The Federal Trade Commission Act (FTC Act) is a cornerstone of U.S. privacy regulation that governs private-sector collection and use of data. Enacted in 1914, Section 5 of the FTC Act prohibits 'unfair or deceptive acts or practices in or affecting commerce,' which has become the primary federal mechanism for enforcing privacy protections in the private sector.

The Federal Trade Commission (FTC) uses this authority to take action against companies that engage in deceptive practices, such as violating their own privacy policies or misrepresenting how they collect, use, or protect consumer data. If a company promises certain data protection measures but fails to implement them, the FTC can pursue enforcement actions.

The FTC also addresses 'unfair' practices, which are defined as those that cause substantial consumer injury, are not reasonably avoidable by consumers, and are not outweighed by countervailing benefits to consumers or competition. This three-part unfairness test allows the FTC to address harmful data practices even when no explicit deception has occurred.

Notably, the FTC Act does not provide a comprehensive privacy framework like the EU's GDPR. Instead, it operates as a broad enforcement tool that the FTC applies on a case-by-case basis. The FTC has used this authority to address data security failures, unauthorized data sharing, improper data collection from children, and other privacy violations.

Enforcement typically results in consent decrees, which require companies to implement specific privacy and security measures, often including regular third-party audits for up to 20 years. Violations of consent decrees can result in significant financial penalties.

The FTC Act applies to most commercial entities but notably excludes common carriers, banks, savings institutions, federal credit unions, and airlines, which are regulated by other agencies. The Act has been instrumental in shaping U.S. privacy standards through enforcement actions against major companies, effectively creating a body of privacy 'common law' through its decisions and settlements.

The Federal Trade Commission (FTC) serves as the primary federal agency responsible for enforcing privacy and data security standards in the private sector in the United States. Under Section 5 of the FTC Act, the Commission has authority to take action against companies engaging in 'unfair or deceptive acts or practices' in commerce. This broad mandate has become the cornerstone of privacy and security enforcement in the U.S.

**Deception-Based Actions:** The FTC pursues companies that make false or misleading claims about their privacy and data security practices. If a company's privacy policy promises certain protections but fails to implement them, the FTC can bring a deception claim. Notable cases include actions against Facebook, Google, and Snapchat for misrepresenting their data practices to consumers.

**Unfairness-Based Actions:** The FTC also takes action when a company's data practices cause substantial consumer injury that is not reasonably avoidable and not outweighed by benefits. This includes cases where companies fail to maintain reasonable data security measures, leading to data breaches. The landmark case *FTC v. Wyndham Worldwide* confirmed the FTC's authority to bring data security cases under its unfairness jurisdiction.

**Enforcement Mechanisms:** The FTC typically resolves cases through consent orders (consent decrees), which require companies to implement comprehensive privacy or security programs, undergo regular third-party assessments, and comply for 20 years. Violations of consent orders can result in significant civil penalties.

**Key Outcomes:** FTC enforcement actions have established de facto standards for reasonable data security and privacy practices. Companies are expected to implement appropriate safeguards, honor their privacy promises, provide consumer notice and choice, and minimize data collection.

**Limitations:** The FTC cannot impose fines for first-time violations (unless under specific statutes like COPPA), lacks direct rulemaking authority for general privacy rules (though this is evolving), and relies heavily on case-by-case enforcement rather than comprehensive regulation. Despite these limitations, FTC enforcement remains the most significant federal mechanism for holding private-sector organizations accountable for privacy and security failures.

The Children's Online Privacy Protection Act (COPPA), enacted in 1998 and enforced by the Federal Trade Commission (FTC), is a critical U.S. federal law designed to protect the privacy of children under the age of 13 online. COPPA imposes specific requirements on operators of websites, online services, and mobile applications that are directed toward children or that knowingly collect personal information from children under 13.

Key provisions of COPPA include:

1. **Parental Consent**: Operators must obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13. This consent must be meaningful and can be obtained through various approved methods.

2. **Privacy Policy Requirements**: Websites and services must post clear, comprehensive privacy policies detailing their data collection practices, including the types of information collected, how it is used, and disclosure practices.

3. **Data Minimization**: Operators cannot collect more personal information than is reasonably necessary for a child to participate in an activity.

4. **Parental Rights**: Parents have the right to review their child's personal information, request its deletion, and refuse further collection or use of the data.

