Unwinding the Orders: The FTC's Twitter/X Petition, the Rytr Walk-Back, and the Federal Privacy Retreat

On June 3, 2026, X Corp. — the company formerly known as Twitter — filed a petition asking the Federal Trade Commission to set aside or modify one of the most consequential privacy consent orders in the agency’s modern history. Two days later, on June 5, the FTC opened a 30-day public comment window, running through July 2, 2026, before the Commission votes on whether to grant the request. The order in question is no minor relic. It is the 2022 settlement that required Twitter to pay a $150 million civil penalty for misusing phone numbers and email addresses that users had handed over for account security, and which extended federal oversight of the company’s data practices through 2042.

For compliance professionals, the petition is significant less for what happens to X specifically than for what it represents. Read together with the FTC’s December 2025 decision to walk back its Rytr enforcement action, and against the backdrop of the White House’s July 2025 AI Action Plan, the X petition is a data point in an unmistakable pattern: federal privacy and AI enforcement posture is loosening. That loosening is real, but it is also a trap. A company that reorganizes its compliance program around the assumption that the FTC has stepped back is exposing itself to the enforcers who have not — state attorneys general, the California Privacy Protection Agency (CPPA), and the plaintiffs’ bar. This article unpacks the procedural mechanics, the broader pattern, and why “the FTC is backing off” is the wrong lesson to take from 2026.

The Twitter/X order: a fifteen-year tether

The order X Corp. now seeks to escape has a long lineage. In 2011, Twitter entered into a consent decree with the FTC to resolve allegations that it had deceived users and failed to safeguard their personal information — including incidents in which attackers gained administrative control of the platform. That 2011 order imposed a 20-year compliance regime: prohibitions on misrepresenting privacy and security practices, plus a mandated information-security program subject to periodic third-party assessment.

The company did not stay clear of trouble. In May 2022, the FTC and the Department of Justice alleged that Twitter had violated the 2011 decree. From May 2013 until at least September 2019, Twitter told more than 140 million users that it was collecting their phone numbers and email addresses to secure their accounts — for two-factor authentication and account recovery — while quietly feeding that same contact information into its targeted-advertising systems, allowing advertisers to match users through tools like Tailored Audiences and Partner Audiences. The FTC characterized this as breaking the same privacy promises a second time. Twitter settled by agreeing to a $150 million civil penalty and an updated, more demanding order that reset the clock: new obligations around data use, user notice, multi-factor authentication options, and a strengthened privacy and information-security program, with FTC oversight extending a further 20 years — through 2042.

This is not the first attempt to loosen the tether. In July 2023, after Elon Musk’s acquisition, the company asked a federal court to terminate the consent order, arguing that the FTC’s post-acquisition probe had “spiraled out of control.” That effort went nowhere. The June 2026 petition is a different vehicle and a different moment.

What “set aside or modify” actually means

A petition to reopen and modify a final FTC order is a creature of the agency’s own Rules of Practice and Section 5(b) of the FTC Act. A respondent bound by a consent order can ask the Commission to set the order aside or alter its terms by demonstrating either that changed conditions of fact or law warrant the change, or that the public interest requires it. The decision rests with the Commission itself — the same body that issued the order — typically after a public comment period like the one now open. There is no neutral court in the first instance; the FTC is asked to reconsider its own handiwork.

That procedural posture matters for understanding who is driving this. The petitioner here is the company, X Corp., not the FTC reconsidering on its own motion. But the grounds X advances are calibrated precisely to the current Commission’s stated priorities. According to the petition, the order should be terminated — or modified to sunset at the end of 2026 — because: the order was imposed on a corporate entity that no longer exists and every individual responsible for the underlying failures has departed; X has since built what it calls a “world-class” privacy and data-protection program; the order’s obligations now merely duplicate protections already required by domestic and international privacy regimes and recognized industry frameworks, imposing millions of dollars in needless compliance costs; setting the order aside “safeguards First Amendment values”; and — the tell — that modifying the order “is critical to advancing American leadership in artificial intelligence.”

That final argument is not incidental. It is the language of the moment, and it is the thread connecting the X petition to the rest of the FTC’s 2026 docket.

