The FTC regulates privacy and security issues under a number of laws, including the general FTC Act, which prohibits unfair and deceptive acts and practices. For example, companies have been targeted for making false and deceptive representations by failing to comply with their own online privacy policies.
The FTC has historically been active in protecting the privacy of children. The FTC enforces the Children’s Online Privacy Protection Act (COPPA), which imposes requirements on operators of websites, apps, or online services directed to children under 13 years of age or where there is knowledge of collection of personal information from a child under 13. COPPA requires websites and apps to post privacy policies with specific provisions about private data concerning children, notify parents directly about the information collection practices of the website or app, and get verifiable parental consent before collecting personal information from their children, or sharing this personal information with others.
The FTC also enforces key international privacy frameworks, such as the EU-U.S. Privacy Shield Framework (which provides a mechanism for companies to transfer personal consumer data from the EU to the US) and the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System. In addition, the FTC, among other federal agencies, enforces portions of the Gramm-Leach-Bliley Act, which pertains to financial privacy issues and applies to “financial institutions” such as banks and lenders; under this law, the Financial Privacy Rule, and the Safeguards Rule, financial institutions are subject to requirements for collecting and disclosing customers’ personal financial information and maintaining safeguards to protect that information.