Federal and State Enforcement Actions
Federal and State Enforcement Actions play a critical role in upholding privacy laws and regulations in the United States. At the federal level, the Federal Trade Commission (FTC) is the primary enforcement agency for privacy and data protection. The FTC enforces privacy under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in commerce. When organizations fail to uphold their privacy promises or engage in deceptive data practices, the FTC can take enforcement action, resulting in consent decrees, monetary penalties, and mandated privacy programs. Notable FTC actions have targeted companies like Facebook, Google, and Equifax for privacy violations.
Other federal agencies also enforce sector-specific privacy laws. The Department of Health and Human Services (HHS) enforces HIPAA for healthcare data, while the Consumer Financial Protection Bureau (CFPB) oversees financial privacy under the Gramm-Leach-Bliley Act. The Federal Communications Commission (FCC) enforces telecommunications privacy regulations.
At the state level, State Attorneys General serve as primary enforcers of state privacy laws and can also enforce certain federal statutes. States like California, with the California Consumer Privacy Act (CCPA) and its amendment the CPRA, have established dedicated privacy enforcement mechanisms. The California Privacy Protection Agency (CPPA) was created specifically to enforce state privacy regulations. Other states such as Virginia, Colorado, Connecticut, and Utah have enacted comprehensive privacy laws with their own enforcement frameworks.
State enforcement actions can result in significant fines, injunctive relief, and mandatory compliance measures. Many states also have data breach notification laws, and failure to comply can trigger enforcement actions. The dual federal-state enforcement framework creates a layered regulatory environment where organizations must comply with multiple overlapping requirements. This patchwork approach means businesses must be vigilant about both federal and state obligations, as enforcement actions can arise from multiple jurisdictions simultaneously, increasing potential liability and compliance complexity.
Federal and State Enforcement Actions: A Comprehensive Guide for CIPP/US Exam Preparation
Introduction
Federal and state enforcement actions are a critical component of the U.S. privacy landscape. Understanding how government authorities enforce privacy and data protection laws is essential for anyone studying for the CIPP/US certification exam. This guide provides a thorough overview of the topic, explaining why it matters, how enforcement mechanisms work, and how to approach exam questions on the subject.
Why Federal and State Enforcement Actions Matter
The U.S. does not have a single, comprehensive federal privacy law. Instead, privacy is protected through a patchwork of federal and state laws, regulations, and enforcement actions. This sectoral approach means that multiple agencies at both the federal and state level have overlapping and complementary authority to enforce privacy protections. Understanding enforcement actions is important because:
• They shape the practical meaning of privacy laws through precedent and guidance.
• They establish standards of conduct that organizations must follow.
• They create significant financial and reputational consequences for non-compliance.
• They signal regulatory priorities and emerging areas of concern.
• They define the boundaries of acceptable data practices even in the absence of specific statutory requirements.
What Are Federal Enforcement Actions?
Federal enforcement actions are legal proceedings brought by federal government agencies against organizations or individuals that violate privacy and data protection laws. The most prominent federal agencies involved in privacy enforcement include:
1. The Federal Trade Commission (FTC)
The FTC is the primary federal agency responsible for consumer privacy protection in the United States. Its authority derives primarily from:
• Section 5 of the FTC Act – This prohibits unfair or deceptive acts or practices in or affecting commerce. The FTC has used this broad authority extensively to pursue privacy and data security enforcement actions.
• Deception Prong: An act or practice is deceptive if there is a material representation, omission, or practice that is likely to mislead consumers acting reasonably under the circumstances. In the privacy context, this often involves companies failing to honor their privacy policy commitments or making false claims about their data practices.
• Unfairness Prong: An act or practice is unfair if it causes or is likely to cause substantial injury to consumers, is not reasonably avoidable by consumers, and is not outweighed by countervailing benefits to consumers or competition. The FTC has used the unfairness authority to address inadequate data security practices.
The FTC typically resolves enforcement actions through consent decrees (also called consent orders), which are binding agreements requiring the company to implement specific remedial measures. These often include:
• Monetary penalties (civil penalties for violations of specific statutes or orders)
• Requirements to implement comprehensive privacy or security programs
• Regular third-party assessments for 20 years
• Prohibitions on misrepresenting privacy practices
• Deletion of improperly collected data
• Reporting requirements
Key FTC enforcement examples include actions against Facebook (Meta), Google, Uber, Wyndham Hotels, and many others.
2. The Department of Health and Human Services (HHS) – Office for Civil Rights (OCR)
HHS OCR enforces the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, Security Rule, and Breach Notification Rule. Enforcement mechanisms include:
• Resolution agreements and corrective action plans
• Civil monetary penalties (CMPs)
• Referral to the Department of Justice for criminal violations
Penalties under HIPAA are tiered based on the level of culpability, ranging from lack of knowledge to willful neglect.
