Free Download

FTC COMPLIANCE RESOURCE PACK

Four production-ready templates every FTC-regulated business needs. GLBA Privacy Notice, Safeguards Rule annual board report, claim substantiation log, marketing disclosure checklist. Aligned with 16 CFR Parts 313, 314, 255, 316, 310 and FTC Act Section 5.

CMMC Registered Practitioner Org | Raleigh, NC | 23+ Years | BBB A+
Version: 2026.05 | Updated: 2026-05-08 | Files: 4 templates

Why This Pack Matters

FTC Enforcement Has Quietly Become the Most Aggressive in the United States

2024-2026 has produced a record run of FTC enforcement actions across the Safeguards Rule, the Endorsement Guides, ROSCA auto-renewal, AI-generated reviews, and dark patterns. Every business under Section 5 jurisdiction now needs documented compliance evidence — not just compliance intent.

The Federal Trade Commission writes the rules and enforces the rules across two complementary axes that touch nearly every business operating in the United States. On the privacy and data security axis, the Safeguards Rule (16 CFR Part 314) — expanded in late 2021 and amended in late 2023 — now imposes documented program requirements on a "financial institution" definition broad enough to capture mortgage brokers, motor vehicle dealers, finders, check cashers, payday lenders, real estate appraisers, tax preparers, and any non-bank lender. The 30-day breach-notification amendment under 16 CFR 314.5 (effective May 2024) added a federal disclosure clock for breaches involving 500 or more consumers.

On the marketing and advertising axis, FTC Act Section 5 — the unfair-or-deceptive-acts-or-practices statute that has anchored federal advertising regulation since 1914 — now sits alongside a thicket of more specific FTC instruments: the Endorsement Guides (16 CFR Part 255), materially expanded in 2023 to add disclosure requirements for material connections in social media; the Native Advertising Enforcement Policy Statement; the CAN-SPAM Act (16 CFR Part 316); the Telemarketing Sales Rule (16 CFR Part 310); the Made in USA Labeling Rule (16 CFR Part 323); and the Restore Online Shoppers' Confidence Act (ROSCA, 15 USC 8401-8405) governing online subscription disclosures and cancellation flows.

2024-2026 enforcement has produced a record run of consent decrees and civil penalty orders. Median settlement values are up materially. The agency is now actively pursuing AI-generated reviews, dark-pattern subscription flows, undisclosed influencer relationships, and inadequate Safeguards Rule programs. Regulated businesses that cannot produce documented privacy notices, board-level program reports, claim substantiation logs, and marketing disclosure checklists are flying without instruments.

This Resource Pack is the documentation chassis that satisfies the four most-frequently-requested FTC artifacts: privacy notice, annual program report, claim substantiation log, marketing disclosure checklist. Author once. Review annually. Sleep at night.

What's Inside

Four Templates, One ZIP Download

Editable HTML files. Open in any browser, paste into Word or Google Docs, brand with your business letterhead, sign, file.

01

GLBA Privacy Notice Template

Full GLBA Privacy Notice template structured to satisfy 16 CFR Part 313 disclosure requirements. Sections: information collected, information shared with affiliates, information shared with non-affiliated third parties (with the categories required by the Rule), consumer rights, opt-out election mechanism, joint-marketing arrangements, contact information, and effective date. Uses the FTC model form structure for maximum safe-harbor protection. Ready to brand and post on your website's privacy page or include in your customer-onboarding packet.

glba-privacy-notice-template.html — 14 KB

02

Safeguards Rule Annual Board Report Template

Annual report template the Qualified Individual files with the board (or senior officer) under 16 CFR 314.4(i). Sections aligned to the Rule's required topics: overall status of the information security program, risk assessment summary and material changes, risk management and control decisions, service-provider arrangements and oversight, results of testing and monitoring, security events of the past year and management's response, recommendations for material changes, board attestation and acknowledgement signature block. The single highest-leverage compliance artifact for any FTC-covered financial institution.

safeguards-rule-annual-report-template.html — 16 KB

03

Claim Substantiation Log

Tracker for every objective marketing claim across every channel. Columns: claim text, claim type (performance, comparative, health, environmental, savings, ROI, security, AI capability), substantiation source (peer-reviewed study, internal data, expert analysis, vendor representation, customer survey), substantiation reviewer, substantiation date, channel of publication (website, social, email, paid, OOH, podcast, video), publication date, expiration / re-substantiation cadence. Maintain it. When the FTC, a competitor, or a state AG files a challenge, this log is your first line of defense under FTC Act Section 5 and the Endorsement Guides.

