← All Publications
May 13, 2025

The Future Of Privacy Enforcement Under Ferguson’s FTC

In this Law360 article, Kandi Parsons explores what privacy enforcement may look like for the Federal Trade Commission under newly appointed Chairman Andrew Ferguson. It includes an unlikeliness for the FTC to engage in privacy-related rulemaking, as Ferguson appears ready to repeal existing regulations. Furthermore, the FTC is expected to take more traditional enforcement action under Section 5 while pursuing fewer individual liability cases, including privacy actions. The article also explains why the commission is less likely to scrutinize artificial intelligence as aggressively as its predecessor, and how companies can make sure they’re well positioned no matter what the FTC’s privacy priorities turn out to be. Please note that this article is paywalled when viewed on the original publisher’s site.

Read the Original Article →

Every presidential administration change draws questions regarding how newly appointed government leaders will affect their respective agencies’ missions. The Federal Trade Commission is no exception. Historically, the agency’s approach to privacy had remained fairly consistent across several administrations.

But when President Joe Biden’s nominee for FTC chair, Lina Khan, took the helm, she took a much more aggressive approach to privacy than several of her predecessors —applying the FTC Act’s unfairness authority broadly in privacy cases, as seen in the FTC’s actions against Mobilewalla, as well as Amazon Alexa;1 scoring record-breaking civil penalties, like those against Epic Games,2 seeking individual liability for companies’ executives, including the CEO of Drizly;3 and undertaking expansive rulemaking and policy efforts like the commercial surveillance rulemaking.4

Many of those actions drew dissents or critical concurrences from her Republican colleagues, including current Chairman Andrew Ferguson, who took the helm in January and was previously a commissioner.

Now, the tables have turned. When President Donald Trump tapped Ferguson to be the commission’s next chair, his leaked pitch to Trump for the job gave prognosticators a blueprint for how he might run the agency. Those materials and his early actions indicate a marked shift from the activist agenda of his predecessor toward a more restrained, traditional approach to privacy enforcement.

The commission under Ferguson’s leadership will likely undertake fewer policymaking initiatives, more traditional interpretations under Section 5 of the FTC Act, a hands-off approach to artificial intelligence and the introduction of new priorities like content moderation. At the same time, he will not likely shy away from prosecuting legal violations in some of the agency’s core areas of focus, including misrepresentations about data, children’s privacy, data brokers and Big Tech.

So, while businesses shouldn’t expect sweeping new regulatory standards, they also shouldn’t relax their privacy compliance efforts — particularly given that state requirements, like transparency obligations, create pathways for the FTC to enforce its existing rules and laws.

Reduction in Privacy Rulemaking Efforts

First, under Ferguson, the FTC is unlikely to engage in significant privacy-related rulemaking unless expressly tasked by Congress, and the commission will let any pending rulemakings expire. Rulemaking was a key priority during Khan’s leadership, but the first item on Ferguson’s agenda in his one-pager is “Repeal burdensome regulations.”5

Previously, in concurring with his colleagues that the agency should seek information regarding how personal data affects pricing, Ferguson noted in his concurring statement that the commission has a role in learning about industry, but “[t]he drain [by the agency] is the incredible volume of rulemaking the majority has undertaken. Many of these rules are unlawful.”6

As such, we are unlikely to see further action on the commercial surveillance and data security rulemaking.7 In fact, even though the agency sought comment on the use of personal data for pricing in mid-January, the ability to comment was closed shortly thereafter, long before the comment period had ended.

More Traditional Enforcement Action Under Section 5

Second, the FTC is unlikely to bring novel privacy enforcement actions or target individuals at large companies. Under prior leadership, the FTC stretched its unfairness authority to classify data like location at certain places as inherently sensitive,8 such as in Mobilewalla in 2024, and allege harms from the mere retention of personal data, as in the 2023 decision in U.S. v. Amazon.com Inc., in the U.S. District Court for the Western District of Washington.9

Ferguson has criticized this approach in his concurring and dissenting statement regarding Gravy Analytics and Mobilewalla, warning that it treats the FTC Act as “a comprehensive privacy law” that “involves tradeoffs that Congress alone should make.”10 In objecting to the commission’s determination of what data was sensitive, and finding brokers’ collection and use of that data unfair, Ferguson noted that the FTC Act provides no guidance: “The list is therefore a purely subjective creation of Commission bureaucrats.”

Instead, he favors using deception authority when companies disclose data without consent. Expect more traditional enforcement focused on misrepresentations or concrete harms. Businesses that want to avoid FTC scrutiny should ensure marketing materials, privacy notices and terms of use are accurate and up to date. In addition, privacy controls should work as described to consumers. Finally, obtaining consumer consent for unanticipated data processing can help reduce privacy risk.

Cases that include individual liability are likely to decrease as well. During her tenure, Khan sought individual liability against company executives in privacy cases like that against Drizly.11 This is common in fraud cases where scam artists frequently start new fraudulent businesses, but has been rare in cases against large, established companies for privacy and data security violations.

The FTC’s Drizly press release suggested the commission found it important to ensure CEOs who move companies will implement appropriate practices in their new organizations.12 Given his more business-friendly posture, Ferguson may be more restrained in seeking individual liability in nonfraud cases, including privacy actions.