5. **Data Security**: Operators must maintain reasonable procedures to protect the confidentiality, security, and integrity of children's personal information.

6. **Safe Harbor Programs**: The FTC allows industry groups to develop self-regulatory guidelines that, if approved, serve as a safe harbor for compliance.

Personal information under COPPA includes names, addresses, email addresses, phone numbers, Social Security numbers, geolocation data, photos, videos, audio recordings, and persistent identifiers used to track online behavior.

The FTC updated the COPPA Rule in 2013 to address evolving technologies, expanding the definition of personal information and strengthening protections. Violations can result in significant civil penalties. COPPA represents one of the most important limits on private-sector data collection in the United States, specifically targeting the vulnerable population of young children in the digital environment.

The future of federal enforcement regarding data privacy in the United States is increasingly focused on emerging technologies and practices, including data brokers, Big Data, the Internet of Things (IoT), and Artificial Intelligence (AI). These areas present significant challenges to existing privacy frameworks and are drawing heightened attention from regulators like the FTC, CFPB, and other federal agencies.

**Data Brokers** collect, aggregate, and sell vast amounts of personal information, often without consumers' knowledge or consent. Federal enforcement is moving toward requiring greater transparency, accountability, and potentially establishing a national registry for data brokers. The FTC has issued reports recommending legislation to address data broker practices, and the CFPB has taken steps to regulate certain data broker activities under existing financial privacy laws.

**Big Data** analytics enable organizations to derive insights from massive datasets, raising concerns about discriminatory profiling, lack of transparency, and secondary uses of data beyond original collection purposes. Federal agencies are scrutinizing how Big Data practices may lead to unfair or deceptive outcomes, particularly affecting vulnerable populations.

**IoT** devices—from smart home products to wearables—continuously collect granular personal data, often with inadequate security measures and unclear privacy policies. The FTC has emphasized the need for security-by-design, data minimization, and meaningful consumer notice and choice in the IoT ecosystem.

**Artificial Intelligence** presents enforcement challenges related to algorithmic bias, automated decision-making, and opaque data processing. Federal agencies are increasingly focused on ensuring AI systems are fair, explainable, and do not perpetuate discrimination. The FTC has warned companies against using biased AI and has signaled willingness to take enforcement action under existing authority.

Overall, the trajectory of federal enforcement is toward more proactive regulation, with calls for comprehensive federal privacy legislation that addresses these technologies holistically. Agencies are leveraging existing authorities—particularly Section 5 of the FTC Act—while advocating for new legislative tools to keep pace with rapidly evolving data practices and technological innovation.

The HIPAA Privacy Rule, established under the Health Insurance Portability and Accountability Act of 1996, is a critical federal regulation that governs the collection, use, and disclosure of protected health information (PHI) by covered entities in the private sector. Covered entities include health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically.

The Privacy Rule sets national standards to protect individuals' medical records and personal health information. It establishes limits on how covered entities and their business associates can use and disclose PHI. Under the rule, covered entities may use or disclose PHI without patient authorization only for specific purposes, primarily treatment, payment, and healthcare operations (TPO). For most other uses and disclosures, covered entities must obtain written authorization from the individual.

Key provisions include the Minimum Necessary Standard, which requires covered entities to limit the use, disclosure, and request of PHI to the minimum amount necessary to accomplish the intended purpose. This principle directly limits private-sector data collection and use by ensuring organizations do not access more health information than needed.

The Privacy Rule also grants individuals important rights over their health information, including the right to access and obtain copies of their medical records, request corrections, receive an accounting of disclosures, and request restrictions on certain uses of their information. Covered entities must provide a Notice of Privacy Practices informing individuals about how their PHI may be used.

Business associates—third-party vendors who handle PHI on behalf of covered entities—are also bound by the Privacy Rule through Business Associate Agreements (BAAs), extending privacy protections throughout the data handling chain.

Enforcement is managed by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which can impose civil monetary penalties and refer criminal violations to the Department of Justice. Penalties range from $100 to $50,000 per violation, with annual maximums reaching $1.5 million per violation category. The HIPAA Privacy Rule remains one of the most significant frameworks limiting private-sector health data practices in the United States.