3. The Department of Education
Enforces the Family Educational Rights and Privacy Act (FERPA) through the Family Policy Compliance Office. Enforcement can include withdrawal of federal funding from educational institutions.
4. The Consumer Financial Protection Bureau (CFPB)
Enforces financial privacy provisions, including aspects of the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA), and can bring enforcement actions for unfair, deceptive, or abusive acts or practices (UDAAP) in the financial services sector.
5. The Federal Communications Commission (FCC)
Enforces privacy provisions of the Telecommunications Act, the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act, and the Cable Communications Policy Act. The FCC can impose substantial fines for violations.
6. The Department of Justice (DOJ)
The DOJ may bring criminal prosecutions for privacy violations under various federal statutes, including HIPAA, the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and the Children's Online Privacy Protection Act (COPPA) in certain circumstances.
7. Other Federal Agencies
Other agencies with privacy enforcement authority include the Securities and Exchange Commission (SEC), which has brought enforcement actions related to data breach disclosures, and the Federal Banking Agencies (OCC, FDIC, Federal Reserve), which enforce GLBA safeguards requirements for financial institutions.
What Are State Enforcement Actions?
State enforcement actions are legal proceedings brought by state government officials and agencies against organizations that violate state privacy and data protection laws. Key state enforcers include:
1. State Attorneys General (AGs)
State Attorneys General are the most prominent state-level privacy enforcers. Their authority derives from:
• State consumer protection statutes (often called "mini-FTC Acts" or UDAP statutes), which prohibit unfair and deceptive trade practices
• State data breach notification laws – All 50 states, the District of Columbia, and U.S. territories have enacted breach notification laws
• Comprehensive state privacy laws – States like California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and others have enacted comprehensive privacy laws with AG enforcement provisions
• Federal statutes with state AG enforcement provisions – Some federal laws, such as COPPA and HIPAA (through the HITECH Act), grant state AGs concurrent enforcement authority
State AGs frequently collaborate through multistate enforcement actions, where multiple AGs join together to investigate and bring actions against companies for privacy violations. These coordinated actions can result in very large settlements.
Notable multistate actions include the $391.5 million settlement with Google over location tracking practices and the $575 million settlement with Equifax following its massive data breach.
2. State Privacy Agencies
Some states have established dedicated privacy agencies. Most notably, California established the California Privacy Protection Agency (CPPA) under the CPRA, which has independent rulemaking and enforcement authority over the CCPA/CPRA.
3. Other State Regulators
State insurance commissioners, banking regulators, and health agencies may also have privacy enforcement authority within their respective sectors. For example, the New York Department of Financial Services (NYDFS) enforces its Cybersecurity Regulation (23 NYCRR 500).
How Federal and State Enforcement Actions Work
The enforcement process typically follows these stages:
Stage 1: Investigation
• Triggered by consumer complaints, data breach reports, media coverage, referrals from other agencies, or the agency's own monitoring
• Agencies issue Civil Investigative Demands (CIDs), subpoenas, or information requests
• Companies are expected to cooperate and produce documents, data, and testimony
Stage 2: Determination of Violation
• The agency assesses whether a violation has occurred based on the evidence gathered
• Factors considered include the nature and severity of the violation, the number of affected consumers, the company's awareness, and the company's cooperation
Stage 3: Resolution
• Consent Decree/Settlement: The most common outcome, where the company agrees to specific remedial measures without admitting liability
• Administrative Action: The agency issues orders or penalties through its administrative process
• Litigation: The agency files a lawsuit in court if settlement negotiations fail
Stage 4: Compliance Monitoring
• The agency monitors the company's compliance with the terms of the consent decree or order
• Violations of consent decrees can result in additional penalties (contempt of court or statutory penalties per violation)
Key Concepts to Understand
Interplay Between Federal and State Enforcement
• Federal and state enforcement authorities often operate concurrently
• Federal preemption may limit state enforcement in some areas, but many federal privacy laws set a floor rather than a ceiling, allowing states to enact and enforce stronger protections
• State AGs increasingly assert their role in privacy enforcement, particularly when they perceive federal enforcement as insufficient
• Coordination between federal and state enforcers is common but not always consistent
The Role of Private Rights of Action
While this guide focuses on government enforcement, it is important to note that some privacy laws also provide private rights of action, allowing individuals to sue directly. The CCPA/CPRA provides a limited private right of action for data breaches resulting from a company's failure to implement reasonable security measures. Understanding the distinction between government enforcement and private litigation is important for the exam.
