Listen to this post

Since Andrew Ferguson assumed the role of FTC chair in January 2025, following his year-long tenure as a commissioner, businesses have been watching closely for signals of how the agency might redirect its focus on privacy enforcement. Ferguson’s public statements, concurrences, and dissents provide valuable insight into his regulatory philosophy and what companies can expect under his leadership. This is the first in our series on what to expect from the FTC on privacy enforcement during Ferguson’s tenure as chair.

Philosophical Approach: “Staying in Our Lane”

The cornerstone of Ferguson’s regulatory philosophy is a commitment to enforcing existing laws without extending the FTC’s reach beyond what he views as its congressional mandate. In his September 2024 remarks at the International Consumer Protection and Enforcement Network, Ferguson emphasized:

“We must be mindful not to stretch the scope of consumer-protection laws beyond their rightful purpose. We must stay in our lane.”

He cautioned against treating consumer protection law as a “panacea for social ills,” arguing that doing so undermines the rule of law, creates legal uncertainty, and can have a chilling effect on innovation.

His statements reflect a concern that regulatory overreach not only exceeds statutory authority but can actively harm the innovation economy. In his June 2024 Taiwan remarks, Ferguson noted that “competition law will not get us the privacy standards we seek, nor is it intended to,” revealing his preference for domain-specific approaches to different regulatory problems.

The FTC as “Cop on the Beat” Rather Than Rulemaker

Ferguson has expressed skepticism about extensive rulemaking. In his December 2024 dissent to the FTC’s Regulatory Plan and Agenda, he stated bluntly:

“The Commission under President Trump will focus primarily on our traditional role as a cop on the beat. We will vigorously and faithfully enforce the laws that Congress has passed, rather than writing them.”

This suggests businesses may expect:

  • Fewer new privacy rules and more case-by-case enforcement actions;
  • Stricter textual interpretation of existing statutes such as COPPA, GLBA, and Section 5 of the FTC Act; and
  • Less reliance on policy statements and sub-regulatory guidance.

Ferguson’s preference for enforcement over rulemaking represents both a philosophical position on separation of powers and a practical assessment of the commission’s strengths. In his dissent on the Non-Compete Clause Rule, he argued that “the difficulty of legislating in Congress is a feature of the Constitution’s design, not a fault,” suggesting he views the constraints of the legislative process as purposeful rather than obstacles to be circumvented.

Section 5 Enforcement: Clear Standards for “Unfairness”

Ferguson favors a more restrained interpretation of the FTC’s unfairness authority under Section 5. While he acknowledges the three-part test established by Congress (substantial injury, not reasonably avoidable, and not outweighed by countervailing benefits), he tends to apply this test more narrowly than his predecessors.

In multiple statements, Ferguson has emphasized that:

  • Clear harm is required – The “substantial injury” prong requires demonstrable harm, not speculative or theoretical injuries.
  • Consent as central – Ferguson views proper notice and consent as often sufficient to render injuries “reasonably avoidable” by consumers.
  • Business practices vs. outcomes – He distinguishes between business practices that directly cause harm and those that may enable harmful outcomes but aren’t inherently harmful themselves.

For example, in his Mobilewalla concurrence, Ferguson supported unfairness claims related to the unconsented collection of sensitive data but rejected unfairness theories based on how lawfully collected data was subsequently categorized or analyzed.

Under Ferguson’s leadership, the FTC likely will invoke its unfairness authority on cases with clear, substantial injury that consumers could not reasonably avoid, rather than expanding the doctrine to address emerging technologies or novel business practices.

What It Means for Businesses

Based on Ferguson’s statements and positions, businesses should:

  • Focus on meaningful consent – Ensure that privacy notices are clear and that you have documented consent for collecting and using sensitive data.
  • Document data practices – Maintain clear records of data collection, use, and sharing practices.
  • Monitor case-by-case enforcement – Watch for enforcement actions rather than new rulemakings to understand the agency’s evolving priorities.
  • Engage with legislative processes – With Ferguson’s FTC less likely to set policy through rulemaking, businesses should increase their engagement with congressional privacy initiatives, as statutory changes may be the primary vehicle for major privacy policy developments.

While Ferguson’s approach represents a shift from the previous administration, it does not signal an abandonment of privacy enforcement. Instead, we can expect the FTC to take a more traditional approach focused on clear statutory mandates and established legal theories, with vigorous enforcement of existing privacy laws while being more cautious about expanding the FTC’s authority through creative interpretation.