The U.S. is rightfully protective of U.S. consumers, and the Federal Trade Commission (FTC) often takes the role of protecting privacy rights through Section 5 of the FTC Act. The linked article highlights such enforcement against a foreign entity and notes that such enforcement was possible because of the target's effect on U.S. commerce.  

Foreign entities that provide products and services to U.S. consumers necessarily have such an effect, but is that itself enough to truly support enforcement?  While a U.S. enforcement body can take action against certain aspects of foreign entities (e.g., banning their products and services from being shipped into/available in the U.S.), it is less likely enforcement could be levied against a foreign entity without that entity having some kind of physical connection to the U.S.  

In the action described in the linked article, the UK entity had a U.S. subsidiary, and it seems likely that this was a key lever in the foreign parent's willingness to agree to sanctions. Without such a U.S.-based affiliate or assets that would necessarily be subject to penalty, seizure, or other U.S. action, U.S. enforcement directly against foreign entities would require cooperation with the entity's home government, a treaty that would enable local enforcement, or some kind of binding international law. The constant hand-wringing over TikTok evidences, among other things, these very limitations.