The F.T.C. has nevertheless built a strong privacy program based largely on the Federal Trade Commission Act, which was passed more than 100 years ago, long before personal computers, the internet, social media or mobile phones were invented. This general-purpose law is supplemented by a few sector-specific privacy laws, like the Children’s Online Protection Act, which give the F.T.C. stronger authority to act in specific areas of the marketplace.

The F.T.C. Act gives the agency a lot to work with. The agency can investigate fraud, deception and clearly harmful practices by a wide array of companies. It can bring enforcement actions stopping such conduct and getting back money that consumers have lost. It can study trends in the marketplace and issue studies. And it can use the bully pulpit to call out troubling practices and educate the public, just as any government agency can.

Using this authority, the F.T.C. has challenged the privacy practices of some of the biggest companies (and prominent users of consumer data) in the world, including Facebook, Google, Twitter, Equifax, Microsoft, Uber, Wyndham and many others.

But the F.T.C. Act is not enough to protect privacy. Each action against these tech companies, for example, required painstaking investigation before the agency could obtain even the most basic privacy relief for consumers. Some also prompted controversy and litigation over the parameters of the F.T.C.’s privacy authority. At times, facing the reality of the limits on its powers, the agency has had to pull its punches.

Under the F.T.C. Act, the agency can’t set normative privacy standards that all companies must follow, such as requiring them to post a privacy policy, limit the consumer data they collect and retain, refrain from certain uses of that data or give consumers choices about how their data is used. Sure, the agency might be able to get this type of relief against a particular company following proof of specific and harmful misconduct, but it can’t set these standards on an industry-wide basis.

Also, the F.T.C. can’t generally impose penalties on privacy wrongdoers, unless they’re already under an order for previous wrongdoing — as in the case of Facebook. Yes, it can get back money that consumers have lost, or order companies to “disgorge” their profits from illegal activities. But all of this can be very difficult to calculate in privacy, and even more difficult to prove in court, as many plaintiffs have learned in privacy class actions and similar litigation. That’s why the ability to obtain penalties is so important.