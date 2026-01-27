This past year saw significant change at the Federal Trade Commission, as Andrew Ferguson was appointed chairman by President Donald Trump...

This past year saw significant change at the Federal Trade Commission, as Andrew Ferguson was appointed chairman by President Donald Trump, replacing Lina Khan, who served as chair during the Biden administration.

Although Chairman Ferguson's tenure began quietly, the year ended with an uptick in FTC enforcement activity. Agency leaders stressed that they have moved away from novel theories under Section 5 of the FTC Act in favor of more established theories under statutes like the Children's Online Privacy Protection Act (COPPA). Despite shifting priorities and approach, the agency has remained active in youth privacy and online safety, AI, and data security. This post highlights key federal privacy enforcement developments in 2025 and expected trends for 2026.

Leadership changes

Ferguson's appointment was one of several major leadership changes. President Trump dismissed Democratic commissioners Rebecca Kelly Slaughter and Alvaro Bedoya in March. Mark Meador was sworn in as a Republican commissioner, and Commissioner Melissa Holyoak resigned in November to become U.S. Attorney for the District of Utah. The FTC, which by statute has five commissioners (no more than three from the same party), now operates with two Republican commissioners.

Enforcement Trends

Youth privacy and online safety. In addition to finalizing amendments to COPPA, the FTC brought several enforcement actions concerning children's privacy and online safety:

Genshin Impact. In the final days of the Biden administration, the FTC announced an enforcement action against Genshin Impact's developers, alleging COPPA violations for promoting the game to children and failing to age gate, provide compliant notice, or obtain parental consent. Section 5 claims included misleading loot box odds and unfair design obscuring real-world spending by minors. The settlement imposed a $20 million penalty, prohibited loot box sales to children under 16 without parental consent, barred loot boxes solely for virtual currency unless players are also given the option to purchase them directly with fiat currency, and required a neutral age gate and deletion of personal information for users under 13 without consent.

AI.In keeping with the White House's position, the FTC has taken a more balanced view than the prior administration toward AI, seeking to ensure that consumers can enjoy its benefits and that the government does not hinder AI innovation in the United States. The current leadership has said it is not looking to "bend the law" to regulate AI but rather, per Chairman Ferguson's testimony before the House Appropriations Committee, aiming for "[c]ircumspect and appropriate enforcement of existing laws to prevent fraudulent conduct ... while ensuring consumers gain the benefit of these new technologies." As a practical matter, this appears to have led to a waning of the FTC's focus on AI safety issues, including on potential discriminatory effects from automated technologies and on the use of personal information for model training. What remains is a primary focus on combatting exaggerated and unsubstantiated claims about the capabilities or efficacy of AI products and services and protecting minors in their interactions with AI. Key examples include:

Limited means and instrumentalities liability. Pursuant to the July 2025 White House AI Action Plan, in December, the FTC on its own initiative issued an order reopening and setting aside the consent order against Rytr LLC just one year after it became effective. Over the dissent of then-Commissioner Ferguson and Commissioner Holyoak, the FTC had alleged that Rytr violated Section 5 of the FTC Act by providing its users the "means and instrumentalities" to generate false and deceptive AI-generated consumer reviews. Specifically, the FTC's complaint alleged that one service offered by Rytr generated reviews with specific details that had no relation to the user's input, so almost certainly would be false for the users who copied them and published them online. Rytr settled the matter, agreeing to a consent order that barred it from advertising, marketing, or selling a "Review or Testimonial Generation Service" for 20 years. In setting aside the order, the Commission reiterated the view expressed by Ferguson's dissent that the complaint did not state a Section 5 violation under a means and instrumentalities theory because the service had both lawful and unlawful potential uses, and because no evidence showed it had actually been put to illegal use as there was no evidence that false reviews generated by the service had ever been published. As to unfairness, the Commission reasoned that the complaint had failed to plead facts that met the standard of Section 5(n) of the FTC Act since "consumers benefit from the invention and availability of new tools, even though almost all tools have both legal and illegal uses."

Data security. The FTC has remained focused on data security, a perennial issue for the agency across administrations. For example:

Illuminate Education. In December, the FTC announced a settlement with education technology provider Illuminate Education to resolve allegations that the company's data security failures led to a data breach affecting the personal information of more than 10 million students. The complaint alleges that in 2021, a hacker used a former employee's credentials to gain unauthorized access to Illuminate's cloud environment, which included students' email and mailing addresses, dates of birth, student records, and health-related information. According to the complaint, the alleged security failures included storing student data in plain text and ignoring warnings from a third-party vendor about vulnerabilities. The FTC also alleges that Illuminate delayed notifying its customers of the breach, with certain school districts not being notified until nearly two years after the breach. The proposed consent order would require Illuminate to implement a comprehensive information security program, and, among other things, establish and publish data retention and deletion policies. This resolution follows a $5.1 million multistate attorney general settlement with the company over the same breach.

What the New Year May Bring

In 2026, we expect to see the FTC continue its heavy focus on youth privacy and online safety, including companion AI chatbots, and evaluating informational injury, possibly enforcing restrictions on data brokers, and potentially expanding its membership. For example:

On January 28, it is hosting a workshop on age verification technologies—picking up on its clear interest in such technologies.

The FTC is also hosting a workshop on measuring injuries and benefits to consumers in the data-driven economy on February 28, which is a follow-up to a similar workshop on informational injury held by the agency in 2017 and subsequent staff perspective on the topic.

Further, the notice and take down provisions of the TAKE IT DOWN Act go into effect on May 19. Given the agency's strong interest in online safety, we expect it will lose no time in using its enforcement authority to investigate businesses it suspects of noncompliance, though we may not see enforcement actions until 2027 or even later.

Similarly, in 2024, the FTC gained enforcement authority under Protecting Americans' Data From Foreign Adversaries Act of 2024 to enforce restrictions on data brokers to "sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available" personally identifiable sensitive data of a U.S. inpidual to a foreign adversary country (China, Russia, Iran, N. Korea) or an entity controlled by a foreign adversary country. We think 2026 could see the FTC's first enforcement action under this law.

Finally, we may see the leadership of the agency expand, as President Trump has nominated Republican David MacNeil to fill the FTC commissioner slot vacated by Melissa Holyoak. MacNeil is the CEO of WeatherTech, a company that manufactures automotive accessories. If confirmed, MacNeil would be rare, but not unprecedented, as someone with a background in business rather than a lawyer or economist, on the Commission.

