injury to consumers that is not reasonably avoidable by consumers themselves and is not outweighed by countervailing benefits to consumers or competition. This is a three-part test you should memorize.
- The FTC has used its unfairness authority to bring cases against companies for inadequate data security practices, even where no specific privacy promise was broken.
Enforcement Tools:
- Consent Decrees (Consent Orders): The most common enforcement outcome. Companies agree to implement specific privacy and security measures, often including 20-year monitoring periods and independent third-party audits.
- Civil Penalties: The FTC can seek civil penalties for violations of consent orders or specific statutes it enforces (e.g., COPPA, FCRA).
- The FTC does NOT have direct criminal enforcement authority — it can refer matters to the Department of Justice for criminal prosecution.
- The FTC typically cannot impose fines for first-time Section 5 violations unless a specific statute authorizes it.
Sector-Specific Statutes Enforced by FTC:
- Children's Online Privacy Protection Act (COPPA) — protects children under 13 online
- Fair Credit Reporting Act (FCRA) — regulates consumer reporting agencies (shared jurisdiction with CFPB)
- Gramm-Leach-Bliley Act (GLBA) — financial privacy (Safeguards Rule)
- CAN-SPAM Act — commercial email regulation
- Telemarketing Sales Rule (TSR) — Do Not Call rules
- Health Breach Notification Rule — applies to non-HIPAA-covered entities handling health data
Jurisdiction Limitations:
- The FTC generally does not have jurisdiction over common carriers (regulated by the FCC), banks and federal credit unions (regulated by banking regulators), non-profit organizations, or insurance companies (regulated by states).
- The FTC's jurisdiction covers for-profit entities engaged in commerce.
Landmark Cases to Know:
- FTC v. Wyndham Worldwide — affirmed FTC's authority to use Section 5 unfairness to address inadequate data security
- FTC v. Facebook (2019) — $5 billion settlement for privacy violations
- In the Matter of LabMD — tested the limits of FTC unfairness authority in data security cases
2. The Federal Communications Commission (FCC)
Overview:
The FCC is an independent agency that regulates interstate and international communications by radio, television, wire, satellite, and cable. Its privacy role centers on telecommunications and communications-related data.
Primary Authority:
- Telecommunications Act of 1996, particularly Section 222, which governs the protection of Customer Proprietary Network Information (CPNI)
- Telephone Consumer Protection Act (TCPA) — regulates telemarketing calls, auto-dialed calls, prerecorded messages, and unsolicited faxes
- CAN-SPAM Act — the FCC has authority over wireless commercial messages
Key Concepts:
- CPNI (Customer Proprietary Network Information): Information that telecommunications carriers collect about their customers' phone usage, including call details, calling patterns, and billing information. Carriers must protect CPNI and can only use it for providing the service or with customer approval.
- The FCC requires carriers to implement data breach notification procedures for CPNI breaches.
- TCPA: Requires prior express consent for autodialed calls or texts to cell phones and prior express written consent for telemarketing calls using autodialers or prerecorded voices. Violations can result in statutory damages of $500–$1,500 per call/text.
Jurisdiction:
- The FCC has jurisdiction over common carriers and telecommunications providers — precisely the entities the FTC generally cannot regulate.
- This complementary jurisdiction is important for the exam: if a question involves a telecom company's handling of customer data, think FCC, not FTC.
Recent Developments:
- The FCC has expanded its breach notification rules and increased enforcement actions against robocallers.
- The interplay between FCC and FTC jurisdiction has been a recurring exam topic, especially following the net neutrality debates about whether broadband providers are common carriers.
3. The Department of Commerce (DoC)
Overview:
The Department of Commerce is a cabinet-level executive branch agency. Unlike the FTC and FCC, the DoC's role in privacy is primarily advisory, facilitative, and policy-oriented rather than enforcement-focused.
Key Privacy Roles:
- National Institute of Standards and Technology (NIST): A bureau within the DoC that develops cybersecurity and privacy frameworks (e.g., the NIST Cybersecurity Framework and the NIST Privacy Framework). While these frameworks are voluntary for private sector organizations, they are often treated as best-practice standards.
