FTC Compliance Training: Safeguards Rule, Privacy Rule & Section 5 Mastery
A self-paced training program built for every FTC-regulated business: auto dealers, mortgage brokers, debt collectors, retailers offering financing, financial advisors, and marketing teams. Six modules. Twelve lessons. Real penalties explained, plus the May 13, 2024 breach-notification rule that quietly reshaped enforcement.
FTC Enforcement Just Got Teeth
If you collect, store, or transmit consumer financial information, the FTC is no longer issuing warning letters and walking away. Officers are being named personally. Public disclosure has a clock. State attorneys general are stacking parallel claims on top.
The May 13, 2024 amendment to the FTC Safeguards Rule (16 CFR § 314.5) changed the math for every non-bank financial institution under FTC jurisdiction. When a security event affects 500 or more consumers and exposes unencrypted customer information, the entity must report it to the FTC within 30 days — and the report is published on a publicly searchable portal. The portal is the part most counsel did not see coming. Competitors, plaintiffs' lawyers, and journalists check it daily. A single late-night intrusion can become a press story before remediation is finished.
This came on the heels of the Drizly consent order, in which the FTC named the CEO personally and bound him to data-security obligations that follow him to future employers. That signal — that named officers, not just companies, can be on the hook — reset the conversation in boardrooms across regulated industries.
Layered on top: state laws (CCPA/CPRA in California, the New York SHIELD Act, Texas Data Privacy and Security Act, Connecticut, Colorado, Virginia, Utah, and a dozen others) frequently impose stricter notification clocks, broader definitions of personal information, and private rights of action. FTC enforcement data shows that compliance failures very rarely happen in isolation — one trigger event often produces three or four parallel inquiries. The training that covers only HIPAA or only PCI is no longer enough for any business that touches consumer financial data.
Most internal teams learned the original Gramm-Leach-Bliley framework a decade ago and have never reviewed the 2021 modernization or the 2024 amendment. FTC Compliance Mastery closes that gap in 210 minutes of focused, plain-English training designed for operators and their counsel.
Who This Course Is Built For
If your business advertises to consumers, finances purchases, processes personal information, or sends marketing communications, the FTC has rules you are required to follow. This course addresses the operators who actually own the work.
Auto Dealers
Franchised and independent dealerships, F&I managers, and BDC teams. Anyone underwriting, financing, or leasing falls under the Safeguards Rule, full stop.
Mortgage Brokers & Lenders
Originators, processors, and any non-bank lender. Annual privacy notices and the 30-day breach clock apply to every loan file you touch.
Debt Collectors & Buyers
Collection agencies, debt buyers, and law firms collecting consumer debts. FDCPA, Regulation V, and the Safeguards Rule all overlap on your data.
Retailers Offering Financing
Furniture, appliance, jewelry, medical, and powersports retailers offering installment or buy-now-pay-later. If you finance, you are a financial institution to the FTC.
Payday & Short-Term Lenders
Storefront and online payday lenders, title lenders, and pawnbrokers. Heightened scrutiny + state caps + Safeguards = no margin for error.
Financial Advisors & RIAs
Investment advisors not registered with the SEC, financial planners, and tax preparers handling consumer financial data. The IRS WISP requirement maps directly to Safeguards.
B2C Software & SaaS
Fintech, lending platforms, payment apps, credit-monitoring services, and consumer-facing SaaS handling financial data. Built-in compliance is a sales advantage.
Marketing & Communications Teams
Anyone writing claims, running ads, or sending emails. FTC Act Section 5, CAN-SPAM, and the Telemarketing Sales Rule live in your queue, not in legal's.
What Is Inside the Course
Six modules. Twelve lessons. 210 minutes total. Beginner-to-intermediate level. Audio narration available. Full certificate of completion after passing the 20-question final exam at 80 percent.
