Privacy Law Recap 2025—FTC Enforcement

Perkins on Privacy

This past year saw significant change at the Federal Trade Commission, as Andrew Ferguson was appointed chairman by President Donald Trump, replacing Lina Khan, who served as chair during the Biden administration. 

Although Chairman Ferguson’s tenure began quietly, the year ended with an uptick in FTC enforcement activity. Agency leaders stressed that they have moved away from novel theories under Section 5 of the FTC Act in favor of more established theories under statutes like the Children’s Online Privacy Protection Act (COPPA). Despite shifting priorities and approach, the agency has remained active in youth privacy and online safety, AI, and data security. This post highlights key federal privacy enforcement developments in 2025 and expected trends for 2026.

Leadership changes

Ferguson’s appointment was one of several major leadership changes. President Trump dismissed Democratic commissioners Rebecca Kelly Slaughter and Alvaro Bedoya in March. Mark Meador was sworn in as a Republican commissioner, and Commissioner Melissa Holyoak resigned in November to become U.S. Attorney for the District of Utah. The FTC, which by statute has five commissioners (no more than three from the same party), now operates with two Republican commissioners.

Enforcement Trends

Youth privacy and online safety. In addition to finalizing amendments to COPPA, the FTC brought several enforcement actions concerning children’s privacy and online safety: 

  • Genshin Impact. In the final days of the Biden administration, the FTC announced an enforcement action against Genshin Impact’s developers, alleging COPPA violations for promoting the game to children and failing to age gate, provide compliant notice, or obtain parental consent. Section 5 claims included misleading loot box odds and unfair design obscuring real-world spending by minors. The settlement imposed a $20 million penalty, prohibited loot box sales to children under 16 without parental consent, barred loot boxes solely for virtual currency unless players are also given the option to purchase them directly with fiat currency, and required a neutral age gate and deletion of personal information for users under 13 without consent.
  • Disney. In September, the FTC brought a complaint against Disney alleging that it published child-directed videos on YouTube channels designated as “Not Made for Kids,” causing children’s personal information to be collected and used without the verifiable parental consent required by COPPA. To resolve the FTC’s allegations, Disney agreed to pay a $10 million civil penalty and institute an “Audience Designation Program” under which it must review and designate each video it posts to YouTube as “Not Made for Kids” or “Made for Kids.”
  • Sendit. In September, the FTC sued the operators of Sendit, an anonymous messaging app integrated with social media platforms. According to the complaint, Sendit collected users’ birthdates (indicating some users were under 13) without COPPA-mandated parental consent. The complaint also alleges the defendants violated Section 5 by sending fabricated messages to drive engagement and misrepresented paid features. The FTC further alleges violations of the Restore Online Shoppers’ Confidence Act based on inadequate disclosure of recurring subscription charges. The case is pending in the Central District of California.
  • Apitor. The FTC filed a complaint against China-based Apitor Technology Co. for COPPA violations arising from the collection of children’s geolocation data via a mobile app requiring location permissions. Apitor integrated a third-party SDK allowing a Chinese analytics provider to collect geolocation data without the requisite COPPA notice and parental consent. To resolve the matter, Apitor agreed to a $500,000 civil penalty (suspended for inability to pay) and injunctive relief requiring parental notice and consent, limits on data retention, and deletion of children’s information upon request.
  • Aylo. In another case brought in a busy September, in a joint action with Utah, the FTC alleged that the Aylo Group Ltd. failed to prevent posting and dissemination of child sexual abuse material (CSAM) and nonconsensual material (NCM) on adult-content sites. The complaint alleged lack of age, identity, or consent verification and failure to address CSAM and NCM. The stipulated order requires a comprehensive compliance program, executive oversight, documented controls, annual risk assessments, and pre-publication age and identity verification.
  • AI chatbot industry study. The FTC also launched an industry study in September in which it is seeking information from seven companies about the impact of AI chatbot companions on children and teens. The study seeks a wide variety of information about subjects such as how businesses that offer AI companions monetize user engagement; process user inputs; test and monitor for negative effects pre- and post-deployment; implement data collection and handling; and monitor and enforce rules, terms, and policies.

AI. In keeping with the White House’s position, the FTC has taken a more balanced view than the prior administration toward AI, seeking to ensure that consumers can enjoy its benefits and that the government does not hinder AI innovation in the United States. The current leadership has said it is not looking to “bend the law” to regulate AI but rather, per Chairman Ferguson’s testimony before the House Appropriations Committee, aiming for “[c]ircumspect and appropriate enforcement of existing laws to prevent fraudulent conduct ... while ensuring consumers gain the benefit of these new technologies.” As a practical matter, this appears to have led to a waning of the FTC’s focus on AI safety issues, including on potential discriminatory effects from automated technologies and on the use of personal information for model training. What remains is a primary focus on combatting exaggerated and unsubstantiated claims about the capabilities or efficacy of AI products and services and protecting minors in their interactions with AI. Key examples include: 