Less Scrutiny of AI

Third, the current commission is less likely to scrutinize AI as aggressively as the previous administration. Khan suggested the FTC should cabin AI’s processing of certain sensitive data and warned industry that the FTC would enforce its privacy authority against AI technologies. Comparatively, Ferguson has urged caution on stifling AI innovations.

In dissenting from the FTC’s settlement with Rytr, a generative AI company, Ferguson objected to finding agenerative AI technology as unfair and illegal just because it may be used for fraud.13 Ferguson warned that “it threatens to turn honest innovators into lawbreakers and risks strangling a potentially revolutionary technology.”

Under Ferguson’s leadership, the agency is much less likely to bring actions against innovative technologies like AI for potential unfairness, and instead will likely focus any enforcement on claims about an AI product’s capabilities or misrepresentations on how it uses personal data.

Given the scrutiny will likely be on AI providers’ claims, companies should be transparent about how AI models use data — especially if sensitive data is involved — and avoid overstating their models’ capabilities.

New Priorities

Finally, Ferguson has expressed a clear intent to pursue new priorities, including whether content moderation and deplatforming — what the agency has dubbed “tech censorship” — practices may violate the law. To that end, in February, the commission launched a request for information about how consumers may have been denied services based on their speech.14

It is unclear whether these practices violate the FTC Act, particularly in light of the restraint the chair suggested should be exercised with respect to unfairness, but the commission’s press releases announcing the request for information suggest certain moderation and/or suspension of services may be deceptive or unfair practices.

Companies involved in content hosting or moderation should follow these developments to the extent guidance emerges, review moderation practices to determine how they are applied in light of the FTC’s questions, and prepare for increased scrutiny — though not necessarily enforcement.

Investigations or reporting on this request for information could affect hosting and moderation practices policies, and any public-facing inquiries could have reputational effects.

Conclusion

Notwithstanding the ways new leadership may change the commission’s privacy priorities and approach to cases, Ferguson supported a variety of privacy actions during the previous administration. Ferguson voted for cases alleging violations of the Children’s Online Privacy Protection Act, against data brokers, for deceptive processing of data, for information security failures and more.

Companies should expect the commission to maintain a strong focus on enforcing Section 5 in the privacy area, particularly for deceptive practices, and long-standing privacy rules like COPPA, in the year ahead. Reviewing statements, from policies to controls to marketing, related to data processing and evaluating compliance with bedrock FTC principles and rules will help companies be well positioned during that time.

Kandi Parsons is a shareholder at ZwillGen PLLC. She previously served in the Federal Trade Commission’s Division of Privacy and Identity Protection as a senior staff attorney.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of their employer, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

Reprinted with permission from Law360. Further duplication without permission is prohibited. All rights reserved.

  1. https://www.ftc.gov/news-events/news/press-releases/2024/12/ftc-takes-action- against-mobilewalla-collecting-selling-sensitive-location-data and https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-doj-charge- amazon-violating-childrens-privacy-law-keeping-kids-alexa-voice-recordings-forever ↩︎
  2. https://www.ftc.gov/news-events/news/press-releases/2022/12/fortnite-video-game- maker-epic-games-pay-more-half-billion-dollars-over-ftc-allegations ↩︎
  3. https://www.ftc.gov/news-events/news/press-releases/2022/10/ftc-takes-action- against-drizly-its-ceo-james-cory-rellas-security-failures-exposed-data-25-million ↩︎
  4. https://www.ftc.gov/legal-library/browse/federal-register-notices/commercial- surveillance-data-security-rulemaking ↩︎
  5. https://punchbowl.news/wp-content/uploads/FTC-Commissioner-Andrew-N-Ferguson- Overview.pdf. ↩︎
  6. https://www.ftc.gov/system/files/ftc_gov/pdf/surveillance-pricing-6b-ferguson- concurrence.pdf. ↩︎
  7. https://www.ftc.gov/legal-library/browse/federal-register-notices/commercial- surveillance-data-security-rulemaking. ↩︎
  8. https://www.ftc.gov/news-events/news/press-releases/2025/01/ftc-finalizes-order- prohibiting-gravy-analytics-venntel-selling-sensitive-location-data. ↩︎
  9. https://www.ftc.gov/system/files/ftc_gov/pdf/Amazon-Complaint-%28Dkt.1%29.pdf. ↩︎
  10. https://www.ftc.gov/system/files/ftc_gov/pdf/gravy_-mobilewalla-ferguson- concurrence.pdf. ↩︎
  11. https://www.ftc.gov/news-events/news/press-releases/2022/10/ftc-takes-action- against-drizly-its-ceo-james-cory-rellas-security-failures-exposed-data-25-million. ↩︎
  12. Id. ↩︎
  13. https://www.ftc.gov/system/files/ftc_gov/pdf/ferguson-rytr-statement.pdf. ↩︎
  14. https://www.ftc.gov/news-events/news/press-releases/2025/02/federal-trade-commission-launches-inquiry-tech-censorship. ↩︎
Prev
/
Next
Recent Articles