FTC Should Reject X Waiver of Privacy Order
X wants to end a 20 year privacy watchdog now.
X Corp. filed a petition with the Federal Trade Commission on May 15 to set aside or modify a 2022 consent decree that requires the company to report regularly on its handling of user data after violating privacy promises. The filing spotlights a long running dispute over how the platform uses information users provided to secure accounts, such as phone numbers and email addresses, for targeted advertising. The underlying enforcement started with a 2011 settlement after the FTC found that Twitter, now X, failed to protect user data, exposing it to hackers. That earlier case shaped a framework in which the company could not misrepresent its data protection measures, had to implement safeguards, and face ongoing reporting obligations to the FTC for two decades. The 2022 renewal extended those obligations to 2042 and kept the spotlight on how X handles millions of user records, even as the company faces a $150 million penalty for the alleged violations.
The petition has triggered a chorus of privacy advocates who say the order’s long tail matters. The Electronic Frontier Foundation and allies Demand Progress Education Fund, National Consumers League, and the Electronic Privacy Information Center argue in open comments that the FTC should reject X’s bid to roll back the decree or shorten the reporting horizon. Their position rests on the idea that regulatory oversight is a deterrent and a mechanism for accountability that protects users long after any corporate leadership change. The filing notes that the 2011 resolution already required a 20-year reporting cadence and that the 2022 modification broadens governance by embedding ongoing transparency about security posture. Advocates emphasize that twenty years is not just a clock; it is a continuous obligation to prove to users and regulators that privacy controls remain effective as technology and attack methods evolve.
X’s lawyers, for their part, argue that a "new era" of privacy and information security is underway. They point to a revamped program with fresh personnel and a leadership philosophy that places privacy at the core. In their view, the post-2011 restructuring represents a meaningful shift in how the company approaches user data protection, potentially reducing the need for the long running reporting that the decree imposes. The contrast between a renewed privacy program and the demand for long-term oversight is at the heart of the debate, and it is unfolding in the public comment process that accompanies such petitions.
For compliance officers and policy teams, the case underlines a key tension: deadlines versus discretion. The order’s survival through 2042 creates a durable compliance baseline that requires documented governance, clear data handling practices, and verifiable reporting cadence. If the FTC grants any relief, the agency could reframe or reduce the reporting burden, but until then, privacy programs must prepare for ongoing scrutiny, with a risk register that accounts for renewed penalties and public enforcement actions if obligations aren’t met. The FTC’s decision will also shape how other platforms calibrate their “privacy by design” investments versus the costs and complexities of long-term consent decrees. In enforcement terms, the stick remains: continued reporting and regular FTC oversight, with potential penalties if obligations slip. What happens next depends on regulator feedback, public comments, and how the agency weighs the difference between a reorganized privacy program and a legally binding, decades-long surveillance of compliance.
Industry watchers should monitor the FTC’s timetable for ruling on the petition and any accompanying clarifications to the consent decree. A rejection would cement a continued long-term reporting regime, while approval could lead to a renegotiated, possibly shorter, set of obligations. Either path will send a signal about how aggressive the FTC intends to be in tethering large platforms to verifiable privacy protections, and how much risk compliance teams should bake into their planning for the next 5, 10, and 20 years.
- EFF and Allies: X’s FTC Petition to Waive Privacy Violation Order Should be RejectedEFF Updates / Mainstream / Published JUL 02, 2026 / Accessed JUL 07, 2026