Federal and State Regulatory Authorities for Private-Sector Privacy
The FTC has general authority over unfair/deceptive practices plus specific authority in areas like children's privacy; sector regulators include banking agencies, the FCC, DOT, and HHS. State attorneys general enforce, and California's CPPA is the first U.S. agency dedicated to a state comprehensive law.
At the federal level, the FTC has general authority to enforce against unfair and deceptive trade practices - including deception actions where a company breaks a privacy promise - and specific regulatory authority in areas like marketing communications and children's privacy.
Other federal agencies regulate particular sectors: the banking regulators (CFPB, Federal Reserve, Office of the Comptroller of the Currency), the FCC, the DOT, and HHS through its Office of Civil Rights. The Department of Commerce does NOT have privacy regulatory authority but often leads privacy policy for the executive branch.
State attorneys general have long brought privacy actions, often under state unfair-and-deceptive-practices laws. Under the CPRA, California created the CPPA - the first U.S. agency dedicated to enforcing a state comprehensive law, similar to European DPAs enforcing the GDPR.