Consent Decrees and Their Significance
FTC consent decrees are particularly important in U.S. privacy law because they:
• Establish de facto standards of conduct
• Create ongoing compliance obligations (often 20 years)
• Can result in massive penalties for subsequent violations (the FTC's $5 billion penalty against Facebook was based in part on violations of a prior consent decree)
• Signal to the industry what practices the FTC considers problematic
Penalties and Remedies
Penalties vary significantly depending on the statute and agency involved:
• FTC civil penalties under specific statutes (e.g., COPPA) can be thousands of dollars per violation
• HIPAA penalties are tiered from $100 to $50,000+ per violation, with annual caps
• State comprehensive privacy laws impose varying penalties (e.g., CCPA allows up to $7,500 per intentional violation)
• The FTC cannot impose monetary penalties under its general Section 5 authority for first-time violations (only for violations of consent orders or specific rules). The scope of the FTC's monetary remedies has also been narrowed by recent case law, notably the Supreme Court's decision in AMG Capital Management v. FTC (2021), which held that Section 13(b) of the FTC Act does not authorize the FTC to obtain equitable monetary relief such as restitution
Exam Tips: Answering Questions on Federal and State Enforcement Actions
1. Know Your Agencies and Their Authority
• Be able to identify which agency enforces which law. The exam frequently tests whether you know that the FTC enforces COPPA, HHS OCR enforces HIPAA, and state AGs enforce state consumer protection laws and comprehensive privacy laws.
• Understand the difference between the FTC's deception and unfairness prongs under Section 5.
2. Understand Enforcement Mechanisms
• Know the difference between consent decrees, civil monetary penalties, criminal referrals, and administrative actions.
• Remember that FTC consent decrees typically last 20 years and include requirements for comprehensive privacy/security programs and third-party assessments.
3. Pay Attention to Preemption Issues
• When a question involves both federal and state enforcement, consider whether the federal law preempts state action. For example, HIPAA preempts less protective state laws but not more protective ones.
• Know that many federal privacy statutes expressly allow state AG enforcement.
4. Focus on Landmark Cases
• Be familiar with major enforcement actions referenced in the IAPP study materials, including FTC v. Wyndham (establishing FTC's authority over data security), the Facebook consent order and subsequent $5 billion penalty, and major multistate AG settlements.
5. Read Questions Carefully
• Distinguish between questions asking about which agency has authority versus what remedy is available. These are different inquiries.
• Watch for questions that test your understanding of the FTC's limitations – for example, the FTC generally cannot impose civil penalties under Section 5 alone without a prior order or specific rule.
6. Recognize Emerging Trends
• State enforcement is growing rapidly, particularly under new comprehensive state privacy laws.
• The CPPA in California represents a new model of dedicated state privacy enforcement agency.
• Multistate AG actions continue to be a powerful enforcement tool.
7. Use Process of Elimination
• If you are unsure of the correct answer, eliminate clearly wrong options first. For example, if a question asks which agency enforces FERPA, you can immediately eliminate the FTC, HHS, and the FCC.
• Remember that the FTC has the broadest general consumer privacy authority but does not have jurisdiction over certain sectors (banks, common carriers, nonprofits, etc.).
8. Understand the Practical Impact
• Enforcement actions often establish the practical meaning of statutory requirements. For example, what constitutes "reasonable security" has been largely defined through FTC enforcement actions rather than through the text of any statute.
• The exam may test whether you understand how enforcement actions create compliance expectations for the industry.
9. Don't Forget Jurisdictional Limitations
• The FTC does not have jurisdiction over banks (regulated by banking regulators), common carriers (regulated by the FCC), nonprofits, or in some cases, insurance companies (regulated by state insurance commissioners).
• Knowing these carve-outs can be essential for correctly answering enforcement-related questions.
10. Connect Enforcement to Broader Privacy Principles
• Enforcement actions exist to vindicate privacy rights and hold organizations accountable. Tying enforcement mechanisms back to the broader goals of transparency, accountability, and consumer protection will help you reason through unfamiliar scenarios on the exam.
Summary
Federal and state enforcement actions are the primary mechanisms through which U.S. privacy and data protection laws are given teeth. The FTC serves as the nation's primary privacy enforcer under its broad Section 5 authority, while sector-specific agencies like HHS OCR and the FCC enforce their respective statutes. State Attorneys General play an increasingly important role, enforcing both state-specific privacy laws and, in some cases, federal laws. Understanding the who, what, how, and why of these enforcement actions is essential for success on the CIPP/US exam and for effective privacy practice in the United States.