claim-substantiation-log.html — 11 KB

04

Marketing Disclosure Checklist

Pre-publication compliance gate covering FTC Endorsement Guides 16 CFR Part 255 (including the 2023 amendments), Native Advertising Enforcement Policy, social-media-specific guidance for Instagram / TikTok / YouTube / Twitter / LinkedIn, the 2024 expanded scope on AI-generated endorsements and AI-generated reviews, CAN-SPAM email disclosures (16 CFR Part 316), Telemarketing Sales Rule disclosures (16 CFR Part 310), Made in USA Labeling Rule (16 CFR Part 323), and ROSCA online subscription disclosures (15 USC 8401-8405). Run the checklist before any campaign goes live.

marketing-disclosure-checklist.html — 18 KB

When to Use It

Five Common FTC-Compliance Use Cases

Initial Customer Onboarding

Send the GLBA Privacy Notice with the first contract or terms of service. Required under 16 CFR 313 before the customer relationship begins. Single highest-frequency FTC privacy artifact.

Annual Board Cycle

Walk the Safeguards Rule annual board report through the next regular board meeting. Capture sign-off in the minutes. Required documented evidence under 16 CFR 314.4(i).

Pre-Campaign Marketing Gate

Run every campaign — paid, organic, influencer, email, OOH, AI-generated — through the marketing disclosure checklist before publication. Catches Endorsement Guides and Native Advertising violations before they ship.

Claim Approval Workflow

Make the claim substantiation log a required gate in your marketing or product-launch workflow. Every objective claim entered with substantiation source before going live. The single most common FTC enforcement defense.

FTC Inquiry or CID Response

If a Civil Investigative Demand or compliance inquiry arrives, the four templates produce four of the five most-requested FTC artifacts in their finished form. Reduce response time from weeks to days.

How To Deploy

Five Steps from Download to Filed Documentation

Download and unzip

Enter your work email below. We send the ZIP within 60 seconds. Unzip locally; the four HTML files open in any browser for preview.

Publish the GLBA Privacy Notice

Brand the template, post on your website's privacy page, include in onboarding packets, send to existing customers if your sharing practices have changed in the last 12 months.

File the Safeguards annual report

If your business is a covered financial institution under the Rule, walk the annual report through the next board meeting. Capture sign-off in the minutes. Save with the QI Designation Memo and the WISP.

Wire the substantiation log into marketing

Add the claim substantiation log as a required column in your marketing pipeline (Asana, Notion, Monday, Trello, Airtable). Every objective claim requires a substantiation entry before publication.

Run the disclosure checklist pre-launch

Make the marketing disclosure checklist a required pre-publication gate. Owner: marketing leadership or general counsel. Time per campaign: 15-30 minutes. Caught violation cost: thousands to millions.

Get The Pack

Free Download — Email Below

Enter your work email. We send the ZIP within 60 seconds and add you to our monthly cybersecurity newsletter (one-click unsubscribe). No credit card. No upsell ambush.

By submitting, you agree to receive the resource pack and our monthly newsletter. We never sell your email. Unsubscribe in one click.

FAQ

Frequently Asked Questions

Twelve questions we hear most often about the FTC Resource Pack, the templates, and how the pack fits into a complete program.