The Rytr walk-back and the AI Action Plan

To understand why the AI argument appears in a privacy petition about phone numbers and email addresses, look to December 2025. On December 22, 2025, the FTC reopened and set aside its own final consent order against Rytr, an AI writing-tool company. The Rytr order dated to September 2024, when the FTC sued the company as part of “Operation AI Comply,” alleging that Rytr’s service provided the “means and instrumentalities” to generate fake and deceptive consumer reviews. The complaint had asserted the tool had “no or de minimis legitimate uses.”

In setting the order aside, the Commission reversed that judgment. It concluded the complaint allegations did not actually establish a Section 5 violation — echoing then-Commissioner Ferguson’s earlier dissent that a tool with “both lawful and unlawful potential uses” cannot be treated as categorically illegal — and that the order “did not provide any benefit to consumers and thus unduly burdened AI innovation.” Crucially, the FTC framed the Rytr set-aside as the first concrete action implementing the White House’s July 2025 AI Action Plan, which directed the agency to review all of its final orders, consent decrees, and injunctions and to “modify or set aside any that unduly burden AI innovation.”

That directive is the connective tissue. The AI Action Plan converted “AI innovation” into a magic phrase capable of unwinding existing enforcement. Once the agency announced it would comb through its own back catalog of orders for anything that burdens AI, it invited every respondent under an active order to reframe its compliance obligations as an impediment to American AI leadership. X Corp.’s petition reads as exactly that invitation accepted: a privacy order born of an advertising-data scandal, recast as a drag on a company that now operates Grok and positions itself as an AI firm.

The pattern: what gets dropped, what gets pursued

It would be a mistake to read 2026 as the FTC abandoning enforcement wholesale. The more accurate picture is selective retrenchment, and the contours of that selectivity are instructive.

On the “unwind” side of the ledger: the Rytr set-aside, the broader review of legacy orders mandated by the AI Action Plan, and now the open question of the X order. The common denominator is enforcement that touches AI development or AI-adjacent products, particularly cases built on novel or aggressive theories like “means and instrumentalities” liability for a general-purpose tool.

On the “still pursued” side: in May 2026, the FTC announced settlements with Cox Media Group and two smaller marketing firms, requiring nearly $1 million — $930,000 — to resolve charges that they deceived customers with claims of an AI-powered “active listening” service that supposedly captured conversations from consumers’ smart devices to target ads. As detailed in our analysis of the Cox Media active-listening case, the service never listened to anything; it resold marked-up email lists obtained from data brokers. The FTC pursued that case to settlement even as it was setting Rytr free.

The distinction is coherent once you see it. Cox Media was a straightforward deception case — false claims about a product’s capabilities — that happened to involve the letters “AI.” Rytr was an attempt to hold an AI-tool maker liable for what users might do with a lawful product. The current Commission is comfortable policing lies about AI; it is retreating from theories that would make AI development itself risky. For compliance teams, that line is the single most useful thing to internalize about the 2026 FTC: misrepresentation enforcement is alive and well, while expansive liability theories aimed at the technology layer are in retreat.

Why “the FTC is backing off” is a trap

Here is where compliance teams can go badly wrong. The temptation, reading the headlines, is to conclude that the privacy-enforcement environment has eased and that programs built for a more aggressive FTC can be relaxed. That conclusion is dangerous for at least four reasons.

First, existing consent orders still bind until the Commission says otherwise. X Corp. has petitioned to be released from the 2022 order; it has not been released. The order remains fully in force through the comment period and through whatever vote follows, and the Commission may well decline to grant the request or grant only a narrow modification. Any company under an active FTC order should assume it remains enforceable in full. A petition is a request, not a result — and treating a pending petition as accomplished relief invites a contempt or civil-penalty action.

Second, the federal retreat does not vacate the field; it relocates the action to the states. The same conduct the FTC may be deprioritizing remains squarely within the jurisdiction of state attorneys general and dedicated state privacy regulators. California’s CPPA has been escalating both rulemaking and enforcement, and it is joined by a growing roster of comprehensive state privacy statutes. As we documented in our survey of the 2026 state privacy patchwork, roughly twenty states now have comprehensive consumer-privacy laws on the books, several with their own AI-specific provisions on automated decision-making and profiling. A company that aligned its program to a relaxed federal baseline can still find itself out of compliance in California, Colorado, Connecticut, Texas, and beyond — each with its own definitions, cure periods (many now expired or expiring), and penalty structures.