The HIPAA Security Rule, established under the Health Insurance Portability and Accountability Act of 1996, sets national standards for protecting electronic protected health information (ePHI) held or transferred by covered entities and their business associates. While the HIPAA Privacy Rule broadly addresses the use and disclosure of protected health information in all forms, the Security Rule specifically focuses on safeguarding electronic data.

The Security Rule requires covered entities—including healthcare providers, health plans, and healthcare clearinghouses—to implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.

**Administrative Safeguards** include policies and procedures designed to manage the selection, development, and implementation of security measures. This encompasses risk assessments, workforce training, access management, and contingency planning. Organizations must designate a security official responsible for developing and implementing security policies.

**Physical Safeguards** address access to physical facilities and electronic equipment. These include facility access controls, workstation use policies, workstation security measures, and device and media controls governing the receipt, removal, and disposal of hardware and electronic media containing ePHI.

**Technical Safeguards** involve the technology and related policies that protect ePHI and control access to it. These include access controls (unique user identification, emergency access procedures), audit controls, integrity controls, and transmission security measures such as encryption.

The Security Rule follows a flexible approach, allowing organizations to adopt measures that are reasonable and appropriate for their specific environment. It distinguishes between 'required' and 'addressable' implementation specifications, giving entities some discretion in how they meet certain standards based on their size, complexity, and risk profile.

Non-compliance with the Security Rule can result in significant civil and criminal penalties enforced by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The Security Rule plays a critical role in limiting how private-sector healthcare organizations collect, store, and manage sensitive health data electronically, ensuring robust data protection in an increasingly digital healthcare landscape.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 as part of the American Recovery and Reinvestment Act (ARRA). It was designed to promote the adoption and meaningful use of health information technology, particularly electronic health records (EHRs), while strengthening the privacy and security protections established under the Health Insurance Portability and Accountability Act (HIPAA). In the context of limits on private-sector collection and use of data, the HITECH Act plays a significant role. It expanded the scope of HIPAA's privacy and security requirements by extending certain obligations directly to business associates — third-party entities that handle protected health information (PHI) on behalf of covered entities such as healthcare providers, health plans, and healthcare clearinghouses. Prior to HITECH, business associates were only indirectly regulated through contractual agreements. The Act introduced stricter breach notification requirements, mandating that covered entities and business associates notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media, when unsecured PHI is breached. This increased transparency and accountability in how private-sector organizations handle sensitive health data. HITECH also strengthened enforcement by increasing penalties for HIPAA violations, establishing a tiered penalty structure based on the level of negligence, with maximum penalties reaching $1.5 million per violation category per year. State attorneys general were also granted authority to bring civil actions on behalf of state residents for HIPAA violations. Additionally, the Act imposed limitations on the sale of PHI without patient authorization and restricted the use of PHI for marketing and fundraising purposes. These provisions directly limit how private-sector organizations collect, use, and disclose health information. Overall, the HITECH Act significantly enhanced data protection in the healthcare sector by strengthening privacy safeguards, increasing accountability for data handlers, and imposing meaningful consequences for non-compliance, thereby placing important limits on private-sector collection and use of sensitive health data.

The 21st Century Cures Act, enacted in December 2016, is a significant piece of U.S. legislation that addresses various aspects of healthcare innovation, including important provisions related to health data privacy and interoperability. In the context of private-sector data collection and use limitations, this act has notable implications for how health information is handled.

One key aspect is its interaction with 42 CFR Part 2, which is a federal regulation that provides strict confidentiality protections for substance use disorder (SUD) patient records. Historically, 42 CFR Part 2 imposed more restrictive requirements than HIPAA, requiring specific written patient consent before any disclosure of SUD treatment records. This created challenges for healthcare providers seeking to coordinate care and share information through electronic health records.

The 21st Century Cures Act directed the Department of Health and Human Services (HHS) to align 42 CFR Part 2 regulations more closely with HIPAA while still maintaining essential patient protections. The goal was to reduce barriers to integrated care while preserving confidentiality safeguards for individuals seeking substance use disorder treatment.

Key provisions include allowing disclosure of SUD records with patient consent for purposes of treatment, payment, and healthcare operations, similar to HIPAA's framework. The act also addressed anti-discrimination protections, prohibiting the use of SUD records in criminal proceedings against patients without their consent or a court order.