The FTC Compliance Landscape
Who is regulated and why. The history from the FTC Act of 1914 through Gramm-Leach-Bliley, Dodd-Frank, and the 2021 and 2024 Safeguards Rule revisions. How FTC jurisdiction interacts with the CFPB, state regulators, and self-regulatory bodies. By the end of this module you will know whether you are a covered "financial institution," what enforcement looks like in practice, and where most non-CPA businesses miss the line. Includes a structured self-audit so you can confirm your obligations before you write a single policy.
Safeguards Rule Deep Dive (16 CFR Part 314)
The eight required elements of an information security program, line by line, with the 2021 modernization and 2024 amendment merged in. Risk assessment, access controls, encryption-or-compensating-controls, MFA, secure development, change management, monitoring, training, incident response, vendor oversight, and the Qualified Individual designation. We translate the regulatory text into a checklist your IT lead, vCISO, or in-house counsel can act on this week.
FTC Privacy Rule (16 CFR Part 313)
The often-forgotten companion to the Safeguards Rule. We cover the initial privacy notice, the annual notice exception (Reg P safe harbor), opt-out rights, joint marketing exceptions, and information-sharing limits. Most enforcement actions begin with a privacy-notice failure, not a hack. Lesson includes notice templates, the model form analysis, and a decision tree for whether an annual notice is required this year.
Breach Notification & Incident Response
The May 13, 2024 amendment in operational detail. What counts as a "notification event," the 30-day clock, the 500-consumer trigger, the unencrypted-customer-information definition, and the public FTC portal. We walk through a tabletop scenario from detection through filing, including the legal-hold timing, forensic-investigator coordination, and the press-and-customer communications sequence. Encryption is treated as an operational safe harbor, not a technical detail.
FTC Act Section 5 — Unfair, Deceptive & AI Claims
Section 5 is the catch-all. The FTC uses it for false advertising, manipulative dark patterns, "Made in USA" misrepresentation, junk-fee disclosure, and now generative-AI claims (the "AI washing" crackdown of 2024-2026). We cover the substantiation standard, the disclosure framework, real consent-order language, and the new categories the FTC has signaled enforcement priority on. Critical for any team that writes copy, runs paid media, or ships product features.
Marketing Compliance — CAN-SPAM, TSR, COPPA
The four laws marketing leaders must know inside the FTC umbrella: the CAN-SPAM Act for commercial email, the Telemarketing Sales Rule (TSR) including the Do Not Call Registry, COPPA for any collection of children's data under 13, and the FTC's online-disclosure guidance (.com Disclosures, the Endorsement Guides, and the 2023 Negative Option Rule). Designed so a marketing director can complete this module and walk back to the team with a defensible playbook.
The 8 Required Elements You Will Master
16 CFR § 314.4 spells out eight non-optional elements of every covered information security program. Module 2 unpacks each one in operational language.
- Element 1: Designate a Qualified Individual responsible for the program. One named human, accountable to leadership, with authority to act.
- Element 2: Conduct a written, periodic risk assessment that drives every other safeguard. Generic risk assessments do not qualify.
- Element 3: Implement safeguards: access controls, asset inventory, encryption (or documented compensating controls), MFA, change management, secure SDLC.
- Element 4: Regularly test and monitor the effectiveness of safeguards through continuous monitoring, annual penetration testing, and semiannual vulnerability assessments.
- Element 5: Implement training for personnel and verify that the Qualified Individual and key staff stay current on threats — this course satisfies the operator-training prong.
- Element 6: Oversee service providers via written contracts that bind them to safeguards equivalent to your own, with periodic reassessment.
- Element 7: Maintain a written incident response plan that names roles, authorities, and the 30-day FTC notification workflow under the May 13, 2024 amendment.
- Element 8: The Qualified Individual delivers a written annual report to the board or governing body covering program status, risk, and material events.
The May 13, 2024 Reality Check
If a security event affects 500 or more consumers and any of their unencrypted customer information was acquired without authorization, you must notify the FTC within 30 days. The notification is published on a public, searchable FTC portal. There is no quiet correction. There is no embargoed disclosure. Competitors, prospective customers, plaintiffs' lawyers, journalists, and ratings agencies have a permanent breadcrumb trail.
