Privacy Matters (https://privacymatters.dlapiper.com/category/ftc/), DLA Piper's Global Privacy and Data Protection Resource

US: Executive Order on federal agencies
https://privacymatters.dlapiper.com/2025/02/executive-order-on-federal-agencies/
Thu, 27 Feb 2025 23:36:19 +0000

This article was originally posted to our Market Edge blog.

By Era Anagnosti, Brent Bernell, Daniel Caprio, Steven Phillips, Andrew Serwin, and John Gevertz

On February 18, 2025, President Donald J. Trump signed an Executive Order (EO), entitled, “Restoring Democracy and Accountability in Government,” which asserts greater authority over all federal agencies, including those established by Congress as independent from direct presidential control. The EO specifically lists the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), the National Labor Relations Board (NLRB), and the Federal Reserve Board as relevant agencies.  

The EO could lead to delays, if not cancellations, of pending and proposed regulations at those agencies. At a minimum, it introduces uncertainty as it newly subjects all of their “significant regulatory actions” to White House review. Moreover, the EO reflects an intent (or represents an effort) to fundamentally change the current regulatory environment.

Specifically:

  • The EO asserts that Article II of the US Constitution vests all executive power in the President, meaning that all executive branch officials and employees are subject to the President’s supervision and control.
  • The EO declares that all agencies must submit draft regulations for White House review – with no carve-out for so-called independent agencies, except for the monetary policy functions of the Federal Reserve.
  • The EO further provides that agencies must consult with the White House on their priorities and strategic plans, and that the White House will set their performance standards, with the Office of Management and Budget adjusting the agencies’ funding apportionments to ensure tax dollars are spent in a manner that is consistent with White House priorities.
  • The President and the Attorney General (subject to the President’s supervision and control) will interpret all applicable law for the executive branch, meaning that, instead of allowing separate agencies to interpret their own enabling legislation, they must accept the Justice Department’s and White House’s interpretation as binding.

The EO follows the firing of the leaders of some of the independent agencies – in apparent contravention of the statutes that bar their dismissal without cause before the expiration of their terms. A number of those dismissals are currently being challenged in various federal courts.

While the EO purports to limit the independence of the agencies even in their areas of expertise, the Loper Bright decision last year had already resulted in the courts no longer deferring to the agencies’ expertise. In a 6-3 decision in Loper Bright, the Supreme Court overruled the Chevron doctrine, which held that where a statute was ambiguous or had not addressed the precise question at issue, courts would defer to a reasonable interpretation by the agency charged with implementing the statute. Instead, the Supreme Court held that “courts, not agencies, will decide all relevant questions of law arising on review of agency action” and expressly stated that there was to be “no deferential standard for courts to employ in answering those legal questions.” It remains to be seen whether the courts will accept the EO’s assertion that the White House and the Attorney General are the sole and final arbiters of the meaning of laws passed by Congress.

The patina of independence at the FTC, FCC, and SEC has been blurred over the past two decades by various EOs and executive branch actions. For example, the Biden Administration’s EO 14036 in 2021, titled “Promoting Competition in the American Economy,” served to establish a “whole-of-government effort to promote competition in the American economy” by encouraging stronger enforcement of antitrust law. The Biden EO directed over a dozen federal agencies, including the FTC, to take action on 72 separate initiatives identified by the Biden Administration as beneficial for curbing anti-competitive practices. The order additionally established the White House Competition Council, a fifteen-member committee led by the National Economic Council. Also, in 2015, President Barack Obama called upon the FCC to take up the strongest possible rules to protect net neutrality, the principle that says internet service providers (ISPs) should treat all internet traffic equally. The FCC voted along party lines in favor of strong net neutrality rules to keep the internet open and free.

Still, the 2025 EO marks an unprecedented shift with its explicit assertion of control over executive branch agencies – which may increase the likelihood of legal challenges and the potential for a Congressional response, given that agencies such as the FTC, FCC, and SEC were created as independent agencies by Congress.

In recent years, rulings from the Supreme Court have cabined agency authority. Notably, the Court’s ruling in Loper Bright Enterprises v. Raimondo, 603 US 369 (2024), overruled the Chevron deference doctrine, which required courts to defer to an agency’s reasonable interpretation of an ambiguous provision it is charged with implementing. The Supreme Court held that “courts, not agencies, will decide all relevant questions of law arising on review of agency action” and expressly stated that there was to be “no deferential standard for courts to employ in answering those legal questions.” Loper Bright applies equally to all agencies – including agencies like the SEC, FTC, and FCC that are charged with interpreting particularly technical statutes in policy-laden areas of regulatory law.

In combination, Loper Bright and the EO, which challenges their independence, usher in a new era of regulation of American businesses at a time when technology and the economy are rapidly growing more complex. In this new era, uncertainty for businesses may increase as the authority to interpret governing law shifts away from the institutions with the highest levels of technical expertise. At the same time, businesses have more opportunities than before to challenge proposed rules and final regulations that are adverse to their interests – by bringing their concerns to the attention of the White House and, if promulgated, challenging them in court.

It remains to be seen how this EO will be implemented and how either the courts or Congress will respond. However, at minimum, absent a court order barring its implementation, it is likely that the EO will delay pending rulemakings, including the FTC’s privacy “surveillance rule” launched during the Biden Administration.

There are many unanswered questions as to the impact of this EO, and DLA Piper is prepared to advise companies as they navigate through this uncharted territory.

FTC Reiterates that Hashed and Pseudonymized Data is Still Identifiable Data
https://privacymatters.dlapiper.com/2024/07/ftc-reiterates-that-hashed-and-pseudonymized-data-is-still-identifiable-data/
Fri, 26 Jul 2024 19:16:17 +0000

The Federal Trade Commission (FTC) reiterated its long-held view that hashing or pseudonymizing identifiers does not render data anonymous, in a post to its Technology Blog on July 24, 2024.

In the rather strongly worded post, while acknowledging that hashing and pseudonymizing data has the benefit of obscuring the underlying personal data, the FTC adamantly disagrees that it renders personal data anonymous, stating that:

[C]ompanies often claim that hashing allows them to preserve user privacy. This logic is as old as it is flawed – hashes aren’t “anonymous” and can still be used to identify users, and their misuse can lead to harm. Companies should not act or claim as if hashing personal information renders it anonymized.

The FTC emphasized that this has long been the agency’s position, highlighting several prior enforcement actions on this point and also citing a 2012 FTC Technology Blog post, “Does Hashing Make Data ‘Anonymous’?” (Rather than linking to the 2012 blog post, the FTC cheekily wrote: “To save a click, the answer is no, it does not.”)

Unsurprisingly, the FTC seems focused on the use and disclosure of persistent online identifiers that are commonly used to recognize individuals and devices online, such as email addresses, phone numbers, MAC addresses, hashed email addresses, device identifiers and advertising identifiers. In the post, the FTC stresses that hashing these identifiers does not relieve a company of its privacy obligations:

Regardless of what they look like, all user identifiers have the powerful capability to identify and track people over time, therefore the opacity of an identifier cannot be an excuse for improper use or disclosure.
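To make the FTC’s point concrete, here is an added example in Python (not code from the FTC post or from this blog): two constructed datasets that hold only SHA-256 hashes of e-mail addresses still join on the same person and still accumulate a history about that person, the hashes still match against any list of known addresses, and a keyed pseudonym (HMAC with a secret held by the controller) only blocks that outside matching while remaining a stable per-person identifier for the key holder. All names, keys and sample records are constructed.

```python
"""Added example: a hashed identifier is still an identifier.
Sample data below is constructed for illustration."""
import hashlib
import hmac
from collections import defaultdict


def hash_email(email: str) -> str:
    """Unkeyed hash as commonly used for 'hashed email' sharing.
    Deterministic: the same address always yields the same value."""
    normalized = email.strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Only the key holder can reproduce it,
    so a recipient cannot match it against its own hashed lists, but it is
    still a stable per-person identifier for whoever holds the key."""
    normalized = email.strip().lower()
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed sample data: an app's event log and an ad platform's customer
# list, both keyed by hashed e-mail and stripped of the raw address.
APP_EVENTS = [
    {"hashed_email": hash_email("alice@example.com"), "event": "visited_clinic_page", "day": 1},
    {"hashed_email": hash_email("Alice@Example.com "), "event": "booked_appointment", "day": 9},
    {"hashed_email": hash_email("bob@example.com"), "event": "visited_home", "day": 2},
]
AD_PLATFORM_CUSTOMERS = {
    hash_email("alice@example.com"): {"customer_id": "C-1001", "segment": "premium"},
    hash_email("carol@example.com"): {"customer_id": "C-1002", "segment": "trial"},
}


def link_events_to_customers(events, customers):
    """Join two datasets that share only hashed e-mails. Returns a mapping of
    customer_id -> sorted (day, event) list: a per-person history assembled
    without either party ever seeing a raw e-mail address."""
    histories = defaultdict(list)
    for record in events:
        customer = customers.get(record["hashed_email"])
        if customer is not None:
            histories[customer["customer_id"]].append((record["day"], record["event"]))
    return {cid: sorted(evs) for cid, evs in histories.items()}


def match_known_emails(hashed_values, candidate_emails):
    """Map hashed values back to addresses on a list the matcher already
    holds (the 'list matching' used in custom-audience building)."""
    lookup = {hash_email(e): e for e in candidate_emails}
    return {h: lookup[h] for h in hashed_values if h in lookup}


def recipient_can_link(identifier, candidate_emails):
    """True if a recipient without any key can tie the identifier to an
    address on its own list simply by hashing that list."""
    return identifier in {hash_email(e) for e in candidate_emails}


if __name__ == "__main__":
    print(link_events_to_customers(APP_EVENTS, AD_PLATFORM_CUSTOMERS))
    hashes = [r["hashed_email"] for r in APP_EVENTS]
    print(match_known_emails(hashes, ["alice@example.com", "bob@example.com"]))
    key = b"controller-secret-key"  # constructed; in practice keep keys out of source
    pseudonym = keyed_pseudonym("alice@example.com", key)
    print(recipient_can_link(pseudonym, ["alice@example.com"]))  # False
```

Note that the keyed form changes only who can do the matching, not whether the value identifies a person over time, which is why the FTC treats both as personal data.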

The FTC also made clear its position that it is deceptive for a company to claim that hashed or pseudonymized identifiers are anonymous, or to treat them as such, when they enable the tracking or targeting of an individual or device over time, and indicated that this is an area of focus for enforcement:

FTC staff will remain vigilant to ensure companies are following the law and take action when the privacy claims they make are deceptive.

Takeaways?

While this is not a new position or development, the FTC is indicating that it is an area of focus now. It may be a good time to remind digital, advertising, and other teams that online and other persistent identifiers—hashed or otherwise—are still personal data and subject to privacy requirements. It may also make sense to review relevant practices and areas, such as online and in-app identifiers and tracking (analytics, advertising or otherwise) and targeted advertising, including retargeting and custom audience building and list matching.

In addition, businesses may want to review privacy policies and other public-facing privacy statements to make sure they do not claim or imply that hashed or pseudonymized data is anonymous or overstate the privacy benefits of these practices. 

More Information

For more information about these developments and FTC enforcement in general, contact your DLA relationship Partner, the authors of this post, or any member of our Data, Privacy, and Cybersecurity team.

US: The FTC Cracks Down on Sensitive Personal Information Disclosures
https://privacymatters.dlapiper.com/2024/04/us-the-ftc-cracks-down-on-sensitive-personal-information-disclosures/
Sat, 27 Apr 2024 00:41:47 +0000

The Federal Trade Commission (“FTC”) is taking bold actions to challenge businesses’ collection and monetization of consumers’ personal data—particularly sensitive personal data. This month, the FTC reached settlements with a data broker, X-Mode Social and its successor Outlogic LLC (“X-Mode”), and an alcohol addiction treatment firm, Monument Inc. (“Monument”), for, among other things, allegedly selling and/or sharing sensitive personal data to or with third-party advertising firms, without consent and contrary to each company’s public disclosures. These settlements are just two of several notable sensitive data-related enforcement actions by the FTC recently.

In this post, we summarize and provide key takeaways from the FTC’s enforcement against X-Mode and Monument.

I. The FTC’s Order Against X-Mode for Selling and Sharing Sensitive Location Information

The FTC reached an unprecedented settlement with data broker, X-Mode, prohibiting it from disclosing sensitive geolocation information and requiring it to delete or destroy all precise geolocation data previously collected as well as all products or services created with this data, unless it obtains valid consumer consent.

Background

In its complaint, the FTC alleges X-Mode sold precise geolocation data that could be used to track individuals’ visits to sensitive locations such as reproductive health clinics, shelters, medical clinics, or places of worship, in violation of Section 5 of the FTC Act, which prohibits companies from engaging in unfair or deceptive trade practices. The FTC alleges X-Mode surreptitiously collected and sold precise geolocation data from millions of users without their consent, in violation of their privacy rights, and in direct opposition to the company’s own public representations.

In particular, the FTC alleges that X-Mode did not adequately disclose the intended use of users’ geolocation data and did not secure valid informed and affirmative consent from users prior to the data collection and/or sharing. Further, the company did not provide users of its own apps (e.g., Drunk Mode and Walk Against Humanity) with transparent notices describing the purposes for collecting and processing geolocation information or notifying them that their information would be sold to government contractors for national security purposes. Additionally, X-Mode allegedly failed to honor Android users’ requests to opt out of such data collection and provided third parties access to these users’ sensitive personal data in conflict with their privacy choices.

Despite having two of its own apps that collect geolocation information, X-Mode primarily relies on third-party app publishers to amass the location information it collects and sells. The FTC claims the company provided sample consumer notices to these third-party app publishers that misled consumers about the purposes for which their location information was being collected, used, and could otherwise be processed. The company also allegedly failed to verify that the third-party app publishers were, on their own, notifying their consumers of the relevant processing purposes and obtaining valid consent.

Additionally, the FTC alleges the company targeted consumers based on sensitive characteristics and failed to remove sensitive geolocation information from the raw location data it sold to third parties downstream. It also failed to implement reasonable or appropriate safeguards to protect against inappropriate downstream uses of the location information it sold.

FTC Order Requirements

The FTC’s decision and order prohibits X-Mode from selling or sharing any sensitive location data and requires the company to:

  • delete or destroy all precise geolocation data previously collected as well as all products or services created with this data, unless it obtains valid consumer consent or ensures the data has been de-identified or rendered non-sensitive.
  • maintain a comprehensive record of all sensitive location data it collects and maintains, to ensure it is adequately protecting and not unlawfully selling or sharing this information.
  • develop a supplier assessment program to ensure that third parties who provide location data to X-Mode:
    • obtain affirmative express consent from consumers for the collection, use, and sale of their data and
    • ensure that data brokers/providers are tracking and honoring individuals’ requests to opt out of the sale/disclosure of their data.
  • ensure all recipients of its location data do not associate it with sensitive locations, such as medical facilities, religious institutions, shelters, schools, union offices, and immigrant service offices.
  • notify the FTC within thirty (30) days of determining there was a “third-party incident,” defined as a third party sharing X-Mode’s location data in violation of its contractual limitations.
  • establish a data retention schedule and implement a comprehensive privacy program that adequately protects consumers’ personal information.

The order specifies that disclosures requesting consumers’ “affirmative express consent” must be “clear and conspicuous” and separate from any existing terms of service, terms of use, or privacy policy; hovering over a piece of content on a website, or muting, pausing, or closing content, will not constitute affirmative express consent.

Likewise, the FTC’s order against Monument for certain alleged disclosures of sensitive health data stipulates similar remedial measures.

II. The FTC’s Order Against Monument regarding Disclosures of Sensitive Health Data to Third Parties for Marketing Purposes

The FTC announced a proposed order, prohibiting alcohol addiction treatment company, Monument, from disclosing individuals’ health information to third-party advertising companies and platforms for purposes of targeted advertising without valid consent.

Background

In its complaint, the FTC alleges that Monument used online tracking technologies such as cookies, pixels, APIs, and other similar technologies, to collect personal data about individuals who visited and interacted with Monument’s websites and other online and subscription services. The relevant data includes name, email address, address, phone number, date of birth, IP address, government-issued ID, information about alcohol consumption and medical history, device identifiers, and other relevant information about the 84,000 impacted individuals. Once collected, Monument allegedly categorized this information into ‘Custom Events’ and provided the Custom Event information along with email addresses, IP addresses, and other unique identifiers to the third-party advertisers for re-targeting and custom audience purposes, allowing advertisers to identify specific individuals for targeted advertising. The complaint further alleges that Monument’s contracts with these third-party advertisers did not limit the third parties’ downstream use of the disclosed personal data for their own commercial purposes.

The FTC documented that Monument publicly claimed in its privacy policy that it was fully compliant with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and that any information provided by individuals would be kept “100% confidential, secure and HIPAA compliant.” In addition, the policy stated that Monument would not disclose any personal data, including health information, to third parties without the individual’s written consent. Nonetheless, the privacy policy simultaneously stated that Monument would disclose personal data, including health information, to third parties, including for marketing purposes.

The FTC claims that these disclosures and representations violate Section 5 of the FTC Act, as misrepresentations and deceptive omissions of material facts constituting deceptive practices, and the Opioid Addiction Recovery Fraud Prevention Act of 2018 (“OARFPA”), as unfair or deceptive acts or practices related to information regarding a substance use disorder treatment service and/or product.

FTC Order Requirements

Under the order, along with imposing a (suspended) $2.5 million civil penalty and amongst other things, Monument must:

  • identify all health information the company shared with relevant third parties for unlawful purposes and instruct the third-party recipients to delete such data;
  • provide notice to all impacted individuals about the unlawful disclosure of their personal data, including their health information;
  • not disclose any health information to third parties for advertising purposes;
  • obtain an individual’s affirmative express consent prior to disclosing health information for any purpose other than advertising (which is prohibited under the order); and
  • not make deceptive or misleading statements to promote its services, such as about its HIPAA compliance and its data practices.

Monument is also ordered to implement a comprehensive privacy program to protect the privacy and security of the personal data it collects, retains, and discloses. The privacy program must include:

  • a privacy officer who is a designated and qualified employee, reports to a senior executive, and is responsible for the privacy program;
  • regular assessments of the company’s privacy operations concerning personal data;
  • adequate technical, administrative, and organizational safeguards to protect personal data, including reviews of its relevant contracts with third parties;
  • a data retention policy that limits retention of personal data to the shortest time necessary to fulfill the purposes for which it was collected, with the retention schedule made publicly available; and
  • processes to maintain records of processing activities that capture the personal data that is collected on behalf of and/or disclosed to a third party.

III. Takeaways

In line with its other recent enforcement actions, these orders underscore the FTC’s commitment to restraining the collection, sale, or disclosure of consumers’ sensitive personal information. Businesses that collect, sell, or otherwise process sensitive personal information, and particularly precise geolocation information and health information, should:

  • Establish and implement a comprehensive privacy program that adequately maps the company’s collection and processing of personal information and protects consumers’ personal information;
  • Conduct due diligence on downstream third-party businesses and service providers to whom they disclose personal information and ensure that adequate contractual terms are in place;
  • Obtain affirmative and informed prior consent from individuals for the collection, use, disclosure and/or sale of their sensitive personal data;
  • Avoid sharing, selling, or otherwise disclosing sensitive geolocation data and health information;
  • Ensure data providers/data brokers who supply the company with personal information are collecting informed, affirmative and valid consent from individuals and honoring opt-outs as necessary; and
  • Review their data retention schedules and practices.

These orders highlight the growing importance of implementing and maintaining a comprehensive, well-rounded privacy program that goes beyond providing a cookie-cutter privacy policy, and the FTC’s willingness to increase oversight and institute significant consequences against those who don’t.

For more information about these developments and FTC enforcement in general, contact your DLA relationship Partner, the authors of this post, or any member of our Data, Privacy, and Cybersecurity team.
