Through the Department of Commerce, they created something called the “safe harbour” arrangement. Companies voluntarily enter it, and when they do so, they declare that they will abide by a set of privacy rules. Because they're declaring that, they are subject to the Federal Trade Commission Act, which prevents misleading and deceptive advertising. If you say that you adhere to the safe harbour rules and you don't, then the Federal Trade Commission has the power to investigate you and charge you. There are very substantive penalties for companies that breach their declared statements about privacy.
On February 6th, 2007. See this statement in context.