The single most cost-effective control under this rule is full-disk and field-level encryption that meets the FTC's standard, because the 30-day clock only triggers on unencrypted data. Module 4 walks the encryption safe harbor in detail, including the kinds of partial-encryption deployments that do not qualify.
Unfair, Deceptive & the New AI Frontier
Section 5 of the FTC Act gives the Commission authority over "unfair or deceptive acts or practices in or affecting commerce." That single sentence is the legal basis for: false advertising actions, "Made in USA" enforcement, the dark-patterns guidance, the negative-option (autorenewal) rule, the Endorsement Guides, the recent crackdown on AI-washing, and most data-privacy actions outside Safeguards.
"Unfair" requires substantial consumer injury that is not reasonably avoidable and not outweighed by benefits. "Deceptive" requires a material representation, omission, or practice likely to mislead a reasonable consumer. Neither standard requires intent. A founder honestly believing the AI feature works does not make the claim defensible if the substantiation is missing.
The 2024-2026 enforcement wave has named several themes: AI capability claims ("our model detects fraud" without test data), made-in-USA labels on partially imported goods, review and endorsement manipulation, negative-option subscription traps, and junk-fee disclosure failures. Module 5 of this course walks each pattern with real consent-order language and gives marketing leaders a substantiation checklist they can adopt before the next campaign ships.
CAN-SPAM, TSR & COPPA in Plain English
Marketing teams own more FTC exposure than they realize. Three foundational rules and a dozen guidance documents live in the comms director's lap, not legal's.
CAN-SPAM Act. Every commercial email must accurately identify the sender, include a physical postal address, honor opt-out requests within ten business days, avoid deceptive subject lines, and disclose adult or sexually-oriented content. Penalties run up to $51,744 per violating email under current civil penalty inflation. Studies suggest the most common violation today is not deceptive subject lines, but failure to process opt-outs through a working unsubscribe path.
Telemarketing Sales Rule. The TSR governs outbound calls and texts to consumers, the National Do Not Call Registry, robocalls, abandoned-call rates, caller-ID accuracy, and the recent Telemarketing Sales Rule amendments covering technical-support scams and B2B telemarketing. SMS marketing is increasingly enforced under the TSR plus state mini-TCPA statutes.
COPPA. The Children's Online Privacy Protection Act governs any operator of a website or online service "directed to children under 13" or with actual knowledge of users under 13. Verifiable parental consent, data-minimization, and the 2025-proposed COPPA 2.0 expansion all matter for SaaS, education-tech, and any consumer app with age-mixed audiences.
What You Will Be Able to Do When You Finish
This course is built around operator outcomes, not regulatory recitation. By the time you submit the final exam at 80 percent or higher, you should be able to walk into a leadership conversation, a vendor negotiation, or a regulator interview with the answers ready.
You will be able to determine your own coverage. The first practical question every operator asks is "does this even apply to me?" After Module 1 you will know the FTC definition of a financial institution, the difference between FTC and CFPB jurisdiction, and the specific triggers that pull a non-bank business under Safeguards. You will also know whether your data volume puts you over the 5,000-consumer line that disqualifies the small-firm carve-out.
You will be able to draft and defend a Safeguards-compliant program. Module 2 walks each of the eight required elements with the documentation that proves compliance. You will leave with a structure for the written risk assessment, sample language for the Qualified Individual designation, and a vendor-oversight contract checklist your procurement team can adopt this quarter. The goal is not "documentation theater" — the goal is a program that holds up under FTC investigative demand letters and state-AG follow-on inquiries.
You will run a credible breach-notification tabletop. Module 4 includes a step-by-step decision tree for the moment a security event is discovered: who decides if it crosses the 500-consumer threshold, who controls the 30-day clock, when outside counsel and a forensic firm enter the room, and how the encryption safe harbor is documented. Most institutions discover during a real incident that they cannot answer those questions in real time. After this course you will.
