The IT Law Wiki


President Woodrow Wilson signed the original FTC Act into law on September 26, 1914. When the Federal Trade Commission was created, its purpose was to prevent unfair methods of competition in commerce as part of the battle to "bust the trusts." Over the years, Congress passed additional laws giving the agency greater authority to police anticompetitive practices.

In 1938, Congress passed the Wheeler-Lea Amendment, which amended the FTC Act "to prohibit 'unfair or deceptive acts or practices' in addition to 'unfair methods of competition' — thereby charging the FTC with protecting consumers directly, as well as through its antitrust efforts."[1] Since then, the Commission also has been directed to administer a wide variety of consumer protection laws, including the:

In 1975, Congress gave the FTC the authority to adopt industry-wide trade regulation rules.

While the Commission does not have criminal law enforcement authority, it is a law enforcement agency with authority to, among other things, address consumer concerns about Internet privacy, both for Internet service providers and content providers. Under the FTC Act, certain entities, such as banks, savings and loan associations, and common carriers, as well as the business of insurance, are wholly or partially exempt from Commission jurisdiction.[2]

FTC investigations are nonpublic until the Commission takes a public action such as issuing a complaint or announcing a settlement.

FTC's mission[]

The FTC's mission is to promote the efficient functioning of the marketplace by protecting consumers from unfair or deceptive acts or practices and to increase consumer choice by promoting vigorous competition. The Commission's primary legislative mandate is to enforce Section 5 of the FTC Act, which prohibits unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.[3] With the exception of certain industries and activities, the FTC Act provides the Commission with broad investigative and law enforcement authority over entities engaged in or whose business affects commerce. The FTC is the only federal agency with both consumer protection and competition jurisdiction in broad sectors of the economy. The agency enforces laws that prohibit business practices that are harmful to consumers because they are anticompetitive, deceptive, or unfair, and promotes informed consumer choice and understanding of the competitive process.

The Commission also has responsibility under 45 additional statutes governing specific industries and practices, including the Truth in Lending Act of 1968, the CAN-SPAM Act, the Children's Online Privacy Protection Act of 1998, the Equal Credit Opportunity Act, the Fair Credit Reporting Act of 1970, the Fair Debt Collection Practices Act, and the Telemarketing and Consumer Fraud and Abuse Prevention Act of 1984.

The Commission also enforces over 30 rules governing specific industries and practices, e.g., the Used Car Rule,[4] which requires used car dealers to disclose warranty terms via a window sticker; the Franchise Rule,[5] which requires the provision of information to prospective franchisees; the Telemarketing Sales Rule,[6] which defines and prohibits deceptive telemarketing practices and other abusive telemarketing practices; and the Children’s Online Privacy Protection Act and regulations.[7]

In addition, on May 12, 2000, the Commission issued a final rule implementing the privacy provisions of the Gramm-Leach-Bliley Act.[8] The rule requires a wide range of financial institutions to provide notice to their customers about their privacy policies and practices.

E-commerce on the Internet falls within the scope of this statutory mandate.

Online privacy[]

The online collection and use of consumers’ information, including the tracking of individual browsing habits, has raised significant concerns for many consumers. These concerns are not new; surveys have consistently demonstrated consumer unease with data collection practices in the online marketplace.

Beginning in 1995, the Federal Trade Commission held a series of public workshops on the issues of privacy and the Internet. In part based upon these workshops, the FTC issued several reports to Congress focusing on a variety of privacy issues, including the collection of personal information from children, self-regulatory efforts and technological developments to enhance consumer privacy, consumer and business education efforts, and the role of government in protecting online privacy. The Commission has sought to understand the online marketplace and its information practices and to assess its cost and beneficial effects. It has also used its law enforcement authority to challenge websites with deceptive privacy policy statements.

With certain exceptions, the FTC generally cannot directly impose civil monetary penalties for Internet privacy cases. Instead, the FTC typically addresses Internet privacy cases by entering into settlement agreements requiring companies to take actions such as implementing reasonable privacy and security programs. If a company then violates its settlement agreement with the FTC, the agency can request civil monetary penalties in court for the violations. In addition, the FTC can seek to impose civil monetary penalties directly for violations of certain statutes and their implementing regulations, such as the statute pertaining to the Internet privacy of children (COPPA) and its corresponding regulations.