Third, private litigation is unaffected by FTC posture. The California Consumer Privacy Act carries a private right of action for certain data breaches, with statutory damages between $100 and $750 per consumer per incident. State wiretap and biometric statutes — Illinois’s BIPA most prominently — generate substantial class-action exposure regardless of what any federal agency does. Plaintiffs’ firms do not wait for the FTC’s permission, and a federal decision to set aside an order does not estop a private claim premised on the same underlying conduct under state law.

Fourth, the deregulatory posture is itself a source of uncertainty rather than stability. Enforcement priorities set by executive action can be reset by the next administration, the next Commission majority, or the next high-profile incident. The Rytr set-aside passed on a divided Commission; the X petition will be decided by a vote. Building a long-term compliance strategy on the assumption that a particular enforcement philosophy will persist is a bet on political weather. Orders that are set aside can, in principle, inform future enforcement when conditions change, and conduct that goes unaddressed federally today remains discoverable evidence in state and private actions tomorrow.

What to do now

The practical response to a loosening federal posture is not to loosen in turn. It is to re-anchor the compliance program to the enforcers and obligations that remain binding.

• Treat active consent orders as fully operative. If your organization is under an FTC order, continue to meet every term — assessments, notices, data-use restrictions, program maintenance — until you have a written Commission decision releasing you. Do not let a pending petition, yours or a peer’s, become an excuse to relax controls.

• Map obligations to the strictest applicable state regime, not the federal floor. Inventory which of the roughly twenty comprehensive state privacy laws apply to your data flows, and build to the most demanding — typically California, with its CPPA rules on automated decision-making, risk assessments, and cybersecurity audits. Compliance with the strictest state standard generally subsumes the federal expectations and insulates you from the regulators most likely to act.

• Honor the original purpose of security data. The conduct at the heart of the Twitter order — collecting contact information for security and repurposing it for advertising — remains deceptive under Section 5 and under every state UDAP and privacy statute, regardless of the order’s fate. Audit how authentication data, recovery emails, and phone numbers flow through your ad and AI systems, and ensure use is limited to the purpose disclosed at collection.

• Scrutinize AI marketing claims. The Cox Media settlements show the FTC will still pursue false claims about AI capabilities. Whatever a product does or does not do, say so accurately. “AI-powered” is not a marketing flourish; it is a representation that must be substantiated.

• Document data-subject rights, consent, and vendor diligence. Private actions and state enforcement turn on records: consent provenance, deletion and access-request handling, and what you knew about the data your vendors supplied. The Cox Media case turned in part on reselling broker-sourced lists; vendor liability is real.

• Avoid building strategy on a single administration’s priorities. Design for durability across enforcement cycles. The cheapest compliance posture in June 2026 may be the most expensive one in a later year if the pendulum swings back and the gap is litigated retroactively under state law.

Conclusion

X Corp.’s June 3, 2026 petition to set aside or modify the Twitter privacy order is a clarifying event. It shows a company reading the room correctly: an FTC that has, since the July 2025 AI Action Plan and the December 2025 Rytr set-aside, signaled real appetite for unwinding obligations it now views as burdens on AI innovation. The petition may even succeed in whole or in part; the comment window closes July 2, 2026, and the Commission will vote.

But the deregulatory shift at the federal level is narrower and more fragile than the headlines suggest. The FTC is retreating from expansive liability theories aimed at the AI technology layer while continuing to police outright deception, as Cox Media demonstrates. And beneath the federal layer sits a dense, growing structure of state privacy laws, an increasingly assertive CPPA, and a plaintiffs’ bar that needs no agency’s blessing. For compliance teams, the correct reading of 2026 is not that the rules have relaxed but that the locus of enforcement has moved. The smart move is to follow it there.

This article is provided for informational purposes only and does not constitute legal advice.