For the private sector, these regulations limit how organizations can collect, use, and disclose sensitive substance use disorder information. Healthcare providers, insurers, and their business associates must comply with both HIPAA and 42 CFR Part 2 requirements when handling SUD records. Violations can result in criminal penalties, including fines.

The reforms aim to balance two competing interests: facilitating better care coordination through appropriate information sharing and protecting the privacy of individuals with substance use disorders to encourage them to seek treatment without fear of stigma or legal consequences.

The Fair Credit Reporting Act (FCRA), enacted in 1970, is a landmark federal law that regulates the collection, dissemination, and use of consumer credit information in the United States. It is one of the most significant privacy laws governing private-sector data practices.

The FCRA primarily governs Consumer Reporting Agencies (CRAs) such as Equifax, Experian, and TransUnion, as well as the entities that furnish information to them and those who use consumer reports. The Act establishes a framework that balances the need for credit reporting with consumer privacy rights.

Key provisions of the FCRA include:

1. **Permissible Purpose**: Consumer reports can only be obtained for specific legitimate purposes, such as credit transactions, employment screening (with consumer consent), insurance underwriting, or other legitimate business needs.

2. **Accuracy and Fairness**: CRAs must maintain reasonable procedures to ensure the accuracy, relevance, and proper utilization of consumer information.

3. **Consumer Rights**: Individuals have the right to access their credit reports, know who has requested their information, and dispute inaccurate or incomplete information. CRAs must investigate disputes within 30 days.

4. **Adverse Action Notices**: When a consumer is denied credit, employment, or insurance based on information in a consumer report, the entity must provide notice to the consumer, including the CRA's contact information.

5. **Time Limitations**: Most negative information must be removed after seven years, while bankruptcies can remain for ten years.

6. **Identity Theft Protections**: Consumers can place fraud alerts and credit freezes on their files.

The FCRA is enforced by the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB). Violations can result in statutory damages, punitive damages, and attorney fees. The Act also permits state laws that provide greater consumer protections.

For privacy professionals, understanding the FCRA is essential as it represents one of the earliest and most comprehensive frameworks limiting how private entities collect, use, and share personal information in the consumer reporting context.

FACTA (Fair and Accurate Credit Transactions Act) was enacted in 2003 as an amendment to the Fair Credit Reporting Act (FCRA). It was designed to enhance consumer protections, particularly regarding identity theft and the accuracy of credit information. FACTA introduced several key provisions that limit how private-sector organizations collect and use personal data.

Key provisions of FACTA include: the right for consumers to obtain a free annual credit report from each of the three major credit reporting agencies; the requirement for businesses to truncate credit and debit card numbers on receipts (showing no more than the last five digits); disposal rules requiring organizations to properly destroy consumer information derived from credit reports; and fraud alert provisions allowing consumers to place alerts on their credit files when they suspect identity theft.

The Red Flags Rule, established under Section 114 of FACTA, requires financial institutions and creditors to develop and implement written Identity Theft Prevention Programs. These programs must be designed to detect, prevent, and mitigate identity theft in connection with certain accounts. The rule applies to entities that hold covered accounts, including consumer accounts that involve multiple payments or transactions.

Under the Red Flags Rule, organizations must: identify relevant red flags for covered accounts, such as suspicious documents, unusual account activity, or alerts from credit reporting agencies; detect these red flags through their established programs; respond appropriately to mitigate potential harm when red flags are detected; and periodically update their programs to reflect changes in risks.

The Federal Trade Commission (FTC) and federal banking agencies enforce the Red Flags Rule. Examples of red flags include discrepancies in personal information, unusual account activity patterns, and notifications from law enforcement about identity theft. Together, FACTA and the Red Flags Rule represent significant limitations on private-sector data use while establishing proactive obligations to protect consumers from identity theft and credit fraud.

The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, is a landmark U.S. federal law that primarily governs how financial institutions collect, use, and disclose consumers' nonpublic personal information (NPI). It plays a critical role in limiting private-sector data collection and use within the financial services industry.

The GLBA applies broadly to 'financial institutions,' which includes not only banks and credit unions but also insurance companies, securities firms, tax preparers, mortgage brokers, and other entities significantly engaged in financial activities.

The Act contains three key privacy and security components:

1. **Financial Privacy Rule (Regulation P):** This requires financial institutions to provide customers with privacy notices explaining their data collection and sharing practices. Institutions must inform consumers about what personal information is collected, how it is shared, and with whom. Customers must be given the opportunity to opt out of having their NPI shared with nonaffiliated third parties.

