6 March 2025

A Look Ahead At The New Administration's Likely Policy Priorities For Cybersecurity And Data Privacy

Kramer Levin Naftalis & Frankel LLP

Contributor

Kramer Levin provides its clients proactive, creative and pragmatic solutions that address today’s most challenging legal issues. The firm is headquartered in New York with offices in Silicon Valley and Washington, DC, and fosters a strong culture of involvement in public and community service. For more information, visit www.kramerlevin.com

Six weeks after President Trump returned to the Oval Office, there remains considerable uncertainty about how his administration will approach privacy and cybersecurity policy. The President has yet to name several top cybersecurity officials, and neither his campaign platform nor The Heritage Foundation's Project 2025, from which the President has distanced himself, provides policy prescriptions.

This makes it difficult to predict whether we can expect the cancellation, continuation, or modification of the prior administration's initiatives, such as President Biden's Jan. 17 executive order, "On Strengthening and Promoting Innovation in the Nation's Cybersecurity" (https://bit.ly/4ibHNev), which has been removed from the White House website but not rescinded.

President Trump's only significant actions in this area since retaking office have involved two independent review boards, the Cyber Safety Review Board (CSRB) and the Privacy and Civil Liberties Oversight Board (PCLOB). The termination (https://bit.ly/3F3Q9GE) of all CSRB members, appointed by the Director of the Cybersecurity and Infrastructure Security Agency (CISA), may slow or halt their investigation into the Salt Typhoon hack (https://bit.ly/3Qu4wqb) of U.S. telecommunications systems.

The dismissal (https://bit.ly/4hMHIhf) of the Democratic members of the PCLOB, which oversees key intelligence programs, may also affect international data transfers. If the PCLOB is seen as incapable of ensuring that U.S. intelligence agencies will respect Europeans' data privacy, pressure may build on their governments to withdraw from the Transatlantic Data Privacy Framework, which could disrupt how and whether American companies do business in Europe.

While the future of both the PCLOB and CSRB remains murky, the view of privacy and cybersecurity policy comes into sharper focus when we look to the new leadership of key agencies.

Federal Trade Commission (FTC)

FTC Commissioner Andrew Ferguson has replaced the previous chair, Lina Khan. President Trump nominated Mark Meador, a Washington, D.C., attorney who was formerly antitrust counsel to Senator Mike Lee of Utah, to fill the vacant spot, creating a Republican majority.

While Meador has not publicly commented much on privacy issues, Ferguson has a long track record. Ferguson has voted in favor of every privacy-related FTC enforcement action. However, he has argued both publicly (https://bit.ly/4hPxzk1) and privately (https://bit.ly/4i8x4S2) that the Democratic majority has overreached by, as he puts it, interpreting the FTC's primary statute as a "comprehensive privacy law."

He has said that the FTC should focus on enforcing existing law rather than expanding its authority through new rulemaking, and should wait for Congress to act on privacy. This may spell the end, for example, of the FTC's proposed Commercial Surveillance and Data Security Rulemaking (https://bit.ly/414nk4e), which would focus on data security, data minimization, and algorithmic accountability.

One partial exception may be the FTC's recent changes (https://bit.ly/3Xe9drT) to the Children's Online Privacy Protection Act (COPPA), also referred to as the COPPA Rule. Proposed in late 2023 and finalized on Jan. 16, 2025, these amendments are pending further review in light of President Trump's regulatory freeze. Given the bipartisan support for stronger privacy protections for minors, however, these COPPA amendments may move forward in modified form.

While Chairman Ferguson voted for these amendments, praising them as "the culmination of a bipartisan effort," he noted "serious problems" the new majority should address: the frequency of parental consent requirements, a prohibition on indefinite personal data retention, and the lack of an exception to facilitate age verification.

By contrast, the FTC is expected to continue enforcing at least two bipartisan priorities. The Protecting Americans' Data from Foreign Adversaries Act prohibits data brokers from sharing Americans' sensitive personal data with Russia, China, North Korea, and Iran, or entities controlled by those countries. Given bipartisan concerns about foreign use of Americans' data, we can expect the FTC to continue enforcement.

The Restoring Online Shoppers' Confidence Act requires subscription-based services to provide clear disclosures of opt-out features, including straightforward cancellation procedures. Considering the FTC's history of unanimous consent in bringing actions under this Act, it will presumably remain a priority.

Securities and Exchange Commission (SEC)

In contrast, the SEC may take a softer line on enforcement. SEC Chair Gary Gensler stepped down on Jan. 20, and President Trump has tapped Paul Atkins, a cryptocurrency lobbyist and former SEC commissioner under President George W. Bush, to replace him. Atkins is notable for his skepticism toward certain enforcement actions.

