Enforcement of U.S. Consumer Data Privacy Laws Part 1: Federal Agency Enforcement

This is the latest article in our series highlighting aspects of U.S. privacy laws. For our most recent previous article, click here.

A threshold consideration for businesses trying to understand the actors that enforce U.S. consumer privacy laws is an analysis of which laws apply to that business. This is because U.S. consumer privacy laws exist as a patchwork of separate but often overlapping statutes and regulations promulgated at the federal and state levels. Different government actors have responsibility for enforcing these laws, so no single government actor has jurisdiction over all enforcement.

In addition, certain federal and state statutes can permit consumers to bring individual or class action litigation to redress violations. Therefore, as a preliminary matter, businesses need to consider which laws apply to their operations in order to understand how those laws may be enforced.

There are three main ways that individual rights under U.S. privacy laws will be enforced:

  1. By a federal government agency in an investigation, civil action, or criminal prosecution.
  2. Through a state attorney general office or specialized privacy protection agency in a civil or criminal proceeding.
  3. With a private right of action, under which consumers may seek legal remedies in civil litigation for the alleged violation of their rights on a representative or individual basis.

In this installment of our ongoing series, we will address the first avenue of enforcement — when government agencies and law enforcement offices bring investigations and enforcement actions against businesses to enforce privacy laws on behalf of consumers.

The following is a list of federal agencies empowered to enforce federal consumer privacy laws through civil and criminal proceedings. This list is non-exhaustive and highlights the medley of enforcement bodies with overlapping jurisdiction.

Federal Trade Commission. For nearly a century, the FTC has been authorized to enforce Section 5 of the FTC Act, prohibiting “unfair methods of competition in or affecting commerce,” broadly known as unfair and deceptive acts and practices, or UDAP. Under that statutory authority, the FTC can file privacy enforcement actions and reach settlements with target companies in consent agreements.

The FTC is also empowered to enforce the terms of consent orders. In addition, the FTC is authorized to enforce other federal laws relating to consumer data privacy, including the Children’s Online Privacy Protection Act (COPPA), which regulates the online collection and use of children’s information. The FTC also promulgates rules, and issues reports, advocacy filings, amicus briefs, and advisory opinions that influence the interpretation and application of U.S. privacy law at the federal and state levels. Examples of recent FTC enforcement actions include:

  • A proposed order to settle charges that online counseling service BetterHelp, Inc. revealed consumers’ sensitive data with third-party social media companies after promising to keep such data private.
  • A permanent injunction and civil penalty judgment of $275 million against Epic Games, Inc., the maker of online video game Fortnite, for COPPA violations.

Consumer Financial Protection Bureau and federal banking agencies. The CFPB and federal banking agencies have enforcement authority for the privacy protections encoded in the Gramm-Leach-Bliley Act (GLBA), which applies to financial institutions that hold nonpublic personal information concerning consumers.

The CFPB also enforces the Consumer Financial Protection Act (CFPA), which transferred a significant portion of the FTC’s enforcement authority for the GLBA to the CFPB. For violations of the data security provisions of the GLBA, federal banking agencies have exclusive enforcement authority over depository institutions, and the FTC has exclusive enforcement authority over all non-depository institutions. The CFPB also shares civil enforcement authority with the FTC for violations of the Fair Credit Reporting Act (FCRA), which covers the collection and use of consumer credit information. Examples of recent CFPB enforcement actions include:

  • A consumer financial privacy action resulting in a $1 million judgment against T3Leads, a California business that sold consumer loan applications as leads to payday and installment lenders, based on the alleged resale of sensitive personal data that exposed millions of consumers to harassment.
  • A proposed stipulated final judgment for $24 million in civil penalties against Portfolio Recovery Associates, LLC, one of the largest debt collectors in the U.S., for alleged FCRA violations.

Department of Education. The DOE has jurisdiction over complaints under the Family Educational Rights and Privacy Act (FERPA), which creates privacy protections for student records. While there is no criminal provision for FERPA violations, the Secretary of Education may “take appropriate actions” in response to complaints, including withholding federal funding, terminating funding eligibility, and issuing cease and desist orders.

  • A 2018 audit by the Inspector General of the Department of Education showed a significant backlog in FERPA enforcement, with only 31 completed investigations of 285 pending complaints in the prior year.
  • An example of FERPA enforcement is a findings letter from a Student Privacy Policy Office investigation into alleged FERPA violations by an online charter school’s forced waiver of parental rights to access.

Department of Health and Human Services and the Department of Justice. The HHS and DOJ have jurisdiction to pursue civil and criminal penalties, respectively, for violations of the Health Insurance Portability and Accountability Act (HIPAA) based on the improper use or disclosure of protected health information by health care providers, insurers, and other covered entities.

  • Since April 2003, the HHS Office for Civil Rights has received more than 322,579 HIPAA complaints and resolved 97% of those cases, including 130 settlements or civil penalties, totaling $134 million.
  • Recently, HHS resolved an enforcement action with a $1.25 million settlement with an Arizona hospital system over a 2016 data breach, in which a hacking incident by a threat actor disclosed the protected health information of 2.81 million consumers.
  • A recent enforcement action by the DOJ related to HIPAA violations is the criminal prosecution of a former physician in New Jersey for conspiring to wrongfully disclose patients’ individually identifiable health information to a pharmaceutical sales representative.

In an upcoming article, we’ll discuss how state attorneys general have concurrent enforcement authority under certain U.S. federal privacy laws, and independent enforcement authority under state privacy laws.

If you have any questions or concerns about consumer data privacy laws, would like to know whether they apply to your business, or if there are particular topics you’d like us to address in the future, please contact Melanie Conroy, Vivek Rao, or Ariel Pardee.