You will recognize Section 5 risk before it ships. Module 5 trains the pattern recognition: the kinds of marketing copy, AI feature claims, autorenewal flows, and Made-in-USA labels that have triggered FTC actions. This is the module that earns the course's price back in a single product launch by killing one bad claim before counsel has to negotiate it out of a complaint.
You will own the marketing-compliance stack. CAN-SPAM opt-out workflows, TSR caller-ID and DNC-list discipline, COPPA verifiable parental consent, the .com Disclosures and Endorsement Guides — all of it lives in your team after Module 6. You stop pushing tickets to legal for routine questions and start escalating only the genuinely novel ones.
FTC Compliance vs Our CPA Firm Course
PTG offers a parallel CPA Firm Cybersecurity & Compliance course built around the IRS Written Information Security Plan (WISP) and IRS Publication 4557. Same training rigor, different audience.
| Dimension | FTC Compliance Mastery | CPA Firm Cybersecurity |
|---|---|---|
| Primary regulator | FTC + state AGs | IRS + state boards of accountancy |
| Primary rules | Safeguards Rule, Privacy Rule, FTC Act Section 5, CAN-SPAM, TSR, COPPA | IRS Pub. 4557 WISP, Gramm-Leach-Bliley, IRC § 7216 |
| Audience | Auto dealers, lenders, retailers offering financing, marketing teams | Tax preparers, EAs, CPAs, accounting firm owners |
| Breach reporting | 30-day public FTC portal (May 13, 2024) | IRS notification + state AG + EFIN provider notice |
| Length | 210 minutes / 6 modules / 12 lessons | Comparable structured curriculum |
One Price. Lifetime Access. Real Certificate.
$399
One-time payment · Lifetime access · Certificate of completion
- 12 lessons across 6 modules, 210 minutes total runtime, beginner-to-intermediate level
- Certificate of completion after passing the 20-question final exam at 80 percent or higher
- Audio narration available throughout the curriculum for accessible, mobile-friendly learning
Group and team licenses are available. Call 919-348-4912 for volume pricing on five seats or more.
About Petronella Technology Group
Petronella Technology Group is a Raleigh-based cybersecurity and AI automation firm. We are a CMMC Registered Practitioner Organization, BBB A+ since 2003, and our leadership has more than 30 years of cybersecurity experience. We help organizations move from compliance theater to defensible, evidence-backed programs that hold up to FTC, IRS, DoD, and state-AG scrutiny. Beyond training, our team delivers cybersecurity audits, vCISO and fractional security leadership, incident response, and the AI tooling that makes compliance sustainable.
Includes a Downloadable Resource Pack
Every enrollment includes a Resource Pack of practitioner-ready templates — worth hundreds in standalone licensing fees from compliance-template vendors — downloadable from your member dashboard once you complete checkout:
- GLBA Privacy Notice Template — initial + annual privacy notice per 16 CFR Part 313, with placeholder fields and the layered-notice format
- Safeguards Rule Annual Report Template — Qualified Individual annual report to senior management/board per 16 CFR § 314.4(i)
- Claim Substantiation Log — defends marketing teams against FTC § 5 / Made in USA / endorsement-disclosure scrutiny
- Marketing Disclosure Checklist — pre-launch reference for CAN-SPAM, TSR, COPPA, ROSCA + state auto-renewal laws, Made in USA claims, AI capability claims
Members download the pack from the course detail page after enrollment.
Frequently Asked Questions
Who exactly needs this course?
If you are an officer, manager, compliance lead, IT decision-maker, in-house counsel, or marketing director at a business that touches consumer financial information, advertises to consumers, or sends commercial email, this course is for you. The clearest fits are auto dealers, mortgage and consumer lenders, debt collectors, retailers offering financing, financial advisors and tax preparers not subject to SEC oversight, and marketing teams writing claims about products or services.
Do I qualify for the small-firm carve-out under the Safeguards Rule?