1998 Report[]

In its 1998 report, Privacy Online: A Report to Congress, based upon its examination of the information practices of over 1400 commercial sites on the World Wide Web, and its assessment of private industry’s efforts to implement self-regulatory programs to protect consumers’ online privacy, the Commission summarized widely-accepted principles regarding the collection, use, and dissemination of personal information.

These Fair Information Practice Principles, which predate the Internet, had been recognized and developed by government agencies in the United States, Canada, and Europe since 1973, when the United States Department of Health, Education, and Welfare released its seminal report on privacy protections in the age of data collection, Records, Computers, and the Rights of Citizens.

The Report assessed the information practices of commercial websites and the existing self-regulatory efforts in light of these fair information practice principles and concluded that an effective self-regulatory system had not yet taken hold. The Commission deferred judgment on the need for legislation to protect the online privacy of consumers generally, and instead urged industry to focus on the development of broad-based and effective self-regulatory programs.


In response to the concerns over the privacy of children’s online personal information, and with the encouragement of the FTC, the 105th Congress passed the Children's Online Privacy Protection Act to prohibit unfair and deceptive acts and practices in connection with the collection and use of personally identifiable information from and about children on the Internet.

1999 Report[]

In 1999, the Commission issued a second report to CongressSelf-Regulation and Online Privacy: A Report to Congress. — that assessed the progress made since its 1998 report, and set an agenda for Commission actions to encourage implementation of online privacy protections. In that Report, a majority of the Commission found notable progress in self-regulatory initiatives, and that online businesses were providing significantly more notice of their information practices. However, it also found that the vast majority of the sites surveyed collected personal information from consumers online, and that the implementation of fair information practices was not widespread. It argued that the growth of the Internet in general, and electronic commerce in particular, mandated against sweeping regulations that might inhibit the growth of both. The Commission also outlined plans for future Commission actions to encourage greater implementation of online privacy protections, including the public workshop on online profiling. One of the main elements of industry self-regulation was FTC enforcement of the privacy policies that companies collecting personal information posted on their websites.

2000 Report[]

In its 2000 report — Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress[9] — a majority of the Commission concluded that, despite its significant work in developing self-regulatory initiatives, industry efforts alone have been insufficient. Thus, the majority recommended that Congress enact legislation to ensure consumer privacy online.

Clinton Administration developments[]

During this period, the Commission also used its Section 5 authority to bring actions against companies that engaged in unfair or deceptive information practices. Most of these early cases involved deceptive statements in companies’ privacy notices about their collection and use of consumers’ data.[10] The legal theories in these early enforcement actions highlighted, in particular, the fair information practice principles of notice and choice (the "notice-and-choice approach"). Collectively, the Commission's policy and enforcement efforts underscored its emphasis on the concepts of transparency and accountability for information practices.

Bush Administration developments[]

However, the agency changed its position after the election of President George W. Bush and a change in leadership at the Commission. The new FTC Chairman, Timothy Muris, announced that the agency would expand enforcement of existing laws rather than pursuing new legislation.[11] Muris indicated that the Commission was "primarily a law enforcement agency" which "best carries out its consumer protection mission" through "aggressive enforcement of the basic laws of consumer protection." He further indicated that in his opinion, "the particular issue of broad based, Internet only legislation is still premature at this moment."[12]

In the early 2000s, prompted by concern over offline data privacy threats and the increasing convergence of online and offline data systems, the Commission’s privacy approach evolved to include a focus on specific consumer harms as the primary means of addressing consumer privacy issues. Rather than emphasizing potentially costly notice-and-choice requirements for all uses of information, the harm-based model targeted practices that caused or were likely to cause physical or economic harm, or "unwarranted intrusions in [consumers'] daily lives."[13]

Obama Administration developments[]

In recent years, the FTC has sought to protect consumers' personal information and ensure that consumers have the confidence to take advantage of the many benefits of the ever-changing marketplace by using two primary models:

  • the "notice-and-choice model," which encourages companies to develop privacy notices describing their information collection and use practices to consumers, so that consumers can make informed choices, and
  • the "harm-based model," which focuses on protecting consumers from specific harms — physical security, economic injury, and unwanted intrusions into their daily lives.