2. **Safeguards Rule:** This mandates that financial institutions develop, implement, and maintain a comprehensive written information security program to protect consumer data. The program must include administrative, technical, and physical safeguards appropriate to the institution's size, complexity, and the sensitivity of the information handled.

3. **Pretexting Provisions:** The GLBA prohibits the practice of pretexting—obtaining personal financial information through false pretenses, deception, or fraudulent means.

The Federal Trade Commission (FTC), along with other federal and state regulators, enforces the GLBA. Violations can result in significant civil and criminal penalties, including fines and imprisonment.

For privacy professionals, understanding the GLBA is essential because it establishes baseline requirements for how financial data must be handled, limits the sharing of sensitive consumer information, and requires robust security measures. It represents one of the most significant federal limits on private-sector data practices, specifically targeting the financial sector's handling of personal information. The GLBA's framework has influenced subsequent privacy regulations and continues to shape how financial institutions approach data governance and consumer privacy protection.

The Dodd-Frank Wall Street Reform and Consumer Protection Act, enacted in 2010 in response to the 2008 financial crisis, represents one of the most significant pieces of financial regulatory legislation in U.S. history. A key provision of this act was the establishment of the Consumer Financial Protection Bureau (CFPB), an independent federal agency dedicated to protecting consumers in the financial marketplace.

The CFPB consolidates consumer financial protection authorities that were previously spread across multiple federal agencies. It has broad regulatory authority over banks, credit unions, securities firms, payday lenders, mortgage servicers, debt collectors, and other financial companies operating in the United States.

From a privacy perspective, the CFPB plays a crucial role in limiting private-sector collection and use of consumer financial data. The bureau enforces key privacy provisions under the Gramm-Leach-Bliley Act (GLBA), including requirements for financial institutions to provide privacy notices explaining their data collection and sharing practices. It also oversees the Fair Credit Reporting Act (FCRA), which governs how consumer credit information is collected, used, and shared.

The CFPB has the authority to write rules, supervise companies, and enforce federal consumer financial protection laws. It can take action against companies engaging in unfair, deceptive, or abusive practices related to consumer data. The bureau also handles consumer complaints, giving individuals a channel to report privacy violations by financial institutions.

Notably, the CFPB has increasingly focused on data privacy issues in the digital age, including concerns about data brokers, fintech companies, and the use of alternative data in financial decision-making. The bureau has issued guidance on proper data handling practices and has taken enforcement actions against companies that failed to adequately protect consumer financial information.

For CIPP/US professionals, understanding the Dodd-Frank Act and CFPB is essential because they represent significant limits on how private-sector financial entities collect, use, share, and protect consumer data, forming a critical component of the U.S. sectoral privacy framework.

Online Banking Privacy is a critical area within U.S. privacy law that governs how financial institutions collect, use, share, and protect consumers' personal financial information during electronic banking transactions. It falls under several key regulatory frameworks that privacy professionals must understand.

The primary legislation governing online banking privacy is the Gramm-Leach-Bliley Act (GLBA) of 1999, which requires financial institutions to explain their information-sharing practices to customers and to safeguard sensitive data. Under GLBA, banks must provide privacy notices that clearly describe what personal information they collect, how it is used, and with whom it is shared. Customers are given opt-out rights regarding the sharing of their nonpublic personal information (NPI) with non-affiliated third parties.

The GLBA's Safeguards Rule mandates that financial institutions implement comprehensive security programs to protect customer information, including data transmitted through online banking platforms. This includes encryption protocols, multi-factor authentication, secure login procedures, and regular security assessments.

Additionally, the Federal Financial Institutions Examination Council (FFIEC) provides guidance on authentication and access controls for internet banking systems. Regulations such as the Electronic Fund Transfer Act (EFTA) and Regulation E also protect consumers conducting electronic banking transactions by establishing error resolution procedures and limiting liability for unauthorized transfers.

Financial institutions must also comply with the Bank Secrecy Act (BSA) and anti-money laundering (AML) requirements, which involve collecting and retaining certain customer information, creating a tension between privacy and regulatory compliance.

State laws may impose additional requirements. For example, the California Consumer Privacy Act (CCPA) provides broader consumer rights, though certain GLBA-covered data may be exempt.

