One hundred days into the new administration, recent developments across multiple US federal agencies reflect a quickly evolving approach to digital governance, with notable shifts in regulatory priorities related to AI, data privacy, and agency operations. Key actions in April span updated privacy protections, refined enforcement strategies, and structural changes across several agencies.
FTC Activity: Commissioner Shake-ups, Enforcement Priorities Solidified, and COPPA Updates
In remarks delivered to the IAPP Global Privacy Summit on April 23, 2025, Commissioner Melissa Holyoak outlined three areas of emphasis for future Federal Trade Commission (FTC) enforcement:
- Cross-border Data Transfers: With trade tensions escalating across the Pacific, Commissioner Holyoak committed to giving increased attention to the sale of sensitive personal data to foreign entities, particularly those deemed to be national security risks. For this, the FTC will use a new tool in its enforcement arsenal, the Protecting Americans' Data from Foreign Adversaries Act (PADFA) — which the Biden Administration passed last year — alongside Executive Order 14117 (Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern), which will be enforced by the Department of Justice (DOJ) under its new rule. (See our client alerts here, here, and here).
- Children's Privacy: The FTC finalized its long-anticipated revisions to the Children's Online Privacy Protection Act (COPPA) Rule. We previously covered the substantive changes resulting from the revisions here. In sum, the updated rule creates a mandatory opt-in parental consent requirement for third-party disclosures, limits for data retention, modified definitions, and enhanced transparency for COPPA Safe Harbor programs. It will become effective on June 23, 2025. Holyoak also described the possibility of future age-verification frameworks in line with Utah's App Store Accountability Act.
- AI and Competition: Future AI-related enforcement is expected to focus on issues involving training data, consent practices, and market competition. Even as Chair Andrew Ferguson pushed back against the FTC's role as an AI regulator, Holyoak suggested that while enforcement will be more selective, particular attention will be given to how data access and transparency affect competitive dynamics in the AI space.
These new priorities come in the wake of significant personnel changes at the FTC. On March 18, 2025, President Donald Trump announced the dismissal of the two remaining Democratic commissioners from the FTC, Rebecca Kelly Slaughter and Alvaro Bedoya, igniting a legal dispute over the limits of presidential authority over independent agencies. The commissioners contend that their removal violates the 1935 Supreme Court precedent set in Humphrey's Executor v. United States, which restricts the president from removing FTC commissioners without cause. They have filed a lawsuit seeking reinstatement, arguing that their terminations undermine the agency's independence. In response, FTC Chair Andrew Ferguson asserted that the president possesses constitutional authority to remove commissioners. The case is currently before Washington, DC, District Judge Loren AliKhan and may ultimately be decided by the Supreme Court.
The same day the dismissals were announced, the FTC removed more than 300 blog posts published during the Biden administration, including several focused on consumer protection and AI compliance. The commission has not issued a formal explanation for the removals, which have prompted questions from stakeholders who had relied on the archived guidance for interpreting FTC positions on data privacy, transparency, and emerging technologies. The status of those opinions and interpretations is now unclear.
Amid this controversy, the US Senate confirmed Mark Meador as the newest FTC commissioner on April 10, 2025. Meador, a Republican and former antitrust counsel to Sen. Mike Lee (R-UT), has extensive experience from previous roles at the FTC and the DOJ. His confirmation restores a Republican quorum to the traditionally five-member commission, which had been left with only two members following the dismissals of Slaughter and Bedoya.
Finally, on April 28, the FTC announced an enforcement action in the AI space. The commission issued a proposed order requiring Workado, a vendor of AI-powered content detection tools, to cease "advertising the accuracy of its artificial intelligence (AI) detection products unless it maintains competent and reliable evidence showing those products are as accurate as claimed." The agency alleged that the company made unsupported claims about the performance of its AI software. Under the order, Workado must provide evidence to support future AI-related marketing statements. The case reflects a continued — though more narrowly focused — effort by the FTC to monitor the accuracy of claims made about AI capabilities.
CFPB Faces Proposed Layoffs and Legal Review
The Consumer Financial Protection Bureau (CFPB) is undergoing significant administrative and internal scrutiny following a plan supported by the Department of Government Efficiency to reduce the agency's workforce by more than 90%. If implemented, the plan would retain a small staff to carry out core functions while scaling back broader enforcement and oversight operations.
This restructuring proposal also has encountered legal challenges. On April 29, a federal appeals court reinstated a temporary block on the layoffs, pending further review. Several groups, including labor unions and local governments, have also filed suits, arguing that the proposed changes exceed executive authority and may undermine statutory protections.
Bulk Sensitive Data, Foreign Controls, and More Agency Shake-ups
Former President Joe Biden signed PADFA into law on April 24, 2024, as part of a broader national security and foreign aid package. The law, which prohibits data brokers from transferring US individuals' sensitive personal data to foreign adversary countries or entities controlled by such countries, took effect on June 23, 2024. Additionally, the DOJ's new rule implementing Executive Order 14117 was finalized on December 27, 2024. This rule, which restricts the transfer of bulk sensitive personal data and US government-related data to countries of concern, became effective on April 8, 2025, with additional provisions for "relevant transactions" going into effect on October 6, 2025. The DOJ has implemented a 90-day grace period (ending July 8, 2025) for organizations to implement changes necessary for compliance with the rule, specified via an Implementation and Enforcement Policy as well as guidance such as a Compliance Guide and FAQs.
Staff reductions at the National Institute of Standards and Technology have raised questions about the agency's future role in setting AI safety and cybersecurity standards. The changes coincide with broader budgetary proposals and a stated goal from President Trump to dismantle the CHIPS and Science Act.
Meanwhile, the Federal Communications Commission has announced the creation of a Council on National Security to coordinate policy responses to national security risks in the telecommunications sector. The council will focus on supply chain issues, vulnerability mitigation, and reducing dependencies on technology integration from foreign adversaries.
OMB Releases AI Governance and Procurement Memos
The Office of Management and Budget (OMB) issued two memoranda in April aimed at strengthening AI policy across federal agencies:
- Memo M-25-21 directs federal agencies to designate a chief AI officer, adopt a risk-based approach to high-impact AI systems, and ensure alignment with privacy, civil rights, and civil liberties protections. The memo emphasizes internal governance, transparency, and responsible deployment. While the Trump administration heralded a dramatic change in AI policy, not least by revoking former President Biden's executive order on AI safety and replacing it with a new executive order promoting AI competitiveness, the OMB memo reflects continuity, largely adopting the principles and frameworks of the former president's OMB.
- Memo M-25-22 updates AI-related federal procurement policies. It encourages the acquisition of American-developed technologies and outlines procedures for managing AI performance and risk throughout procurement life cycles by requiring agencies to track AI performance and manage risk throughout the acquisition process, with a significant emphasis on maximizing American competitiveness in the AI space.
These developments indicate a period of realignment across federal agencies as they respond to emerging technologies, national security concerns, and shifting policy priorities. AI governance, data protection, and institutional structure remain key areas to monitor in the coming months.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
