FTC enforcement trends: From straightforward actions to technical allegations

Until recently, the U.S. Federal Trade Commission limited its prescribed guidance on data privacy and cybersecurity compliance. Instead, its enforcement actions have offered a new common law of privacy, providing examples of actions and behaviors it considers unreasonable practices. In 2014, the IAPP Westin Research Center analyzed 47 FTC actions spanning 12 years in detail, working backward from the descriptions of privacy and security practices alleged to violate the FTC Act in order to develop best practices and guidelines. In 2018, the IAPP revisited the case study to trace the evolution of enforcement trends, looking at 50 cases from 2014-2018.

These studies illustrate how FTC enforcement has grown from straightforward actions over misrepresentations in privacy policies and data transfer agreements to more technical allegations over issues like facial recognition technology, software development kit usage and expanded definitions of "unfair practices" and "sale of data." Accordingly, privacy taxonomy continues to grow in complexity.

The IAPP has now analyzed 67 FTC enforcement actions between October 2018 and April 2024 in eight primary areas: children's privacy, health privacy, general privacy, data breaches and data security practices, vendor management and third-party access, employee data and management, and artificial intelligence governance. The analysis offers actions companies can take toward compliance, summarizes major trends in each area and dives deep into case studies of interest.