- National Telecommunications and Information Administration (NTIA): Serves as the President's principal adviser on telecommunications and information policy. The NTIA has been involved in developing privacy-related policy proposals, stakeholder engagement (multistakeholder processes), and international internet governance.
- International Trade Administration (ITA): Administers the EU-U.S. Data Privacy Framework (DPF) (successor to the Privacy Shield, which succeeded Safe Harbor). The ITA manages the list of participating organizations and handles the self-certification process for companies that wish to transfer personal data from the EU/EEA/UK/Switzerland to the United States under the DPF.
Key Concepts:
- The DoC does not have direct enforcement authority over privacy violations. Enforcement of the Data Privacy Framework commitments falls to the FTC (and in some cases the Department of Transportation for air carriers).
- The DoC plays a convening and policy development role — it brings stakeholders together and develops voluntary codes of conduct and frameworks.
- NIST frameworks are increasingly referenced in legislation and regulation as standards of care.
Why It Matters for the Exam:
- You may be asked about who administers vs. who enforces international data transfer mechanisms. The DoC administers the DPF; the FTC enforces it.
- Understanding the DoC's non-enforcement, policy-oriented role helps distinguish it from the FTC and FCC.
4. The Department of Health and Human Services (HHS)
Overview:
HHS is the cabinet-level executive branch agency responsible for protecting health and providing essential human services. Its privacy role is focused on health information.
Primary Authority:
- Health Insurance Portability and Accountability Act (HIPAA) — specifically the Privacy Rule, Security Rule, and Breach Notification Rule
- Health Information Technology for Economic and Clinical Health Act (HITECH) — strengthened HIPAA enforcement and extended certain requirements to business associates
Office for Civil Rights (OCR):
Within HHS, the Office for Civil Rights (OCR) is the specific division that enforces HIPAA. OCR investigates complaints, conducts compliance reviews, and imposes penalties.
Key Concepts:
- Covered Entities: Health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically
- Business Associates: Third parties that perform functions involving the use or disclosure of Protected Health Information (PHI) on behalf of covered entities
- Protected Health Information (PHI): Individually identifiable health information held or transmitted by a covered entity or its business associate
- Minimum Necessary Standard: Covered entities must make reasonable efforts to limit PHI use, disclosure, and requests to the minimum necessary to accomplish the intended purpose
- Individual Rights: Access, amendment, accounting of disclosures, restriction requests, confidential communications, and right to receive a notice of privacy practices
Enforcement:
- OCR can impose civil monetary penalties (CMPs) using a tiered penalty structure based on the level of culpability:
  • Tier 1: Did not know (and would not have known) — $100–$50,000 per violation
  • Tier 2: Reasonable cause — $1,000–$50,000 per violation
  • Tier 3: Willful neglect, corrected — $10,000–$50,000 per violation
  • Tier 4: Willful neglect, not corrected — $50,000 per violation
  • Annual cap of approximately $1.5 million per identical provision violated (adjusted for inflation)
- Criminal penalties may be pursued by the Department of Justice for knowing violations of HIPAA
- OCR also uses Resolution Agreements (similar to consent decrees) and Corrective Action Plans
Breach Notification:
- Covered entities must notify affected individuals, HHS, and (for breaches affecting 500+ individuals) the media
- Business associates must notify the covered entity
- Notification must occur without unreasonable delay and no later than 60 days after discovery
How These Agencies Work Together
The U.S. sectoral approach means these agencies have complementary but non-overlapping jurisdictions in most cases:
- The FTC is the broadest, covering most commercial entities but not common carriers, banks, or nonprofits
- The FCC covers telecommunications companies (common carriers) that the FTC cannot reach
- The DoC provides policy, frameworks, and administers international data transfer programs, but does not enforce
- HHS (OCR) enforces health information privacy under HIPAA for covered entities and business associates
A single company could potentially be subject to multiple agencies depending on its activities. For example, a tech company operating a health app might face FTC scrutiny under Section 5 and the Health Breach Notification Rule, while a hospital using the same app would be subject to HHS/OCR under HIPAA.
