The U.S. Federal Trade Commission has long been a cornerstone in safeguarding consumer privacy, and outgoing Chair Lina Khan demonstrated a strong appetite for protecting consumer data privacy rights and pursuing companies that violate privacy laws.
President Donald Trump's 20 Jan. designation of Andrew Ferguson as FTC chair and nomination of Mark Meador as commissioner marks a new chapter for the agency, with uncertainty around whether it will remain as committed to privacy enforcement activity as it has been for the last four years.
It's clear the American Privacy Rights Act, the latest bipartisan effort at federal privacy legislation, won't make it over the finish line in its current form. Experts predict a different, potentially weaker, version of the bill could eventually pass, and more targeted bills might emerge that address specific areas of concern, like child privacy.
But, as with prior efforts to pass comprehensive federal privacy legislation, the APRA was stymied by a partisan fight over whether to include a right for individuals to sue companies that violate the privacy law and by questions over whether the federal law should fully preempt all existing state laws.
In this moment of uncertainty, there's also opportunity. Chief privacy officers and privacy leaders can, and should, step up and continue championing consumer data protection, even as federal legislators continue to drag their feet.
A shifting privacy landscape
It's likely the FTC will take a less aggressive stance on enforcement activity, which could create a vacuum in an already fragmented privacy landscape.
In the absence of strong federal oversight, state laws like the California Consumer Privacy Act and the Maryland Online Data Privacy Act have risen to fill the gap, and Texas is setting an example of strong privacy enforcement. But the resulting patchwork of requirements results in complex compliance challenges.
For businesses operating nationwide, a lack of a federal standard cannot be a cue for complacency. It should be a call to action.
The stakes for businesses and consumers
Trust is the currency of the digital age. Companies that cut corners on privacy protections risk alienating customers and damaging their reputations, as we've seen with recent data breaches from companies like Dell and Okta.
The anticipated decrease in enforcement may tempt some to deprioritize privacy investments, but this approach is shortsighted. It's become clear consumers are more educated about their rights than ever before, more skeptical of companies' privacy platitudes and more willing to hold businesses accountable.
The moral and strategic imperative for privacy leaders
For privacy professionals, the absence of clear federal guidelines is not an excuse to let standards slide; it's a mandate to raise the bar.
Organizations can — and should — view robust privacy practices as a competitive differentiator rather than a compliance checkbox. Especially if competitors are deprioritizing privacy, and consumers increasingly feel the onus falls on companies to protect their privacy rights, this is the perfect time to choose privacy as a competitive advantage.
Privacy leaders must advocate for:
- A privacy by default culture. Protective privacy settings should become the norm, not a "nice to have." By making consumer privacy a priority, companies build credible trust.
- Proactive transparency. Clear, innovative and user-friendly communication about how customer data is collected, used and protected should be offered at multiple points throughout the customer journey. This goes beyond just linking to a wall of legalese, instead it should break down policies and use direct language in disclaimers.
- Cross-functional collaboration and a seat at the executive table. Privacy cannot live in a silo. Partnering with legal, security and marketing teams ensures privacy initiatives are holistic and impactful. And having a voice at executive-level discussions is even better.
The road ahead
There are many unknowns around what a Ferguson-led FTC will mean for the privacy community, and whether Congress will finally move on a federal standard in 2025 but that doesn't diminish the critical importance of privacy. It amplifies it.
CPOs and privacy leaders now stand as front-line defenders of consumer trust and ethical data practices. By embracing this responsibility, they can transform privacy from a regulatory burden into a strategic asset, safeguarding not only their organizations but also the digital economy at large.
The fight for privacy is far from over. If anything, the lack of clear leadership from Congress on this issue should be a rallying cry for businesses to lead where regulators may falter.
Ron De Jesus, AIGP, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPT, FIP, is the field chief privacy officer at Transcend.
