X Corp Should Not Escape FTC Privacy Compliance
EFF and Allies Oppose X’s FTC Petition to Waive Privacy Violation Order
The Electronic Frontier Foundation (EFF) and civil society allies have formally urged the Federal Trade Commission (FTC) to reject X Corp.’s petition to set aside or modify a 2022 order that requires the company to report regularly to the FTC over its user data violations. The order, stemming from a 2011 settlement over user data mismanagement, mandates compliance obligations until 2042. X’s petition argues that restructuring its privacy program justifies lifting the order, but critics call this a strategic attempt to evade accountability.
The Tech TL;DR:
- X’s petition risks undermining FTC-mandated data privacy safeguards.
- AI integration and past breaches highlight ongoing risks of user data exploitation.
- Corporate data practices are increasingly being scrutinized.
The Nut Graf: A Legal and Technical Crossroads
The FTC’s 2022 order updated the expiration of X’s obligations to 2042, following a 2011 settlement over inadequate data protection. The company’s recent petition claims that restructuring its privacy program—now led by “new leadership with a philosophy grounded on privacy”—merits relief. However, the EFF’s rebuttal underscores that FTC consent decrees bind the corporate entity, not individual employees, and that X’s actions since 2022, including AI model training on user data without consent, contradict its assertions.
Why Data Practices Impact Security
The broader implications of X’s data practices align with risks in AI-driven systems. For instance, the company’s 2024 integration of the Grok AI model—trained on user data without meaningful consent—raises concerns about vulnerabilities. Clever attacks on models trained on user data can reveal the data a model was originally trained on. This aligns with the FTC’s original concerns about secondary data use.
Cybersecurity Threat Report: The Blast Radius of X’s Data Practices
X’s argument that its entry into the AI space is a reason to discontinue the oversight ignores the dangers that AI introduces to user data, the same risks that led to the 2022 order. In 2025, X suffered a data breach. The breach underscores the urgency of maintaining security.
The FTC’s orders are not a burden but a safeguard, and X’s petition is a distraction from the real work of securing user data.
— David Sobel, National Consumers League
The Implementation Mandate: Code as Compliance
For enterprise IT teams, the X case highlights the need for data minimization strategies.
The Directory Bridge: IT Triage in Action
With X’s petition pending, enterprise IT departments are accelerating audits of their own data practices.
Why the 2022 Order Matters for AI Governance
The 2022 decree’s renewal was a direct response to X’s 2011 violations, which included failing to secure user data against hackers. The FTC’s $150 million fine was a step toward holding the company accountable. X’s current petition, however, reflects a broader trend of companies leveraging “innovation” as a shield against regulation.