Back to Blog
· Robert Bergman

The FTC Is Loading Its Docket: What Ferguson's Signals Mean for Your PII

FTCprivacyenforcementFergusonCOPPAdata brokersPIIcompliance

Andrew N. Ferguson, chairman of the Federal Trade Commission, recently sent a signal that is becoming increasingly difficult to ignore. During a June 18 interview, he suggested that the FTC is preparing for a significant increase in data privacy enforcement actions during the second half of the year. While speaking with Mlex news service, he remarked that journalists covering the agency may struggle to keep pace with the volume of cases expected to arrive. That is a striking statement, although in some ways it simply reflects what many observers have already sensed.

For most of this year, the FTC has not been nearly as active in privacy enforcement as state regulators in places such as Texas and California. Now Ferguson argues that this period may be ending. He also connected future enforcement capacity to the proposed SECURE Data Act. If Congress approves the measure, the agency could expand staffing levels and computing resources, allowing it to assume a larger role in privacy oversight.

A Quieter Approach to Policy, No Retreat on Enforcement

At an oversight hearing in April, Ferguson described the FTC not as a broad economic regulator but as a law enforcement body responsible for protecting competition and addressing deceptive conduct. On privacy matters, he acknowledged that Section 5 continues to serve as a practical tool for data security and deception cases. Yet he also argued that it is not perfectly suited for today’s data economy. Maybe “workhorse” is the right word, maybe it is not. Either way, his position was clear enough. Congress, he said, should continue pursuing a national privacy framework.

Analysts tracking the agency have noticed a broader shift. Novel legal theories under Section 5 appear less prominent than before. Instead, enforcement efforts increasingly rely on established statutory authorities such as COPPA. The result is a somewhat paradoxical picture. Less policymaking in some respects, but no real retreat from enforcement. Cases involving misleading data practices, children’s privacy, data brokers, and major technology firms remain very much alive.

The 2026 Enforcement Actions

Several enforcement actions in 2026 illustrate this pattern.

  • On May 4, the FTC moved against Kochava and a subsidiary, seeking to prohibit the sale of sensitive location information. The agency alleged that location data associated with millions of mobile devices had been sold.
  • On March 30, action was taken against Match and OkCupid. The allegation centered on deceptive practices involving the sharing of personal information with a third party.
  • Then, on May 21, Cox Media Group and two additional companies agreed to pay nearly $1 million to resolve allegations connected to an AI-powered marketing service marketed as capable of “active listening.” The phrase itself almost sounds like science fiction, although regulators viewed the representations much less romantically.
  • June 5 brought final approval of an order resolving claims that Illuminate failed to adequately secure students’ personal information.
  • Earlier in the year, on February 26, Walmart agreed to a $100 million judgment addressing FTC and state allegations concerning deceptive earnings claims related to the Spark Driver delivery program.
  • Meanwhile, X Corp. remains in the spotlight. On June 3, the FTC sought public comment regarding the company’s petition to modify or set aside the existing order that originated during Twitter’s earlier operations.

New Statutory Pressure

Two statutory developments this spring have also widened the enforcement landscape.

The TAKE IT DOWN Act became enforceable on May 19. Prior to that date, Ferguson sent letters to more than a dozen prominent technology companies, reminding them of their compliance obligations. Warning letters followed the next day. The sequence was hard to miss.

Separately, amendments to COPPA require demonstrable compliance by April 22, 2026. On the data broker front, the FTC issued a reminder on February 9 regarding obligations under PADFAA, the Protecting Americans’ Data From Foreign Adversaries Act.

What This Means for Compliance Teams

For compliance teams, the practical message remains consistent, even if the regulatory environment occasionally feels like weather changing direction without warning. Organizations should verify pricing transparency practices and algorithmic pricing disclosures. AI-related marketing claims deserve scrutiny as well. Safeguards for minors continue to receive intense attention, and companies should confirm that their public statements regarding data security accurately reflect operational reality.

Children’s privacy is repeatedly identified as perhaps the highest federal priority heading into the latter part of the year. That conclusion appears again and again in legal analyses, which is unusual because analysts rarely agree on everything.

Two Themes to Watch

There are two themes that stand out.

  • The first involves data brokers and location data.
  • The second centers on PII compliance.

The FTC increasingly appears focused on whether organizations’ actual practices align with their representations regarding the collection, use, retention, sharing, and protection of personal information. If you’d rather not become a cautionary tale about what happens when your PII practices don’t quite match your privacy policy, look at what we built. PII Anomalyzer finds, redacts, and anonymizes the personal information buried in your documents, right on your own machine, before those documents wander off somewhere they shouldn’t. Consider it insurance against a problem you’d rather not explain to a regulator.