Chapter 5: Federal and State Regulators and Enforcement of Privacy Law
Federal Privacy Enforcement Outside the FTC
Many federal agencies enforce privacy depending on the statute violated: OCR/HHS for HIPAA, CFPB and bank regulators for GLBA, Dept. of Education for FERPA, FCC for TCPA, and EEOC for the ADA. The FTC may have overlapping responsibility.
Who enforces what (sectoral federal regulators)

| Sector / law | Lead agency |
|---|---|
| Medical - HIPAA | OCR (HHS) |
| Financial - GLBA | CFPB and federal financial regulators (Federal Reserve, OCC) |
| Education - FERPA | U.S. Department of Education |
| Telecom / marketing - TCPA | FCC |
| Workplace - ADA and antidiscrimination | EEOC and others |
⚠️ Overlap is the trap
The FTC may have overlapping responsibilities with these sector agencies. On the exam, match the statute to its primary regulator (HIPAA to OCR (HHS), GLBA to CFPB/bank regulators, FERPA to Education, TCPA to FCC) - and watch that the FTC is not the answer for sector-specific statutes.
As new technology emerges, agencies use existing frameworks: with no federal AI privacy law, the OCR (HHS) is expected to address improper collection of protected health information (PHI) by companies using AI, and the EEOC is expected to address discrimination from algorithmic hiring decisions.
Key terms - quick answers
What is “OCR (HHS)”?
The Office for Civil Rights within HHS, which enforces HIPAA.
What is “HIPAA”?
The Health Insurance Portability and Accountability Act, governing protected health information held by covered entities.
What is “CFPB”?
The Consumer Financial Protection Bureau, generally responsible for financial consumer-protection issues.
What is “GLBA”?
The Gramm-Leach-Bliley Act, governing nonpublic personal information held by financial institutions.