Jul 08, 2026 · 6 min read
X Corp Asks FTC to Vacate Its 2022 $150M Privacy Order
X Corp filed its petition May 15, 2026. A 30 day comment window closed July 2, after fifteen advocacy groups and a dozen state attorneys general split over whether the order, which runs through 2042, should survive.
Elon Musk's X Corp has asked the Federal Trade Commission to tear up one of the most consequential privacy settlements of the last decade. On May 15, 2026, the company petitioned the FTC to set aside, or sharply shorten, the 2022 order that fined Twitter $150 million for repurposing phone numbers and email addresses users had handed over for two factor authentication into targeted advertising data. The FTC's public comment window closed July 2, 2026, after fifteen privacy groups and a coalition of state attorneys general staked out opposite positions. What happens next decides something bigger than X Corp's compliance bill: whether a privacy promise made under one set of owners survives once the ownership, the personnel, and the political mood in Washington all change.
Key Takeaways
- X Corp filed a petition with the FTC on May 15, 2026, asking the agency to set aside or modify the 2022 consent order that fined Twitter $150 million for misusing two factor authentication data in ad targeting.
- The FTC opened a 30 day comment period from June 3 to July 2, 2026 under docket FTC-2026-0727, before the Commission votes on the petition.
- Fifteen advocacy groups, including the Electronic Frontier Foundation, the Electronic Privacy Information Center, and the Consumer Federation of America, urged the FTC to reject what they called X Corp's "brazen attempt to escape accountability at the expense of the American people."
- A coalition of roughly a dozen state attorneys general, led by Iowa, backed the petition, arguing the order was used to scrutinize speech unrelated to privacy.
- The 2022 order extends FTC oversight of X's data practices through 2042; X Corp says compliance now costs close to $17 million a year and diverts engineering resources from AI development.
What Is X Corp Asking the FTC to Do?
X Corp wants the FTC to terminate the 2022 order roughly sixteen years before its scheduled 2042 expiration, or at minimum modify it to end by the close of 2026. The petition does not dispute that Twitter violated an earlier FTC order by misusing security data for advertising. Instead, it argues that enforcing the order no longer serves the public interest, invoking the FTC's own rule for reopening final orders, which requires a significant change in fact or law, with the burden of proof on the party seeking relief. The FTC's own announcement treats this as a genuine open question: the Commission's five members must now vote on whether X Corp has met that bar, and if so, whether to grant the petition outright or negotiate a narrower modification.
Why Does This Consent Order Exist?
The order traces back further than the 2022 fine. In 2011, the FTC issued its first privacy order against Twitter, Docket No. C 4316, after the company said users could keep tweets private and send secure direct messages while lacking the safeguards to back that up. Twitter violated that order over the next decade, the FTC alleged, by collecting phone numbers and emails from more than 140 million users for account security, then feeding that data into its ad system so marketers could target users by phone number and email.
In May 2022, the FTC and the Justice Department settled the case for $150 million and layered a stricter order on top: a mandatory privacy program, biennial third party assessments, restrictions on employee data access, and a ban on profiting from data collected under false pretenses. That order runs through 2042.
What Does X Corp Say Has Changed?
X Corp's petition leans on five points. The entity that committed the violations, pre Musk era Twitter, no longer exists after the 2022 acquisition and later restructuring. Every individual responsible for the conduct has left the company. X Corp says it has since built a "world class" privacy program, making the order redundant. It puts a number on the burden, close to $17 million a year in compliance costs that it says pulls engineering time from AI products, tying the argument to American AI leadership. And it argues a standing order gives future FTC leadership a tool to pressure the platform over the viewpoints it hosts, framing termination as a First Amendment safeguard.
Who Supports the Petition, and Who Is Fighting It?
The fight has split along predictable lines, with an unusual wrinkle. Fifteen advocacy groups, including EFF, the Electronic Privacy Information Center, the Consumer Federation of America, Public Citizen, the Demand Progress Education Fund, and the National Consumers League, filed a joint comment arguing the order should stay in force until 2042. Their legal point: obligations attach to the corporate entity, not whichever executives happen to be employed at a given moment, so a leadership change is not the changed circumstance the standard requires. They also argue X's push into AI makes stronger oversight more urgent, since training models on user data opens new avenues for the same secondary use the order was meant to stop. On the other side, roughly a dozen state attorneys general led by Iowa backed termination, arguing the order has been used to scrutinize content moderation unrelated to data security.
What Happens if the FTC Grants the Petition?
If the Commission agrees, X Corp becomes free of FTC monitored privacy audits nearly two decades early, and the case becomes the clearest precedent yet that a consent order is not a permanent floor. Every company living under an FTC privacy order would gain a template: change ownership, replace the executives named in the complaint, and argue that compliance costs conflict with a national priority like AI competitiveness. Purpose limitation, the principle that data collected for one stated reason cannot quietly be reused for another, is the promise this order enforces, the same principle behind GM's $12.75 million fine for selling OnStar driving data to insurers and the FTC's order banning Kochava from selling location data pulled from phones. If that promise can be voided through a corporate reshuffle, it changes what any privacy settlement is worth to the people it is meant to protect.
A Test Case for Every Company Under a Consent Order
For compliance officers managing long duration settlements, whether an FTC order, a state agreement, or an action like the FTC's order barring OkCupid from misrepresenting how it shares user data, this petition is worth tracking regardless of outcome. Two things are worth doing now: audit whether your own consent decree obligations are written to survive a change in ownership, since X Corp's argument assumes they might not be, and treat "we built a new privacy program" as a claim regulators will test against the order's specific terms, not a good faith defense, since the FTC's framework requires proof of changed circumstances, not just improved intentions.
Whatever the FTC decides, the petition has already put the durability of consent orders on record as an open legal question rather than a settled assumption. Companies signing multi decade privacy commitments, and the regulators drafting them, are now watching a live test of whether those commitments outlast the people who signed them.
Sources: Federal Trade Commission press release, Electronic Frontier Foundation, and MediaPost.