For privacy professionals, understanding online banking privacy requires balancing consumer protection, data minimization principles, regulatory compliance, and cybersecurity requirements. Financial institutions must continuously adapt their privacy practices to address evolving threats, technological advancements, and changing regulatory landscapes while maintaining consumer trust in digital banking services.

The Family Educational Rights and Privacy Act (FERPA), enacted in 1974, is a federal law that protects the privacy of student education records. It applies to all educational institutions that receive federal funding, which includes most public and many private schools from kindergarten through higher education.

FERPA grants parents specific rights regarding their children's education records, including the right to inspect and review records, request corrections to inaccurate information, and control the disclosure of personally identifiable information (PII) from those records. When a student turns 18 or enters a postsecondary institution, these rights transfer from the parent to the student, who is then referred to as an 'eligible student.'

Under FERPA, educational institutions are generally prohibited from disclosing student education records or personally identifiable information without the written consent of the parent or eligible student. However, there are several important exceptions. Schools may disclose records without consent to school officials with legitimate educational interests, other schools to which a student is transferring, certain government officials for audit or evaluation purposes, parties connected to financial aid, organizations conducting studies on behalf of the school, accrediting organizations, and in cases of health or safety emergencies.

FERPA also establishes the concept of 'directory information,' which includes less sensitive data such as a student's name, address, phone number, and dates of attendance. Schools may disclose directory information without consent but must first notify parents or eligible students and give them the opportunity to opt out.

For privacy professionals, FERPA is significant because it limits how private-sector organizations that partner with educational institutions can collect, use, and share student data. Companies providing educational technology services, for example, must comply with FERPA requirements when handling student records. Violations can result in the withdrawal of federal funding from the institution. The U.S. Department of Education oversees FERPA enforcement through its Student Privacy Policy Office.

The Telemarketing Sales Rule (TSR) and the Telephone Consumer Protection Act (TCPA) are two critical U.S. regulations that limit private-sector collection and use of personal data, particularly in the context of telemarketing and communications.

**Telephone Consumer Protection Act (TCPA) - 1991:**
The TCPA is a federal law administered by the Federal Communications Commission (FCC) that restricts telemarketing communications via telephone, fax, and text messages. Key provisions include: requiring prior express written consent before making autodialed or prerecorded marketing calls to consumers' cell phones; establishing the National Do Not Call (DNC) Registry, which allows consumers to opt out of receiving telemarketing calls; prohibiting unsolicited fax advertisements; restricting the hours during which telemarketers can call (between 8 AM and 9 PM local time); and providing consumers with a private right of action, allowing them to sue violators for $500-$1,500 per violation.

**Telemarketing Sales Rule (TSR) - 1995:**
The TSR is enforced by the Federal Trade Commission (FTC) and applies to telemarketing activities conducted across state lines. It complements the TCPA by establishing additional requirements: telemarketers must disclose specific information before making a sales pitch, including the identity of the seller and the purpose of the call; it prohibits deceptive and abusive telemarketing practices; it requires telemarketers to maintain company-specific do-not-call lists; it restricts calls to consumers who have placed their numbers on the National DNC Registry; and it regulates the transmission of caller ID information, prohibiting the blocking or falsification of such data.

Both regulations work together to protect consumer privacy and limit unwanted commercial communications. Violations can result in significant penalties — the FTC can impose fines of up to $50,120 per TSR violation, while TCPA violations can lead to substantial class action lawsuits. Together, these laws represent important limits on private-sector data use in direct marketing contexts.

The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) was enacted in 2003 as a federal law in the United States to regulate commercial email messages and set national standards for sending commercial electronic communications. This legislation is a critical component studied in the Certified Information Privacy Professional/United States (CIPP/US) certification, particularly under the domain of limits on private-sector collection and use of data.

The Act establishes several key requirements for businesses and marketers. First, it prohibits false or misleading header information, meaning the 'From,' 'To,' and 'Reply-To' fields must accurately identify the sender. Second, it bans deceptive subject lines that would mislead recipients about the content of the message. Third, commercial emails must be clearly identified as advertisements or solicitations.

One of the most important provisions requires that every commercial email include a clear and conspicuous opt-out mechanism, allowing recipients to unsubscribe from future messages. Once a recipient opts out, the sender must honor that request within 10 business days. Additionally, all commercial emails must include the sender's valid physical postal address.