  • Limited means and instrumentalities liability. Pursuant to the July 2025 White House AI Action Plan, in December, the FTC on its own initiative issued an order reopening and setting aside the consent order against Rytr LLC just one year after it became effective. Over the dissent of then-Commissioner Ferguson and Commissioner Holyoak, the FTC had alleged that Rytr violated Section 5 of the FTC Act by providing its users the “means and instrumentalities” to generate false and deceptive AI-generated consumer reviews. Specifically, the FTC’s complaint alleged that one service offered by Rytr generated reviews with specific details that had no relation to the user’s input, so almost certainly would be false for the users who copied them and published them online. Rytr settled the matter, agreeing to a consent order that barred it from advertising, marketing, or selling a “Review or Testimonial Generation Service” for 20 years. In setting aside the order, the Commission reiterated the view expressed by Ferguson’s dissent that the complaint did not state a Section 5 violation under a means and instrumentalities theory because the service had both lawful and unlawful potential uses, and because no evidence showed it had actually been put to illegal use as there was no evidence that false reviews generated by the service had ever been published. As to unfairness, the Commission reasoned that the complaint had failed to plead facts that met the standard of Section 5(n) of the FTC Act since “consumers benefit from the invention and availability of new tools, even though almost all tools have both legal and illegal uses.”
  • AI washing. FTC enforcement under Chairman Ferguson has remained focused on misleading and unsubstantiated representations by developers about the capabilities and effectiveness of their AI products and services—often referred to as “AI washing.” For example, in a complaint filed in August against Air AI, the FTC alleged the company “deceptively marketed and sold a series of products and services aimed at entrepreneurs and small businesses,” which included “conversational AI technology” that was claimed to be capable of replacing, and better than, full-time human sales agents because the technology required no ramp-up time or management. The FTC claims that for some purchasers, this conversational AI was either unavailable or “faulty” with basic tasks such as making calls, scheduling, recording emails, or answering questions accurately. The FTC addressed similar claims about the capability of AI-powered goods and services in complaints against Click Profit, LLC (filed in March) and AccessiBe Inc. (filed in April).

Data security. The FTC has remained focused on data security, a perennial issue for the agency across administrations. For example:

  • Illuminate Education. In December, the FTC announced a settlement with education technology provider Illuminate Education to resolve allegations that the company’s data security failures led to a data breach affecting the personal information of more than 10 million students. The complaint alleges that in 2021, a hacker used a former employee’s credentials to gain unauthorized access to Illuminate’s cloud environment, which included students’ email and mailing addresses, dates of birth, student records, and health-related information. According to the complaint, the alleged security failures included storing student data in plain text and ignoring warnings from a third-party vendor about vulnerabilities. The FTC also alleges that Illuminate delayed notifying its customers of the breach, with certain school districts not being notified until nearly two years after the breach. The proposed consent order would require Illuminate to implement a comprehensive information security program, and, among other things, establish and publish data retention and deletion policies. This resolution follows a $5.1 million multistate attorney general settlement with the company over the same breach.
  • Illusory Systems. In December, the FTC announced a complaint and order against Illusory Systems, Inc., d/b/a Nomad, a cross-chain asset bridging protocol, for a security vulnerability exploited by hackers, resulting in more than $100 million in losses to consumers. The FTC alleged lack of reasonable security measures, including inadequate code testing and incident response. Under the settlement, Nomad must implement a comprehensive security program and biennial assessments and return recovered money to affected consumers.
  • GoDaddy. The FTC finalized a complaint and order against GoDaddy, settling allegations that the webhosting provider failed to implement reasonable security measures, leading to data breaches, as well as misrepresenting its security and compliance with EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. The order requires a comprehensive security program and prohibits misrepresentations about security and compliance.

What the New Year May Bring

In 2026, we expect the FTC to continue its heavy focus on youth privacy and online safety, including companion AI chatbots; to evaluate informational injury; possibly to enforce restrictions on data brokers; and potentially to expand its membership. For example:

  • On January 28, it is hosting a workshop on age verification technologies—picking up on its clear interest in such technologies.
  • The FTC is also hosting a workshop on measuring injuries and benefits to consumers in the data-driven economy on February 28, which is a follow-up to a similar workshop on informational injury held by the agency in 2017 and subsequent staff perspective on the topic.
  • Further, the notice and take down provisions of the TAKE IT DOWN Act go into effect on May 19. Given the agency’s strong interest in online safety, we expect it will lose no time in using its enforcement authority to investigate businesses it suspects of noncompliance, though we may not see enforcement actions until 2027 or even later.
  • Similarly, in 2024, the FTC gained authority under the Protecting Americans’ Data From Foreign Adversaries Act of 2024 to enforce restrictions on data brokers’ ability to “sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available” personally identifiable sensitive data of a U.S. individual to a foreign adversary country (China, Russia, Iran, North Korea) or an entity controlled by a foreign adversary country. We think 2026 could see the FTC’s first enforcement action under this law.
  • Finally, we may see the leadership of the agency expand, as President Trump has nominated Republican David MacNeil to fill the FTC commissioner slot vacated by Melissa Holyoak. MacNeil is the CEO of WeatherTech, a company that manufactures automotive accessories. If confirmed, MacNeil would be a rare, but not unprecedented, commissioner with a background in business rather than as a lawyer or economist.

This post is part of a series recapping privacy law developments in 2025. Please see the following posts for additional recaps of developments in 2025:

Privacy Law Recap 2025—State Comprehensive Consumer Privacy Laws

Privacy Law Recap 2025—Data Security

Privacy and Data Security Recap 2025—National Security

Authors

Partner
EEarl@perkinscoie.com
206.359.8510

Partner
JKestenbaum@perkinscoie.com

Counsel
AHaberman@perkinscoie.com
202.654.6246

Associate
CKress@perkinscoie.com
202.654.1760
