Privacy Daily is a service of Warren Communications News.
UDAP Laws a Tool

FTC Stands in for US Privacy Law; Ferguson Focused on Kids, Says Agency's Ex-CPO

Despite some federal statutes and many state laws specific to privacy, the FTC acts as a stand-in for a comprehensive federal privacy measure, which the U.S. lacks, said the agency's former chief privacy officer at a Practising Law Institute (PLI) event Wednesday. Besides state privacy laws, enforcers often employ unfair and deceptive acts and practices (UDAP) statutes and other consumer protection laws, another panelist said.

Though the U.S. is “the only democracy and major western power or country” without a comprehensive omnibus privacy law covering “the entire marketplace,” the FTC is there to fill the gap, said Marc Groman, a 10-year agency veteran and its first CPO in the George W. Bush administration.

Historically, the FTC has focused on whether privacy policy statements about data collection, storage and sharing are deceptive, as the agency doesn't need “to prove injury or harm,” said Groman, now principal at Groman Consulting Group.

Unlike state regulators, “the FTC has no authority to seek civil penalties” generally, Groman added. But there are some exceptions, such as under COPPA, the Fair Credit and Reporting Act or the Telemarketing Sales Rule.

Though it seems privacy "is not a focus" of FTC Chairman Andrew Ferguson, he's vigilant concerning the data of children and teens, said Groman. He predicted there would be “tremendous emphasis” on business models that collect information from minors, perhaps in ways “we haven't seen before.” Nobody should feel that "the cop is no longer on the beat," he added.

In addition to increased COPPA enforcement, Groman expects “the FTC to robustly enforce” the Take It Down Act (see 2505190057) and the Protecting Americans’ Data from Foreign Adversaries Act (see 2501210067).

The privacy landscape used to be “two laws,” but now there are “many,” noted Fox Rothschild privacy lawyer Odia Kagan. That makes it “really complicated,” she said, echoing another privacy lawyer who spoke earlier (see 2512170036).

Though only 20 states have comprehensive consumer privacy laws, all of them have consumer protection statutes, sometimes “called Baby FTCs,” Kagan added. As such, a recent trend has states filing privacy claims "that have causes of action both in the privacy law and in the consumer protection law.”

While many state privacy laws contain threshold requirements so as not to sweep up small businesses in compliance, these consumer protection laws lack threshold limitations, Kagan said.

Groman said those thresholds show states recognize it “would be too difficult for small business” to comply.

Both the FTC and states' baby FTCs include a “requirement for disclosure,” Kagan said, as consumers “need to know what is going on in order … to understand the key concepts of what [they're] agreeing to.”

Given this, she said companies need to ensure they keep privacy policies up to date to reflect an ever-changing landscape, especially with new state privacy laws taking effect in 2026.

These privacy notices should have two parts, she said: “the story at the top, which is, 'Here's what's happening with your data,'” followed by what the consumer’s rights are concerning the data. Under the UDAP standard, “People need to know what is going on with their data” and they need to be able to “understand” it based on the notice.

Making sure a company has “a data retention and minimization policy” is “data privacy and data security 101,” said Groman. He added: “If you don't need [data], don't collect it,” and only “retain it for as long as necessary” for business purposes. “Forever is not a data retention policy ... under any standard for any data security program of any organization or international standard-setting body,” he said.