FTC Privacy Enforcement 2024-2025: Major Cases, Emerging Trends & CIPP/US Exam Critical Analysis

The Federal Trade Commission has dramatically escalated privacy enforcement in 2024-2025, bringing landmark cases against health apps, data brokers, connected vehicles, and major tech companies. Understanding FTC enforcement is critical for CIPP/US exam success—it represents 20-24% of the exam and demonstrates how Section 5 of the FTC Act operates in practice. This comprehensive guide analyzes every major enforcement action, emerging enforcement theories, and the patterns you need to know for the exam.

FTC Section 5 Authority: Foundation of Privacy Enforcement

Before diving into specific cases, understanding the FTC's legal authority is essential for both practice and the exam.

Section 5 of the FTC Act: The Privacy Workhorse

Legal Framework:

• Statute: 15 U.S.C. § 45(a) prohibits "unfair or deceptive acts or practices in or affecting commerce"
• Jurisdiction: Applies to most businesses (exceptions: banks, insurance companies, nonprofits, common carriers)
• No Need for Actual Harm: FTC can act on likelihood of harm, not just proven injury
• Broad Interpretation: FTC has expansively interpreted Section 5 to cover data privacy and security

Deceptive Practices Standard:

1. Representation, omission, or practice that is likely to mislead
2. Consumer interpretation is reasonable under the circumstances
3. Misleading representation is material (likely to affect consumer decisions)

Unfair Practices Standard (3-prong test):

1. Causes or is likely to cause substantial injury to consumers
2. Injury is not reasonably avoidable by consumers
3. Injury is not outweighed by countervailing benefits to consumers or competition

FTC Enforcement Tools

• Consent Orders: Settlements without admission of liability (most common outcome)
• Civil Penalties: Up to $50,120 per violation (adjusted annually for inflation)
• Injunctive Relief: Orders to stop illegal practices
• Consumer Redress: Refunds to harmed consumers
• Data Deletion Orders: "Algorithmic disgorgement" - delete data and algorithms derived from it
• Monitoring: Compliance monitoring periods (typically 10-20 years)
• Privacy Program Requirements: Mandated comprehensive privacy programs

2024-2025 Enforcement Trends: The Big Picture

Five Priority Enforcement Areas (2024-2025):

1. Health Privacy: Digital health apps, telehealth, health data brokers
2. Location Data: Precise geolocation tracking, data brokers, connected vehicles
3. Children's Privacy (COPPA): Social media, AI toys, teen-targeted apps
4. Data Security: Unreasonable security practices, breach notification failures
5. AI & Automated Decision-Making: Deceptive AI claims, discriminatory algorithms

Major Health Privacy Cases: Digital Health Under Scrutiny

Case Study 1: GoodRx Holdings ($1.5 Million - February 2023)

Case Study 2: BetterHelp, Inc. ($7.8 Million - March 2023)

Health Privacy Lessons for CIPP/US Exam

Location Data Crackdown: Data Broker Enforcement Wave

The FTC launched an unprecedented series of enforcement actions against data brokers collecting and selling precise geolocation data in 2024, establishing new standards for location data practices.

Case Study 3: X-Mode Social (Outlogic) - January 2024

Case Study 4: InMarket Media - May 2024

Additional Location Data Cases (2024)

Gravy Analytics (December 2024):

• Used location data to categorize consumers by sensitive characteristics
• Complete ban on sensitive location data
• Algorithmic disgorgement required

Mobilewalla (January 2025):

• Aggregated location data from multiple sources
• Created consumer segments based on visits to sensitive locations
• Same comprehensive ban structure

Case Study 5: General Motors & OnStar - January 2025 (LANDMARK)

Location Data Enforcement Lessons

COPPA Enforcement: Protecting Children Online

Children's privacy enforcement remained a top FTC priority in 2024-2025, with major actions against social media platforms, toy makers, and teen-focused apps.

2025 COPPA Rule Updates (Effective April 2025)

Major Changes:

• Separate opt-in consent required for targeted advertising
• Separate opt-in consent required for third-party disclosure
• Enhanced data minimization requirements
• Retention limited to "reasonably necessary" period
• Strengthened parental controls

Case Study 6: TikTok/ByteDance - August 2024

Case Study 7: Disney - September 2025

Case Study 8: Apitor Technology (Robot Toys) - September 2025

Case Study 9: Iconic Hearts/Sendit App - September 2025

Additional 2024-2025 COPPA Cases

• Microsoft ($20M - June 2023): Xbox violations, account creation without parental consent
• Epic Games ($275M - December 2022): Fortnite dark patterns, default privacy settings
• Amazon/Alexa ($25M - June 2023): Voice recordings retention, failed to honor deletion requests
• Edmodo ($6M - August 2023): Ed-tech platform, inadequate parental consent procedures

Data Security Enforcement: Novel Theories Emerging

Case Study 10: Blackbaud - February 2024

Case Study 11: Avast - February 2024

Emerging Enforcement Areas

Artificial Intelligence & Automated Decision-Making

While full AI enforcement is still developing, the FTC has brought actions involving:

• Rite Aid (October 2023): Facial recognition system with discriminatory outcomes; required to suspend use for 5 years
• Weight Watchers (2023): AI-powered app illegally collected children's data; algorithmic disgorgement ordered
• Ring/Amazon (2023): Failed to restrict employee access to video recordings; required algorithm deletion
• Avast (2024): Delete algorithms derived from improperly collected browsing data

Algorithmic Disgorgement: Emerging remedy requiring deletion of not just data, but algorithms, models, and products derived from illegally obtained data.

