FTC Enforcement Process and Consent Decrees
Most FTC privacy actions end in a consent decree: the respondent does not admit fault but promises to change practices. Decrees are public, may require comprehensive privacy programs and audits, and violating one can trigger federal-court civil penalties.
A typical Section 5 action begins with a claim, may proceed through investigation (the FTC can subpoena witnesses and demand reports under oath), and can go to an ALJ trial, appealable to the five commissioners and then to federal court. The FTC cannot itself assess civil penalties, but if a ruling is ignored it can seek penalties in federal court up to $50,120 per violation (as of this writing).
In a consent decree the respondent does not admit fault but promises to change practices. Decrees are posted publicly, increasingly require comprehensive privacy programs or outside audits, and any violation can lead to federal-court enforcement and civil penalties - monitored by the Bureau of Consumer Protection (BCP) Enforcement Division with the DOJ.
The company avoids a prolonged trial, bad publicity, and exposure of its practices. The FTC gets good privacy/security practices baked in, avoids trial cost, and gains leverage: monetary fines are far easier to assess in federal court when a decree is in place and later violated.