Chapter 5: Federal and State Regulators and Enforcement of Privacy Law
Additional FTC Authority: COPPA, HITECH, FCRA, CAN-SPAM
Beyond Section 5, the FTC enforces COPPA (children under 13, parental consent), shares HITECH breach authority with HHS, has historic FCRA/FACTA authority (now largely with the CFPB), and shares CAN-SPAM with the FCC.
| Law | FTC role | Key detail |
|---|---|---|
| COPPA | Rulemaking + enforcement agency | Protects children under 13; requires notice and verifiable parental consent before collecting their personal information |
| HITECH | Shares authority with HHS | Breach notice for personal health record providers, even without seeking government electronic reimbursement |
| FCRA / FACTA | Historic rulemaking, now largely CFPB | FTC shares enforcement for institutions without a separate financial regulator; state AGs must notify the FTC before suit |
| CAN-SPAM | Shares with FCC + state AGs | Restricts unsolicited commercial email; FCC issued rules on MSCMs (commercial texts) |
COPPA's age line
COPPA protects children under 13 and requires express, verifiable parental consent before collecting their personal information. Don't confuse this with the under-18 scope of California's Age-Appropriate Design Code Act.
Key terms - quick answers
What is “COPPA”?
The Children's Online Privacy Protection Act (1998), requiring notice and verifiable parental consent before collecting personal information from children under 13; the FTC is its rulemaking and enforcement agency.
What is “HITECH”?
The Health Information Technology for Economic and Clinical Health Act; the FTC shares breach-notification authority with HHS for personal health record providers.
What is “FACTA”?
The Fair and Accurate Credit Transactions Act of 2003, which amended the FCRA; rulemaking authority later moved to the CFPB.
What is “CAN-SPAM”?
The Controlling the Assault of Non-Solicited Pornography and Marketing Act, restricting unsolicited commercial email; enforced by the FTC, FCC, and state AGs.