What is in the free FTC Compliance Resource Pack?
Four production-ready templates: a GLBA Privacy Notice template that satisfies 16 CFR Part 313 disclosure requirements, a Safeguards Rule annual board report template aligned with 16 CFR 314.4(i) (the report the Qualified Individual must file annually with the board or governing body), a claim substantiation log for advertising and marketing claims under Section 5 of the FTC Act, and a marketing disclosure checklist covering FTC Endorsement Guides, Native Advertising Guidance, and the 2024 social-media disclosure expectations. Editable HTML, single-business license, free.
Who is this pack for?
Any business operating under FTC jurisdiction. The "financial institution" definition under the FTC Safeguards Rule sweeps in mortgage brokers, motor vehicle dealers, finders, check cashers, payday lenders, real estate appraisers, tax preparers, accountants offering loan-related services, and any non-bank lender. The marketing-side templates apply to literally any business that advertises (FTC Act Section 5 jurisdiction is essentially universal). E-commerce brands, SaaS marketers, agency clients, fintech, healthcare marketing, and consumer-product companies all benefit.
Is the resource pack really free?
Yes. Free for any business to download and use internally. No per-seat fee, no time-limited trial, no obligation to purchase the paid FTC Compliance Mastery course. The only ask is your work email so we can send the ZIP and add you to our monthly cybersecurity newsletter — one-click unsubscribe.
What is the GLBA Privacy Notice and when do I need to send it?
Under 16 CFR Part 313, every covered financial institution must provide consumers with a clear and conspicuous notice describing what personal information is collected, with whom it is shared, the categories of disclosures, and the consumer's right to opt out of certain sharing. The initial notice is due before the customer relationship begins; an annual notice is required if the firm shares non-public personal information with non-affiliated third parties outside enumerated exceptions. The template in this pack uses the FTC model form structure for maximum safe-harbor protection.
What is the Safeguards Rule annual board report?
16 CFR 314.4(i) requires the Qualified Individual to provide a written report at least annually to the board of directors (or, for entities without a board, the senior officer responsible for the security program). The report must address the overall status of the information security program, risk assessment, risk-management decisions, service-provider arrangements, results of testing, security events and management's response, and any recommendations for material changes. The template in this pack is structured to map directly to those required topics.
What is the claim substantiation log for?
FTC Act Section 5 prohibits unfair or deceptive acts or practices, including unsubstantiated advertising claims. Every objective marketing claim — performance, comparative, health, environmental, savings, ROI — must have a reasonable basis at the time the claim is made. The substantiation log records the claim text, the underlying evidence (study, internal data, expert analysis, vendor representation), the reviewer, the date, and the channels where the claim is published. Maintain it. When the FTC or a competitor files a challenge, this log is your first line of defense.
Does the marketing disclosure checklist cover influencer and social media?
Yes. The checklist covers FTC Endorsement Guides 16 CFR Part 255, the 2023 amendments adding stricter disclosure requirements for material connections, the Native Advertising Enforcement Policy Statement, social-media-specific guidance for Instagram / TikTok / YouTube / Twitter / LinkedIn, and the 2024 expanded scope on AI-generated endorsements and AI-generated reviews. Use it as your pre-publication compliance gate for any marketing campaign.
Which compliance frameworks does this pack support?
FTC Safeguards Rule (16 CFR Part 314), GLBA Privacy Rule (16 CFR Part 313), FTC Act Section 5 (unfair and deceptive practices), FTC Endorsement Guides (16 CFR Part 255), CAN-SPAM Act (16 CFR Part 316), Telemarketing Sales Rule (16 CFR Part 310), Made in USA Labeling Rule (16 CFR Part 323), and the Restore Online Shoppers' Confidence Act (ROSCA, 15 USC 8401-8405). State analogues are noted in the template footnotes (CA Auto-Renewal Law, NY Auto-Renewal Law, etc.).
How does this pair with the FTC Compliance Mastery course?
The pack is the documentation chassis. The course is the FTC regulatory deep-dive: GLBA Privacy and Safeguards Rules, FTC Act Section 5 substantiation doctrine, Endorsement Guides walkthrough, CAN-SPAM and TSR refresh, ROSCA and auto-renewal compliance, breach-notification rehearsal, and current 2024-2026 enforcement trend analysis. The course currently runs $499 per seat per year with volume pricing for compliance teams of 5+ seats.
Are the templates legal advice?
No. The templates are documentation starting points authored by cybersecurity and compliance practitioners. They are calibrated to typical SMB and mid-market posture under FTC jurisdiction. Engage your own legal counsel — particularly for state-law overlay (CA, NY, IL, TX, MA), industry-specific overlay (HIPAA, FCRA, CFPB), and matter-specific interpretations. PTG can introduce you to FTC-experienced counsel on request.
Do I need a Qualified Individual to use the Safeguards annual report template?
Yes. 16 CFR 314.4(a) requires every covered financial institution to designate a Qualified Individual responsible for the information security program; 16 CFR 314.4(i) requires that QI to file the annual report. If your business has not yet named a QI, start with the QI Designation Memo in the CPA Resource Pack (the format is industry-agnostic) — designate, then sign and file the annual report at the next board cycle.
What other free resource packs do you offer?
The Security Awareness Training Resource Pack for every employee at any business, the CPA Firm Cybersecurity Resource Pack for accounting and tax practices, and (planned for Q3 2026) a CMMC 2.0 Level 2 documentation pack for defense-supply-chain firms.

About The Author

Built for FTC-Regulated Businesses, by Practitioners

Craig Petronella, CMMC-RP

Founder & CEO, Petronella Technology Group

Craig is a CMMC Registered Practitioner, an Amazon best-selling author of 12 cybersecurity books, host of the Cybersecurity and Compliance with Craig Petronella podcast, and a 23-year veteran of incident response, forensic investigation, and FTC-aligned compliance program delivery. PTG serves FTC-regulated businesses across the United States with WISP authoring, fractional Qualified Individual coverage, MDR, vCISO, advertising substantiation review, and breach-notification readiness. The PTG team — including Blake Rea, Justin Summers, and Jonathan Wood — are also CMMC Registered Practitioners.

Get the Pack. File the Documentation. Pass the Audit.

Free FTC Compliance Resource Pack now. Optional paid course when you are ready to layer on FTC regulatory deep-dive training.

Petronella Technology Group, Inc. — 7000 Six Forks Road, Raleigh, NC 27615 — 919-348-4912 — support@petronellatech.com. The free FTC Compliance Resource Pack is provided "as-is" for single-business internal use. Templates are not legal advice. Consult counsel for jurisdiction-specific compliance interpretations. The FTC Compliance Mastery course is sold separately at $499 per seat per year.