Critics Urge FTC to Maintain Strict Data Privacy Order on X

Critics hope to keep Elon Musk from escaping a strict data-privacy order imposed by the Federal Trade Commission (FTC) shortly before he took over Twitter.

The FTC order placed restrictions on X’s data use for 20 years, while requiring regular independent audits and granting the agency authority to request documents as needed to ensure compliance.

The FTC’s action came after Twitter voluntarily disclosed that between May 2013 and September 2019, a coding error accidentally allowed phone numbers and email addresses that users shared for two-factor authentication purposes to be used for targeted advertising aimed at those same users. In a settlement that came just months before Musk’s 2022 takeover, Twitter agreed to pay $150 million and to allow the FTC to monitor the platform’s data-handling practices until 2042 in order to protect user privacy.

Musk tried and failed to get the order revoked in 2023. At that time, Musk accused the FTC of aggressively increasing the number of investigative demands. He claimed that the order was improper and should be terminated because the agency was “tainted by bias.”

In response, the FTC pointed out that Musk’s takeover of Twitter raised genuine questions about the company’s ability to comply with the order, particularly after he terminated key staff who for years had ensured compliance. One engineer confirmed in a deposition that layoffs and other “cost-cutting pressure and decisions” impaired X’s ability to “put technical restrictions and controls in place… around the company’s use of contact data to make sure that it was being used… for the purpose that the particular contact data was collected,” the agency’s filing said.

“No one was responsible for about 37 percent of X Corp.’s privacy program controls,” the FTC argued.

Also raising red flags for the FCC were Musk’s demands that journalists get access to internal systems for the “Twitter Files”, as well as a text from Musk insisting that an executive assistant get access to systems “immediately,” threatening that “anybody standing in the way” would “be fired.” In 2024, the agency claimed that X security staff sometimes had to pointedly disobey Musk in order to remain in compliance. As Twitter’s functionality became spotty through steep layoffs, the FTC argued that it had “every reason to seek information about whether these developments signaled a lapse in X Corp.’s compliance.”

Musk lost his previous lawsuit after the court found it had no authority to amend or end the FTC’s order. Musk is trying again with new arguments, complaining in a May petition to the FTC that they should set aside the order “without delay.”

According to Musk, the FTC should stop its monitoring because Twitter no longer exists, as X was merged into xAI, and then xAI was folded into SpaceX. Musk also argues that since none of the leadership or engineers responsible for the two-factor authentication error remain at the company, and “X has since built a world-class privacy and data-protection program” that protects consumers, the FTC doesn’t have to intervene anymore.

The company further argued that it has paid $17 million in “needless costs,” since a lawsuit over the same two-factor authentication issue ended with a verdict in Twitter’s favor. If a court found that Twitter’s privacy policy adequately informed users that their contact info might be used for ad targeting, then the FTC should not be able to continue punishing X for that behavior, Musk argued.

“The factual foundation of the FTC’s complaint has been dismantled,” X says. “And the Order’s staggering costs—imposed on both the Company and on the Commission itself are unjustifiable.”

As X sees it, the order also requires the company to duplicate compliance efforts, because X already must take extra precautions with data to comply with laws like the European Union’s General Data Protection Regulation (GDPR).

Finally, X raised two other claims to justify tossing the order. First, X claimed that allowing the FTC to maintain the order would chill speech on X, because it supposedly “creates a permanent mechanism through which future regulators can pressure the Company over the viewpoints it hosts.”

And second, X argued that Donald Trump’s AI Action Plan requires government agencies to drop orders such as this one. Since X is “at the center of a family of companies—including xAI—that are at the forefront of America’s AI ambitions,” the FTC risks running afoul of Trump’s decree to eliminate unnecessary bureaucracy, if the agency’s order keeps on diverting X “engineering resources from innovation to compliance paperwork,” the petition says.

Musk wants the order either dropped immediately or by the end of this year, as he says X will face another year of compliance costs.

First commenters agree: Deny X’s petition

On Wednesday, the FTC posted an update, seeking public comments on X’s petition to end the strict data privacy monitoring. Stakeholders have until July 2 to weigh in here, after which the agency will make its determination.

Only a little more than a dozen comments have been submitted so far, the majority anonymously urging the FTC to deny X’s petition.

Mostly, commenters agreed that Musk should be stuck complying with the order. They suggested that he knew about the order prior to purchasing Twitter and that the compliance costs he references are proportionate to the scale of the violation, particularly considering X’s one-time $44 billion valuation. Seemingly poking fun at Musk’s failed attempt to back out of buying Twitter, one joked, “buyer beware.” Another trolled Musk by suggesting that he find the $17 million for next year’s compliance costs by cueing up some DOGE-like cuts to save X money.

Some commenters suggested that rather than dismiss the order, the agency should intensify its efforts to probe X’s current data handling practices.

“I do not trust that Elon and the X team won’t eventually do the exact same thing or worse. It should stay or become more strict,” an anonymous commenter wrote.

Another insisted that X can’t be trusted to handle user privacy, writing that “without the standards set by the FTC, Twitter could roll back their privacy measures for the sake of cost cutting without any consequence.” Others agreed Musk’s track record didn’t seem great, with one noting that his efforts leading DOGE may have violated the Privacy Act.

As of this writing, only one commenter supported X’s petition, but they seemed more interested in criticizing the FTC than backing X’s claims, anonymously alleging to have been targeted by similar agency overreach.

Not everyone submitted anonymously. One of the first commenters, Amanda Collins, wrote that Musk’s relationship with the Trump administration should not influence the decision. She urged the FTC to continue to “operate from a position of protecting the American public and not shielding oligarchs from consequences.”

The most substantive comment so far came from William Pate II, who argued that X’s merger should not be a reason to drop the order. Rather, the FTC’s monitoring of X data handling only becomes more critical, since the combined entity likely has “strong commercial incentives to train AI on user data.”

That “makes the order’s privacy review requirements more relevant, not less,” Pate wrote.

Pate also suggested that the FTC should consider two post-acquisition data breaches by X: 200 million records in 2023 and 2.8 billion profiles in 2025. Those breaches do not suggest that X gets a gold star for data privacy, the commenter suggested, while also shooting down X’s claims about its GDPR compliance efforts ensuring consumer protection.

“The Irish Data Protection Commission’s 2024 formal inquiry into X Corp.’s use of user data to train the Grok AI model without adequate consent” is “evidence that X Corp. does not treat existing regulatory frameworks as self-executing” and undermines X’s GDPR claims, Pate suggested.

“The order runs through 2042 because the Commission concluded that a repeat offender required sustained oversight,” Pate wrote. “X Corp. is four years into that period. Nothing in the petition establishes that the concerns underlying that judgment have been resolved.”

To defeat the order, X will likely first have to show that the order’s safeguards are either unworkable or contrary to the public interest, and then that there’s no other way to remedy alleged harms than to terminate it.

Last time that Musk tried, the FTC held firm, arguing that Musk was seeking to terminate the order because he was “hoping to limit the FTC’s investigation into alarming developments related to its data privacy and security practice.”