Exam Tips: Answering Questions on Federal Regulatory Authorities (FTC, FCC, DoC, HHS)
Tip 1: Know the Jurisdiction Boundaries
The exam frequently tests whether you can identify which agency has authority over a given scenario. Remember:
- Telecom company → FCC
- Hospital or health plan → HHS/OCR
- General commercial entity with deceptive privacy practices → FTC
- International data transfer framework administration → DoC
- International data transfer framework enforcement → FTC
Tip 2: Understand the FTC's Unfairness vs. Deception Distinction
This is heavily tested. Deception involves misleading representations or broken promises. Unfairness involves substantial, unavoidable injury not outweighed by benefits. Memorize the three-part unfairness test.
Tip 3: Remember What the FTC Cannot Do
- Cannot impose fines for first-time Section 5 violations (absent a specific statute authorizing it)
- Cannot regulate common carriers, nonprofits, banks, or insurance companies
- Cannot bring criminal charges (must refer to DOJ)
Tip 4: Associate Key Acronyms with the Right Agency
- CPNI → FCC
- TCPA → FCC
- PHI → HHS
- HIPAA → HHS/OCR
- COPPA → FTC
- NIST → DoC
- DPF → DoC (administration) / FTC (enforcement)
Tip 5: Distinguish Administration from Enforcement
A common trick question involves the Data Privacy Framework. The DoC administers it; the FTC enforces it. If the question asks who handles compliance certification, the answer is DoC. If it asks who takes action against a company that violates its DPF commitments, the answer is FTC.
Tip 6: Know Key Enforcement Mechanisms
- FTC → Consent decrees (often 20-year terms), civil penalties for violations of orders or specific statutes
- FCC → Fines, consent decrees, forfeiture orders for TCPA/CPNI violations
- HHS/OCR → Tiered civil monetary penalties, resolution agreements, corrective action plans; DOJ handles criminal referrals
- DoC → No direct enforcement power
Tip 7: Watch for HITECH Act Details
The HITECH Act extended HIPAA requirements directly to business associates and increased penalty amounts. Questions about business associate obligations or enhanced penalties often reference HITECH.
Tip 8: Understand Breach Notification Differences
- HIPAA breach notification is managed by HHS/OCR with a 60-day notification deadline
- FCC has CPNI breach notification requirements
- FTC enforces the Health Breach Notification Rule for non-HIPAA entities
Know which rule applies based on the type of entity in the question.
Tip 9: Process of Elimination
When faced with a question about which agency regulates a particular practice, first eliminate agencies that clearly do not have jurisdiction. If the entity is not a telecom provider, eliminate FCC. If it is not a healthcare covered entity, eliminate HHS. If the question asks about enforcement (not just policy), eliminate DoC. What remains is usually FTC by default — reflecting its role as the broadest privacy enforcer.
Tip 10: Pay Attention to the Type of Entity
The exam loves to test entity classification. Always identify the entity type first:
- For-profit commercial company → likely FTC
- Telecommunications carrier → FCC
- Healthcare provider/plan/clearinghouse → HHS
- Nonprofit → generally outside FTC jurisdiction (may still be subject to state laws)
- Bank → banking regulators, not FTC
Tip 11: Remember Landmark Cases
Be familiar with FTC v. Wyndham (affirming unfairness authority for data security), LabMD (testing limits of FTC authority), and major FTC settlements (Facebook, Google, etc.). These cases illustrate the boundaries and strength of FTC enforcement and frequently appear in exam scenarios.
Final Summary Table:
| Agency | Primary Role | Key Statutes | Enforcement Power |
|---|---|---|---|
| FTC | Broadest privacy/consumer protection | Section 5 FTC Act, COPPA, FCRA, GLBA | Consent decrees, civil penalties, no criminal |
| FCC | Telecom privacy | TCPA, Section 222 (CPNI) | Fines, forfeiture orders |
| DoC | Policy, frameworks, DPF administration | N/A (voluntary frameworks) | No direct enforcement |
| HHS/OCR | Health information privacy | HIPAA, HITECH | Tiered CMPs, resolution agreements, DOJ criminal referrals |
By mastering these distinctions — jurisdiction, enforcement tools, key statutes, and the interplay between agencies — you will be well-prepared to tackle any CIPP/US exam question on federal regulatory authorities.