On June 3, 2026, the Federal Trade Commission opened a 30-day public comment period — running through July 2, 2026 — on a petition from X Corp. asking the agency to set aside or modify the 2022 consent order that resolved its predecessor’s privacy case. The order in question is no minor artifact. It accompanied a $150 million civil penalty and resolved the FTC’s charges that Twitter had, for years, taken phone numbers and email addresses that users supplied for two-factor authentication and quietly fed them into its targeted-advertising machinery — a deception that also violated an earlier 2011 FTC order.

The petition raises a question that sits underneath every consent decree and that compliance teams rarely have occasion to examine: are these orders permanent? An FTC privacy order typically binds a company for twenty years. X’s filing argues that the order should end now, and the agency’s handling of that argument will signal how durable these obligations really are — and how a change in corporate ownership, leadership, and even technological mission bears on commitments made by a prior regime.

What X Is Arguing

X’s petition advances several connected claims, each designed to show that continued oversight no longer serves a valid regulatory purpose.

The company that misbehaved no longer exists. X contends that the conduct underlying the order belonged to the old Twitter, that the individuals responsible for the failures have all departed, and that the corporate entity itself has been transformed. The order, on this theory, polices a ghost.

A world-class privacy program already exists. X asserts it has built a mature privacy and data-protection program, such that the order’s monitoring, assessment, and certification requirements are redundant — duplicating protections already mandated by domestic and international privacy regimes and adding only cost.

The order obstructs AI development. This is the most forward-looking and revealing argument. X contends that the order’s requirements — including obligations to certify that it considers data-security and privacy risks when developing new products — impede its ability to develop artificial intelligence. In effect, X argues that a privacy commitment written for a social-media advertising business now functions as a brake on an AI business.

The costs are needless. X frames the ongoing assessment and certification obligations as imposing millions of dollars in costs to address risks already covered elsewhere, serving no purpose the broader privacy landscape does not already serve.

Setting aside or modifying a consent order is not a matter of a company simply outgrowing it. The governing standard, rooted in the Supreme Court’s framework for modifying consent decrees, asks whether there has been a significant change in factual circumstances or in law that makes continued application of the order inequitable or no longer in the public interest. The burden sits with the party seeking relief.

That standard cuts in several directions here. A genuine change in ownership and management is a factual change — but consent orders are deliberately attached to the corporate entity and its successors precisely so that they survive personnel turnover; that is the point of binding the company rather than the executives. A company’s claim to have voluntarily built strong compliance is likewise double-edged: the FTC may reasonably respond that the order is exactly why the program exists, and that dissolving the order to reward the program it produced would invert the incentive. The AI argument is the freshest, but it may be the weakest as a legal matter — “this twenty-year privacy commitment is inconvenient for our new line of business” is closer to a description of the order working as intended than to a changed circumstance that makes enforcement inequitable.

None of this means the petition is frivolous. The FTC does grant modifications, and a decade-old order can contain provisions overtaken by changes in technology, law, or the company’s actual operations. But the bar is high by design, because the alternative — orders that dissolve whenever a company restructures or rebrands — would make consent decrees a temporary inconvenience rather than a durable remedy.

Why Every Regulated Company Should Watch This

Even organizations with no connection to X have a stake in how the FTC resolves this petition, because it tests the half-life of regulatory commitments.

Consent orders are meant to outlast the people who signed them. A core premise of FTC enforcement is that an order binds the entity through ownership changes, mergers, and management turnover. If a change of control became a reliable path to early release, the deterrent value of every outstanding order would erode. The Commission’s response will indicate how firmly it holds that premise in 2026.

“We fixed it” is not, by itself, an exit. Many companies under order build robust programs and reasonably wonder when the supervision ends. X’s petition will produce a data point on whether demonstrated compliance shortens the leash or simply satisfies it. The conservative reading for any company under an active order is that the order runs its full term, and that strong compliance is the price of avoiding penalties, not a ticket out.

The AI-friction argument will recur. X’s claim that a legacy privacy order constrains AI development is a template other companies will reach for. Many outstanding FTC orders were written before the current generation of AI products existed, and their data-handling and product-development provisions can sit awkwardly against AI training and deployment. How the FTC treats this argument — whether it sees a legitimate changed circumstance or an attempt to shed accountability under cover of innovation — will shape how every company under an older order frames its own AI ambitions.

What To Do Now

For compliance and legal teams, the petition is a prompt to take stock rather than to act dramatically.

  • If your organization is under an FTC order, assume it runs its full term. Build and budget your compliance program on that assumption. Treat any modification as a possibility to pursue on the merits, not a baseline expectation.
  • Map your order’s obligations against your current and planned product lines — especially AI. If legacy provisions create genuine friction with new AI development, document the specifics now. Should you ever seek modification, the record you build today is the evidence you will rely on.
  • Maintain the assessments and certifications precisely as written. Petitions to modify are evaluated against a backdrop of demonstrated compliance. A company seeking relief from an order it has not scrupulously followed starts from a position of weakness.
  • Consider the comment period itself. The FTC’s public-comment process is open through July 2, 2026. Industry groups, privacy advocates, and affected parties can shape the record. Organizations with a stake in the precedent — in either direction — have a channel to be heard.

The X petition will not be resolved quickly, and its outcome is genuinely uncertain. But the question it raises is one every company operating under regulatory supervision should be able to answer for itself: when we agreed to twenty years of oversight, did we understand that we meant it? The FTC’s answer this summer will make that understanding a good deal more concrete.

This article is provided for informational purposes only and does not constitute legal advice.