Elon Musk tries again to escape FTC audits of X data handling
Source: Ars Technica
“Unjustifiable”?
Musk can’t be trusted to protect X user privacy, public commenters warn FTC
Critics hope to keep Elon Musk from escaping a strict data‑privacy order imposed by the Federal Trade Commission (FTC) shortly before he took over Twitter.
The FTC order placed restrictions on X’s data use for 20 years, while requiring regular independent audits and granting the agency authority to request documents as needed to ensure compliance.
The FTC’s action came after Twitter voluntarily disclosed that, between May 2013 and September 2019, a coding error accidentally allowed phone numbers and email addresses that users shared for two‑factor authentication (2FA) to be used for targeted advertising aimed at those same users. In a settlement that came just months before Musk’s 2022 takeover, Twitter agreed to:
- Pay $150 million
- Allow the FTC to monitor the platform’s data‑handling practices until 2042 in order to protect user privacy
Musk tried and failed to get the order revoked in 2023. At that time, he accused the FTC of aggressively increasing the number of investigative demands and claimed the order was improper and should be terminated because the agency was “tainted by bias.”
In response, the FTC pointed out that Musk’s takeover raised genuine questions about the company’s ability to comply with the order, particularly after he terminated key staff who had ensured compliance for years. One engineer confirmed in a deposition that layoffs and other “cost‑cutting pressure and decisions” impaired X’s ability to “put technical restrictions and controls in place… around the company’s use of contact data to make sure that it was being used… for the purpose that the particular contact data was collected,” the agency’s filing said.
“No one was responsible for about 37 percent of X Corp.’s privacy program controls,” the FTC argued.
Additional red flags for the FTC included Musk’s demands that journalists get access to internal systems for the “Twitter Files” and a text from Musk insisting that an executive assistant gain access to systems “immediately,” threatening that “anybody standing in the way” would “be fired.” In 2024, the agency claimed that X security staff sometimes had to pointedly disobey Musk in order to remain in compliance. As Twitter’s functionality became spotty through steep layoffs, the FTC argued that it had “every reason to seek information about whether these developments signaled a lapse in X Corp.’s compliance.”
Musk lost his previous lawsuit after the court found it had no authority to amend or end the FTC’s order. He is trying again with new arguments, complaining in a May petition to the FTC that they should set aside the order “without delay.”
According to Musk, the FTC should stop its monitoring because:
- Twitter no longer exists – X was merged into xAI (Ars Technica, 2025), and xAI was later folded into SpaceX (Ars Technica, 2026).
- None of the leadership or engineers responsible for the 2FA error remain at the company, and “X has since built a world‑class privacy and data‑protection program” that protects consumers.
The company further argued that it has paid $17 million in “needless costs,” since a lawsuit over the same 2FA issue ended with a verdict in Twitter’s favor. If a court found that Twitter’s privacy policy adequately informed users that their contact info might be used for ad targeting, then the FTC should not be able to continue punishing X for that behavior, Musk argued.
“The factual foundation of the FTC’s complaint has been dismantled,” X says. “And the Order’s staggering costs—imposed on both the Company and on the Commission itself—are unjustifiable.”
As X sees it, the order also forces the company to duplicate compliance efforts, because X already must take extra precautions with data to comply with laws such as the European Union’s General Data Protection Regulation (GDPR).
Additional claims X raised to justify tossing the order
- Chilling speech – Allowing the FTC to maintain the order would chill speech on X, because it “creates a permanent mechanism through which future regulators can pressure the Company over the viewpoints it hosts.”
- Trump’s AI Action Plan – Donald Trump’s AI Action Plan requires government agencies to drop orders such as this one. Since X is “at the center of a family of companies—including xAI—that are at the forefront of America’s AI ambitions,” the FTC risks running afoul of Trump’s decree to eliminate unnecessary bureaucracy. The petition argues that the order diverts X “engineering resources from innovation to compliance paperwork.”
Musk wants the order either dropped immediately or set aside without delay.
Immediately or by the end of this year, as he says X will face another year of compliance costs.
First Commenters Agree: Deny X’s Petition
On Wednesday the FTC posted an update seeking public comments on X’s petition to end the strict data‑privacy monitoring. Stakeholders have until July 2 to weigh in — submit comments here. After the deadline, the agency will make its determination.
Only a little more than a dozen comments have been submitted so far, the majority anonymously urging the FTC to deny X’s petition.
Main Themes of the Anonymous Comments
- Compliance should stay in place. Commenters argued that Elon Musk knew about the order before buying Twitter and that the compliance costs he cites are proportionate to the scale of the violation, especially given X’s one‑time $44 billion valuation (Ars Technica, 2023).
- Mocking Musk’s attempts to back out. One joked, “buyer beware.” Another suggested Musk could find the $17 million needed for next year’s compliance costs by “cueing up some DOGE‑like cuts to save X money.”
- Call for stricter oversight.
“I do not trust that Elon and the X team won’t eventually do the exact same thing or worse. It should stay or become more strict.” – anonymous
- Privacy‑risk concerns. Commenters warned that without FTC standards, X could roll back privacy measures to cut costs. One noted that Musk’s efforts leading DOGE may have violated the Privacy Act.
Only one commenter supported X’s petition, but the submission focused more on criticizing the FTC than on defending X, alleging personal experience with “agency overreach.”
Named Commenters
| Commenter | Main Points |
|---|---|
| Amanda Collins | Stated that Musk’s relationship with the Trump administration should not influence the decision. Urged the FTC to “operate from a position of protecting the American public and not shielding oligarchs from consequences.” |
| William P. II (most substantive comment) | • Argued that X’s merger does not justify dropping the order; monitoring is more critical because the combined entity has strong incentives to train AI on user data. |
| • Cited two post‑acquisition data breaches: | |
| – 200 million records in 2023 (Ars Technica) | |
| – 2.8 billion profiles in 2025 (Forbes) | |
| • Highlighted the Irish Data Protection Commission’s 2024 inquiry into X’s use of user data to train the Grok AI model without adequate consent, undermining X’s GDPR claims. | |
| • Reminded that the order runs through 2042 because the FTC concluded a repeat offender requires sustained oversight; X is only four years into that period. | |
| Other anonymous submitters | Reiterated distrust of X’s privacy practices and called for the FTC to intensify its probe of X’s current data‑handling practices. |
Legal Threshold for Terminating the Order
To defeat the order, X must demonstrate that the order’s safeguards are either unworkable or contrary to the public interest, and that no other remedy can address the alleged harms. In the agency’s prior response, the FTC argued that Musk was seeking termination “to limit the FTC’s investigation into alarming developments related to its data‑privacy and security practice.”
About the Author
Ashley Belanger is a senior policy reporter for Ars Technica, tracking the social impacts of emerging policies and new technologies. She is a Chicago‑based journalist with 20 years of experience.
16 Comments