Each model advances the goal of protecting consumer privacy; at the same time, each has been subject to criticism.

Specifically, the notice-and-choice model, as implemented, has led to long, incomprehensible privacy policies that consumers typically do not read, let alone understand. Likewise, the harm-based model has been criticized for failing to recognize a wider range of privacy-related concerns, including reputational harm or the fear of being monitored. In addition, both models have struggled to keep pace with the rapid growth of technologies and business models that enable companies to collect and use consumers’ information in ways that often are invisible to consumers. Meanwhile, industry efforts to address privacy through self-regulation have been too slow, and have failed to provide adequate and meaningful protection.

Enforcement actions[]

The following FTC enforcement actions are discussed in this wiki:


The following FTC publications and websites are discussed in this Wiki:


The following FTC workshops, conferences and meetings are discussed in this Wiki:


  1. See J. Howard Beales III, Director, Bureau of Consumer Protection, Fed. Trade Comm'n, "The FTC's Use of Unfairness Authority: Its Rise, Fall, and Resurrection" (June 2003) (full-text).
  2. See Section 5(a)(2) and (6)a of the FTC Act, 15 U.S.C. §§45(a)(2) and 46(a). See also The McCarran-Ferguson Act, 15 U.S.C. §1012(b).
  3. See 15 U.S.C. §45(a).
  4. 16 C.F.R. Part 455.
  5. 16 C.F.R. Part 436.
  6. 16 C.F.R. Part 310.
  7. 16 C.F.R. Part 312.
  8. 15 U.S.C. §§6801 et seq.
  9. Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress, at 3.
  10. See, e.g., In re GeoCities, Inc., 127 F.T.C. 94 (1999) (consent order) (settling charges that website had misrepresented the purposes for which it was collecting personally identifiable information from children and adults); FTC v., LLC, No. 00-11341-RGS, 2000 WL 34016434 (D. Mass. July 21, 2000) (consent order) (challenging website’s attempts to sell children’s personal information, despite a promise in its privacy policy that such information would never be disclosed); see also In re Liberty Fin. Cos., 128 F.T.C. 240 (1999) (consent order) (alleging that site falsely represented that personal information collected from children, including information about family finances, would be maintained anonymously); FTC v. Inc., No. 00-0032 (D.D.C. Jan. 6, 2000) (consent order) (settling charges that an online auction site allegedly obtained consumers' personal identifying information from a competitor site and then sent deceptive, unsolicited email messages to those consumers seeking their business); FTC v. Rennert, No. CV-S-00-0861-JBR (D. Nev. July 6, 2000) (consent order) (alleging that defendants misrepresented the security and encryption used to protect consumers' information and used the information in a manner contrary to their stated purpose).
  11. See Remarks of FTC Chairman Timothy J. Muris], The Privacy 2001 Conference (Oct. 4, 2001) (full-text).
  12. See Challenges Facing the Federal Trade Commission, Hearing on H.R. 68 Before the Subcomm. on Commerce, Trade, and Consumer Protection of the H. Comm. on Energy and Commerce, 107th Cong. 12 (2001) (statement of Timothy J. Muris, FTC Chairman) (full-text).
  13. In announcing the Commission’s expanded privacy agenda, then FTC Chairman Muris noted that "[m]any consumers are troubled by the extent to which their information is collected and used . . . [but that] what probably worries consumers most are the significant consequences that can result when their personal information is misused." See Remarks of FTC Chairman Tim Muris at the Privacy 2001 Conference (Oct. 4, 2001) (full-text). Chairman Muris then identified various harms caused by the misuse of consumer data — for example, risks to physical security from stalking; economic injury resulting from identity theft; and commercial intrusions into daily life by unwanted solicitations.

See also[]