Social Media & Dark Patterns

September 2024 FTC Report: "A Look Behind the Screens"

• Examined data practices of major social media platforms
• Found "vast surveillance" of users
• Inadequate protections for children and teens
• Lax privacy controls
• Extensive AI use with minimal transparency

Biometric Data

FTC Policy Statement on Biometrics (2023): Biometric information is sensitive data deserving heightened protection under Section 5.

2025 Enforcement Priorities Under New Leadership

With leadership changes in 2025 (Commissioner Ferguson becoming Chair), enforcement priorities are evolving while maintaining focus on core areas:

Expected Continuity:

• Children's privacy and online safety
• Location data privacy
• Data security
• Health privacy

Potential Shifts:

• Possible refinement of unfairness claims around sensitive data classification
• Continued focus on deceptive practices over novel unfairness theories
• Attention to content moderation and speech issues
• Examination of how platforms moderate content

Key Enforcement Patterns for CIPP/US Exam

Common Violations

Standard Consent Order Provisions

Nearly Every FTC Consent Order Includes:

1. Monetary Relief: Civil penalties and/or consumer redress
2. Injunctive Prohibitions: Specific banned practices
3. Affirmative Obligations: Required actions (consent mechanisms, notices)
4. Privacy Program Requirements: Comprehensive privacy program with specific elements
5. Data Deletion: Delete improperly collected data
6. Third-Party Notification: Direct third parties to delete shared data
7. Compliance Monitoring: Typically 10-20 years
8. Reporting Requirements: Annual compliance reports to FTC
9. Record Keeping: Maintain documentation of compliance
10. Employee Training: Privacy and security training programs

Penalty Calculation Factors

• Nature of Violation: Deception vs. unfairness
• Sensitivity of Data: Health, children's, location data = higher penalties
• Number of Consumers Affected: More consumers = higher penalties
• Duration of Violations: Years of violations = higher penalties
• Company Size & Revenue: Ability to pay considerations
• Prior Violations: Repeat offenders face enhanced penalties
• Consumer Harm: Actual vs. potential harm
• Company Cooperation: Self-reporting may reduce penalties

Exam Study Strategy: FTC Enforcement

High-Yield Case Studies to Memorize

Exam Question Patterns

Type 1: Case Identification

"Which FTC enforcement action was the first to enforce the Health Breach Notification Rule?"

Answer: GoodRx Holdings (2023)

Type 2: Legal Theory Application

"A company promises in its privacy policy not to share health data but shares it with advertisers. What is the likely FTC claim?"

Answer: Deceptive practice under Section 5 (privacy policy = enforceable promise)

Type 3: Remedy Identification

"What remedy did the FTC impose in location data broker cases like X-Mode?"

Answer: Complete ban on collecting, using, or selling sensitive location data + data deletion

Type 4: Threshold/Standard Questions

"What is required to establish an unfair practice under Section 5?"

Answer: (1) Substantial injury, (2) not reasonably avoidable, (3) not outweighed by benefits

Common Exam Traps

1. Confusing HBNR with HIPAA: HBNR applies to non-HIPAA entities; know the difference
2. Thinking FTC needs actual harm: FTC can act on likelihood of harm
3. Forgetting about state AG coordination: Many cases involve both FTC and state AGs
4. Not knowing recent cases: Exam includes 2024-2025 cases; stay current
5. Ignoring algorithmic disgorgement: New remedy - delete algorithms derived from bad data

Practical Compliance Lessons

What the Cases Teach

1. Privacy Policies Are Contracts

• Every promise in privacy policy is enforceable
• Overpromising = deceptive practice
• Privacy policy must match actual practices

2. Tracking Pixels Are Data Sharing

• Third-party pixels constitute data disclosure
• Must disclose pixel use in privacy policy
• Health data + pixels = high FTC scrutiny

3. Sensitive Data Requires Special Care

• Health data, precise location, children's data = sensitive
• Affirmative express consent required
• Consider not collecting if not essential

4. Third-Party Liability Doesn't End Responsibility

• Sharing data with third parties doesn't transfer liability
• Must ensure third parties comply with your promises
• SDK integration = your responsibility

5. Data Minimization Is Enforceable

• Collecting or retaining unnecessary data = unfair practice
• Implement data retention schedules
• Delete data when no longer needed

Conclusion

FTC privacy enforcement has reached unprecedented levels in 2024-2025, with landmark cases establishing new legal frameworks for health privacy, location data, connected vehicles, and children's online safety. Understanding these cases is essential for CIPP/US exam success—they represent how Section 5 operates in practice and demonstrate evolving enforcement priorities.

Key Trends to Remember:

• Health privacy is a top enforcement priority (GoodRx, BetterHelp)
• Location data faces unprecedented scrutiny (complete bans now possible)
• COPPA enforcement includes novel theories (fake engagement, dark patterns)
• Connected devices subject to same standards as apps (GM/OnStar)
• Data retention can be standalone violation (Blackbaud)
• Algorithmic disgorgement emerging as standard remedy
• Consumer redress increasingly common (BetterHelp first-ever for health data)

For the CIPP/US exam, focus on memorizing major case names, penalties, legal theories, and novel remedies. Understand how Section 5 unfairness and deception standards apply in different contexts. Know the difference between HBNR and HIPAA. Study the pattern of consent order provisions.

Most importantly, recognize that FTC enforcement creates the "common law" of US privacy—these cases define what practices are acceptable and what crosses the line. Master them, and you'll excel on 20-24% of your exam.