Financial institutions that maintain customer information on fewer than 5,000 consumers are exempt from a few specific Safeguards obligations — the written risk assessment, the continuous-monitoring or annual penetration testing requirement, the incident response plan, and the annual report to the board. They are still required to implement the rest of the program. Module 1 walks the carve-out decision tree, and Module 2 explains which obligations remain even if you qualify.
Are multi-factor authentication and encryption truly required?
Yes. The 2021 modernization made MFA mandatory for any individual accessing customer information, with limited exceptions that the Qualified Individual must approve in writing. Encryption of customer information at rest and in transit is required, with the option to use compensating controls reviewed and approved in writing by the Qualified Individual. Module 2 covers both the rule text and the practical implementation.
Is encryption a real safe harbor for breach notification?
Operationally, yes. The May 13, 2024 notification trigger applies only to unauthorized acquisition of unencrypted customer information. Properly implemented full-disk encryption, field-level encryption, and tokenization can keep an event below the notification threshold. Module 4 walks the technical and documentation requirements that make the safe harbor defensible — encryption is only protective if you can prove the keys were not also compromised.
What is the 30-day breach notification clock, exactly?
The clock starts when the financial institution discovers a "notification event" affecting at least 500 consumers' unencrypted customer information. The institution must report to the FTC within 30 days of discovery via the Commission's online portal, and the notification becomes part of a public, searchable record. State law clocks (often shorter, sometimes 14 or 15 days) and contractual notification clocks layer on top.
What is the refund policy?
If you complete less than 25 percent of the course and request a refund within 14 days of purchase, we will issue a full refund. After 25 percent completion or 14 days, refunds are no longer available because lifetime access has effectively been delivered. Email support@petronellatech.com or call 919-348-4912.
Does the certificate of completion expire?
The certificate itself does not expire and your access to the course content is lifetime. However, FTC regulations evolve — and the May 13, 2024 amendment is proof. We recommend re-watching updated modules whenever the FTC issues a major rule change. We push course updates to all enrolled learners free of charge for at least 24 months from purchase.
Do you offer team or group pricing?
Yes. Five-seat, 25-seat, and enterprise licenses are available with administrator dashboards, completion reporting, and SSO options. Call 919-348-4912 or email support@petronellatech.com for a quote tailored to your headcount and onboarding cycle.
How does this compare to KnowBe4-style security awareness training?
General security awareness training (phishing simulations, password hygiene, social engineering) is necessary but not sufficient under the Safeguards Rule. FTC Compliance Mastery is regulatory, not behavioral. We pair well with general SAT — see our 2026 Security Awareness Training course for the human-firewall side. Most clients run both for full coverage.
Do you also offer compliance services beyond training?
Yes. Beyond training, PTG delivers full-cycle compliance work: FTC Safeguards audits and gap assessments, written information security programs, vCISO and fractional security leadership, incident response and breach notification preparation, CMMC for defense contractors, and AI-augmented compliance automation. Many clients start with the course and then engage us for the build-out.
Will this satisfy the Safeguards Rule training requirement?
Element 5 of 16 CFR § 314.4 requires training for personnel sufficient to address relevant security risks. This course satisfies the operator-training prong for compliance staff, the Qualified Individual, and managers responsible for the program. Front-line staff still benefit from general security awareness training in addition. We document attendance and exam completion to give you written training evidence the FTC can accept.
Is this course legal advice?
No. The course is regulatory training and operational guidance. It is not a substitute for advice from qualified counsel licensed in your jurisdiction. We work alongside your in-house and outside counsel and frequently coordinate directly with their teams during the build-out phase.
Lock in FTC Compliance Mastery Today
Enroll online for $399, or call our team to discuss group pricing, the small-firm carve-out, and how to combine the course with a Safeguards gap assessment.
Questions? Email support@petronellatech.com
This page provides marketing information only and is not legal advice. Consult qualified counsel for jurisdiction-specific obligations.