Current Republican SEC Commissioners have been critical of enforcement actions carried out by the Biden-era SEC against companies that suffered cybersecurity attacks, including an action against software company SolarWinds that was narrowed in federal court last July.

Commissioners Hester Peirce and Mark Uyeda criticized four related SEC actions against other software companies for wrongly focusing on the companies' failure to provide "immaterial details" about cyber incidents, rather than on the actual impacts of such events. Some reporting suggests (https://reut.rs/41r0xB7) that the incoming SEC is likely to focus primarily on corporate misconduct that causes direct investor losses.

Changes to the SEC's cybersecurity reporting obligations are also likely. The SEC's current cybersecurity rule requires in part that the victim of a "material" breach disclose it to the agency within four days of determining that the breach is in fact material, and requires public companies to describe their board of directors' oversight of cybersecurity risks in Form 10-K.

Both sitting Republican commissioners voted against adopting this rule, and it has been criticized as ineffective at providing investors with meaningful information about breaches. While the rule's future is in doubt, there is debate over whether an overhaul or a repeal is more likely.

Cybersecurity and Infrastructure Security Agency (CISA)

Agenda 47, the official platform of the Trump campaign, said little about the Cybersecurity and Infrastructure Security Agency (CISA). Although President Trump has publicly distanced himself from Project 2025, it proposes significantly paring back CISA's mission, especially regarding CISA's efforts to coordinate with social media companies on countering misinformation.

The administration has placed several employees in the agency's Election Security and Resilience division on administrative leave (https://politi.co/3QsSIEE), and additional layoffs are expected (https://politi.co/4gRpoCn).

Meanwhile, Department of Government Efficiency (DOGE) staffers Edward Coristine and Kyle Schutt have joined CISA (https://bit.ly/4i6We3k). Project 2025 also proposed spinning off certain CISA functions to other agencies to "refrain from duplicating" cybersecurity functions, and would move CISA to the Department of Transportation (DOT) while dissolving the Department of Homeland Security (DHS).

President Trump has not yet named a new CISA Director since former Director Jen Easterly stepped down on Jan. 20. The DHS Secretary, former South Dakota Governor Kristi Noem, has been supportive of the cybersecurity industry and promoted efforts to draw the industry to her state.

However, she also took a strong stance against federal cybersecurity grants and, in 2023, South Dakota was the only state not to seek such funding. Notwithstanding President Trump's freeze on federal aid, now on pause (https://reut.rs/3CRpsEx) by a federal judge, it is unclear whether these grants will continue.

CISA also faces divided Republican opinion on Capitol Hill. House Homeland Security Committee Chairman Mark Green (R-Tenn.) has been a strong backer of CISA.

But in the Senate, Homeland Security and Governmental Affairs Committee Chairman Rand Paul (R-Ky.) has fiercely criticized the agency's coordination with social media companies, arguing, as quoted in POLITICO on Oct. 22, 2023 (https://politi.co/4i9gZLF), "CISA has blatantly violated the First Amendment and colluded with Big Tech to censor the speech of ordinary Americans." ("Conservatives Are Increasingly Knives Out for the Nation's Top Cyber Agency," POLITICO, Oct. 22, 2023)

Observers are divided on whether we may see a "strategic pause" in the formulation of new CISA cyber-incident reporting requirements that were to be finalized in October of this year.

Federal privacy legislation

Prospects for comprehensive privacy legislation in this congressional session are unclear. Republicans' so-called "trifecta" should make passage easier than in the preceding divided Congress, though complicated by their razor-thin House majority.

In light of these political factors, any federal privacy bill that does emerge may look more like Texas' privacy law than the American Privacy Rights Act proposed last year, with a stronger focus on data security requirements than on consumer rights and data minimization. Disagreements over a private right of action, like those afforded under California's privacy law, may continue to be a sticking point in Congress.

Progress is more likely in the domain of children's internet privacy. Last summer, the Senate overwhelmingly passed the bipartisan Kids Online Safety and Privacy Act, a two-bill package that would mandate separate privacy protections for teenagers and children under 13.

These protections would include bans on targeted advertising and non-consensual data collection, a revised actual knowledge standard, a data deletion mechanism, stricter privacy-by-default standards, parental controls, risk audits, and the option to opt out of personalized algorithmic recommendations. An amended version approved by the House Committee on Energy and Commerce failed to reach a floor vote.

The House and Senate versions diverged over where to set the standard for knowledge of a minor's website use. The Senate version had an actual knowledge standard for all entities covered by the bill, whereas the House proposed a three-tier system, with different knowledge standards for (1) "high-impact social media companies," (2) other companies with an annual gross revenue exceeding $200 million that collect the personal information of more than 200,000 people, and (3) all other companies. Only time will tell whether Congress will be able to reconcile their versions this year.

Originally published by Westlaw Today.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