The CAN-SPAM Act takes a preemptive approach, overriding most state anti-spam laws to create a uniform national standard. Notably, it follows an opt-out model rather than an opt-in model, meaning businesses can send unsolicited commercial emails as long as they comply with the Act's requirements. This is in contrast to regulations like the EU's GDPR, which generally requires prior consent.

Enforcement of the CAN-SPAM Act falls primarily under the Federal Trade Commission (FTC), though other federal agencies and state attorneys general can also take action. Violations can result in penalties of up to $46,517 per non-compliant email. The Act also imposes criminal penalties for certain aggravated violations, such as using false identities or harvesting email addresses through automated means.

The CAN-SPAM Act remains a foundational piece of U.S. privacy legislation governing electronic marketing communications.

The Cable Communications Privacy Act (CCPA) of 1984 and the Video Privacy Protection Act (VPPA) of 1988 are two significant U.S. federal laws that limit private-sector collection and use of personal data in the entertainment and media sectors.

**Cable Communications Privacy Act (CCPA) of 1984:**
This law was enacted as part of the Cable Communications Policy Act and specifically addresses the privacy of cable television subscribers. It requires cable operators to provide subscribers with a clear privacy notice at the time of entering into a service agreement and annually thereafter. The notice must detail what personally identifiable information (PII) is collected, how it is used, how long it is maintained, and the circumstances under which it may be disclosed. Cable operators are generally prohibited from collecting PII without the subscriber's prior consent, except when necessary for rendering cable services or detecting unauthorized reception. Subscribers have the right to access and correct their personal data. Violations can result in actual damages, punitive damages, attorneys' fees, and other legal remedies. The law also mandates that PII must be destroyed when it is no longer needed for its original purpose.

**Video Privacy Protection Act (VPPA) of 1988:**
The VPPA was enacted after the video rental records of Supreme Court nominee Robert Bork were disclosed to the press. It prohibits video tape service providers from knowingly disclosing personally identifiable rental, purchase, or viewing information about consumers without their informed, written consent. The law applies to entities that rent, sell, or deliver prerecorded video content, and has been interpreted to extend to online streaming services. Consumers may provide consent for sharing, which can be given electronically. Violations allow individuals to seek actual damages (minimum $2,500), punitive damages, attorneys' fees, and other equitable relief. The VPPA requires that PII must be destroyed within one year after the information is no longer needed.

Both laws represent important limitations on how private companies handle consumer data in media contexts.

Digital advertising and data ethics represent a critical intersection in the privacy landscape, particularly under the Certified Information Privacy Professional/United States (CIPP/US) framework. As private-sector organizations increasingly rely on data-driven advertising, significant ethical and legal considerations have emerged regarding how personal information is collected, used, and shared.

Digital advertising operates through complex ecosystems involving advertisers, publishers, data brokers, and ad technology platforms. These entities collect vast amounts of consumer data—including browsing history, location data, purchase behavior, and device identifiers—to deliver targeted advertisements. Techniques such as behavioral tracking, real-time bidding, cross-device tracking, and programmatic advertising raise substantial privacy concerns.

Data ethics in this context refers to the moral obligations organizations have when handling consumer information beyond mere legal compliance. Key ethical principles include transparency about data collection practices, obtaining meaningful consent, minimizing data collection to what is necessary, ensuring data accuracy, and providing consumers with genuine control over their information.

Several regulatory frameworks limit private-sector collection and use of data in digital advertising. The FTC Act prohibits unfair and deceptive practices, requiring companies to honor their privacy promises. State laws like the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant consumers rights to know, delete, and opt out of the sale or sharing of their personal information, directly impacting advertising practices. The Children's Online Privacy Protection Act (COPPA) imposes strict limitations on collecting data from children under 13.

Industry self-regulatory programs, such as the Digital Advertising Alliance (DAA) and the Network Advertising Initiative (NAI), establish guidelines for responsible data use in advertising. These include the AdChoices program, which provides consumers with opt-out mechanisms for interest-based advertising.

As privacy regulations evolve and third-party cookies phase out, the industry is shifting toward privacy-preserving approaches like contextual advertising, first-party data strategies, and privacy-enhancing technologies, reflecting growing recognition that ethical data practices are essential for sustainable digital advertising.