What Is Federal Trade Commission Act, Section 5?
Section 5 of the Federal Trade Commission Act prohibits 'unfair or deceptive acts or practices in or affecting commerce.' It is the workhorse of US privacy enforcement: where no sector-specific law (FCRA, HIPAA, GLBA, COPPA) applies, the FTC can reach privacy harms under Section 5's 'unfairness' or 'deception' theories. Deception means any material representation or omission that is likely to mislead a reasonable consumer acting reasonably — this is how the FTC sues companies that break their own privacy promises. Unfairness covers practices that cause or are likely to cause substantial injury to consumers, not reasonably avoidable, and not outweighed by benefits — used for practices like failing to secure data reasonably, or deceptive design patterns. Because Section 5 is not a privacy law per se, it has no specific consumer rights, no prescribed penalties for first-time violations, and no private right of action. Its power lies in the FTC's consent-decree practice: 20-year compliance monitoring, algorithmic disgorgement (deletion of models trained on unlawfully obtained data), and civil penalties up to $53,088 per violation for subsequent violations.
At a glance
- Full name
- Federal Trade Commission Act, Section 5
- Short code
- FTC Act §5
- Enacted
- 1914
- Last major update
- Magnuson-Moss 1975 (rulemaking authority); civil penalty authority ongoing
- Jurisdiction
- United States (federal)
- Private right of action
- No
- Primary enforcer
- Federal Trade Commission (Bureau of Consumer Protection, Division of Privacy and Identity Protection)
- Statutory citation
- 15 U.S.C. § 45
Scope — who FTC Act §5 covers
Protected data
Consumer rights & protections
No direct consumer rights — Section 5 grants enforcement authority, not individual rights
Consumers benefit indirectly through FTC consent decrees that often include disclosure requirements, monitoring, and algorithmic disgorgement
The FTC Consumer Response Center accepts privacy complaints (which inform enforcement priorities but do not guarantee individual action)
Notable features
Section 5 is the flexible backbone of US federal privacy enforcement. Three features make it distinctive: (1) algorithmic disgorgement — the FTC can require companies to delete AI models trained on unlawfully obtained data (Cambridge Analytica 2019, Everalbum 2021, WW International 2022, Rite Aid 2023); (2) 20-year consent decrees with ongoing compliance reporting; (3) the "reasonable security" standard, which effectively creates a federal data-security floor despite no specific security statute.
Enforcement & penalties
Enforcing agency: Federal Trade Commission (Bureau of Consumer Protection, Division of Privacy and Identity Protection)
Penalties: No statutory per-violation penalty for a first Section 5 violation (the FTC seeks injunctive relief and consent orders). Civil penalties up to $53,088 per violation (2025 adjusted) apply to violations of FTC rules (like the Safeguards Rule, Health Breach Notification Rule, COPPA Rule) or violations of prior FTC consent orders. The FTC also pursues redress, disgorgement, algorithmic disgorgement (deletion of AI models trained on unlawfully obtained data), and 20-year compliance programs.
Private right of action: Section 5 has no private right of action. Consumers harmed by unfair or deceptive practices must rely on state consumer-protection laws (often modeled on Section 5) or state common-law claims. State AGs can bring Section 5-equivalent claims under their own statutes.
Landmark enforcement cases
FTC v. Kochava
2024Ongoing litigation against data broker Kochava for selling precise geolocation data that could reveal visits to sensitive locations (reproductive health clinics, places of worship, domestic-violence shelters). The case is a test of Section 5's 'unfairness' theory applied to geolocation data sales. Court denied Kochava's motion to dismiss in February 2024.
Official source →FTC v. X-Mode Social / Outlogic
2024X-Mode (rebranded as Outlogic) agreed to a settlement barring sale of sensitive location data after FTC alleged unfair practices in selling precise location data that could identify visits to sensitive places. First FTC action that banned a data broker from specific geolocation data sales.
Official source →FTC v. Avast
2024Avast paid $16.5M and agreed to delete all data collected through its browser extensions and antivirus — plus algorithmic disgorgement of products built using that data. The FTC alleged Avast sold users' browsing data to more than 100 third parties despite promising privacy protection.
Official source →FTC v. Cambridge Analytica
2019First major FTC algorithmic disgorgement order — required deletion of all data and any algorithms, models, or work product derived from data improperly collected via Facebook.
Official source →Relevance to data brokers
Section 5 is the single most important federal enforcement tool for data brokers. The FTC has used it against brokers selling geolocation data (X-Mode, Kochava), brokers with weak security (InMarket), brokers that misrepresent their practices (Epsilon Data Management paid $150M in 2021), and any broker breaking explicit privacy promises. When a broker lacks accountability under FCRA, HIPAA, GLBA, or state laws, Section 5 typically fills the gap.
Exercise your rights
Remove your data from 300+ brokers for $5
OfflistMe drafts opt-out emails citing FTC Act §5 and other applicable laws. Citations included. You send from your own inbox. No account, no ID upload.
Start for $5 →FAQ
What is the difference between 'deception' and 'unfairness' under Section 5?+
Deception: a material representation, omission, or practice likely to mislead a reasonable consumer (e.g., saying you don't sell data while selling it). Unfairness: a practice that causes or is likely to cause substantial injury to consumers, not reasonably avoidable by consumers, and not outweighed by countervailing benefits (e.g., selling geolocation data that exposes visits to reproductive health clinics).
Can I file a Section 5 complaint with the FTC?+
Yes. Report privacy violations at reportfraud.ftc.gov. Individual complaints do not trigger guaranteed individual remedies, but they shape FTC enforcement priorities and can fuel class-wide investigations and settlements.
What is algorithmic disgorgement?+
A remedy the FTC has used since 2019 (Cambridge Analytica) requiring companies to delete not just unlawfully obtained data but also any algorithms, models, or products built using that data. Notable uses: Everalbum (2021) facial-recognition model, WW International (2022), Rite Aid (2023) facial-recognition system, Avast (2024).
Does Section 5 apply to nonprofits?+
Section 5 generally exempts nonprofits, but the FTC has asserted jurisdiction over nonprofits engaged in commercial activities (e.g., when a nonprofit sells data or services). This is narrower than state consumer-protection laws, several of which cover nonprofits outright.
Official sources & citations
Other federal privacy laws
Federal privacy law is sectoral — each statute covers a specific data type or industry. Here are the other federal regimes to know alongside FTC Act §5: