
FTC United States: Section 5 AI Privacy Enforcement — What 2024 Actions Mean for Data Processing Tools

FTC issued 19 AI enforcement actions in 2024. $875M Amazon Alexa fine. 25 state privacy laws active. Zero-knowledge architecture directly addresses FTC's core concerns about vendor data practices.

March 7, 2026 · 9 min read

Tags: FTC enforcement · US privacy law · AI privacy compliance · Section 5 · state privacy laws

The Federal Trade Commission (FTC) enforces US federal privacy law primarily through Section 5 of the FTC Act — prohibiting "unfair or deceptive practices" — without a comprehensive federal privacy statute equivalent to GDPR. Despite this more fragmented framework, FTC enforcement in 2024 produced the most aggressive US privacy enforcement year on record.

2024 FTC Enforcement: Record Activity

The FTC issued 19 AI-related enforcement actions in 2024 — more than in the previous three years combined. Combined with 25 enacted or active US state privacy laws, US organizations face a compliance patchwork that rivals EU GDPR in complexity for companies operating at scale.

Key 2024 enforcement cases:

Amazon Alexa ($875M, 2023/ongoing): Amazon was required to pay $25M in civil penalties for COPPA violations and delete illegally retained Alexa voice recordings of children. The broader FTC complaint included allegations that Amazon retained voice recordings beyond stated retention periods and used them to train AI models without adequate consent.

Meta behavioral advertising settlements: FTC prohibited Meta from monetizing data collected from users under 18, part of ongoing FTC oversight of Meta's privacy consent order.

AI data broker enforcement: The FTC issued enforcement actions against multiple data brokers selling AI-analyzed personal profiles without adequate disclosure or consent — establishing that AI analysis of personal data to create behavioral profiles constitutes "sensitive" processing requiring heightened disclosure.

Health data enforcement: FTC's enforcement authority over health data not covered by HIPAA (consumer apps, wearables, telehealth platforms outside healthcare provider networks) produced multiple enforcement actions targeting unauthorized health data sharing.

The US Privacy Patchwork: 25 State Laws

The absence of federal US privacy law has produced a patchwork of state statutes that collectively cover the majority of the US population:

California CPRA (effective 2023): Most comprehensive US state law, covering 40 million Californians. Applies to companies with >$25M revenue or processing 100,000+ CA consumers. Creates the California Privacy Protection Agency (CPPA) as dedicated enforcement body.

Virginia VCDPA, Colorado CPA, Connecticut CTDPA: Similar rights and requirements covering 20+ million residents across three states.

Texas TDPSA, Florida FDBR: Expanding coverage to the two largest states outside California.

Washington My Health My Data Act: Extends health data protections beyond HIPAA to consumer health applications — the most aggressive US health data law outside California.

For organizations operating nationally, compliance with all 25 active state laws requires a rights management infrastructure broadly similar to GDPR — consumer rights requests, data minimization, privacy notices, and processor contracts — but with varying specific requirements.

What FTC's AI Enforcement Means Technically

The FTC's AI enforcement actions in 2024 establish practical guidance:

Training data transparency: Organizations must be able to document what personal data was used to train AI models, whether consent was adequate for that training use, and what retention period applied.

Purpose limitation: AI-generated personal profiles cannot be used for purposes beyond what was disclosed to the data subject. Using behavioral AI analysis for employment screening when only marketing was disclosed constitutes an FTC Act violation.

Vendor data practices: The FTC treats the data practices of SaaS vendors that access and retain user data as the compliance responsibility of the deploying organization. An organization using a CRM, analytics platform, or AI tool where the vendor processes user data must disclose this in its privacy notices and ensure the vendor's practices match the disclosed purposes.

Zero-knowledge architecture and FTC compliance: The FTC's core concern in AI vendor cases is that vendors collect, retain, and use user data beyond what was disclosed. In a zero-knowledge architecture, data is encrypted before it reaches the vendor and the decryption keys never leave the customer's control, so the vendor's infrastructure holds only ciphertext it cannot read. A vendor that cannot decrypt user data cannot engage in undisclosed use of it, which aligns the technical limitation directly with FTC enforcement priorities.

Proposed FTC Commercial Surveillance Rulemaking

The FTC's proposed rule on commercial surveillance practices (pending as of 2025) would create explicit requirements for:

  • Data minimization for AI processing
  • Opt-out rights for automated profiling
  • Limits on secondary use of data collected for one purpose
  • Security requirements for personal data retention

If finalized, this rule would create federal GDPR-like data minimization obligations applicable to any organization serving US consumers — significantly raising the floor for privacy compliance across the US market.
