Marketing Compliance in Regulated Industries: HIPAA, FTC, TCPA, CAN-SPAM, and FDIC — What's Actually Getting Companies Fined in 2026
The enforcement environment around digital marketing compliance has changed faster in the last three years than in the prior decade. Hospital systems have paid over $100 million in pixel-related penalties. Lead generators are navigating post-TCPA consent turbulence. Financial marketers are adjusting to new FDIC digital advertising rules. This is what you actually need to know — from a practitioner who manages the marketing stack, not a law firm billing by the hour.
Why marketing compliance enforcement intensified
For most of the 2010s, digital marketing compliance was treated as a theoretical concern — the kind of thing legal reviewed annually and filed away. The technology moved faster than enforcement, and regulators were slow to catch up with what tracking pixels, server-side data pipelines, and programmatic advertising actually did with consumer data.
That changed materially around 2022–2023. The HHS Office for Civil Rights issued guidance on tracking technologies and HIPAA in December 2022. The FTC began pursuing healthcare-adjacent companies under the Health Breach Notification Rule. TCPA class action activity reached levels that made consumer-facing companies treat it as an operational risk rather than a legal footnote. And the FCC adopted (and the 11th Circuit later vacated) a one-to-one consent rule that forced the entire lead generation industry to examine its consent flows.
The result is a compliance environment where the gap between what most marketing teams are doing and what the regulations require is both visible to regulators and actively being closed through enforcement. Most marketing compliance violations aren't the result of companies deliberately breaking the law. They're the result of marketing teams implementing standard industry practices — the same pixels, the same opt-in flows, the same email templates — without knowing that "standard practice" had diverged from what the law requires. That doesn't change the liability.
HIPAA and tracking pixels: the $100M problem
The number cited most often in healthcare marketing compliance discussions is $100 million — the total in penalties and settlements tied to tracking pixel violations across 19 major cases from 2023 to 2025. Advocate Aurora Health paid $12.25 million for exposing 3 million patients' data via Meta Pixel. Mass General Brigham's exposure reached $18.4 million. Dozens of smaller systems have faced significant settlements.
The underlying issue is straightforward but surprisingly hard to fix without changing your tracking architecture: standard marketing pixels are browser-side scripts that collect and transmit information about user activity on whatever page they're loaded on. When those pages are on healthcare websites — appointment scheduling pages, patient portals, condition-specific content, telehealth intake forms — the information being transmitted can include details that, alone or in combination, constitute protected health information under HIPAA.
The specific pages and contexts that create the highest exposure: patient portals, appointment scheduling pages, condition-specific content pages (where URLs and titles reference diagnoses or treatments), provider search tools, telehealth intake forms, and prescription refill or pharmacy pages.
The AHA ruling and what it means: In June 2024, a federal judge sided with the American Hospital Association against HHS OCR, ruling the agency exceeded its authority on portions of its December 2022 guidance — specifically provisions applying to unauthenticated public pages. This narrowed OCR's enforcement posture on some pages. What it didn't do is eliminate FTC enforcement, which proceeds under the FTC Act on a different legal basis and explicitly covers companies that aren't HIPAA-covered entities.
The practical solution is moving marketing conversion events to a server-side configuration, where your server receives the conversion event, strips or never collects PHI, and sends a compliant signal to the advertising platform. This is also better marketing measurement — server-side signals are cleaner, more reliable, and produce better match rates for platform optimization. The compliance fix and the measurement fix point in the same direction.
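The server-side pattern described above, as an added example that is not code from the article or from Impaxium: the site's own backend receives the raw conversion event, keeps only an allowlisted set of fields, reduces the page URL to scheme and host (paths, query strings and titles are where diagnoses, provider names and appointment details leak), and suppresses events that originate on the high-exposure page types listed earlier rather than forwarding them. The event field names, the path prefixes and the sample events are assumptions constructed for illustration; the actual forwarding call to an ad platform is left out.

```python
"""Server-side conversion event sanitizer (added example, not from the article).

Assumes the site's backend receives raw conversion events as dicts and must
forward only a minimal, PHI-free signal to an advertising platform. Field
names, suppressed path prefixes and sample events are constructed assumptions.
"""
from __future__ import annotations

from urllib.parse import urlsplit, urlunsplit

# The only fields a marketing signal legitimately needs; everything else
# (page titles, form fields, identifiers) is dropped before forwarding.
ALLOWED_FIELDS = {"event_name", "event_time", "page_url"}

# Page contexts the article names as highest exposure. Events from these
# paths are suppressed entirely, not forwarded in reduced form. (Assumed paths.)
SUPPRESSED_PATH_PREFIXES = (
    "/portal", "/schedule", "/appointments", "/conditions/",
    "/find-a-provider", "/telehealth", "/pharmacy", "/refill",
)


def strip_url(url: str) -> str:
    """Keep scheme and host only; path, query and fragment are discarded."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def is_suppressed(url: str) -> bool:
    """True if the event originated on a high-exposure page type."""
    path = urlsplit(url).path.lower()
    return path.startswith(SUPPRESSED_PATH_PREFIXES)


def sanitize_event(raw: dict) -> dict | None:
    """Return a forwardable event, or None if it must be suppressed."""
    url = raw.get("page_url", "")
    if is_suppressed(url):
        return None
    clean = {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}
    if "page_url" in clean:
        clean["page_url"] = strip_url(clean["page_url"])
    return clean


def sanitize_batch(events: list[dict]) -> list[dict]:
    """Sanitize a batch, dropping suppressed events."""
    out = []
    for raw in events:
        clean = sanitize_event(raw)
        if clean is not None:
            out.append(clean)
    return out


# Constructed sample events: one from a generic contact page that should be
# forwarded in reduced form, two from high-exposure pages that are dropped.
RAW_EVENTS = [
    {
        "event_name": "Lead",
        "event_time": 1700000000,
        "page_url": "https://example-health.invalid/contact?utm_source=meta#top",
        "page_title": "Contact Us",
        "email": "patient@example.invalid",
    },
    {
        "event_name": "Schedule",
        "event_time": 1700000100,
        "page_url": "https://example-health.invalid/schedule/oncology?provider=123",
        "page_title": "Book an oncology appointment",
    },
    {
        "event_name": "PageView",
        "event_time": 1700000200,
        "page_url": "https://example-health.invalid/conditions/diabetes",
        "page_title": "Living with diabetes",
    },
]

if __name__ == "__main__":
    for event in sanitize_batch(RAW_EVENTS):
        print(event)
```

Run as a script, the only event that survives is the contact-page lead, reduced to its event name, timestamp and bare origin; the email address and page title never leave the server, and the scheduling and condition-page events are not sent at all. The deliberate design choice is a field allowlist rather than a denylist: a denylist has to anticipate every way PHI can appear in a payload, while an allowlist only has to name the three fields the ad platform actually needs for optimization.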
FTC marketing compliance: broader than healthcare
The FTC's authority over unfair or deceptive acts under Section 5 of the FTC Act applies to essentially every commercial marketing activity. The FTC's Health Breach Notification Rule actions against GoodRx ($1.5M) and BetterHelp ($7.8M), companies that aren't HIPAA-covered entities, for transmitting health data to advertising platforms established that a HIPAA exemption doesn't mean an FTC exemption.
The FTC's updated Endorsement Guides (2023) significantly tightened disclosure requirements for influencer marketing, affiliate marketing, and any arrangement where a financial relationship exists between an advertiser and a promoter. Clear and conspicuous disclosure is required — not a footnote, not a buried hashtag. Affiliate and partner programs create particular exposure because the company being promoted can be held liable for non-compliant disclosures made by affiliates operating on its behalf.
The FTC also requires that advertising claims be substantiated at the time they're made — not after. In an environment where AI-generated content is producing advertising claims at scale, the risk of unsubstantiated claims in the marketing pipeline has grown considerably.
TCPA: what prior express written consent actually requires in 2026
The Telephone Consumer Protection Act has generated more marketing compliance litigation than any other regulation in the last decade. Class action settlements regularly reach eight figures. Statutory damages of $500 to $1,500 per illegal text or call apply per-contact, not per-campaign. A text blast to 100,000 people without proper consent is potentially 100,000 violations.
TCPA requires prior express written consent before marketing text messages or autodialed calls to cell phones. That consent must be in writing, unambiguous, specific about the technology being used, signed by the consumer, not bundled as a condition of purchase, and — since April 11, 2025 — must be honored when revoked through any reasonable method, not just the channel the company designates.
The FCC's one-to-one consent rule — which would have required separate consent for each marketer — was vacated by the 11th Circuit in January 2025 and formally removed by the FCC in August 2025. But the underlying TCPA prior express written consent requirement remains fully in force, and blanket consent practices with hyperlinked partner lists remain actively litigated.
CAN-SPAM compliance: the rules most email programs still get wrong
CAN-SPAM's per-violation penalty of up to $51,744 per non-compliant email applies to every email, not to campaigns — and the FTC has demonstrated it will impose multi-million dollar fines for systemic non-compliance.
The most common failures: deceptive subject lines ("Re: your request" on a cold email is a violation); missing or invalid physical postal address; opt-out mechanisms that don't work or aren't honored within 10 business days; and liability for affiliates and partners sending email on your behalf. CAN-SPAM is an opt-out law, not opt-in — but the requirements on commercial content identification, header accuracy, and opt-out mechanics are non-negotiable and frequently missed.
In 2026, the FTC is increasing scrutiny of affiliate and partner email networks, treating plausible deniability as an insufficient defense when a brand benefits commercially from non-compliant affiliate email activity.
FDIC advertising compliance for financial services marketers
The FDIC's updated Part 328 rules addressed a gap that had grown as banking moved digital: the original requirements were written for physical advertising. The updated rule requires the FDIC official digital sign on websites and apps in locations relevant to deposit account customers, mandates clear differentiation between deposit and non-deposit investment products, and clarifies requirements for fintech and BaaS partners offering banking products under a bank's charter.
The core digital signage provisions reached their compliance deadline in May 2025. A revised, less prescriptive version of certain provisions was finalized in early 2026, with a compliance date of April 2027 for those specific elements.
Beyond FDIC-specific rules, CFPB UDAAP authority creates broad exposure for financial marketing that misleads consumers about rates, terms, fees, or product characteristics — advertising a rate that applies only to a narrow subset of customers without adequate disclosure, suppressing material fees while featuring low-fee claims, or using "pre-approved" language for consumers who face additional underwriting.
Cookie consent and pixel compliance across all industries
Washington State's My Health My Data Act (MHMDA), effective 2024, is the most consequential state health privacy law for marketers: it applies to any company collecting "consumer health data," carries a private right of action, prohibits geofencing around healthcare facilities, and defines consumer health data broadly enough to include information inferred from browsing behavior. It covers Washington state residents, which in practice means it reaches any company marketing to consumers nationwide.
The FTC's pixel tracking enforcement theory doesn't require HIPAA applicability. If your privacy policy says you don't share personal information with third parties, and your site runs a Meta Pixel that transmits browsing data to Meta, you have a gap the FTC has demonstrated it will pursue.
Registration and opt-in requirements: what valid consent looks like
For text messages and autodialed calls, TCPA requires a checkbox affirmatively selected by the consumer — not pre-checked — with a disclosure stating the consumer agrees to receive automated marketing texts, identifying who will be sending them, and making clear that consent is not a condition of purchase. The most common failures: bundled consent that simultaneously agrees to terms, privacy policy, and marketing contact in a single checkbox; pre-checked boxes; vague partner disclosures; and purchased leads whose consent flows don't satisfy current TCPA standards for the downstream buyer.
What a marketing compliance audit actually covers
A useful audit starts with the actual marketing stack — every pixel on every page, every opt-in form, every email sequence, every SMS program, every ad platform configuration. The gap between what companies document and what their marketing technology is actually doing is almost always where the exposure is.
The output is a prioritized remediation plan grounded in operational specifics: which pixels need to move server-side, which opt-in forms need new consent language, which email sequences need modified subject lines, which ad claims need substantiation review. Compliance advice that can't be implemented in the actual marketing stack isn't compliance — it's documentation.
For companies in regulated industries, the intersection of marketing compliance and performance marketing is where the real work happens. If you're managing significant marketing spend in a regulated industry, the right time to audit your compliance posture is before a regulator or plaintiff's attorney does it for you. If you're managing a portfolio of companies in regulated verticals, the PE advisory practice extends that oversight across the portfolio. And if you need senior marketing leadership to own the compliance function alongside the growth function, the fractional CMO engagement covers both.
Know where your marketing compliance exposure is before enforcement does. We review your actual stack — pixels, opt-in flows, email programs, ad platforms — and give you a clear, prioritized view of what's at risk and what to fix first.
Bart is the founder of Impaxium, a full-service growth marketing agency. He has managed over $46M in annual ad spend and carried two companies through exits, including a private equity sale at 18× EBITDA. Impaxium's marketing compliance practice serves healthcare, financial services, lead generation, and PE portfolio companies.