EFF and Allies Call on FTC to Reject X Corp.'s Petition to Waive 2022 Privacy Consent Order

EFF and Allies Call on FTC to Reject X Corp.'s Petition to Waive 2022 Privacy Consent Order

FTC Should Not Let X Corp. Escape a 2022 Privacy Consent Order

Takeaway: The Electronic Frontier Foundation (EFF) and allied consumer‑privacy organizations have formally asked the Federal Trade Commission (FTC) to reject X Corp.’s petition to modify or terminate a 2022 consent decree, emphasizing that corporate restructuring does not dissolve legally binding privacy obligations.


The 2022 Consent Decree Remains Critical

  • Background: In May 2022, the FTC issued a consent decree against X Corp. (formerly Twitter) for using account‑security data—phone numbers, email addresses—to target ads. The order fined the company $150 million and required regular reporting on data‑security practices.
  • Scope: The decree is a renewal of a 2011 settlement that barred the company from misrepresenting its data‑protection measures and mandated twenty‑year reporting obligations, now extended to 2042.
  • Petition: On May 15, X Corp. filed a petition to “set aside or modify” the order, arguing that its new privacy program and AI ambitions render the decree obsolete.
  • EFF Position: The EFF, together with Demand Progress Education Fund, the National Consumers League, and EPIC, filed a joint letter urging the FTC to reject the petition, noting that the decree binds the corporate entity, not individual employees.

Corporate Restructuring Does Not Nullify Legal Obligations

  • X’s Claim: The company asserts that a “new privacy and information security program” staffed by new personnel justifies lifting the order.
  • Counterargument: Legal precedent holds that FTC orders attach to the corporate entity itself; they survive leadership changes and rebranding.
  • Evidence of Ongoing Issues:
    • In 2024, X quietly integrated its AI model Grok and trained it on user data without meaningful consent.
    • A massive data breach in 2025 exposed millions of user records.
  • Conclusion: These incidents demonstrate that X’s privacy practices have not fundamentally changed, undermining its request for relief.

AI Development Is Not a Reason to Abandon Oversight

  • X’s Rationale: The petition argues that maintaining the order “diverts engineering resources from innovation to compliance paperwork” and hinders U.S. AI leadership.
  • Risk Highlighted by EFF: AI models trained on user data create new vectors for secondary‑use violations. Attackers can craft prompts to extract training data, potentially exposing private information.
  • Policy Implication: Rather than waiving oversight, robust compliance is essential to mitigate AI‑related privacy risks.

Financial Burden Argument Is Unfounded

  • X’s Assertion: The company claims the consent decree imposes an undue financial burden.
  • EFF Rebuttal: The compliance cost is a “rounding error” compared to X’s $200 billion valuation after the xAI merger, indicating the burden is negligible.

Call to Action for the FTC

  • Letter Summary: The joint response debunks X’s claims, reiterates the importance of continued oversight, and urges the FTC to reject the petition.
  • Broader Impact: Upholding the decree reinforces accountability for large platforms that handle sensitive user data, setting a precedent for future privacy enforcement.

Bottom line: The EFF and its partners argue that X Corp.’s name change, leadership turnover, and AI ambitions do not merit dissolving a consent decree that safeguards millions of users’ privacy. The FTC is urged to deny the petition and maintain the existing oversight framework.

Sources